And Investment Security Analytics Just Increased a Bit More …

My tip for a company to invest in? Well, one which is expert in security analytics, threat hunting and system monitoring, as CEOs all over the country will be reading about the fine imposed on British Airways (BA), and it presents them with a worrying dilemma … you can still be fined, even if you have been the victim of criminal activity.

And so today it was announced that British Airways (BA) has been fined £183m by the ICO for a breach that happened in Sept 2018.

The case relates to a hack on the JavaScript integration on the BA site, through which the attackers were able to harvest the credit card details (including CVV2 numbers) of users.

While many CEOs might struggle with some of the concepts of cybersecurity, they do understand fines, especially when these result in the loss of funds and in brand damage.

The fine is significant, as BA have seen themselves as the victim of a crime, but now face a fine which is 1.5% of their worldwide turnover in 2017 (and which is less than the maximum fine of 4% under GDPR — the previous record fine was £500K to Cambridge Analytica).

The shock of the BA fine is that the fine for Cambridge Analytica related to the actual harvesting of the data, whereas the BA fine relates to the weaknesses which gave the hackers the opportunity for the data breach to occur. In this way a company is liable to a fine if it has not put the right safeguards in place. For CEOs, this is perhaps a wake-up call to increase security analytics budgets, and to make sure that any breaches are detected at an early stage. The auditing functions of the security infrastructure might also need to be tightened, so that the controls are fully tested.

What is clear from the ruling is the focus on the lack of protection of personal data, and that organisations need to make sure they protect it from loss, damage or theft.

Today, there will be a few risk analysts doing some re-calculations. They might predict that their company is likely to be hacked once every three years, and that this will cost the brand £X million, that the loss of trade will be £Y million, and that it could lead to a fine of £Z million. They will then be recalculating their Annualised Loss Expectancy (ALE) as £(X+Y+Z)/3 million. After the BA fine announcement, the Z value will probably have to be revised upwards, so CEOs might now be re-calculating their investment in cyber analytics in order to guard against these losses.
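The recalculation above, written out as an added example (not code from the original post) using the post's own symbols: X, Y and Z are in £ millions, the revised fine Z is capped at the 4% of worldwide turnover that the post cites as the GDPR maximum, and the sample figures are constructed, not BA's.

```python
from dataclasses import dataclass, replace

# Assumption from the post: GDPR caps a fine at 4% of worldwide annual turnover.
GDPR_MAX_FINE_FRACTION = 0.04


@dataclass(frozen=True)
class BreachLossModel:
    """One breach costs £(X+Y+Z) million and is expected every `years_per_breach` years."""
    brand_damage_x: float    # £m, damage to the brand
    lost_trade_y: float      # £m, loss of trade
    fine_z: float            # £m, regulatory fine
    years_per_breach: float  # e.g. 3.0 -> annual rate of occurrence of 1/3

    @property
    def single_loss_expectancy(self) -> float:
        """SLE: cost of one breach, £(X+Y+Z) million."""
        return self.brand_damage_x + self.lost_trade_y + self.fine_z

    @property
    def annual_rate_of_occurrence(self) -> float:
        return 1.0 / self.years_per_breach

    @property
    def annualised_loss_expectancy(self) -> float:
        """ALE = SLE x ARO, i.e. £(X+Y+Z)/years million as in the post."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def gdpr_fine_ceiling(worldwide_turnover_m: float) -> float:
    """Largest fine GDPR allows for a given worldwide annual turnover (£m)."""
    return worldwide_turnover_m * GDPR_MAX_FINE_FRACTION


def revise_fine(model: BreachLossModel, new_fine_z: float,
                worldwide_turnover_m: float) -> BreachLossModel:
    """Copy of the model with Z revised, never above the GDPR ceiling."""
    capped_z = min(new_fine_z, gdpr_fine_ceiling(worldwide_turnover_m))
    return replace(model, fine_z=capped_z)


def ale_increase(before: BreachLossModel, after: BreachLossModel) -> float:
    """Extra expected annual loss: the figure weighed against an analytics budget."""
    return after.annualised_loss_expectancy - before.annualised_loss_expectancy


if __name__ == "__main__":
    # Constructed figures: brand £20m, lost trade £10m, old fine £0.5m, breach every 3 years.
    before = BreachLossModel(20.0, 10.0, 0.5, 3.0)
    after = revise_fine(before, new_fine_z=183.0, worldwide_turnover_m=12_000.0)
    print(f"ALE before: £{before.annualised_loss_expectancy:.2f}m, "
          f"after: £{after.annualised_loss_expectancy:.2f}m, "
          f"increase: £{ale_increase(before, after):.2f}m")
```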

Conclusions

We have seen the rise of the SOC (Security Operations Centre), and many of our graduates have moved into security analytics roles. Overall, it is a great career path, from which those involved can move into many other areas, including threat hunting, risk analysis, and open source intelligence.

On the back of this fine, we should see increased investment in SOCs, with many companies moving this to external providers — as it is increasingly difficult for many companies to recruit the staff required to support an internal SOC. Companies which provide these services — such as Secureworks, Ardama (prev ECS Security) and Quorum Cyber — are likely to see vast growth in their core business. Companies, too, will have to increasingly invest in threat hunting, in order to stop threats before they even begin.

The days of saying … “We just didn’t know it was happening” have gone; welcome to the world of 24x7 threat monitoring.