Criminals go where they can make a profit – and few areas these days are as lucrative as cyberspace.
So it is not surprising that cyber crime is increasing at an alarming rate. According to Symantec’s 2015 Internet Security Threat Report, five out of every six companies employing more than 2,500 people were targeted in so-called spear-phishing attacks last year, a 40% increase in activity. These included attacks on healthcare (up by 37%), retail (+11%), education (+10%), government (+8%) and the financial sector (+6%).
Cyber attacks are also becoming more sophisticated, with some 340 million new malware variants unleashed in 2014. That is a staggering figure: nearly one million new pieces of malware a day.
As technology advances, so too do the channels through which cyber criminals operate. Despite all the systems we use to identify threats and block attacks, the bad guys only have to find one hole in the defences to get into sensitive corporate or government networks.
And there are plenty of paths for them to follow since our networks are globally interconnected and use a vast array of hardware and software. Moreover, there are multiple users, and, in the corporate context, that’s not just direct employees – partners, suppliers, clients and even consumers may have access to the network. Each one of these can present risks and vulnerabilities that hackers can exploit in increasingly subtle ways.
Playing catch up
Part of the challenge is that businesses and public agencies have invested heavily in new systems in recent years in a bid to increase efficiency and cut costs. But they have not invested as much in making this technology secure. As a result, many corporate enterprises and government agencies – increasingly alarmed by the cyber threats facing them – are now playing catch up.
In helping our clients modernize their security posture, we urge them to think about security holistically. The old dictum of addressing people, process and technology still holds true today.
Ultimately it is about risk management – deciding what level of risk your organization is prepared to take and making the necessary investments to protect your IT infrastructure and data accordingly. If any one of the three areas gets insufficient attention, then you may have a gap in your defences that creates more risk than you are willing to accept.
With the proliferation of “bring your own device” policies, web applications, the Internet of Things, and use of social media in the workplace, individual behaviours provide perhaps one of the biggest challenges to corporate enterprises today. It is vital to properly train and educate employees in cyber security. Too often employees, at all levels of seniority, assume that cyber security is not something they need to worry about. There is a view that the Chief Information Security Officer will make sure the system and data are secure while they get on with their own roles.
But, in reality, cyber security truly is everyone’s responsibility, because hackers carefully target individuals at all levels of an organization. They research individuals with access to the network, either inside or outside the company. They build a profile, perhaps gleaning useful personal information from social media, and then use this to target the unsuspecting individual with what often looks like an entirely legitimate and innocuous email. That person opens it up, clicks the attachment, and the hacker is in.
So while people are a company’s greatest asset, they can be, in the context of cyber security, also their greatest point of weakness. And corporate trends can exacerbate the people problem. The number of companies encouraging employees to bring their own devices to work, for example, means there are now many far less secure devices accessing a corporate network. As a result, we are seeing a growing demand from large organizations to equip them with both our enterprise and personal or consumer security software.
But the general point is this. Making cyber awareness part of the corporate DNA is one of the most effective ways to protect against cyber risks.
It is something we work hard on at Symantec. People often assume that, as a leading security technology provider, cyber security really shouldn’t be a problem for us. But as a global company, employing 20,000 staff in 50 countries, it is as important for us as for any other enterprise to keep checking our procedures. And perhaps even more so given the impact a breach could have on our reputation and brand. As such, we run regular exercises to test our defences, our employees’ security awareness, and their use of our procedures, such as reporting attempted breaches to our security response centre for action.
Such tests are vital for any company. But the evidence suggests companies have a long way to go to get this right.
A recent survey of members of the Information Security Forum found that only 41% rated their awareness programs as “good” or “very good”, with 59% saying they “needed improvement”. Moreover, none considered their efforts to be “excellent”, implying that there is room for improvement in nearly all organisations.
Process and technology
Companies also need the right processes in place to respond quickly when a breach occurs. Having a tested plan in place before a crisis, one that addresses the technology, legal and media aspects, can reduce exposure and help executives respond immediately and manage the organization through the event.
And of course, having the right technologies to protect your networks and data is core to managing cyber risk. According to a recent report from the Online Trust Alliance, 90% of last year’s breaches could have been prevented if organisations implemented basic cybersecurity best practices.
We advise clients to look at five basic aspects of security technology. Organizations should use modern security software, as well as strong passwords and multifactor authentication. You would expect somebody like me to stress the importance of using the very latest security software. But the truth is that whatever system you choose, you need to ensure it provides modern security protections. For example, if you are currently using a five-year-old Symantec product, you will have about half the level of protection needed to address the current threat environment – it’s just a reflection of how much our security technology has evolved to meet today’s threats.
Encryption is also key to ensuring data is protected, whether at rest or in transit. Finally, data loss prevention (DLP) technology can help stop the theft of sensitive data by alerting the system manager to anomalies before the data is exfiltrated, or moved outside the system. For instance, if two terabytes of data are leaving your network at three o’clock in the morning when no one should be working, then you probably have a problem. Without DLP technology, such an anomaly would likely go unnoticed until it is too late.
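The off-hours egress anomaly described above is the kind of check a DLP or network monitoring tool performs. The following is an added illustration, not code from Symantec or from any product mentioned in this article: it builds a constructed per-host egress log (hostnames, dates and volumes are all invented), learns a per-host, per-hour-of-day baseline from the first seven days, and flags any later hour whose outbound volume exceeds that baseline by more than a chosen number of standard deviations. The thresholds, the record format and the `min_history` and `floor` parameters are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MB = 1024 ** 2
TB = 1024 ** 4

# Constructed baseline boundary: the first seven days are history, the eighth is scored.
BASELINE_END = datetime(2015, 10, 12)


def build_sample_records():
    """Constructed egress log: (timestamp, host, bytes_out) for each host and hour
    over eight days. Volumes are steady, except for a 2 TB transfer at 03:12 on day eight."""
    records = []
    start = datetime(2015, 10, 5)  # constructed start date
    for day in range(8):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            busy = 8 <= hour < 18
            records.append((ts, "fileserver-01", 50 * MB if busy else 1 * MB))
            records.append((ts, "workstation-17", 5 * MB if busy else 0))
    records.append((start + timedelta(days=7, hours=3, minutes=12), "fileserver-01", 2 * TB))
    return records


def hourly_totals(records):
    """Sum bytes per (host, hour bucket) so a burst of small flows is judged as one volume."""
    totals = defaultdict(int)
    for ts, host, nbytes in records:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[(host, bucket)] += nbytes
    return totals


def detect_egress_anomalies(records, baseline_end, sigma=3.0, floor=10 * MB,
                            business_hours=(8, 18), min_history=3):
    """Flag hour buckets at or after `baseline_end` whose egress exceeds the host's
    historical mean for that hour of day by more than `sigma` standard deviations.
    `floor` stops a perfectly steady history (stdev 0) from alerting on trivial noise."""
    totals = hourly_totals(records)
    history = defaultdict(list)
    for (host, bucket), nbytes in totals.items():
        if bucket < baseline_end:
            history[(host, bucket.hour)].append(nbytes)

    alerts = []
    for (host, bucket), nbytes in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if bucket < baseline_end:
            continue
        past = history.get((host, bucket.hour), [])
        if len(past) < min_history:
            continue  # too little history to judge; a real deployment would log this gap
        mu, sd = mean(past), pstdev(past)
        threshold = max(mu + sigma * sd, floor)
        if nbytes > threshold:
            alerts.append({
                "host": host,
                "when": bucket.isoformat(),
                "hour": bucket.hour,
                "bytes": nbytes,
                "threshold": int(threshold),
                "off_hours": not (business_hours[0] <= bucket.hour < business_hours[1]),
            })
    return alerts


def run_demo():
    """Score the constructed log and return the alerts it raises."""
    return detect_egress_anomalies(build_sample_records(), BASELINE_END)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['when']} {alert['host']}: {alert['bytes'] / TB:.2f} TB out "
              f"(threshold {alert['threshold'] / MB:.0f} MB, off hours: {alert['off_hours']})")
```

Two design points matter in practice. Baselining per hour of day, rather than against a single daily average, is what makes a 2 TB transfer at 03:00 stand out even on a host that legitimately moves large volumes during business hours. And the absolute floor matters because a host with an unvarying history has a standard deviation of zero, so without it any single extra byte would trigger an alert.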
Regulators, law enforcement, and policymakers are also struggling to keep up. In part, this is appropriate as policy should follow technology development because it is important that we do not stifle innovation with premature rule making. Nevertheless, companies – particularly those working in multiple jurisdictions – would clearly benefit if there were stronger and better coordinated actions by law enforcement to bring cyber criminals to justice.
While progress is being made on cross-border cyber apprehensions and prosecutions, the global nature of cybercrime and the speed at which it happens are significant obstacles to making more progress.
In addition, regulations for data and network protection are often sector-specific rather than general – perhaps with the exception of those governing critical infrastructure. As a result, we see varying levels of security practices being implemented across different business sectors.
However, we have seen some positive advancements in this area. One is the launch of the Cyber Security Framework by the U.S. National Institute of Standards and Technology (NIST).
The Framework – developed following a 2013 executive order from President Barack Obama – was drawn up in close consultation with industry and is not regulation per se. Instead it provides a menu of actions companies and government agencies across sectors can take following five key principles – identify, protect, detect, respond and recover.
The Framework is flexible, recognising that not all businesses need the level of industrial-grade protection that might be required by, for instance, a nuclear power plant. But it is a highly practical and usable risk management reference guide, and has been deployed by multinational companies all over the world.
We are also seeing the finalization of the European Union’s General Data Protection Regulation. While not yet completed, we expect it will have far reaching impacts on how data is processed, stored and secured for organizations doing business in Europe. As such, companies are starting to prepare for the expected new requirements.
To that end, the “State of Privacy in Europe Report”, published by Symantec earlier this year, in which we surveyed 7,000 individuals in seven European countries, identified significant concerns by individuals on how their data is used and protected. The report provides a snapshot of data privacy perceptions, and reveals that people do not believe businesses and governments are doing enough to keep their information safe. The Report offers suggestions on how businesses can improve their data privacy position, and get ready for the impending new data protection regulations.
We can’t escape the fact that one of the most serious types of cyber attack is state-sponsored. It is a significant issue and there is an ongoing international debate about accepted norms of behaviour in cyberspace.
There has been some good news on this front recently, with the UN’s Group of Governmental Experts (GGE) agreeing in June on a set of norms that include three key commitments: nations should not attack each other’s critical infrastructure; nations should not target each other’s cyber emergency responders; and nations should help other nations investigate cyber attacks launched from their own territories. Though this still has some way to go before becoming a formal protocol, it is important that the U.S., Russia and China are all represented on the GGE. Moreover, we saw in September 2015 some movement on the cyber norms front between the U.S. and China with their agreement following the summit between Presidents Obama and Xi. This is a welcome development.
Government policies in the name of national security also can have a serious impact on commercial enterprises – not least in the area of so-called tech-nationalism where a government will use cyber security regulations to foster growth of its own IT sector.
In its 2012 report titled “Lockout”, BSA|The Software Alliance identified a number of challenges with these in-country, “behind the border” regulations and requirements. These policies are often couched as promoting indigenous innovation, enhancing security, or advancing other domestic priorities such as market expansion. Because they are done under the guise of national security, they are much more difficult to challenge in the WTO or with traditional trade remedies. The result is market exclusion, or the imposition of costs (e.g., new testing and standards) that domestic suppliers don’t have to bear, thereby making multinational firms uncompetitive.
It is understandable why any nation might insist on having more domestic IT suppliers serving critical and sensitive government networks. But when these requirements expand across commercial sectors they can be significant market barriers to new entrants or existing players. They also can limit the availability of the most current security technologies to commercial enterprises, such as financial institutions, whose business is highly dependent on safe and secure transactions.
Companies, as we’ve seen, have a tough enough job with their own corners of cyberspace.
Geo-politics, for now, is making that job a good deal more complex and it presents yet another cyber risk that executives must understand and manage.
Does that make me a pessimist about where all this is going?
Well, no. Our role at Symantec is to create technologies that protect information wherever it is stored or accessed. Even with the almost daily reports of new threats and breaches you can’t work in cyber security and be a pessimist.
However, you do have to be a realist, and that means starting from a simple fact: it’s not a matter of if your IT systems will be compromised, but when.
After that, it’s a case of managing your cyber security risk by taking all of the appropriate actions to best protect your organization and your information.