4 CYBER VULNERABILITIES AND IMPACTS

In this chapter, we shall examine the reasons why cyber-attacks succeed – cyber vulnerabilities. These include policy, process and procedure vulnerabilities, technical vulnerabilities, people-related vulnerabilities, and physical and environmental vulnerabilities. We will also consider the damage or consequences that can result from a successful attack – cyber impacts. These include personal impacts and organisational impacts.

CYBER VULNERABILITIES

Any weakness that can be exploited to mount an attack on a network, system or service is termed a vulnerability.

While we may be unable to take preventative action to ward off threats and hazards, vulnerabilities are things that we can often take steps to reduce or even eliminate altogether, such as software bugs.

Some vulnerabilities reflect the nature of the asset, for example the ability of data on magnetic media to be overwritten or deleted. These are sometimes referred to as intrinsic vulnerabilities since they are part of the essential nature or constitution of the subject matter. Others result from some accidental or deliberate action or inaction, for example failure to undertake regular backups. These are extrinsic vulnerabilities, as they are not part of the essential nature or constitution of the subject matter but arise from something outside it.

The vulnerabilities themselves, and indeed the methods (or controls) we may use to treat them, come in many shapes and sizes. Most of them arise from failures to have or to adhere to policies, processes and procedures. Significantly less frequent, but also potentially serious, are the technical vulnerabilities. People-related vulnerabilities are also a major area of concern, as are environmental vulnerabilities.

Policy, process and procedure vulnerabilities

While many organisations have robust policies and procedures in place – either to ensure that the right things happen and in the correct sequence, or to ensure that the wrong things don’t happen or happen in the wrong sequence – they are occasionally either overlooked or simply given lip service. This section highlights some of the key policies and procedures that organisations might overlook or fail to undertake.

Failure to have an overall information security policy

The failure of an organisation to put in place an overall information security policy comes right at the top of the list of vulnerabilities. Security policies do not need to be lengthy or complex but should state clearly and simply what formalities the organisation requires to be in place and make it clear that people must adhere to them.

The lack of, or poorly written, access control policies

The lack of a formal access control policy, or one that is inappropriate for the needs of the organisation, is the next port of call; a missing policy, or one that is not properly communicated to staff, can cause severe repercussions. Access to buildings (especially data centres), computer rooms and network facilities, systems, applications and information should only ever be given on the basis of the user’s business need and should always be approved by their line manager and countersigned by the manager responsible for the location, system, application or information.

Failure to change user access rights when changing role or leaving the organisation

Another vulnerability connected with this is poor access control procedures for users changing roles or leaving the organisation. Continued access to locations, systems, applications and information is frequently overlooked when an individual changes role. A method of combating this is that of role-based authentication, in which the user gains access by means of both their job function and their identity, rather than by their identity alone.

On leaving the organisation, the user’s access rights should be immediately revoked so they can no longer access the organisation’s premises, network, systems, applications and information.

Inadequate user password management

One of the most frequent vulnerabilities is poor password management. In the past, this included the failure to enforce regular password changes together with a test of password strength. However, the US NIST has recently deemed that frequent changes are unhelpful to users and that strength checkers may not be sufficiently robust. Instead, new guidelines have been developed1 that rate password length and hashing method2 (a process of one-way encryption of the password) as being more user-friendly by placing the burden on the verifier rather than the user.
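The shift the paragraph describes, from burdening the user with composition rules and forced changes to burdening the verifier with length checks, a breached-password blocklist and a slow salted hash, is easy to show in code. The following is an added example, not code from the book or from NIST; it follows the NIST SP 800-63B recommendations as I understand them, uses a small constructed blocklist in place of a real breach corpus, and uses scrypt from Python’s standard library as the one-way hashing method (the parameters are an assumption, not a recommendation from the page).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed blocklist standing in for a large corpus of breached passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "1234", "password1"}

MIN_LENGTH = 8    # minimum for a user-chosen memorised secret
MAX_LENGTH = 64   # the verifier must accept at least this many characters

# scrypt work factors (assumed values; ~16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def check_password_policy(password: str) -> Tuple[bool, str]:
    """Verifier-side checks only: length and a breach blocklist.
    No composition rules (digits, symbols) and no expiry are imposed."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(password) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    if password.lower() in BREACHED_PASSWORDS:
        return False, "appears in breach list"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted, memory-hard hash. Returns 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def enrol(password: str) -> Optional[str]:
    """Full enrolment flow: policy check, then store a salted hash.
    Returns the stored string, or None if the password was rejected."""
    ok, _ = check_password_policy(password)
    return hash_password(password) if ok else None


if __name__ == "__main__":
    print(check_password_policy("1234"))
    stored = enrol("correct horse battery staple")
    print(stored is not None, verify_password("correct horse battery staple", stored))
```

Note that the only thing the user is asked for is length; everything else (blocklist lookup, slow hashing, constant-time comparison) is done by the verifier, which is the point the NIST change makes.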

The continued use of default system accounts and passwords

An extremely common vulnerability is the continued use of default factory-set accounts and passwords for new and upgraded systems. Many individuals in the hacking world are aware of these and circulate them around the community. The failure to change or hide wireless network identities or service set identifiers (SSIDs) will allow an attacker to pinpoint target networks, and if the default administrator passwords have not been changed or the security level enhanced, these provide a simple and highly attractive entry point into an organisation’s network.

The continued use of inbuilt system accounts and passwords

Worse still than the continued use of default settings, there may sometimes be a tendency to allow one system to connect to another by embedding user IDs and passwords within applications. This is a highly dubious practice since a change on one system or another can easily result in application failures.

The lack of security of mobile devices

Many organisations fail to secure mobile devices, whether these are supplied by the organisation or brought in by the users themselves (bring your own device; BYOD). Unless configured to a pre-determined standard, mobile devices generally are relatively insecure and easily lost, mislaid or stolen, making both the device and the network to which it can connect equally vulnerable.

The lack of network segregation

Network segregation is commonplace in larger organisations, in which different networks are constructed according to the business requirement, and particularly according to their confidentiality, integrity and availability requirements. For example, an organisation with a significant research capability might well place this on a different internal network than that for finance or general administration use.

Failure to restrict access to networks according to use is a very common vulnerability and may allow people to reach resources to which they have no entitlement.

Failure to impose a clear-desk and clear-screen policy

The lack of a clear-desk and clear-screen policy again is a very common vulnerability. Some organisations make it a disciplinary offence for an employee to leave confidential materials in plain view or to fail to log out of or secure their workstation when they are away from their desk.

Restriction of administration rights usage

Unwarranted access to administration accounts is a frequent vulnerability. Only trained and authorised personnel should have administration rights and that should include user computers as well as central systems and networks. Also, administrators should have two accounts, one with the administrator rights for undertaking such work and a second ‘standard’ user account for day-to-day activities such as email, internet access and office work.

The use of untested software

It is good practice for organisations to test new or updated software, including the testing of patches before they go into a production or general-use environment. Untested software may not only cause operational issues if it fails to work as expected, but in cases where it is used in conjunction with other applications it can have a knock-on effect resulting in an embarrassing chain of consequences. See also ‘The lack of a patching and updating regime’.

Failure to restrict the use of system utilities

Although a relatively minor vulnerability, the failure to restrict the use of system utilities such as a terminal console application – normally by setting access privileges within the user’s profile – can result in users carrying out activities that are detrimental to their own device or to other systems, applications or information within the organisation.

Lack of separation of duties

In some situations, it is possible for staff to allow attackers to take advantage of access to information that they might not normally have. This ties back into access control, in which access to information might benefit from being role dependent.

Staff should not be placed in a position, for example, where they can not only raise requisitions for orders but also authorise them for purchase.
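The two access control points made above, that access should follow the user’s role rather than their identity alone (so that a role change or departure drops the old entitlements), and that nobody should be able both to raise and to approve the same requisition, can be shown together. The following is an added example, not code from the book; the roles, permission names and requisition workflow are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Static role -> permission mapping (constructed for this example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "requisitioner": {"requisition:raise"},
    "approver": {"requisition:approve"},
    "finance_manager": {"requisition:raise", "requisition:approve", "ledger:read"},
}


class AccessControl:
    """Entitlements are derived from a user's current roles and never stored
    per user, so changing role or leaving removes the old access automatically."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: %s" % role)
        self._roles.setdefault(user, set()).add(role)

    def change_role(self, user: str, new_role: str) -> None:
        # Replace rather than accumulate: the mover keeps only the new role.
        self._roles[user] = set()
        self.assign_role(user, new_role)

    def revoke_all(self, user: str) -> None:
        # Leaver process: no roles means no permissions anywhere.
        self._roles.pop(user, None)

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, set())))

    def allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


@dataclass
class Requisition:
    ref: str
    raised_by: Optional[str] = None
    approved_by: Optional[str] = None


def raise_requisition(ac: AccessControl, req: Requisition, user: str) -> None:
    if not ac.allowed(user, "requisition:raise"):
        raise PermissionError("%s may not raise requisitions" % user)
    req.raised_by = user


def approve_requisition(ac: AccessControl, req: Requisition, user: str) -> None:
    if not ac.allowed(user, "requisition:approve"):
        raise PermissionError("%s may not approve requisitions" % user)
    # Dynamic separation of duties: even a role that carries both permissions
    # may not approve a requisition the same person raised.
    if req.raised_by == user:
        raise PermissionError("%s raised %s and may not also approve it" % (user, req.ref))
    req.approved_by = user


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("carol", "finance_manager")
    r = Requisition("REQ-2")
    raise_requisition(ac, r, "carol")
    try:
        approve_requisition(ac, r, "carol")
    except PermissionError as e:
        print("blocked:", e)
```

The static mapping handles the first problem (a mover’s old role is simply replaced), while the check in approve_requisition handles the second: a finance manager whose role legitimately carries both permissions is still stopped from approving their own order.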

Inadequate network monitoring and management including intrusion detection

Inadequate network management, including the monitoring of hacking and intrusion attacks, will mean that successful attacks and intrusions may be overlooked, with little or nothing known about their occurrence until much later, when the network change has already been implemented.
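The kind of monitoring the paragraph calls for can be as simple as reading authentication logs for patterns that a human would otherwise only notice much later. The following is an added example, not code from the book: it parses constructed sshd-style log lines (ISO timestamps and addresses from documentation ranges, both made up for this example) and raises an alert when one source address fails a threshold number of logins within a time window, and a second alert when a login from that address then succeeds. The threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample log. 203.0.113.7 hammers the host and then gets in;
# 10.0.0.5 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:02 sshd[2202]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:03 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
2024-03-01T09:00:04 sshd[2204]: Failed password for invalid user admin from 203.0.113.7 port 51028 ssh2
2024-03-01T09:00:05 sshd[2205]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-03-01T09:00:06 sshd[2206]: Failed password for invalid user oracle from 203.0.113.7 port 51032 ssh2
2024-03-01T09:00:09 sshd[2207]: Accepted password for deploy from 203.0.113.7 port 51040 ssh2
2024-03-01T09:03:00 sshd[2210]: Failed password for alice from 10.0.0.5 port 40001 ssh2
2024-03-01T09:03:05 sshd[2211]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
2024-03-01T09:03:06 sshd[2211]: Connection closed by 10.0.0.5 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an authentication event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines: Iterable[str], threshold: int = 5,
           window_seconds: int = 60) -> List[Tuple[str, str, object]]:
    """Sliding-window count of failures per source address.
    Emits ('brute_force', ip, threshold) once when the threshold is reached
    and ('success_after_failures', ip, user) if a login then succeeds."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Drop failures that have fallen outside the window.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append(("brute_force", ev["ip"], threshold))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts


def run_demo() -> List[Tuple[str, str, object]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The second alert is the one worth paging somebody for: a burst of failures followed by a success from the same address is exactly the event that, without monitoring, would go unnoticed until much later.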

The use of unprotected public networks

Many attacks are caused by unprotected public network connections, which allow an intruder to gain easy access to an organisation’s network, including the use of shared computers in public environments such as internet cafés and the use of unauthorised and unsecured or poorly secured wireless access points (WAPs).

The uncontrolled use of user-owned wireless access points

Occasionally, users of an organisation’s networks will discover ways of subverting the organisation’s security procedures and will attempt to connect their devices to parts of the network to which they have no entitlement. One way in which this is achieved is by connecting in a ‘rogue’ WAP to which they have unrestricted access. One of the main issues with this is that the security settings of such WAPs might not be as strict as those of the organisation itself, and while the users may be able to access the network, so might an attacker if the access point has either poor or no security configured.

Poor protection against malware and failure to keep protection up to date

Malware protection software, especially antivirus software that is not kept up to date, will make an attacker’s job much easier. Attackers will take advantage of any means of access available to them, and often are aware of vulnerabilities in applications and operating systems long before a supplier’s update is available. Delays in updating these applications leave an organisation wide open to attack.

The lack of a patching and updating regime

As with the regular updating of malware protection software, the failure to install manufacturers’ software patches will leave operating systems and application software open to attack. See also ‘The use of untested software’.

Inadequate and untested backup and restoral procedures

Most organisations nowadays carry out regular backups of user data. However, it is far rarer for them to verify that these backups are actually fit for purpose and that information can actually be successfully restored from the backup media. This again presents a serious vulnerability, since backup media that does not fulfil its objective is just as bad as having no backup regime at all.
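A restore test does not have to be a manual exercise. The following is an added example, not code from the book: it records a SHA-256 manifest of the live data when the backup is taken, restores the archive into a scratch directory, and reports every file that is missing, altered or unexpected. The sample files, archive names and the simulated failed backup job are all constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of source and a manifest alongside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Actually restore into a scratch directory and compare with the manifest."""
    problems: List[Tuple[str, str]] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # Python 3.12+: refuse unsafe members
            except TypeError:
                tar.extractall(dest)                 # older Python has no filter argument
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(("missing", rel))
            elif restored[rel] != digest:
                problems.append(("corrupt", rel))
        for rel in restored:
            if rel not in manifest:
                problems.append(("unexpected", rel))
    return not problems, problems


def run_demo() -> Tuple[bool, bool, List[Tuple[str, str]]]:
    """Good backup verifies; a backup taken after a file was lost and another
    truncated (simulating a silently failing job) does not."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "accounts.csv").write_text("id,name\n1,alice\n")   # constructed data
        (live / "notes.txt").write_text("constructed sample data\n")

        good = work / "backup-good.tar.gz"
        manifest = create_backup(live, good)
        good_ok, _ = verify_restore(good, manifest)

        (live / "db" / "accounts.csv").unlink()
        (live / "notes.txt").write_text("constructed")
        bad = work / "backup-bad.tar.gz"
        create_backup(live, bad)
        bad_ok, problems = verify_restore(bad, manifest)   # check against the original manifest
        return good_ok, bad_ok, problems


if __name__ == "__main__":
    print(run_demo())
```

The point of restoring into a scratch directory rather than merely listing the archive is that it exercises the same path a real recovery would take; an archive that lists correctly but cannot be extracted is exactly the case the paragraph warns about.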

Improper disposal of ‘end of life’ storage media

Once storage media have reached their end of life, they should be properly disposed of or wiped before reuse. There are numerous stories in the press regarding people who have bought second-hand computers only to find that the hard drives still contain sensitive or personal information that had not been securely removed prior to the sale. Some organisations will not allow magnetic media of any kind to be resold and insist that disposal is irreversible.

There are examples of computers that have been bought with the original user’s data still intact, as well as computers left on trains without password protection.3

The lack of robust ‘bring your own device’ policies

The concept that an organisation’s staff can bring their own device to work has become very popular, since it can reduce the IT hardware costs to an organisation. However, the lack of appropriate policies for its use and the lack of enforcement can bring about serious breaches of security, especially in situations where other members of a user’s family have access to the same device.

In 2010, one organisation was badly affected by a virus that was brought in on a user’s own personal computer. The machine had been used over a weekend by the user’s teenage son, who had unwittingly accessed a website that contained malware. The resulting infection spread throughout a large part of the organisation’s network and took its entire IT department several days to clear up. The user (a senior manager) was cautioned, but unfortunately the same event happened the following week, and the user was then banned from bringing in his own machine. What action he took against the offending teenager remains a mystery to this day.

Inadequate change management procedures

Inadequate change control can lead to software and patches being rolled out to the user population, new systems and services and network connections being made and redundant systems being removed without full consideration (and risk assessment) of the consequences. In smaller networks, change control can easily be vested in one or two people on a part-time basis, but as an organisation’s network grows, it may be necessary to employ a full-time team with representatives from multiple business units.

The lack of audit trails, non-repudiation of transactions and email messages

In some sectors, it is vital that online transactions and email correspondence are subject to detailed logging and non-repudiation. In many applications, this audit trail is built into the operating software, and in the event of a dispute regarding ‘who did what’, or ‘who said what’, those organisations that are able to produce evidence in their favour will greatly reduce their risk profile.

The lack of segregation of test and production systems

Those organisations that employ large-scale systems and application testing prior to roll out are open to problems if they fail to separate test and operational facilities, since users may inadvertently connect to a test system resulting in failed transactions. Likewise, users who are supposedly testing a new system might inadvertently cause problems on a live system.

Unacceptable use

It is not only good practice for organisations to include acceptable use statements in contracts of employment, but it should be mandated, whether for hiring permanent staff or taking on external contractors, so that staff members and contractors have no excuse for not knowing that they may not visit inappropriate websites, send or receive inappropriate emails via the organisation’s network, or post inappropriate material on social networks or web blogs.

The uncontrolled copying of business information

Operational management should limit the uncontrolled copying of information by users who have no need to access it – again, this is also largely an access control issue, but the identification of such activity may fall into a different management area. This includes the use of USB memory sticks and shared network drives.

Poor management of remote users

Although working from home was prevalent prior to the Coronavirus outbreak, it suddenly became a major factor in allowing organisations to continue operations, albeit possibly in a much reduced capacity. Even those organisations that had previous experience of this found themselves in the position of having to drastically increase their remote access capability, while those who had never experienced it suddenly found themselves at the mercy of both hardware and broadband suppliers.

Both kinds of organisation, faced with similar issues, stood the chance of allowing security considerations to be forgotten in the haste to equip their infrastructure.

Not only does working from home require a process to define how users connect to the organisation’s infrastructure, but also what physical network changes will be required in order to accommodate a larger number of external users, and a correspondingly reduced number of internal ones. Such a policy would need to be sufficiently flexible to allow for sudden alterations to the configuration as the working from home/working from the office situation changes.

Technical vulnerabilities

Technical vulnerabilities are sometimes less obvious to spot but are frequently highly dangerous. These could also be considered to be failures of policy, process or procedure, but are sufficiently significant to warrant their own section.

Poor coding practice

Poor coding practice is potentially one of the most serious issues around today. The IoT has brought us an increasing number of internet-connected products such as baby monitors, CCTV systems, home entertainment systems and environmental control systems. Many of these have been shown to have little or no security within the application software that runs within the IoT device itself, and also frequently in any application that is used to control it.

Such failings will undoubtedly have drastic consequences, since an attacker can not only attack and take control of the device itself but may well use it as a stepping stone to other devices on the network. Even if a vulnerability is discovered and hopefully fixed, the chances of it being possible to roll out the corrected code to the entire user base are not great, especially if a device has already been compromised.

In January 2017, it was announced at the Consumer Electronics Show (CES) that a number of manufacturers are developing routers with inbuilt security software designed to protect IoT devices that have inadequate security.4 This might be a possible solution to the problem, since consumers will only have to place their trust in one system to protect all their IoT devices and applications, but it will almost certainly encourage laziness from the manufacturers of IoT devices and applications as they will feel there is no point in trying to make their product secure.

It also implies that a security breach of the user’s router would become a single point of failure in the overall network, thereby allowing an attacker to access multiple IoT devices at will.

Indeed, poor coding practice is not limited to the IoT environment – it affects operating systems and applications as well, and combined with backdoors that allow a programmer to test code more easily, these types of vulnerability are among the oldest in the book.

Poor specification of requirements

Poor coding practice often originates from poor specification of requirements for the product or service. It is a long-held view that it is always better to design security into a product from the beginning rather than trying to patch it in later on, and this concept is now a legal requirement within the GDPR to build data protection into devices that make use of personal data (Article 25), but many organisations still persist in this bad practice, and some have been fined as a result.

Poor quality assurance and testing

Hand in hand with poor coding practice runs poor quality assurance and testing. It is easy to imagine that a programmer developing the software for an IoT device might well also be responsible for its functionality testing, in which case (given the lack of a security requirement in the product’s specification) the problem will be exacerbated, since the developer/tester will be oblivious to any likely security issues.

Single points of failure

Any organisation that delivers services over the internet, or indeed internally to its staff, must consider the possibility of single points of failure (SPoFs) as a major vulnerability. These SPoFs include the main computer system, its operating system, software applications, firewall technology, network connectivity, web servers and any front-end load balancing systems. The service design must consider the possibility of failure of any one of these components, leading to an overall failure of service, and the design must be planned so that this does not happen. Many organisations have found to their dismay that certain members of staff can also represent a single point of failure.

At the time of writing, the EU has provisionally agreed the introduction of the Digital Operational Resilience Act (DORA), designed to ensure that the information and communications technology (ICT) systems of financial institutions are sufficiently resilient to failure, although, following the UK’s departure from the EU, the UK will not be obliged to follow the EU reforms. However, financial entities operating in the UK, together with their service providers, should be aware that the finalised Act may have some bearing on the more general ICT risks they will be obliged to assess under current UK law and regulation. Following the Queen’s speech in May 2022, the UK government will look to introduce a ‘Financial Services and Markets Bill’, which would replicate the EU’s DORA legislation.

Technical attack vectors: end point devices

Internet Protocol cameras

In recent years, partly as a result of the dramatic reduction in their cost, people have installed IP security cameras to allow them to view visitors to their property. Some are simple cameras, pointed at (for example) an entrance to the property. Others allow a degree of pan, tilt and zoom (PTZ) capability. These are generally passive in nature, allowing the user to connect to them and view the current situation; others can generate a notification to the user if someone enters a prescribed area. Other cameras are contained within the doorbell button, and will not only allow notification to the householder, but also an ability to respond in voice to the visitor.

While these cameras provide a degree of security (or at least the feeling of security), they can also be a weakness, since (if compromised) they could be sending video information to an unknown IP address, allowing, for example, an intruder to know when the property is unoccupied.

Fitness treadmills and body-worn fitness trackers

The more advanced fitness treadmills are internet-connected, allowing the user to track the distance they run, monitor their heart rate, and interconnect with other users as part of a virtual team. Fitness trackers not only replicate some of the treadmill’s actions, but additionally record the user’s whereabouts while exercising. The resulting fitness data can usually be downloaded onto a computer in order to keep track of their progress over time.

Again, if these devices are not sufficiently well secured, they could reveal information about the users that they may not wish to be publicly available.

Thermostats and smoke detectors

These devices are becoming much more widely used. The thermostat can display information about the temperature within one’s property, and, knowing the property location, can also display the outside temperature – very useful in winter months, when a sudden drop in outside temperature can be dealt with automatically. These devices can control not only the central heating but also the hot water, giving the user considerable control over their energy consumption. They are also able to detect (through the presence of a mobile phone) whether the house is occupied, and can reduce the temperature or turn off the water heating automatically.

Smart smoke and carbon monoxide detectors can also be installed and, together with the user’s smartphone application, permit the user to know when something is wrong.

While highly useful, these devices, too, present a vulnerability if they are poorly secured, or if the manufacturer’s network with which they interconnect has security weaknesses.

People-related vulnerabilities

There are numerous people-related vulnerabilities, some of which arise from the lack of training and awareness provided by an organisation, while others arise from people’s inability to think and act logically or to follow instructions.

Social engineering

Social engineering may best be defined as an act that influences a person to take an action that may not be in their or their organisation’s best interest. This includes persuading them to divulge personal or confidential information or to transfer money to an attacker’s bank account.

People are frequently susceptible to social engineering or to coercion when an attacker who may have carried out research on the individual is able to gain their confidence through flattery or by offering some inducement that the individual is likely to accept.

Social engineering is a skill that many cyber-attackers work hard to develop, since assistance from inside an organisation can save them a great deal of time and effort.

One example of social engineering is the use of dark patterns, in which the user is lured into carrying out an action they had not intended. These are discussed in greater detail in Chapter 5.

Lack of awareness

An extremely effective technique for delivering malware is to provide people with free memory sticks infected with malware. Not only can this be achieved by handing them out at conferences and exhibitions, but also by leaving them on the ground near a target user’s house or place of work.

Thinking they’re getting something for nothing, people will happily plug these into their computers without contemplating the possible consequences.

Failure to comply with company policies and good practice

This is one of the most common forms of vulnerability. Computer users, especially in a corporate environment, may find that they are constrained by organisational policies, processes and procedures in which they see no point, or which they view as an obstacle to their work. In this case they may try to find ways of defeating or working around them. This may be the result of the policies, processes and procedures not being effectively communicated to them in the first place.

Typical among this type of vulnerability is people writing down key passwords, especially passwords for root access to systems, and sharing passwords with colleagues who either have forgotten their own, or more frequently should not have access in the first place.

Simple passwords

Occasionally, users will choose a simple password (for example, 1234) when using an application or service. Good password management techniques should prevent this, but occasionally users will still find ways of circumventing the system. Other vulnerabilities in this area include passwords that can be easily guessed or cracked, such as one’s mother’s maiden name or the make and model of one’s car.

Poor response to training and awareness

As with users failing to comply with policies, processes and procedures, a poor response to training and awareness may well be the result of ineffective communication on the part of the organisation.

In Chapter 10 we will cover techniques for training and raising awareness. It is important that this is not a one-off event but an ongoing process, so that users are regularly updated on security matters they need to be aware of, and that they continue to be trained in the correct way of doing things. However, some aspects of users’ behaviour will continue to require line management action when they fail to comply, and some organisations penalise staff who repeatedly ignore their training.

Physical and environmental vulnerabilities

There are some areas in which physical and environmental vulnerabilities will have an effect, and the impact of these can be dramatic.

Building and equipment room access

It may sound obvious that physical access to key buildings and sensitive areas within them should be carefully controlled, but all too frequently this is not the case, leaving the way clear for an intruder to enter unobserved. Theft is frequently a motive for this kind of entry, sometimes enabled by careful social engineering and sometimes by distraction of security staff, but it may also provide an attacker with the opportunity to introduce malware into a system.

Physical access to individual items of equipment

In addition to equipment room access, poor security can also allow an intruder to gain access to the individual systems where malware can be introduced. This often happens when a number of systems are located within a single rack space, so that having physical access to one automatically gives an intruder physical access to all the others.

Locking equipment cabinets is an obvious solution, but all too frequently keys are left in the cabinet lock.

Heating, ventilation and air conditioning

Key systems are invariably located in controlled environments such as computer and equipment rooms, but these bring about a potential single point of failure, since all will rely on the environmental controls to maintain a steady temperature and humidity.

Provided that these are maintained within specified limits, the risk is minimal, but once the temperature changes, especially increasing beyond recommended levels, equipment can cease to operate. However, some data centres now run their equipment rooms at slightly higher temperatures than are comfortable for humans, realising that a few degrees’ increase in temperature will not cause problems, but will save a considerable amount of money on cooling in the long term.

However, there also exists the danger of server rooms becoming overheated during heatwaves (such as the UK is experiencing at the time of writing), resulting in organisations having to hire in industrial fans and cooling systems.

Power

The loss of or interruption to power is the main vulnerability of all systems, and while the loss for any long period of time can cause severe problems, equipment is rather more vulnerable to being powered off and on again repeatedly and is much more likely to suffer catastrophic failure.

These days, no self-respecting organisation with a major IT infrastructure would consider anything but an uninterruptible power supply system to run its essential computer room or data centre, and this would normally be backed up by a system of standby generation. Such systems often also provide power to other essential services such as those used by the supporting operations staff.

CYBER IMPACTS

Cyber impacts or consequences are the result of some unwanted event – when a vulnerability has been exploited by a threat. Impacts come in many shapes and forms, but all require some sort of decision to be made. Some impacts can be tolerated because they are not serious, but many cannot be tolerated and require some form of countermeasure, control or treatment in order to remove or minimise them.

Many impacts will be felt on a personal or individual level, while others will have a much wider impact on organisations. We’ll take a look at personal impacts first.

Personal impacts

This section covers many of the impacts that will affect individuals in the home or SME environment as well as those working in larger corporate organisations.

Loss of or unauthorised changes to personal information

One of the most worrying impacts on individuals is the loss or exposure of personal information. This could be almost anything about our private or professional lives that we would prefer to keep to ourselves but for whatever reason could become awkward or embarrassing if it became public knowledge, or would simply render us vulnerable to some kind of loss.


Two data breaches in particular have hit the headlines in recent years – that of the dating site Ashley Madison in 2015,5 and the Grindr data breach in 2018.6 It was reported after these data breaches that there were resignations, divorces and even suicides when it was discovered that people had been exploring relationships outside their marriages.

It is amazing how much information you can accumulate about someone without either having heard of them before, or without them being in any way aware of the fact.

There are quite a number of people around the UK who share the same name as me, and who apparently have a very similar email address. I regularly receive emails intended for them. Over a period of time, and quite unintentionally, I have built up a fuzzy picture of some of them. I know most of their full names; often their occupation; roughly, and in a couple of cases, exactly where they live; occasionally, their interests; and some of their shopping habits.

I am sure that if I put my mind to it, I could find out much more, but the more important fact is that they either are completely unaware of this or possibly unconcerned that much of their personal information has reached a person for whom it was never intended.


This is due to one simple fact – they, or the person sending them an email, has typed their email address incorrectly. Within the space of 48 hours, I found it necessary to contact a gardening company who needed authorisation to carry out work, a theatre where my namesake had tried to register for an account on their booking system, and a company selling car wheels that my alter ego had ordered. These are just recent examples – in the past, I have incorrectly received cancer patients’ highly confidential medical records and demands to pay armed services mess bills.

I always attempt to contact either the individual themselves or the person who has emailed them, but while they could at least apologise for the inconvenience and thank me for pointing out their error, sadly all too frequently there is no response at all. Whatever happened to good manners when we joined the connected world?

Sometimes people give my mobile phone number instead of their own, and I have received numerous text messages from various organisations advising of delivery times and appointments. These too have told me where someone lives and what they have ordered, but I have (so far) resisted the temptation to text back and make changes.

We happily join social networks and post information about ourselves. Facebook (Meta), Instagram, Twitter and LinkedIn are just four examples of social networks where an enormous amount of information can be discovered about us, including our earlier education, university life, job history, interests and hobbies, family life and much, much more.

It’s not only individuals who can cause problems for themselves. Take the case of a CEO who was having regular meetings with the CEO of another organisation with a view to a merger. On one occasion he took his family with him and his teenage daughter posted a photograph of the town they visited, together with a comment about her father being in a meeting at a particular company.

Someone following her on the social network put two and two together and made a couple of telephone calls, which resulted in a highly sensitive discussion becoming public knowledge, affecting the companies’ share prices, and effectively ruining the entire project.

This is perhaps an extreme example, but it does illustrate the possible consequences of seemingly innocent actions.

Loss of or unauthorised changes to personal credentials

Individual people’s credentials are big business. Details of bank and credit card accounts, usernames, email addresses, passwords and the like are bought and sold on the internet for surprisingly little money.

Attackers who can acquire these in bulk can monetise the data in a number of ways – either by using the credentials themselves to mount attacks on the individuals concerned, or by selling them on in bulk to others who are better equipped to mount the attacks.

The impact on the individual can be far-reaching, depending upon the type of credentials. If the individual is lucky, they may discover the attack early on, and may just lose a small sum of money. If they are unlucky, it can be much more devastating.

Loss of money and other financial instruments

Money is a major motivator for cyber-attackers, so naturally they will try to steal as much as they can if the opportunity presents itself. In some situations, where the individual can show that they have exercised due diligence over their credentials and have protected their computer and bank cards as well as they reasonably can, the finance organisation will accept responsibility for covering the losses, but where individuals have been careless or negligent, they have the potential to lose considerable sums of money.

A knock-on effect of this is that one’s financial standing or credit worthiness might also be affected, if, for example, the loss empties one’s bank account immediately prior to a direct debit being taken for a mortgage payment, and this is subsequently marked against the individual’s credit rating.

Damage to personal reputation

Cyber-attacks can easily ruin reputations. If you consider the example of someone whose email account is stolen, or whose account username is used by an attacker, it is quite simple to send out malicious emails that could destroy their reputation overnight. Often, especially if they know the individual well, recipients accept that the account has been abused, but the repercussions of having malicious communications sent to someone you don’t know are potentially far more serious.

Reputations, like trust, are rather like eggs – very easily broken, and almost impossible to piece back together again.

Loss of personal trust

Trust goes hand in hand with reputation. People with a sound reputation tend to be trustworthy and vice versa, and the loss of trust in an individual implies that their word is no longer reliable.

The importance of trust cannot be overstated, whether this is in connection with conventional business or with online transactions. We shall talk more about trust in Chapter 11.

Loss of or unauthorised changes to intellectual property (IP)

The theft of IP is closely related to the theft of money, since although no actual money is stolen, the potential to have earned it through sales will have been denied to the IP owner. A secondary and rather more serious loss of IP is when an attacker steals the original material and claims it as their own, in which case the original IP owner will be at a very serious disadvantage.

An example of this type of loss reported by the Intellectual Property Office in its 2020/2021 IP Crime Report7 is the abuse of the set-top boxes designed to allow users to collect music, videos, photographs and games in a single application. Illegal third-party add-on software can allow users to download pirated material from film companies and television companies. The report flagged this kind of IP theft as being one of the top three it is investigating.

Identity theft

Some years ago, a colleague was targeted by an organised group who used her email address to send out hate mail to everybody in her list of contacts, stole money from her bank account, ran up credit card bills, and almost destroyed her personal and professional life.

However, she was actually extremely fortunate, as she discovered what had happened at an early stage and took remedial action to limit the damage, but while the perpetrators were identified they were never brought to justice since they were beyond the jurisdiction of the European security services.

She believes that the reason for targeting her was that on several occasions she had been publicly very outspoken about the integrity of a large overseas organisation.

Identity theft is often closely coupled with cyber theft, since an attacker may reveal their identity if they carry out too many actions using the stolen identity, whereas in the case of a quick ‘smash and grab’ the attacker can discard the identity as soon as they have the money.

Personal injury

This aspect of cyber security is rather new. In December 2016, in response to an article he had posted, Newsweek journalist Kurt Eichenwald reported having received a tweet containing flashing images that caused him to suffer an epileptic attack. Clearly the sender was aware of Mr Eichenwald’s medical condition, and the matter is under investigation by police in the USA.8

Such conduct raises the question as to what the consequences might be, for example, for patients undergoing kidney dialysis at home with equipment that is internet-connected.

Organisational impacts

Many of the impacts that affect individuals will also affect organisations. However, because of the scale of organisations, both in terms of numbers of people and in the amounts of finance involved, the overall impacts will potentially be significantly greater. These could easily include partial or complete failure of an organisation or severe job losses.

Brand and reputation

The organisation’s brand will invariably suffer a major impact when a cyber-attack is successful, especially if it becomes clear that the organisation concerned had not taken appropriate steps either to prevent the attack happening in the first place or to deal with it effectively once it had occurred. On occasions, both of these failings combine to result in the organisation losing intellectual property or customer information.

Organisations that suffer this kind of impact may find that customers no longer trust them and decide not to do business with them in the future.

Financial impacts

The impact on an organisation’s revenue streams can be devastating. Cyber-attacks frequently result in an organisation being unable to trade online since customers will be unable to place orders. This will not only cause an immediate loss of revenue but can often also result in downstream losses later on, as customers take their business elsewhere.

Following a successful cyber-attack that results in damage to the organisation’s brand, the organisation’s share price may well suffer a sharp decline. Under normal circumstances a reduction in share value is a day-to-day occurrence and would not be a major cause for concern, but in these unusual circumstances it might take an organisation months or years to recover its share price.

Additionally, cyber-attacks can cause an organisation to be unable to order goods from its suppliers, pay them for goods already received, or be unable to pay staff their wages or salaries.

Under certain circumstances, and particularly in highly regulated sectors, organisations can be fined for mismanagement of customer data, especially if their actions contravene data protection legislation. They can also suffer further financial losses with interest being charged for late payments, especially to His Majesty’s Revenue and Customs (HMRC) for late payment of corporation tax.

On top of any revenue losses, organisations will find that there are costs involved in putting matters right after a successful cyber-attack, which will probably include the introduction of remedial information security controls.

Also, as discussed earlier in this book, there is the possibility that an organisation will be subjected to a ransomware attack and will have to pay the ransom to decrypt their data. The alternative would be for the organisation to face expending considerable effort in recovering all its affected systems. In some cases, the cost of such a recovery process could well exceed the ransom demanded.

Operational failures

If an organisation’s operational systems, such as development systems, production control systems, stock control systems and the like are impacted by a cyber-attack, the impact would be potentially catastrophic, as the organisation may be completely unable to operate for the duration of the problem.

Most, if not all, of these failures will inevitably link back to financial impacts, since the organisation’s inability to provide its customers with products or services will result in loss of revenue, and quite possibly in damage to the organisation’s brand and reputation as well.

An example of this is the case of an IT systems failure at TSB in April 2018, which resulted in 1.9 million customers being unable to access their online accounts, receive incoming payments and make transfers to other accounts for as long as several weeks. The problem arose while the bank was migrating customer accounts to a new IT system. The bank lost an estimated £330 million, and five months later its chief executive stepped down.9 While this is not a specific cyber security incident, it does illustrate what can happen when system upgrades are not tested prior to roll out.

People impacts

The final impact that organisations might suffer following this kind of event is the loss of staff who have to be laid off due to the financial losses or operational failures, or who choose to leave the organisation because they have lost faith in its ability to adequately plan for and respond to cyber security disruptions.


1. See https://pages.nist.gov/800-63-3/sp800-63-3.html

2. The technique of hashing uses a one-way encryption algorithm that makes it impossible to recover the password from the encrypted or ‘hashed’ original. Imagine dicing a potato into small cubes and then trying to reassemble it.

3. See http://news.bbc.co.uk/1/hi/uk/7449927.stm

4. See www.bbc.co.uk/news/technology-38415067

5. See https://www.theguardian.com/technology/2016/feb/28/what-happened-after-ashley-madison-was-hacked

6. See https://www.reuters.com/article/us-grindr-dataprotection-norway-idUSKBN29V0NJ

7. See https://www.gov.uk/government/publications/annual-ip-crime-and-enforcement-report-2020-to-2021

8. See www.bbc.co.uk/news/technology-38365859

9. See https://www.theguardian.com/business/2019/oct/28/number-of-it-failures-at-banks-and-other-firms-is-unacceptable-say-mps
