Andrew Stott, a partner with Olswang in Singapore, discusses cyber security risks and the measures needed to secure data and systems
I’ve got bad news: you are all vulnerable. Personally, and professionally, your systems are at risk from cyber threats. In 2014 already the number of distributed denial of service (DDoS) events topping 20 Gbps are double that of 2013, with more than 100 attacks at over 100 Gbps or higher recorded in the first half of the year. That is a lot of data being stolen, at unprecedented speeds. Even high profile tech companies that you might expect to have some of the most sophisticated detection and prevention mechanisms in place are not immune. In May 2014, eBay had the records of 233 million users stolen. Evernote and Dominos Pizza are other well-known victims; many other corporates and governments also under attack.
The average cost of a data breach rose to US$3.5 million in 2013. Cyber security breaches result in losses from obvious causes such as lost sales from DDoS attacks and the costs of investigating and remediating the breach. However, even where the attacks come from hacktivists with no intention of profiting from their breaches and share prices, customer confidence and corporate reputation can take a hit causing significant and quantifiable losses.
Types of risks
This is not a risk which just affects tech or online businesses any more. In an evolving technological landscape, all companies are dependent on their IT systems, whether for CMS, POS, confidential data storage, physical security of buildings, or the more obvious route of using a web or app portal. As the brief list above aptly demonstrates however, the type of risks your business is exposed to will vary depending on the sector in which you operate.
The 2014 Data Breach Report compiled by Verizon identifies eight key types of breach, POS intrusion, web app attack, insider misuse, theft/loss, crimeware, payment card skimmer, denial of service and espionage. However, while a vast 41 per cent of attacks on information companies (covering tech, media and telecoms) were in the form of web app attacks, 46 per cent of cyber incidents in healthcare were tied to data theft/loss and by contrast in mining, 40 per cent of incidents stemmed from cyber espionage. Each sector differs and correspondingly, the measures that need to be taken to secure your data and systems will also differ from amending your user authentication systems to ensuring automatic patches on your CMS systems, using tamper resistant hardware, or having a process in place for system configuration change monitoring to ensure rapid identification and disarming of attacks.
Cyber security during M&A
Plainly, then, this must be one of the areas considered during the M&A process, which potential sellers should ensure it is adequately addressed in their existing systems, and buyers should ensure is thoroughly investigated during due diligence. However, despite almost all companies agreeing that prior cyber breaches or vulnerable systems would impact acquisition value, around three quarters of respondents in a recent survey said that in their experience, cyber security played little or no part of the diligence process.
This failing can be attributed to a basic lack of understanding: CEOs and business development teams are typically focussed on strategic synergies and financial benefit and few have the advanced technological background necessary to adequately understand the issues surrounding cyber security. We shouldn’t be shocked — technology is advancing so exponentially that it is natural for many or even most not to have an understanding of current trends and threats, but you are not alone, there are experts both internal and external who have the relevant expertise and just as you wouldn’t restructure your assets without consulting a tax advisor, so you should consider cyber security advice a necessary part of the M&A process.
So yes, I’ve got bad news: you are all vulnerable… but here’s the good news: there is a simple way to shore up your defences, and avoid acquiring a cyber liability. First, involve your CTO in the deal process, he may not be a deal expert, but he is the best equipped member of your team to ask the right questions and to understand the data once provided. Secondly, and perhaps most importantly of all, hire advisors who not only understand these issues and include them as part of their routine diligence review, but crucially are sector experts, so that they can quickly focus in on the critical risks which are most likely to affect your business or that of your target.
The views expressed are of the author, and e27 may not necessarily subscribe to them.
e27 invites members from Asia’s tech industry and startup community to share their honest opinions and expert knowledge with our readers. If you are interested to share your point of view, please send us an email to writers[at]e27[dot]co.