The true cost of cyber attacks - and the business weak spots that allow them to happen
By Theo Leggett, International Business Correspondent, BBC
The first day of September should have marked the beginning of one of the busiest periods of the year for Jaguar Land Rover. It was a Monday, and the release of new 75 series number plates was expected to trigger a surge in demand. At factories in Solihull and Halewood, as well as at its engine plant in Wolverhampton, staff anticipated that they’d be working flat out. Instead, when the early shift arrived, they were sent home. The production lines have remained idle ever since. Though they are expected to resume operations in the coming days, it will be in a slow and carefully controlled manner. It could be another month before output returns to normal. Such was the impact of a major cyber attack that hit JLR at the end of August. It is working with various cyber security specialists and police to investigate, but the financial damage has already been done. More than a month's worth of worldwide production was lost. Analysts have estimated its losses at £50m per week.
JLR's production lines were left idle after the firm faced a cyber attack at the end of August (image: Getty Images)
For a company that made a £2.5bn profit in the last financial year, and which is owned by the Indian giant Tata Group, the losses will likely be painful but not fatal. But JLR is not an isolated incident. So far this year there has been a wave of cyber attacks targeting big businesses, including retailers such as Marks & Spencer and the Co-op, as well as a key airport systems provider. Other high profile victims have included the children's nursery chain Kido, while last year incidents involving Southern Water and a company that provided blood tests to the NHS raised serious concerns about the vulnerability of critical infrastructure and services. In all, a government-run survey on cyber security breaches estimates 612,000 businesses and 61,000 charities were targeted across the UK. So just how much are attacks like these costing businesses and the economy? And could it be, as one expert analyst puts it, that this year's major attacks are the result of a "cumulative effect of a kind of inaction" on cyber security from the government and businesses that is now starting to bite?
Pyramid of suppliers affected
What is significant about an attack on the scale of the one that hit JLR is just how far the consequences can stretch. The company sits at the top of a pyramid of suppliers, thousands of them. They range from major multinationals, such as Bosch, down to small firms with a handful of employees, and they include companies which are heavily reliant on a single customer: JLR. For many of those firms, the shutdown represented a very real threat to their business. In a letter to the Chancellor on 25 September, the Business and Trade Committee warned that smaller firms "may have at best a week of cashflow left to support themselves", while larger companies "may begin to seriously struggle within a fortnight". Industry analysts expressed concerns that if companies started to go bankrupt, a trickle could soon become a flood – potentially causing permanent damage to the country's advanced engineering industry.
Resuming production does not automatically mean the crisis is over either. "It has come too late," explains David Roberts, who is the Chairman of Coventry-based Evtec, a direct supplier to JLR, with some 1,250 employees. "All of our companies have had six weeks of zero sales, but all the costs. The sector still desperately needs cash."
Russian cyber criminals or Western teens
A recent IBM report, which looked at data breaches experienced by about 600 organisations worldwide, found that the average cost was $4.4m (or £3.3m). But JLR is far from an outlier when it comes to high-profile cyber attacks on an even greater scale. Those at Marks & Spencer and the Co-op supermarket chain this year are estimated to have cost £300m and £120m respectively. Over the Easter weekend in April, attackers managed to gain entry to Marks & Spencer's IT systems via a third-party contractor, forcing it to take some networks offline. They infected the company's networks with ransomware that encrypted, or scrambled, its data. Initially, the disruption seemed relatively minor – with contactless payment systems out of action, and customers unable to use its 'click and collect' service. However, within days, it had halted all online shopping – which normally makes up around a third of its business. It was described at the time as "almost like cutting off one of your limbs" by Nayna McIntosh, former executive committee member of M&S and the founder of Hope Fashion. The firm was left with the now commonplace nightmare scenario – rebuild all computer systems from scratch or pay the hackers millions of pounds in ransom for the antidote. M&S has refused to say whether it paid the criminals or not. The damage was not just financial. The retailer later admitted that customer data had been stolen in the attack. This potentially included telephone numbers, home addresses and dates of birth, though not, it said, usable payment or card details. To compound M&S's embarrassment, hackers claimed to have sent a ransom demand directly to its chief executive, using an employee's email account.
Attackers managed to gain entry to Marks & Spencer's IT systems via a third-party contractor (image: Bloomberg via Getty Images)
When the Co-op supermarket chain was hit, the same group of hackers claimed responsibility. It was, they suggested, an attempt to extort a ransom from the company by infecting its networks with malicious software. However, the IT networks were shut down quickly enough to avoid significant damage. As the criminals angrily described it to the BBC, "they yanked their own plug - tanking sales, burning logistics, and torching shareholder value". According to Jamie MacColl, a cyber expert at the security research group the Royal United Services Institute (RUSI), it is no surprise to see major businesses being targeted in this way. He says it is the result of hackers being easily able to get hold of so-called ransomware (software which can lock up or encrypt a victim's computer networks until a ransom is paid).
