By Steve Durbin, Vice President, Information Security Forum (ISF) trade body
The range and complexity of cyber security threats is growing daily. Given the high potential rewards from cybercrime, especially when it comes to banking and finance, this trend is likely to continue into the foreseeable future. Threats are increasingly being deployed in combination in more sophisticated ways, such as when organised criminals adopt techniques developed by online activists or government agencies, which is why being prepared is vital.
We cannot live without cyberspace: it offers enormous opportunities and benefits through increased innovation, collaboration, productivity, competitiveness and customer and citizen engagement. Holding back or disconnecting from cyberspace altogether is simply not feasible when it is now so critical to modern business.
But the commercial, reputational and financial risks that go with cyberspace presence are real and growing. So how can we counter these growing risks without losing the huge benefits of Internet-based trade, commerce and communication?
The unpalatable truth is that we are probably fighting an unwinnable 'war', especially given the increasing sophistication and pace of change in cybercrime. What we can do, however, is to prepare an effective response to the inevitable attacks so that their effect is minimised, and our livelihoods and key resources protected.
Much more than information security
Building resilience against cyber attacks requires an overhaul of the traditional approach to managing security risks, which has typically fallen to the information security function.
Traditional risk management is simply not enough to deal with the potential impacts of cyber attacks. We need to extend risk management to become more resilient, based on a foundation of preparedness. And with almost every aspect of business open to online exposure, we need to be prepared to move at the speed of a tweet.
This means taking a much more strategic and business-based approach to managing and mitigating security risks, with buy-in and participation at board level. To take advantage of both technology and cyberspace, organisations must manage new risks beyond those traditionally covered by the information security function, including attacks on reputation and all manner of technology.
Emerging cyber threats
In the Information Security Forum’s (ISF) published report, entitled ‘Threat Horizon 2014: Managing Risks When Threats Collide’, the trade body identified some of the key emerging cyber threats that financial institutions and other organisations need to develop an effective response to.
The report identifies three main threat areas – external, regulatory and internal – and provides practical guidance on how to deal with increasingly complex threats in each one.
External security threats include those that arise from the increasing sophistication of cybercrime, state-sponsored espionage, online activism and attacks on systems that have a physical impact in the real world, such as industrial control systems – Stuxnet being a prime example. The external threat can be summarised as follows:
• Cyber criminality increases as malspace matures: The sophistication and scale of 'malspace' (an online environment inhabited by hacker groups, criminal organisations and espionage units) is growing and developing daily. Monitoring and effective responses are needed.
• The cyber arms race leads to a cyber cold war: Nations that are developing more sophisticated ways to attack each other via cyberspace are getting better at it, those who haven’t will start, and organisations will suffer collateral damage. Targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage. The knowledge will seep out into the private sector and banks will be targeted.
• More causes come online; more activists will get more active: Anyone not already using the Internet to advance their cause very likely will. These could include customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs – the list is endless. Online organisation will become easier and protest channels will be available to greater numbers. If your financial institution makes a mistake expect it to be publicised on social media.
• Cyberspace gets physical: The increasing convergence of cyber and physical worlds will bring more attacks on physical systems, from attempts to switch off lights or climate control systems to the disruption of manufacturing systems. Whether attacks are successful or not, credible publicised threats will cause disruption and panic. Denial of service attacks may also proliferate.
These external threats have the potential to be magnified through mobile malware (especially that targeting mobile banking), attacks on smartphones and Internet telephony (to enable eavesdropping on calls and meetings, location tracking and information theft), and domain name abuse will be common from new top-level domains and non-Latin domain names.
Regulatory threats are growing in importance as regulators call for greater transparency about incidents, data leaks and security preparedness, while increasing the requirements for data privacy. The regulatory threats include:
• New requirements shine a light in dark corners, exposing weaknesses: Further movement towards increasingly transparent security disclosures will highlight weaknesses and potentially make organisations more vulnerable to attack. Financial institutions forced to report security risks may have as much to fear from customers and business partners as they do from irate hackers and regulators.
• A focus on privacy distracts from other security efforts: New privacy requirements from consumers, business customers and regulators impose a heavy compliance burden. Organisations will need to decide whether to invest in the necessary security and legal controls, outsource to someone who can, or exit certain markets. They will also need to consider the message their actions send to their customers. White labelling in financial services may become even more common.
These regulatory threats can be magnified by the possible creation of 'cyber havens' (countries that provide data hosting without onerous regulations), a mandate to have real-time reporting (not just an audit snap-shot), and inadequate security with critical business partners.
Internal threats arise as technology introduces new benefits at a relentless pace and organisations adopt them without fully understanding the risks. The threat vectors include the following:
• Cost pressures stifle critical investment; an undervalued function can’t keep up: While it is normal to see investment increase after a prolonged downturn, some economies and sectors will continue to struggle. Even financial institutions that are increasing security spending may have a legacy of under-investment that can’t be corrected overnight. But cyber-criminals are investing, and it will become easier and less expensive to buy criminal technology and services.
• A clouded understanding leads to an outsourced mess: continued cost pressure will lead to a new form of digital divide between organisations that understand the marriage between IT and information security, and everyone else. Leading financial institutions will appreciate the strategic value of channels, systems and information, and will invest in monitoring techniques and technologies to harvest information, while others will suffer competitive disadvantage and higher risk of damaging incidents.
• New technologies overwhelm: Organisations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace. Along with business benefits, however, come potential vulnerabilities and methods for attack, so companies will continue to be hit. Organisations that don’t understand their dependence on technology may have a nasty surprise if it leads them astray or suddenly goes offline.
• The supply chain springs a leak as the insider threat comes from outside: A modern organisation’s data is spread across many parties, and more financial institutions will fall victim to incidents at partners or suppliers. This will increase as organisations further digitise supply chains, outsource payment functions and rely on external advisors.
Potential magnifiers for these threats include the hidden security costs of seemingly attractive business initiatives, and artificial intelligence decision-making used in automated business processes.
From cyber to insider, organisations have varying degrees of control over evolving security threats. With the shape and complexity of the threat landscape changing daily some organisations are being left behind, sometimes in the wake of reputational and financial damage (see the recent Global Platform hack for example). We all need to take stock now to ensure we are fully prepared and engaged.