TalkTalk Attack Shows Firms Have No Place to Hide From Hackers

TalkTalk Telecom Group Plc Chief Executive Officer Dido Harding

Photographer: Chris Ratcliffe/Bloomberg

  • Risks are spreading well beyond most prominent companies
  • Real risks of cyber-hacking may still not be understood

TalkTalk Telecom Plc wouldn’t be at the top of anyone’s list of likely targets for sophisticated computer hackers.

The provider of inexpensive broadband packages has less than one-twentieth the revenue of Vodafone Group Plc, little of the globe-spanning telecommunications backbone of a company like BT Group Plc, and certainly none of the temptingly vast financial flows of a big bank like Barclays Plc.

TalkTalk is nonetheless reeling from a cyber-attack on its website that knocked as much as 11 percent off its market value at one point on Friday, and put the London-based company in the headlines around the world for all the wrong reasons. Its predicament, security experts say, shows how hacking has become a danger to virtually all companies regardless of size, prominence, or perceived vulnerability.

"How many of the Fortune 500 are hacked right now? The answer: 500. They all have security breaches, big or small," said Mikko Hypponen, Chief Research Officer at Helsinki-based cyber-security company F-Secure Oyj. "If you have a big enough infrastructure, you won’t be able to secure all of it."

Sustained Attack

TalkTalk’s crisis began on Wednesday, when it was hit by a "significant and sustained" attack on its website that might have compromised banking and credit-card data, as well as personal information. It later received a ransom demand from attackers it didn’t identify, who wanted payment in exchange for relinquishing customer data.

So far relatively few of the highest-profile hacks, like the 2014 crisis at Target Corp. and a recent assault on customers of T-Mobile US Inc., have targeted U.K. or European companies, and their response has been correspondingly restrained. In its most recent global information security survey, consultancy PricewaterhouseCoopers found almost a quarter of North American companies it surveyed spend more than $5 million a year on cyber-security, compared with about 19 percent in Europe.

The British government is concerned that U.K. firms are very vulnerable to attacks both from criminal groups looking for financial gain and state-sponsored cyber-spies, according to a senior security official who asked not to be identified discussing a private matter. As a result it’s trying to upgrade investigative and intelligence capabilities without creating a moral hazard that would discourage companies from taking steps to protect themselves, the official said.

Potential Vulnerabilities

Companies seeking to avoid becoming the next TalkTalk, Target or T-Mobile must contend with a bewildering array of potential vulnerabilities within their own systems and those of vendors and customers. The Target hack, which resulted in the theft of millions of credit-card numbers, was reported to have begun with a supplier of heating and air-conditioning units that had access to Target’s systems.

To make matters more complicated, only a small proportion of breaches prove to be serious threats -- and "finding the needle in the needle stack that could really hurt you" is an enormous challenge, said Richard Turner, who heads operations for Europe, the Middle East and Africa at security firm FireEye Inc., which alerted Target to its hack. The problem will only grow as devices from refrigerators to lighting systems get Internet connections of their own as part of the broader move toward an "Internet of Things" -- each one its own potential point of access.

And even a robust security system can be defeated by a careless employee who opens the wrong attachment or plugs a USB key infected with malware into an office computer.

Overblown Threat?

Banks and other companies that handle financial flows and detailed personal data need to be especially vigilant, for obvious reasons. A 2014 hack at JPMorgan Chase & Co. used stolen login details to access a server that didn’t require "two-factor authentication," or a one-time code generated with a physical device or sent by text message, for entry. From there, attackers were able to access data on millions of households.

To be sure, not all cyber-security experts are convinced that companies routinely face catastrophic threats from hackers. It’s in the interest of security companies and consultants to overstate risks and their ability to respond to them, said Ross Anderson, a professor of computer science at the University of Cambridge. For the most part, "cyber-criminals do volume petty crime and take care to stay below the thresholds" that would attract a significant law-enforcement response, he said -- an annoyance to companies, but not an existential challenge.

There’s some evidence that the latest high-profile attack was less masterfully executed than it might have first appeared. TalkTalk over the weekend told customers that it yielded only partial credit-card numbers, and that fewer customers than it originally thought were affected.

TalkTalk rivals Sky Plc and Liberty Global Plc declined to comment on their security arrangements. EE, the largest U.K. mobile operator, said in a statement that no customers were affected by the incident at TalkTalk, and that it has "robust security measures in place" to safeguard data, as did Vodafone.

The real risks of cyber-hacking may only become clear if and when critical infrastructure -- like power plants and water grids -- comes into the cross-hairs for attack by sophisticated groups.

Some companies or governments "are certainly going to come up short if subject to a real significant and sustained attack," said Robin King, CEO of U.K.-based cyber-defense company Deep Secure. "I do not think we have yet seen the tip of the iceberg."
