Recent years have seen an increase in the number of high-profile cyber incidents being reported in the news. The suddenness with which these headlines appear fuels the misconception that the attacks themselves are very quick, akin to a “snatch and grab” robbery. The reality is that attackers normally breach a network long before they get to the point where they take data out. Mr Jonathan Zhao and Mr Todd Stewart of EY elaborate.
In 2015, the Ponemon Institute reported that an attacker spent an average of 200 days inside a network before being detected. There was even one recorded case where attackers sat inside a network for eight years before they were discovered.
Attackers know that they are most likely to be detected once they start sending data out of the network, so they spend as much time as possible hiding in the shadows, collecting data and staging it. Only when they are satisfied that they have enough, or suspect that someone is getting close to finding them, do they take it. That is when they are exposed and that is when the headlines appear.
The increase in incidents can be attributed to a number of factors:
Popularity of social media
Attackers are conducting far more research on their victims and performing targeted attacks. It is mind-boggling how much information can be obtained about an individual through social media.
If someone wanted to launch an attack on a particular organisation, they would start with a search on social media platforms for anyone who says they work in IT within that organisation. Because people want to highlight their skills and experience to potential employers, they also reveal a lot of information about the IT networks of the company they work for.
If someone highlights extensive experience in a particular technology, an attacker can assume that the company they work for is running systems built on that technology. Armed with that “inside” information, they can build their plan of attack.
A mind game – the attacker evolves faster than the defences
Traditional security technologies have been using the same methods to detect security events for a long time now… and the attackers know this.
Traditional technologies rely on information collected from attacks that have occurred before to build a signature of what that particular attack looks like. That signature is loaded onto the security devices so that they can recognise when the same attack method is used on their network; if it is spotted, the activity can be blocked or someone alerted.
With a little effort, it is relatively simple for an attacker to modify their approach so that these old methods no longer recognise it: the signature describes one past attack, not the whole class of attacks it belongs to.
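To make the signature problem concrete, here is an added example in Python; it is not code from the EY article. It holds three exact-substring signatures (constructed for illustration, not real vendor rules), runs them over constructed request lines containing the original attacks and cheap variants of them, and then adds a normalising matcher that undoes those variants. It goes one step beyond the text by including a request that neither matcher catches, because the attacker changed technique rather than spelling.

```python
"""
Added example, not code from the EY article: a toy exact-match signature
engine next to a normalising one, run over constructed request lines.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Exact-substring signatures of the kind a first-generation IDS or WAF rule
# would hold for previously observed attacks. Constructed for this example;
# they are not real vendor rules.
SIGNATURES = [
    "<script>alert(",   # reflected-XSS probe seen in a past attack
    "cmd.exe /c",       # Windows command execution seen in a past attack
    "union select",     # SQL injection probe seen in a past attack
]

# Constructed sample request lines: each original attack, then variants an
# attacker could produce in seconds, then one attack that changes technique.
SAMPLE_REQUESTS = [
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",         # original
    "GET /search?q=<ScRiPt>alert(1)</script> HTTP/1.1",         # case change
    "GET /search?q=%3Cscript%3Ealert%281%29 HTTP/1.1",          # URL-encoded
    "GET /search?q=%253Cscript%253Ealert%25281%2529 HTTP/1.1",  # double-encoded
    "GET /run?c=cmd.exe /c whoami HTTP/1.1",                    # original
    "GET /run?c=c^m^d.exe /c whoami HTTP/1.1",                  # caret escapes
    "GET /item?id=1' union select 1,2 HTTP/1.1",                # original
    "GET /item?id=1'/**/UNION/**/SELECT/**/1,2 HTTP/1.1",       # comments
    "GET /search?q=<svg/onload=alert(1)> HTTP/1.1",             # new technique
]


def naive_match(request: str) -> list[str]:
    """Plain substring match, as a signature-only engine would do it."""
    return [sig for sig in SIGNATURES if sig in request]


def normalise(request: str) -> str:
    """Canonicalise a request before matching, undoing the cheap
    transformations an attacker uses to dodge exact signatures."""
    text = request
    for _ in range(3):                          # URL-decode until stable
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()                         # defeat case changes
    text = text.replace("^", "")                # cmd.exe carets are no-ops
    text = re.sub(r"/\*.*?\*/", " ", text)      # SQL inline comments act as whitespace
    text = re.sub(r"\s+", " ", text)            # collapse runs of whitespace
    return text


def normalised_match(request: str) -> list[str]:
    """Signature match after normalisation."""
    return [sig for sig in SIGNATURES if sig in normalise(request)]


def evaluate(requests: list[str] = SAMPLE_REQUESTS) -> dict[str, int]:
    """How many of the requests each matcher flags."""
    return {
        "naive": sum(1 for r in requests if naive_match(r)),
        "normalised": sum(1 for r in requests if normalised_match(r)),
        "total": len(requests),
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        flags = ("naive" if naive_match(req) else "     ",
                 "norm" if normalised_match(req) else "    ")
        print(f"{flags[0]} {flags[1]}  {req}")
    print(evaluate())
```

On these nine constructed requests the exact matcher flags three (the originals) and the normalising matcher flags eight. The ninth, the `<svg/onload=...>` probe, escapes both, which is the article's point: normalisation only closes the transformations the defender thought of, while the attacker is free to change technique, so signatures alone always lag.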
New challenges emerge with digitalisation
The push for digital enablement is a quest by businesses to create a simple and direct way to improve connectivity with their existing and potential customers, as well as business partners. These new channels have eroded the traditional security perimeter and, in the process, introduced new sources of cyber risk by offering new entry points for attackers.
With attackers’ capabilities increasing, their methods constantly evolving and internal budgetary and other pressures growing, it is completely understandable that organisations are struggling to keep up, let alone stay ahead. We refer to this as the Cyber Gap.
Even with advances in the level of security awareness among senior executives, there are a large number of organisations that still have a long way to go before they could be considered to have a mature cyber capability.
These are some of the most common misconceptions about cyber security; they have been addressed over the years and continue to be heard today.
“Cyber is an IT problem”
Cyber is more than a technological control, it is a holistic culture that needs to be driven from the top and touch every aspect of an organisation to be successful.
When you consider that the majority of the latest high-profile breaches have resulted from someone inadvertently handing their credentials to the attacker, normally by clicking on a link in an email, it is clear that all staff need to be made aware of cyber risks.
A complete framework of strategies, policies, processes, technical controls and awareness training is required to provide holistic protection against these cyber threats.
“We only need to do what the regulator requires”
Regulatory requirements form the minimum requirements that you are expected to satisfy to operate in that industry. They are designed to protect the information that is most important to the regulator.
This does not always translate into the protection of information that is important to you or your customers. The reality is that if you only apply the regulatory requirements, you will leave yourself exposed in other areas which means you are still vulnerable to attack.
“We want things to be as easy as possible for our customers to connect with us. Cyber has an impact on system performance and, hence, the customer experience”
Actually, in many cases this is absolutely true. But not for the reasons that you might expect.
Where security controls have been introduced very late in the development cycle and retrofitted into the application, they are likely to have a negative effect on performance and become a frustration for customers.
However, if cyber requirements are considered at the outset, during the planning stage of development, and incorporated into the design of the application, there should be minimal or no impact on the customer’s experience. In fact, as customers become more cyber aware, enhanced security controls can also be used as a marketing message about how seriously your organisation takes the protection of customer data.
“We’re not a bank. We don’t have anything that a hacker would want.”
If you have customers and hold their personal information within your systems, then you are a prime target. The very fact that you are not a bank makes you a more attractive target.
Banks have very stringent regulatory requirements around security. While they are still not impenetrable, they are certainly a bigger challenge to the attacker than an organisation which is not subject to those strict requirements.
There is a whole dark economy that has developed in recent years in which stolen information about insecure networks and personal data has been commoditised. If an attacker can obtain hundreds of thousands of personal records of real people, they can sell them on to perpetrators of identity theft, which has become increasingly prevalent.
What are you protecting and what protection mechanisms are in place?
In order to build a robust cyber security framework within an organisation, there are a number of things that must be done before making any heavy investment in solutions and technologies.
First, you need to understand what data you need to protect and what the impact on your organisation would be if that data were breached. This gives you a good understanding of where to concentrate your efforts first.
Second, understand what protection mechanisms you have in place and identify any missing pieces. This becomes your priority list of actions and helps to focus the cyber security strategy and roadmap on where investment will give the most benefit to the organisation and, ultimately, your valued customers.
Mr Jonathan Zhao is Managing Partner, Asia-Pacific Insurance Leader and Mr Todd Stewart is Executive Director, Financial Services Risk Advisory – Cyber Security, both at EY.