In today’s interconnected digital world cyber-crime regularly makes the headline news, says Allan Boardman, international vice president, ISACA, which should act as a reminder that it is a vital business issue and remind the boardroom to listen to their chief information security officer (CISO). This article provides some tips on how to deal with the threat of cyber-crime and educate the board, employees and others about how to respond.
The information security challenge that all businesses face today stems from the always-on, 24x7 connectivity phenomenon, which significantly increases the window of opportunity for cyber-crime attacks. The problem is exacerbated by innovations like digital currency, as seen when Liberty Reserve was shut down earlier this year, and by the intensity of criminality, as evidenced by the unveiling of the biggest ever hack by US authorities last month.
The always-on phenomenon also means that some cyber-crime attacks can evolve at a much faster pace than the information security architectures, technologies and processes that are designed to protect against these threats.
A recent UK Home Affairs Select Committee report showed that despite being the preferred target of online criminals in 25 countries, the UK is still complacent about cyber-crime. The Parliamentary report stated that UK funding and resources for tackling online crime have not been sufficiently allocated, and highlighted that we are being too complacent about these types of crimes because the victims (and indeed the perpetrators) are often hidden in cyber-space. The Committee Chair stated that if we don't have a 21st century response to this 21st century crime, we will be letting those involved in these gangs off the hook.
Cyber-crime Can Damage Your Business and Reputation
The financial and wider social impact of cyber-crime is very real and growing. Incidents and attacks attributable to cyber-crime are increasingly expensive and damaging to organisations in terms of regulatory fines and reputational damage. A quick scan of major global security breaches shows that an alarming number of these incidents are due to sophisticated hacking attacks. The numbers are staggering, as the accounts being compromised often run into tens of millions for each individual incident. Stolen computer equipment and data also account for many of these incidents. The reality is that cyber-criminals are being very successful at their business. It’s a bit like playing football but where the organisations are only permitted to play in goal, and are constantly defending themselves against all types of bad actors trying to score against them from all directions, without any opportunity to have an attempt at goal themselves.
The increased sophistication and complexity of the cyber-security threat landscape, coupled with a huge growth in incidents and the scale of attacks, means that organisations need to rethink their strategies for dealing with these threats. It is important to note that the new breed of attacks, for example advanced persistent threats (APTs), often evade traditional countermeasures such as signature-based defences and network perimeter protection.
How to Fight Back
So what should organisations be doing about the threat from cyber-criminals? First and foremost businesses need to recognise that cyber-attacks are a business problem and a people problem, not just a technology problem.
People continue to be the weakest link in the information security chain, the proverbial soft underbelly, and not surprisingly these advanced threats continue to specifically target the people element via phishing attempts and the like. Effective user education and awareness is therefore crucial to success in the fight against cyber threats.
There are some key questions that organisations should be asking:
- Do you know what cyber threats your organisation faces and how exposed your organisation is to these threats?
- Do you know whether you have been a victim of an attack, or whether your systems or data have been compromised?
- Do you know what the impact to your organisation would be if you were subject to a cyber-attack?
- Do you know what your organisation is doing to govern and manage the risks associated with cyber threats?
- Have you identified your key capabilities including incident response processes and are you taking mitigation steps to fill any significant gaps?
- Do you have the right people with the appropriate experience and technical capabilities in place to help you combat cyber threats?
The Threat Landscape
It is vital to understand the threat landscape and how it applies to your own organisation because each threat has its own motivations, capabilities and targets. The threats fall broadly into the following four categories:
- Organised criminals that typically operate globally and can be difficult to trace and prosecute. Their motivation is financial fraud; simply put, to steal money. (It’s always good to remember the age-old story of a bank robber who, when asked why he robbed banks, answered: “I rob banks because that is where the money is”.) These criminals also target personal data, which is like a commodity or currency to them, and allows them to trade this information online with criminals bent on committing identity theft and fraud.
- Nation states or large corporations with an interest in gaining insider information about major economic decisions that would give them a competitive advantage [see the Mandiant report from earlier this year - Ed]. These types of politically motivated cyber-espionage pursuits typically target intellectual property (IP) or trade secrets, critical infrastructure data, and also merger and acquisition (M&A) related information.
- Activists (sometimes called hacktivists, and often in the press recently thanks to the activities of the Anonymous group) or cyber terrorists who are motivated and inspired by some ideology or belief can also be a threat. They target anything to do with the reputation of the organisation which may affect public and media perception, so they will try to deface or bring down websites and services, for example through distributed denial of service (DDoS) attacks, to cause some type of disruption or damage.
- The insider threat: Malicious insiders or disgruntled employees can go after proprietary information such as customer lists, plans, and software code, either for personal gain, to cause disruption or to besmirch the good name of a business.
It is also useful to consider whether your organisation is likely to be a victim of an opportunist attack, in which case you want to make sure that you are not the weakest amongst your peer group. You should also consider whether your business is more likely to be a victim of a targeted attack, which may in turn influence your specific defence strategies.
Conclusions: What Should You Protect?
Senior executives and boardroom members should be asking the following key questions of their cyber-security policies:
- What are the organisation’s crown jewels which require the highest level of protection?
- Which business processes are critical to the survival of the organisation?
- What are the most important and significant security and privacy incidents your organisation and peer group organisations have faced recently?
- What have you learnt from those recent incidents and what have you done to prevent them from reoccurring?
- What is the organisation’s risk appetite, i.e. what are you prepared to live with in terms of downtime caused by cyber-attacks, including data privacy breaches? [see the latest 2013 Information Security Breaches Survey (ISBS) from PwC here for your reference and understanding of this threat, as reported in the Infosec Europe 2013 trade show report - Ed].
- How do you ensure that your suppliers and others further down the supply chain do not expose you to unacceptable cyber-risks? Answer: Do an audit.
The impact of cyber-crime incidents and attacks is much more far-reaching than just financial, and can have significant reputational and regulatory implications.
The key thing is that organisations should recognise that cyber-security is not simply a technology issue, and it is certainly not entirely down to the IT organisation to address. Cyber-security is a business imperative, and senior executives and boards need to be fully briefed, to understand the risks and challenges, and to educate their employees to raise awareness and increase vigilance. Cyber threat intelligence is needed to help mitigate the risks from sophisticated attacks. Has the time finally arrived for the emergence of the chief threat intelligence officer (CTIO) to assist the CISO? Maybe so: each organisation must decide for itself.