Cyber incidents 2023
At the beginning of 2021, the world realised that we had not completely put the unprecedented challenges of the previous year behind us. The healthcare industry continued to battle the COVID-19 pandemic, whilst suffering in parallel with increasingly sophisticated cyber attacks. The ransomware attackers that propagated in 2020 are as rife as ever, illustrated by the increasingly damaging techniques and processes employed.
In VMware’s Global Incident Response Threat Report, it was reported that cybercriminals now use the method of manipulating reality in their attempts to execute cyber-attacks. And, as a result of increasing remote-work environments over the last two years, around 32% of attackers are using business communication platforms such as Microsoft Teams, Zoom and Teams, to navigate around an environment and launch sophisticated attacks. This year’s Verizon report is the biggest one yet, with the Verizon team analysing 23,896 security incidents, of which, 5,212 were confirmed data breaches.
But what is a cyber-incident? And when should you report it?
According to the National Cyber Security Centre (NCSC), A cyber incident is:
“a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”
Out of the 819 cyber-incidents reported to the FCA in 2018, 93 were confirmed as a type of cyber-attack such as DDoS, Malware or Ransomware of which the majority, not surprisingly, were phishing attacks. However, the most frequent incidents at 174 out of 819, were third-party failures.
I found this article dating back to April 2017 which refers specifically to the issue of UK firms not being prepared for third-party failures and at the same time having an over-reliance on third parties. This figure seems to suggest that not a lot has improved here although, in the 2 years since this article, I would say that businesses have been further pushed towards third party cloud services as that industry has grown, so the important takeaway here is that management of third-party suppliers is in need of improvement. For a full review of how to manage your suppliers, I suggest you read our supply chain security guide.
The second highest cause of cyber-incidents at 157 were issues with hardware and software, which cause service disruption. Again, reliance on third parties and third-party products and services is an area of security risk to be managed.
When to report a cyber-incident
Creating an incident response plan can help you to strategize your communication plans in the event of an incident. When to report a cyber incident and who to, varies depending on the consequences of the event and the industry.
Operators of Essential Services (OES) fall under the Network and Information Systems (NIS) Regulations along with other services critical to the economy and wider society such as water, transport, energy, healthcare and Digital infrastructure. NIS regulations came into force in May 2018 just before GDPR, though with a lot less fanfare.
OES’ have breach-reporting obligations under NIS. The banking sector falls within NIS and cyber incidents must be reported to the FCA, under NIS Regulations, when computer systems and the digital data stored and processed within them are compromised.
Under the UK General Data Protection Regulation, if a cyber incident results in “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, the data controller must inform the ICO within 72 hours using the GDPR process, if there is deemed a risk to the rights and freedoms of individuals. If the risk is high, the breach must also be reported to the affected data subjects.
Non-compliance with GDPR can risk a fine of up to £17 million or 4% of annual turnover whichever is greater but the costs to the organisation, separate from any fine levied, may be significant and include the cost of reputational damage and lost business. Non-compliance with the NIS Regulations risks a fine of up to £17 million also. The GDPR and NIS are separate laws so it is possible that a single cyber-incident that infringes both sets of regulations could lead to double enforcement action from both the ICO and the relevant NIS competent authority.
The increased reporting of cyber-incidents in the finance sector over 2019 is undoubtedly linked to the introduction of the GDPR and NIS regulations in May 2018. Uncertainty regarding what needs to be reported has led to a belt and braces approach by firms fearful of falling foul of the new laws.
Need help with building a robust cyber security strategy?
If you would like to discuss your cyber security posture, contact our friendly team of cyber security experts.
"*" indicates required fields