Businesses and their employees are becoming increasingly interconnected and reliant on internet-based systems for their day-to-day operations
Figures published by the Ponemon Institute, an information security consultancy, estimate 50 billion devices will be connected to the Internet by 2020. This will include not only traditional IT equipment such as computers and smartphones, but a multitude of everyday items such as vehicles, home and office appliances, and critical infrastructure. This ‘Internet of Things’ (IoT) is providing an increasingly target-rich environment for cyber threat actors, because it relies on Internet-connected agents that gather information and take automated actions – a printer reordering ink when supplies run low, for example.
While the potential economic benefits of a hyper-connected world are hard to overstate – some estimates predict a resulting cumulative rise in global GDP of USD2,000 trillion by 2030 – there are also mounting associated costs as data breaches from malicious cyber attacks, system failures and human error increase. Indeed, a widely cited study conducted by McAfee and the Center for Strategic and International Studies (CSIS) estimates the global cost of cybercrime at USD445 billion annually, which could increase to USD2.1 trillion by 2019 if projections hold.
It is for this reason, among others, that The World Economic Forum (WEF) ranks large-scale cyber attacks as the eleventh most impactful and likely global risk in its 2016 Global Risk Report, warning they are ‘rising in both frequency and scale’. The concern is shared by business leaders surveyed for the latest Executive Opinion Survey, who identify cyber threats as the greatest concern for doing business in Estonia, Germany, the Netherlands, Japan, Malaysia, Singapore, Switzerland and the United States.
For individual firms, the financial impact of an attack can be significant, and the threat appears to be growing. PWC’s Global Economic Crime Survey 2016 ranks cybercrime as the second most reported economic crime among 6,337 companies surveyed in 115 countries – 32% confirmed they’d been targeted, 18% didn’t know, and a further 34% expected to be attacked within the next two years. Around 50 of the companies asked said they had incurred costs over USD5 million, with nearly a third of these claiming cybercrime-related losses in excess of USD100 million. Damage to reputations caused by loss of trust and business interruption is harder to quantify but can be equally if not more detrimental in the long term.
Many more organisations were likely breached without their knowledge, as hackers have demonstrated on multiple occasions their ability to infiltrate networks undetected. The infamous breach of the United States Office of Personnel Management (OPM) in June 2015, which resulted in the loss of more than 21 million personal records, was likely ongoing for more than a year before it was discovered. Similarly, when JPMorgan Chase announced the theft of 76 million customers’ details in August 2014, it soon became clear that those responsible had access to their system for the best part of two months before being detected.
The Nature of the Threat
Incidents of cybercrime are perpetrated by a range of threat actors with varying and sometimes overlapping motives. These can include nation states, disgruntled or unwitting employees and trusted third parties, organised criminal gangs, script kiddies and hacktivists. Some are driven by the prospect of personal gain, either financial or reputational, while others pursue political agendas, or bear a grudge against a current or former employer. Many will facilitate a system breach inadvertently by engaging in high-risk behaviour or failing to adhere to company cyber security protocols. In some instances, costly attacks will be perpetrated by individuals purely for entertainment.
Most attacks fall into two broad categories, according to PWC analysis – ‘the kind that steal money and bruise reputations and the kind that steal intellectual property (IP) and lay waste to an entire business’. The former, such as the OPM and JPMorgan Chase hacks, are often the most publicised, and, while costly, rarely pose an existential threat to an organisation.
Conversely, the theft of critical IP including trade secrets and product information – which is often harder to detect and may not even be on a company’s threat radar – can result in an ‘extinction level event’ where damage could include the ‘destruction of a line of business, a company, or even a larger economic ecosystem’. This is the primary cyber threat facing British firms, costing the UK economy an estimated GBP9.2 billion annually, according to information security consultancy Becrypt.
Worryingly, numerous studies have indicated a significant proportion of businesses remain underprepared to protect and respond to an attack. Indeed, many firms may not even know which data assets are at risk, and the nature of the threats they are exposed to. Research conducted by Aon for their 2015 Underrated Threats report indicated only 58% of businesses polled had completed a cyber risk assessment, with nine out of ten directors acknowledging that cyber risks are still not fully understood. Part of the problem stems from an inadequate allocation of resources – only 45% of company leaders believe their firm dedicates adequate funding to detect all breaches, according to a March 2016 report by insurance agency Advisen.
This is despite the growing understanding among experts of the need to employ holistic risk mitigation strategies that are regularly reassessed to ensure they adequately reflect the evolving threat landscape. Advanced Security Information and Event Management (SIEM) tools can be employed to monitor systems automatically and help detect abnormal network traffic or behaviour, while fostering a culture of cyber security awareness through enhanced training can reduce the risk of a breach via an unwitting employee. This is arguably the most critical element of any information security plan, considering around 90% of breaches require the assistance of an unsuspecting individual, say Axelos, a business consultancy.
It is our natural inclination to be curious or helpful that is often exploited by cyber criminals and which can precipitate the ‘beginning of a corporate disaster’. It is therefore essential that all employees, from hourly workers to board-level executives, are provided adequate training on vital cyber security issues, such as the risk of phishing attacks; fraudsters utilising social engineering techniques to glean confidential information; secure password management practices; suspicious behaviour among colleagues; and how to handle data securely.
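To make the SIEM point above concrete, here is a small correlation rule of the kind such tools run continuously: it flags a burst of failed logins from one source address, and notes whether a successful login followed within the same window (the pattern a password-guessing attempt leaves behind). This is an added illustration, not code from the article or from any SIEM product; the log line format, the field names, the threshold and the window are assumptions chosen for the example, and the log lines are constructed.

```python
"""SIEM-style correlation over constructed authentication log lines.

Added illustration only: the syslog-like format, field names, threshold
and window are assumptions for this example, not a real product's rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp service auth=... user=... src=...).
SAMPLE_LOG = """\
2016-03-01T09:00:01 sshd auth=FAIL user=alice src=203.0.113.5
2016-03-01T09:00:03 sshd auth=FAIL user=alice src=203.0.113.5
2016-03-01T09:00:04 sshd auth=FAIL user=alice src=203.0.113.5
2016-03-01T09:00:06 sshd auth=FAIL user=alice src=203.0.113.5
2016-03-01T09:00:07 sshd auth=FAIL user=alice src=203.0.113.5
2016-03-01T09:00:09 sshd auth=OK user=alice src=203.0.113.5
2016-03-01T09:05:00 sshd auth=FAIL user=bob src=198.51.100.7
2016-03-01T09:30:00 sshd auth=OK user=bob src=198.51.100.7
2016-03-01T10:00:00 sshd auth=OK user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that reaches `threshold` failed
    logins within `window`; each alert records whether a successful login
    from that address followed inside the same window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Slide a window over the failure timestamps; alert on the first
        # position where `threshold` failures fit inside `window`.
        for i in range(len(fails)):
            j = i + threshold - 1
            if j >= len(fails):
                break
            if fails[j]["ts"] - fails[i]["ts"] > window:
                continue
            window_end = fails[i]["ts"] + window
            in_window = [e for e in evs if fails[i]["ts"] <= e["ts"] <= window_end]
            alerts.append({
                "src": src,
                "users": sorted({e["user"] for e in in_window if e["result"] == "FAIL"}),
                "failures": sum(1 for e in in_window if e["result"] == "FAIL"),
                "success_after": any(
                    e["result"] == "OK" and e["ts"] >= fails[j]["ts"] for e in in_window
                ),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed lines the rule raises a single alert for 203.0.113.5 (five failures in six seconds, then a success), while bob's lone failure and carol's normal login stay quiet. The threshold and window are the tuning knobs an analyst adjusts to trade missed attempts against noise from users who mistype a password.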
Ultimately, however, organisations need to accept that no system is completely secure; breaches will happen, no matter how advanced the defence. While companies have to ensure their security infrastructure is perpetually effective, an attacker only has to get lucky once to access the system. As such, it’s important to foster a culture of cyber resilience, accepting failures will occur, and establishing processes to facilitate the resumption of normal operations as quickly as possible, while protecting assets and reputations.
When a breach is identified, it is essential that the situation is immediately assessed to determine (where possible) who was responsible, how far the network was breached, what was stolen or compromised, who needs to be informed and what the wider legal ramifications are. Utilising cyber psychology techniques can aid the process of identifying the attacker’s motive so that an adequate response can be formulated. Additionally, it is vital that a thorough response is enacted that eradicates all back doors and other tools used by the hackers simultaneously. If not, says Jim Jaeger, Chief Cyber Services Strategist with General Dynamics Fidelis Cybersecurity Solutions, “They’ll stop while you’re doing the investigation, and in a month or two they’ll come back in. Sometimes they’ll just keep going”. Indeed, in many instances, it may be prudent to simply wipe and reformat all disks so that they can be rebuilt to standard configurations with data restored from backups.
It is important to understand that while technology can solve some of the detection issues, staff education to help identify threats should be pursued as a key defensive strategy. With ever more complex and targeted attacks via spear phishing techniques, employees need to be increasingly vigilant in identifying suspicious behaviour. Expensive SIEM systems can certainly reduce the risk that an attack goes undetected; however, without the added human training and education, people will fundamentally remain the weakest link in the chain.