"Historically, this kind of cyber crime… has mostly been carried out by Russian-speaking criminals, based in Russia or other parts of the former Soviet Union", he explains. "But there's been a bit of a change in the last couple of years where English-speaking, mostly teenage hackers have been leasing or renting ransomware from those Russian-speaking cyber criminals, and then using it to disrupt and extort from the businesses they've gained access to." "And those English-speaking criminals do tend to focus on quite high-profile victims, because they're not just financially motivated: they want to demonstrate their skill and get kudos within this quite nasty sort of hacking ecosystem that we have."
Weak spots of big business
What makes companies like Jaguar Land Rover and Marks & Spencer particularly vulnerable is the way in which their supply chains work. Carmakers have a long tradition of using so-called "just-in-time delivery", where parts are not held in stock but delivered from suppliers exactly where and when they are needed. This cuts down on storage and waste costs. But it also requires intricate coordination of every aspect of the supply chain, and if the computers break down, the disruption can be dramatic. Likewise, a retailer like Marks & Spencer relies on a carefully coordinated supply chain to guarantee customers the right quantities of fresh produce in the right places - which similarly proves vulnerable.
If computers break down, the disruption can be dramatic for those businesses that require intricate coordination of every aspect of the supply chain (image: Reuters)
"Other industries have this model too: electronics and high-tech, because it's expensive and risky to hold inventory for a long time due to obsolescence. And then other industrial firms, such as in aerospace, for similar reasons to automotive," explains Elizabeth Rust, lead economist at Oxford Economics. "So they're a bit more vulnerable to supply chain disruption from a cyber attack." But she points out this is not the case for industries such as pharmaceuticals, where regulators require firms to hold minimum levels of stock.
Rethinking lean production
Andy Palmer, a former chief executive of Aston Martin who has spent decades working in the manufacturing sector, thinks the lean production models in the car and food industries need a rethink. It is a major risk, he says, when you have "these systems where everything is tied to everything else, where the waste is taken out of every stage… but you break one link in that chain and you have no safety." "The manufacturing sector has to have another look at the way it tackles this latest black swan", he says, referring to an event that is unforeseen but which has significant consequences. But according to Ms Rust, businesses are unlikely to change the way their supply chains operate. "Cyber attacks are really expensive… but shifting away from just-in-time management is potentially even more expensive. This is hundreds of millions, possibly, that a firm would have to incur annually". She believes the costs would also make it a steep challenge for regulators to demand such changes.
'The cumulative effect of inaction'
In late September a ransomware attack on American aviation technology firm Collins Aerospace caused serious problems at a number of European airports, including London Heathrow, after it disabled check-in and baggage handling systems. The problem was resolved relatively quickly, but not before a large number of flights had been cancelled. Industry sources warn that Europe's airspace and key airports are so heavily congested that disruption in one area can quickly spread to others – and the costs can quickly add up. In this instance, the knock-on effects were largely confined to widespread delays and flight cancellations. But it nods to a bigger question of what happens if a hack on critical infrastructure paralyses financial, transport or energy networks, potentially leading to huge economic costs - or worse?
A ransomware attack caused serious problems at a number of European airports, including London Heathrow last year (image: AFP via Getty Images)
"I think the worst-case scenario is probably something affecting financial services or energy provision, because of the potential cascading effects of either of those two", says RUSI analyst Jamie MacColl. "The good news is the financial sector is by far the most heavily-regulated sector in the UK for cyber security. And I think it's quite telling, there's rarely been a very impactful cyber attack on a Western bank." The outlook, were there an attack on the energy sector, is not clear. A 2015 study by Lloyds Bank, entitled "Business Blackout", modelled the impact of a hypothetical attack on the US power grid, concluding that economic losses could exceed $1 trillion (£742bn). However Mr MacColl believes that in the UK, there is probably enough spare capacity in the grid to deal with a cyber incident. More concerningly, Mr MacColl thinks the UK has had "quite a laissez-faire approach to cyber security over the past 15 years", with the issue given little priority by successive governments. He believes that this year's major attacks may be the "cumulative effect of a kind of inaction on cyber security, both from the government and from businesses, and it's sort of really starting to bite now". That inaction, he says, needs to change, with both regulators and large businesses taking more responsibility.
Some check-in and baggage handling systems were disabled as a result of the attack that affected several European airports (image: Anadolu via Getty Images)
In July last year the government did announce plans to introduce a Cyber Security and Resilience bill, but its passage to becoming law has been repeatedly delayed. In May, GCHQ's National Cyber Security Centre published a report warning about the growing impact of cyber threats from hackers using artificial intelligence-based tools. It suggested that over the next two years, "a growing divide will emerge between organisations that can keep pace with AI-enabled threats, and those that fall behind – exposing them to greater risk, and intensifying the overall threat to the UK's digital infrastructure." However, what worries Jamie MacColl most are the sorts of attacks we haven't yet thought to protect against. "I would be more concerned about the sort of company that is the only business that provides a particular service, but that we don't really know about, and that isn't regulated as critical national infrastructure", he says. An attack on one of these less glamorous economic pivots, he argues, could have huge ramifications through the wider economy. "That's the sort of thing that would keep me up at night," he says. "The single point of failure that we are not aware of yet."