Sibos Topic 3: Preparing for a cyber attack

By Nicole Miskelly | 6 October 2015

At Sibos this year, cyber security is a topic high on the agenda. Due to a number high profile cyber attacks over the past year, many firms are increasing spending on cyber security initiatives and are realising that unless they start to effectively protect their company, staff and clients, it is a question of when, rather than if, they will be targeted by cyber criminals.

According to industry experts, one of the biggest mistakes that firms are making when it comes to cyber security is not understanding how they are currently protected and what they can do to further protect themselves. Many of the Sibos sessions being held around this topic, focus on collaborating and joining forces with other companies to explore how to effectively deal with a cyber attack.

With comments from Murray Walton, CRO and cyber crime fighter, Fiserv, moderator of the ‘Joining Forces on Cyber Intelligence’ session at Sibos this year, bobsguide investigates what firms should be doing to prepare for a cyber attack and the role technology can play to help combat cyber crime.

According to the 2015 Information Security Breaches Survey conducted by PwC, the number of security breaches this year has increased and 9 out of 10 large organisations surveyed have suffered some sort of security breach. With this in mind, over 50 per cent of respondents expect there to be more security breaches next year than there were this year, so what can firms be doing to better prepare for a cyber attack?

Murray Walton, CRO and cybercrime fighter, Fiserv says that one of the biggest mistakes firms are making when it comes to cyber security is underestimating cyber criminals. “We are fighting organised crime with substantial human and financial capital, specific malicious objectives and business plans, and amazing patience and persistence.”

Rather than trying to crack sophisticated firewalls, cyber criminals are now concentrating on social engineering attacks, which involve duping staff members into giving away their passwords and security details. This method of attack leaves all staff members vulnerable and means that the level of human risk has gone up.

The PwC report states that 75 per cent of large organisations suffered a staff related breach this year, alongside 31 per cent of small businesses. The risks posed by human error are evident and according to Chris Richter, Senior Vice President of Managed Security Services, Level 3 Communications who spoke about cyber security back in June, 1,800 new distinct families of viruses have been detected in the past year and that “40 per cent of the top 10 data breaches in 2014 were due to lapses in non-technical controls, which includes mistakes and a lack of governance.”

Many industry experts believe that firms should be making efforts to train staff about security, which could help eliminate mistakes that could lead to a breach, as well as helps them notice odd behaviour by malicious insiders or fraudsters. Also, organisations should perform vulnerability scans against every system in their network, both internal and external.

According to Walton, the top 5 things firms should be doing to prepare for a cyber attack are:

1. Understand your potential attack surface. Maintain a detailed, evergreen inventory of your hardware, software, networks and data assets. You can’t protect it unless you know it’s there.   

2. Acquire threat intelligence systematically. Assess what’s happening externally against who you are, what you do, and how you do it. Adapt your defensive paradigm accordingly.

3. Incorporate cyber-attack scenarios into your business continuity plans. Test regularly with your internal teams, your vendor community, and industry groups that sponsor exercises.

4. Cultivate a broad set of law enforcement contacts, to ensure there will be parties who already know you and your business at the other end of the phone when you need them. 

5. Plan communication strategy and tactics you would employ under cyber-attack conditions. In advance of need, plot the roles and responsibilities of your response team, retain and brief any third party resources you would tap, identify the constituencies you would need or want to reach, and draft general templates that could accelerate your response to foreseeable cyber-attack scenarios. 

What role can technology play to help the industry combat cybercrime? According to Murray, predictive analytics coupled with automated monitoring can identify the precedent conditions for cybercrime, such as privilege escalations or anomalous processing activity or unusual data traffic, before a cyber attack comes to fruition. He also believes that automation can improve the speed and effectiveness of important-but-routine tasks such as asset inventory and patching that are essential to environmental hygiene. 

However, Walton says that many organisations are over-relying on technology and need to remember that risk can only be successfully managed if there are varying levels of support. “Effective risk management requires an artful balance of people, process, technology, infrastructure and third party support. Each of these vectors can make a significant contribution to deterring and managing the risks of cyber attack, and should be exploited to its fullest potential based on an organisation’s threat profile. Avoid the general tendency to over-rely on technology defences, under-rate the potential for process discipline, and miss opportunities to enlist your own people more broadly in this war.”

Hear more from Murray at ‘The Joining Forces on Cyber Intelligence’ session at 10.15am on Monday 12th October.

Don’t miss Sibos Topic 4:  How are corporate treasurer requirements evolving? later on this week…

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development