
Building cyber resilience for businesses in 2024

The BBC series “Nightsleeper” has attracted mixed reviews. As a previously regular traveller on the Glasgow-London sleeper, I couldn’t help but watch it. The plot involves a cyber incident on an overnight train which results in the train’s onboard computers being controlled by “bad actors”, with no actual driver on board. (“Bad actors” is a commonly used term for cyber criminals; I’m not criticising the thespian performances in the show.) At the moment, I’ve only seen the first two episodes so don’t know how it ends.

While aspects of the train “hack” and its eventual resolution have obviously been dramatised for effect and entertainment, the prospect of a serious security incident or hack is one of the biggest risks many businesses now face. Increasing reliance on technology, combined with the increasing sophistication of the methods used by cyberattackers, means that attempts to extract money and disrupt businesses happen every day. These might involve identity fraud and scams designed to provoke banking or payment errors. Or they might involve “ransomware” attacks, where attackers seek to capture and encrypt an organisation’s data, potentially paralysing its operations and its ability to service customers, or to commit further security breaches, unless a “ransom” payment is made. Many will involve trying to acquire personal information or data about individuals which can be used for further criminal activity.

In most cases, these attacks work by exploiting gaps in an organisation’s resilience. These might be vulnerabilities in software or networks, weaknesses in processes or straightforward human error. And the legal and commercial pressures on businesses to manage and control these risks are increasing. Under GDPR, businesses are expected to process personal data in a way that ensures “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

All businesses should therefore be thinking carefully about what appropriate measures ought to be taken, and these involve “organisational” measures around service design, people and process, not just technology. What is “appropriate” also needs to be thought about. Invariably, this will require assessment of risks, comparisons against recognised industry good practices and responsiveness to address any identified weaknesses.

As a consumer, unless you live completely “off-grid”, you will experience the effects of this every day. Multi-factor authentication to access online bank accounts, answering security questions, identity checks and added customer verification processes are the sorts of things businesses do to control the use and protection of information.

For businesses, protecting and operating resilient systems and technology is fundamental. The impact of getting it wrong can be very damaging, just like an out-of-control, runaway train. In contract negotiations, many customers will insist on severe legal remedies for security breaches, incidents, or downtime caused by cyber incidents. These often sit outside agreed limitations of liability because of the risk involved. Designing operations to mitigate and manage those risks is now a key task for any business. While the specialist input and professional advice needed can appear expensive, it is usually a lot less than the cost of remedying a cyber incident.

About the author

Liam McMonagle

Partner

Corporate & Commercial, Data Protection & GDPR, Intellectual Property, Trade Marks

For more information, contact Liam McMonagle on 03330 166583.