In late 2014, FBI Director James Comey made what was, at the time, an alarming allegation against a supposed network of Chinese hackers. He suggested that every US firm had either ‘been hacked or didn’t know they’d been hacked’ by the Chinese, and went on to say that he thought each breach would end up costing the US economy billions of dollars.
Clearly, such claims are not without merit. The vagueness of his allegation gives Comey a layer of protection against legal action – an entire country’s population are unlikely to sue one man – but the evidence would suggest that at the very least, Comey has a point. However, Comey didn’t need to vilify an entire nation, and didn’t need to go to the extent that he did to make a point about corporate data security.
Comey could have said that US businesses are more vulnerable to a security breach than they were five years ago. Some of the world’s most recognisable firms have been targeted by hackers in the past 18 months, and the new FBI Director telling business directors to be alert would be prudent advice. He could also have said that the internet makes the threat of a cyber-attack real from anywhere in the world. The reality is that the hacker’s location is irrelevant, and Comey would hardly have been putting the cat amongst the pigeons by saying that the cyber threats are more varied and more frequent.
However, he chose to pit his nation against another, and although his words are likely to have been spoken for publicity and awareness rather than to cause an investigation to take place, Comey will have left his mark. Aside from the controversy, his suggestion has a pertinence that should raise eyebrows with every UK business owner. The emerging ‘David vs. Goliath’ theme in cybersecurity does increase the vulnerability of corporate data, and as Morgan Stanley, Experian and Sony can attest, being bigger than the hacker doesn’t guarantee anything.
As we near the end of 2016, the security risk for businesses of all sizes in the UK is as great as it has ever been. The world’s largest firms have fallen victim to targeted attacks, with PwC delivering a report which supports Comey’s theory that suffering a hack is just a matter of time. Moreover, the smaller budgets of smaller businesses often mean they are an easier target for a ‘brute force’ attack – where a weak link in a company’s network is exploited by a computerised trial-and-error system.
Worse still, companies that compromise on their cyber security by cutting costs with products designed for consumers could suffer the worst repercussions. Business users of Outlook.com, Googlemail or Yahoo! Mail are at greater risk than users of the corporate mail products of those companies, as the encryption, permission settings and data loss prevention measures included in the corporate versions are absent from personal accounts. This may seem insignificant, but the potential cost of a breach which results from using a sub-standard mail system is too great not to address.
A data security breach can cost a UK SME more than £300,000. As well as the huge financial burden of such an event, the damage to a brand’s reputation could be devastating. Whether you are a one-person start-up or an established multinational firm, you are faced with constant threats to the security of your data. In the same way you wouldn’t leave the door to your house open at night, the risk of not addressing your cyber security is too great to ignore.