Cybercrime is afflicting big business. How to lessen the pain

More than a month for Jaguar Land Rover (JLR), an Indian-owned carmaker. A week for Asahi, a Japanese brewing giant. Six weeks for Marks and Spencer (m&s), a British retailer. That is how long each of those firms has needed to recover after being hacked. For JLR, the disruption has extended far beyond the firm. Last month the government in Britain, where it is based, said it would underwrite a £1.5bn ($2bn) loan in an attempt to keep the carmaker’s suppliers afloat.

Cybercrime has long been dominated by thieves who set out to steal information for profit. Now they’re being joined by thugs, who aim to use the threat of damage to a firm’s operations to extort higher payments.

Cryptocurrency has enabled ransomware, an attack in which hackers seize and encrypt vital data, then promise to unscramble it after a ransom is paid. (Sometimes they even keep their word.) As long as criminals focus attacks on firms in the West, countries such as China and Russia, in which many hacking gangs are based, see little need to crack down.

Companies cannot prevent this, but they are not powerless. 

One message is to be aware of which parts of an attack will prove to be the most expensive in the long run. As cyber-attacks have become more common, firms have begun buying specialist insurance to mitigate the risk. That is a good thing: insurance incentivises companies to take security more seriously, since those that don’t take care face higher premiums.

Even so, plenty of companies still do not take out enough cyber insurance, either because of a lack of awareness, or because it is costly. JLR is reckoned to have lost £50m for every week after the attack. m&s is thought to have missed out on around £300m of business in the weeks it spent fixing its website, yet its resilience insurance underwrote just a third of that. Buying insurance that protects against such losses would encourage firms not just to try to stop attackers getting in, but also to ensure their computer systems can recover quickly.

A second idea is to be aware of the risks of outsourcing. Handing off parts of a business to specialist suppliers makes sense. But IT outsourcers hold the keys to many different kingdoms. Front-line employees are usually told to follow a predictable script whenever an IT-support call comes in. These things make outsourcers especially attractive to hackers.

Sure enough, several recent attacks appear to have been carried out after hackers gained a foothold using outsourcing firms. Businesses that elect to outsource should vet their contractors carefully, and decide on risk-sharing arrangements before they sign. Outsourcers themselves may find that beefing up security could differentiate themselves from their rivals.

Governments can help, too, starting with tightening the rules around disclosure. Firms can be reluctant to admit they have been attacked. That reticence makes it harder for the authorities to spot patterns and learn about vulnerabilities, which puts others at risk.  Governments could go further and ban the payment of ransoms altogether.  The industry persists because it is more strongly in an individual’s interest to pay off extortionists. If hacking does not pay, it will wither.

show less