
Firms at risk of cyber-attack

With flooring companies Tarkett and Carpetright being among those targeted in cyberattacks, Adam Bernstein looks at the danger they pose to all businesses.

CYBER-ATTACKS are in the news again, and the problem is acute, reckons the government’s Cyber Security Breaches Survey 2024. It found that 50% of businesses had been subjected to a cyber-attack or breach in a 12-month period.

By far the most common type of breach or attack is phishing (84% of businesses). This is followed by others impersonating organisations in emails or online (35%), and then viruses or other malware (17%).

Those suffering incidents faced costs – on average – of about £1,205, but for medium and large businesses this rose to around £10,830. Of course, ‘average’ means some losses are lower but others are much higher – cybersecurity firm Sophos found the average payment by UK organisations in 2023 was greater than the global average, at $2.1m.

And the world of flooring hasn’t been exempted from trouble. Consider, for example, the trouble Carpetright found itself in at the end of April 2024 when hackers launched an assault on the company’s systems. Its 400-odd stores were unable to operate, and customers were unable to place orders. On top of that, payroll systems were put out of action. Management had to dedicate extensive resources to get its systems back online.

And just a few days later, French flooring surfaces firm, Tarkett, announced it too had suffered a cyberattack which resulted in ongoing disruption to its commercial and production operations, causing its share price to fall.

These organisations are larger than an independent flooring retailer or contractor, but the risk is just the same.

Defining a cyber-attack
So, what is a cyber-attack? According to Dai Davis, solicitor and partner at Percy Crow Davis & Co, the Wikipedia definition of ‘any attempt to expose, alter, disable, destroy, steal or gain information through unauthorized access to or make unauthorized use of an asset… that is a computer information system, computer infrastructure, computer network, or personal computer device,’ is one that he agrees with.

He says that it ‘matches the broad definition of an offence under s1 of the Computer Misuse Act 1990, which criminalises any action that “causes a computer to perform any function with intent to secure access to any program or data held in any computer where that access is unauthorised”.’

Roy Isbell, director at Information Assurance Strategies, agrees. He defines a cyber-attack as ‘fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome’.

As to where threats originate, Davis says some are performed by ‘script kiddies… who try to hack into systems for fun.’ For the criminally minded, making money is the goal and they’ll attack anything that pays them to do so.

‘They may,’ says Davis, ‘send out millions of scam emails in the expectation that only a few people will fall for the con; alternatively they may target a particular “rich” target but in a more subtle, considered manner’.

Of course, at the extreme, states such as China, Russia and North Korea attack companies to steal technology.

Worryingly, as Isbell points out, Covid-19 altered the landscape somewhat because ‘we now have a more distributed business model with some workers working from home, often on shared networks with only limited security implemented.’

And Davis has found any newsworthy topic may be used to persuade a staff member or individual to click on a link that will take them to a compromised website.

Security is a relative term
No system is perfect. But Davis knows ‘that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place.’

Moving on, Isbell says that a security breach is ‘not a single event or tool, but a combination of knowledge, skills and intelligence used in sequence to achieve the outcome the threat actor wants to achieve.’

For him, the only way to achieve 100% security is for a system to be disconnected from the internet. He emphasises that cyber security is about managing risk – ‘this requires we spend time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves, especially where the system is deemed critical’.

Countering threats
As both Isbell and Davis detail, there is no easy way to counter cyber threats.

Apart from an organisation’s own systems, Isbell would also look at its supply chain, ‘especially where processes may share data between firms’. For him, ‘an understanding of the firm’s cyber ecosystem is essential… and not just focussed on the data that resides on the various IT systems it may have’.

Davis, on the other hand, would create a budget and bring in an independent consultant. He cautions against placing too much reliance on specific security products, ‘many of which are good, but which solve only the security issue that the particular vendor advertises’.

Staff training is something else to consider. But as Davis warns, ‘training needs to be regular. There is little point in only training during induction week… staff may be sent a malicious email containing a spurious link at any time’.

Isbell too values training. He says ‘the most efficient and well understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation’.

And then there’s the option of placing a warning on every email staff members receive, flagging that the email has come from an external source and may be malicious. But on this Davis thinks ‘it’s likely to be ignored as the staff member is anxious to read the email not the header’.

Crucially, Isbell recommends including cyber security breaches as part of disaster recovery planning: ‘While some firms have been unable to continue after a cyberattack, those that had a robust incident response plan have not only been able to recover but recovered faster and minimised the overall impact on the business.’

The risks from doing nothing
Those that do nothing, and suffer an attack, risk legal fallout. Davis points to fines under the civil part of GDPR – the General Data Protection Regulations. He says the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: ‘Criminals, like regulators, have limited budgets and look for “low hanging fruit”. If you can make your business more secure than that of your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.’

Beyond that, Isbell says apart from implementing security, firms should have ‘some form of monitoring… if none is implemented, the firm will not know it has been breached until the breach is made public’.

When this happens, there comes a natural question – ‘who would trust an organisation that doesn’t take security seriously?’

And then there’s the risk of corporate failure…

Adam Bernstein is an independent columnist
