Asian and European Firms Still Unprepared for Data Breaches

The economic losses in Hong Kong caused by malicious cyber attackers could amount to US$32 billion (HK$249.6 billion) annually – 10 per cent of the city’s gross domestic product – according to a new study. Large organisations with more than 500 employees could suffer average losses of US$24.9 million.

The huge potential costs include ransom money and stock price changes as well as indirect setbacks such as reputational damage.

“Hong Kong is in line with other developed markets in terms of cyber resilience,” Microsoft Asia’s chief cybersecurity officer Michael Montoya says.

The study, commissioned by Microsoft and carried out by consultancy Frost & Sullivan, surveyed 1,300 business and IT executives in the Asia-Pacific region.

Almost a quarter of firms surveyed in Hong Kong had experienced cyber security incidents. Meanwhile, another 25 per cent said they were unsure. It is hard for them to quantify the total amount as they have not conducted proper data breach assessments. More reassuringly, just over half said they made regular checks on security to ensure that breaches did not occur.

There were 6,506 cybersecurity complaints in Hong Kong in 2017, up 7 per cent on 2016. That was a result of an upsurge in malware attacks, reports the Hong Kong Computer Emergency Response Team (HKCERT).

The Asian market will be bracing itself for more attacks of this sort, but Europe is hardly immune: UK retailer Dixons Carphone admitted last week to a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.

According to the BBC, it is investigating the hacking attempt, which began in July last year. Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

There was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked, it said. The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said.

The incident is the first of its kind since the EU General Data Protection Regulation went live on 25 May, so cyber analysts such as Fifth Step will be following the subsequent fallout with some interest.

The UK Information Commissioner's Office (ICO), which fined Carphone Warehouse £400,000 for the 2015 breach, will now be looking very closely at this latest failing of the merged companies. The £400,000 fine levied against Dixons was 80 per cent of the previous maximum, whereas the same proportion would now be 80 per cent of £17 million - a potential fine of £13.5 million.

The BBC reported that “luckily for Dixons, the incident happened before the new GDPR rules, which promise much bigger fines, came into force.” However, the fact that the business reported the breach late could still have serious repercussions.

Fifth Step’s advice is: don’t delay. The post-breach response is in many ways more important than the initial breach. Be open and transparent from the start. The incident evokes memories of the 2017 Equifax data breach.

As I wrote recently in Strategic Risk magazine, despite the first attacks on Equifax going back as far as May 2017, the full details of the breach have not and may never be fully released to the public. There is, however, enough information available for those on the outside of the organisation to observe the lessons that can and should be learnt.

It is important to understand that although the likes of Dixons and Equifax made mistakes, they’re not the only company to do so. Their biggest mistake, however, was in not having a means of recognising the errors that had been made and mitigating the situation before it became the issue it is today.

The first lesson is to have and use an Incident Response Plan. The actions taken after these events seem to be wholly inadequate, with the incidents being largely ignored.

The first step is to stop more data being stolen. Inherent in this is a technical understanding and an initial triage of the attack. A good data breach response plan will identify the stakeholders for the organisation.

The plan should be scaled to the severity of the breach, with guidance on how this is achieved included as part of the communications plan.

Initiate the Business Continuity and Disaster Recovery Plan

An incident response plan has many purposes, but a key one is to initiate the recovery process. This may be based on the initial information and triage, but it is imperative to protect the organisation, its people, its assets (digital and physical), and its reputation.

Darren Wray