Feature

Cyber Crime

Cyber crime has galloped to the top of the business risk agenda. It's a huge threat that won't go away, but companies can take action.


CYBER SECURITY RISK: LIVING ON THE DIGITAL EDGE

The statistics are daunting. Cyber crime is growing at an alarming rate and becoming increasingly sophisticated, with companies and policymakers struggling to keep up. Here Cheri McGuire, who oversees cyber security policy for Symantec, maps the scale of the problem and outlines how companies can manage risk and make themselves safer.

Criminals go where they can make a profit – and few areas these days are as lucrative as cyberspace.

So it is not surprising that cyber crime is increasing at an alarming rate. According to Symantec’s 2015 Internet Security Threat Report, five out of every six companies employing more than 2,500 people were targeted in so-called spear-phishing attacks last year, a 40% increase in activity. These included attacks on healthcare (up by 37%), retail (+11%), education (+10%), government (+8%) and the financial sector (+6%).

Cyber attacks are also becoming more sophisticated, with some 340 million new malware variants unleashed in 2014. That is a staggering figure: nearly one million new pieces of malware a day.

As technology advances, so too do the channels through which cyber criminals operate. Despite all the systems we use to identify threats and block attacks, the bad guys only have to find one hole in the defences to get into sensitive corporate or government networks.

And there are plenty of paths for them to follow since our networks are globally interconnected and use a vast array of hardware and software. Moreover, there are multiple users, and, in the corporate context, that’s not just direct employees – partners, suppliers, clients and even consumers may have access to the network. Each one of these can present risks and vulnerabilities that hackers can exploit in increasingly subtle ways.

Playing catch up

Part of the challenge is that businesses and public agencies have invested heavily in new systems in recent years in a bid to increase efficiency and cut costs. But they have not invested as much in making this technology secure. As a result, many corporate enterprises and government agencies – increasingly alarmed by the cyber threats facing them – are now playing catch up.

In helping our clients modernize their security posture, we urge them to think about security holistically. The old dictum of addressing people, process and technology still holds true today.

Ultimately it is about risk management – deciding what level of risk your organization is prepared to take and making the necessary investments to protect your IT infrastructure and data accordingly. If any one of the three areas gets insufficient attention, then you may have a gap in your defences that creates more risk than you are willing to accept.

People

With the proliferation of “bring your own device” policies, web applications, the Internet of Things, and use of social media in the workplace, individual behaviours provide perhaps one of the biggest challenges to corporate enterprises today. It is vital to properly train and educate employees in cyber security. Too often employees, at all levels of seniority, assume that cyber security is not something they need to worry about. There is a view that the Chief Information Security Officer will make sure the system and data are secure while they get on with their own roles.

But, in reality, cyber security truly is everyone’s responsibility, because hackers carefully target individuals at all levels of an organization. They research individuals with access to the network, either inside or outside the company. They build a profile, perhaps gleaning useful personal information from social media, and then use this to target the unsuspecting individual with what often looks like an entirely legitimate and innocuous email. That person opens it up, clicks the attachment, and the hacker is in.

So while people are a company’s greatest asset, they can be, in the context of cyber security, also their greatest point of weakness. And corporate trends can exacerbate the people problem. The number of companies encouraging employees to bring their own devices to work, for example, means there are now many far less secure devices accessing a corporate network. As a result, we are seeing a growing demand from large organizations to equip them with both our enterprise and personal or consumer security software.

But the general point is this. Making cyber awareness part of the corporate DNA is one of the most effective ways to protect against cyber risks.

It is something we work hard on at Symantec. People often assume that, as a leading security technology provider, cyber security really shouldn’t be a problem for us. But as a global company, employing 20,000 staff in 50 countries, it is as important for us as for any other enterprise to keep checking our procedures. And perhaps even more so given the impact a breach could have on our reputation and brand. As such, we run regular exercises to test our defences, our employees’ security awareness, and their use of our procedures, such as reporting attempted breaches to our security response centre for action.

Such tests are vital for any company. But the evidence suggests companies have a long way to go to get this right.

A recent survey of members of the Information Security Forum found that only 41% rated their awareness programs as “good” or “very good”, with 59% saying they “needed improvement”. Moreover, none considered their efforts to be “excellent”, implying that there is room for improvement in nearly all organisations.

Process and technology

Companies also need the right processes in place to respond quickly when a breach occurs. Having a tested plan before a crisis, that addresses technology, legal, and media aspects, can reduce exposure and aid executives with immediately responding and managing through the event.

And of course, having the right technologies to protect your networks and data is core to managing cyber risk. According to a recent report from the Online Trust Alliance, 90% of last year’s breaches could have been prevented if organisations implemented basic cybersecurity best practices.

We advise clients to look at five basic aspects of security technology. Organizations should use modern security software, as well as strong passwords and multifactor authentication. You would expect somebody like me to stress the importance of using the very latest security software. But the truth is that whatever system you choose, you need to ensure it provides modern security protections. For example, if you are currently using a five-year-old Symantec product, you will have about half the level of protection needed to address the current threat environment – it’s just a reflection of how much our security technology has evolved to meet today’s threats.

Encryption is also key to ensure data is protected, whether at rest or in transit. Finally, data loss prevention (or DLP) technology can help stop the theft of sensitive data by alerting the system manager to anomalies before the data is exfiltrated, or moved outside the system. For instance, if two terabytes of data is leaving your network at three o’clock in the morning when no one should be working, then you probably have a problem. Without DLP technology, such an anomaly would likely go unnoticed until it is too late.
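As an added illustration (not code from the article or from any Symantec product), the off-hours volume check described above, run over a handful of constructed outbound flow records; the host names, destination addresses, thresholds and the "internal" address prefix are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound flow records: (timestamp, source host,
# destination address, bytes sent). Not real data; built to exercise the check.
SAMPLE_FLOWS = [
    ("2015-10-05T10:15:00", "fileserver01", "203.0.113.10", 850_000_000),
    ("2015-10-05T14:40:00", "fileserver01", "203.0.113.10", 1_200_000_000),
    ("2015-10-05T03:05:00", "fileserver01", "198.51.100.7", 1_100_000_000_000),
    ("2015-10-05T03:20:00", "fileserver01", "198.51.100.7", 950_000_000_000),
    ("2015-10-05T03:10:00", "backup02", "10.0.0.5", 700_000_000_000),
]

GB = 1_000_000_000
BUSINESS_HOURS = range(8, 18)      # assumed: 08:00-17:59 is working time
OFF_HOURS_LIMIT = 10 * GB          # assumed: more than 10 GB/hour off-hours is anomalous
BUSINESS_HOURS_LIMIT = 500 * GB    # assumed: generous daytime limit
INTERNAL_PREFIXES = ("10.",)       # assumed: transfers to internal backup hosts are expected


def is_internal(dst):
    """Treat destinations inside the assumed internal range as not leaving the network."""
    return dst.startswith(INTERNAL_PREFIXES)


def aggregate_hourly(flows):
    """Sum external outbound bytes per (host, date, hour) bucket."""
    totals = defaultdict(int)
    for ts, host, dst, nbytes in flows:
        if is_internal(dst):
            continue
        t = datetime.fromisoformat(ts)
        totals[(host, t.date().isoformat(), t.hour)] += nbytes
    return totals


def detect_anomalies(flows):
    """Return one alert per hourly bucket whose external volume exceeds the
    limit that applies to that time of day (much stricter outside business hours)."""
    alerts = []
    for (host, day, hour), total in sorted(aggregate_hourly(flows).items()):
        in_business_hours = hour in BUSINESS_HOURS
        limit = BUSINESS_HOURS_LIMIT if in_business_hours else OFF_HOURS_LIMIT
        if total > limit:
            alerts.append({
                "host": host,
                "date": day,
                "hour": hour,
                "gigabytes": round(total / GB, 1),
                "window": "business" if in_business_hours else "off-hours",
            })
    return alerts


if __name__ == "__main__":
    # Expected: a single off-hours alert for fileserver01 at 03:00 (about 2 TB).
    for alert in detect_anomalies(SAMPLE_FLOWS):
        print(alert)
```

A real DLP or network-monitoring deployment would derive the per-host baseline from historical traffic rather than from fixed constants, but the shape of the rule, volume per time window compared against what is normal for that window, is the same.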

Regulation

Regulators, law enforcement, and policymakers are also struggling to keep up. In part, this is appropriate as policy should follow technology development because it is important that we do not stifle innovation with premature rule making. Nevertheless, companies – particularly those working in multiple jurisdictions – would clearly benefit if there were stronger and better coordinated actions by law enforcement to bring cyber criminals to justice.

While progress is being made on cross-border cyber apprehensions and prosecutions, the global nature of cybercrime and the speed at which it happens are significant obstacles to making more progress.

In addition, regulations for data and network protection are often sector-specific rather than general – perhaps with the exception of those governing critical infrastructure. As a result, we see varying levels of security practices being implemented across different business sectors.

However, we have seen some positive advancements in this area. One is the launch of the Cyber Security Framework by the U.S. National Institute of Standards and Technology (NIST).

The Framework – developed following a 2013 executive order from President Barack Obama – was drawn up in close consultation with industry and is not regulation per se. Instead it provides a menu of actions companies and government agencies across sectors can take following five key principles – identify, protect, detect, respond and recover.

The Framework is flexible, recognising that not all businesses need the levels of industrial grade protection that might be required, for instance by a nuclear power plant. But it is a highly practical and useable risk management reference guide, and has been deployed by multinational companies all over the world.

We are also seeing the finalization of the European Union’s General Data Protection Regulation. While not yet completed, we expect it will have far reaching impacts on how data is processed, stored and secured for organizations doing business in Europe. As such, companies are starting to prepare for the expected new requirements.

To that end, the “State of Privacy in Europe Report”, published by Symantec earlier this year, in which we surveyed 7,000 individuals in seven European countries, identified significant concerns by individuals on how their data is used and protected. The report provides a snapshot of data privacy perceptions, and reveals that people do not believe businesses and governments are doing enough to keep their information safe. The Report offers suggestions on how businesses can improve their data privacy position, and get ready for the impending new data protection regulations.

Geo-politics

We can’t escape the fact that one of the most serious types of cyber attack is state-sponsored. It is a significant issue and there is an ongoing international debate about accepted norms of behaviour in cyberspace.

There has been some good news on this front recently, with the UN’s Group of Governmental Experts (GGE) agreeing in June on a set of norms that include three key commitments: nations should not attack each other’s critical infrastructure; nations should not target each other’s cyber emergency responders; and nations should help other nations investigate cyber attacks launched from their own territories. Though this still has some way to go before becoming a formal protocol, it is important that the U.S., Russia and China are all represented on the GGE. Moreover, we saw in September 2015 some movement on the cyber norms front between the U.S. and China with their agreement following the summit between Presidents Obama and Xi. This is a welcome development.

Government policies in the name of national security also can have a serious impact on commercial enterprises – not least in the area of so-called tech-nationalism where a government will use cyber security regulations to foster growth of its own IT sector.

In its 2012 report titled “Lockout”, BSA|The Software Alliance identified a number of challenges with these in-country, “behind the border” regulations and requirements. These policies often are couched as promoting indigenous innovation, enhancing security, or advancing other domestic priorities such as market expansion. Because these are done under the guise of national security, it is much more difficult to challenge them in the WTO or with traditional trade remedies. The result is market exclusion or the imposing of costs (e.g., new testing and standards) that domestic suppliers don’t have to bear, thereby making multinational firms uncompetitive.

It is understandable why any nation might insist on having more domestic IT suppliers serving critical and sensitive government networks. But when these requirements expand across commercial sectors they can be significant market barriers to new entrants or existing players. They also can limit the availability of the most current security technologies to commercial enterprises, such as financial institutions, whose business is highly dependent on safe and secure transactions.

Companies, as we’ve seen, have a tough enough job with their own corners of cyberspace.

Geo-politics, for now, is making that job a good deal more complex and it presents yet another cyber risk that executives must understand and manage.

Realism

Does that make me a pessimist about where all this is going?

Well, no. Our role at Symantec is to create technologies that protect information wherever it is stored or accessed. Even with the almost daily reports of new threats and breaches, you can’t work in cyber security and be a pessimist.

However, you do have to be a realist, and that means starting from a simple fact: it’s not a matter of if your IT systems will be compromised, but when.

After that, it’s a case of managing your cyber security risk by taking all of the appropriate actions to best protect your organization and your information.

DEFENDING THE DIGITAL FRONTIER

Few corporate risks are as hard to counter or control as the now constant threat to cyber security. But there are effective technical, legal and practical steps companies can take to bolster their defences, says Lawson Caisley.

It’s been said that there are two types of company where cyber security is concerned – companies that have been hacked; and companies that have been hacked, but don’t yet realise it.

That may be a slight exaggeration – but only a slight one. Cyber security is now right at the top of the risk agenda in company boardrooms across all sectors. It’s a huge problem and the threats are changing and evolving all the time.

This is a different level of business risk. Most other business risks are fairly containable. You can get your hands round them relatively effectively, and can generally take very effective action to mitigate them.

Cyber security just isn’t like that and for two main reasons.

First, the nature of the threat and the techniques used by cyber criminals are sophisticated and fast-moving. Regulators and the information security industry often struggle to keep up with the technical innovations and developments used by the criminals. Professional hackers are smart people, not two-bit criminals. Were they on the right side of the law, they would probably be in high-powered jobs in the tech industry. Their attacks are meticulously planned to exploit both technological and human vulnerabilities right through a company’s operations and its supply chain. If there is a way in, they will generally find it, often without detection.

Secondly, the scale of the damage and disruption that can be caused by a cyber breach is daunting. A company whose security is breached may have to manage a vast range of issues at once, and a failure to do so effectively can be potentially crippling.

Fall-out

Companies could face claims from customers and employees whose personal information may have been compromised. They may also face regulatory scrutiny and investigation and will need to demonstrate that they are not culpable for leaving themselves open to attack.

If attackers have stolen confidential information, the company will want to take steps to get it back and prevent it being misused. This can be extremely difficult, particularly when hackers are operating from jurisdictions where the courts are less willing to grant the necessary disclosure orders and injunctions against use, or where the relevant legal and regulatory protections are weaker.

On top of all the above, the issue can quickly become a public relations disaster and can cause long-term financial and reputational damage.

All sectors are at risk. The financial services sector, though generally regarded as having the most sophisticated defences and the tightest regulation, is a particular target for hackers. The information on their systems can often be sold or exploited for financial gain. Other hackers may be motivated by politics rather than money, as Sony found out when it was allegedly hacked by North Korea. Critical infrastructure like utilities may increasingly become a target for cyber criminals.

And it’s not just about external threats. Some of the most damaging cyber attacks occur when an employee with legitimate access to a company’s systems decides to abuse their position of trust and steal sensitive data and information. For example, there have been several court cases in the UK and the U.S. recently relating to the theft of automated trading algorithms and codes by dishonest employees of investment banks and hedge funds. Such cases often highlight differences in the level of protection and remedies afforded to employers in different jurisdictions. For example, one recent case in the UK ended with a conviction and four-year prison sentence for fraud. By contrast, a very similar case in the U.S. resulted in the court concluding that, although the employee had contravened his employment contract, he had not committed a criminal offence. This is not easy territory to navigate.

Countermeasures

However, the good news is that companies can adopt measures – technical and procedural – to reduce the risks.

Regulation is moving in the right direction in terms of creating a co-ordinated, cross-border response to the problem. And there are legal remedies available, although they may differ from jurisdiction to jurisdiction.

Internally, it’s vital that companies educate their employees about the risks. Recognising a spam email used to be pretty simple. It’s a lot harder these days. Hackers will often target individuals, build up a picture of their interests and habits from social media, and then channel the malware through an enticing and entirely credible looking personalised email. Simple rules about not opening attachments from an unknown source must be in place.

Effective monitoring is also vital – and it must include junior and senior employees alike. It is often assumed that more junior staff represent a greater risk to the integrity of a company’s systems than senior staff, but it is often the other way round. Clear contractual arrangements with suppliers and service providers, which specify cyber security standards and provide for regular audits, are also key.

Technology and risk procedures can be rigorously tested, often with very effective help and support from external agencies. In the UK, for example, HM Treasury, the Financial Conduct Authority and the Bank of England have launched CBEST, a highly effective penetration testing service which allows key financial institutions to assess the robustness of their defences against cyber attack.

While national laws may differ quite radically from one country to the next, regulators are increasingly trying to co-ordinate the approach to rule making in this area and to co-operate more closely with each other.

The EU’s new Network and Information Security Directive, for example, aims to introduce a co-ordinated response across Europe to cyber attacks and requires mandatory reporting of certain incidents. Companies that have been hacked may not welcome being forced to disclose the fact, but information sharing is essential if effective defences against cyber attacks are to be developed and maintained.

The law offers both civil and criminal remedies for companies that have been hacked, and several jurisdictions are beefing up laws in this area. In the UK, for example, the Computer Misuse Act has recently been amended to provide for life imprisonment for hackers who cause death, injury or damage to national security.

As a firm, we work closely with clients to ensure that all possible steps have been taken to manage the legal risk arising out of potential cyber attacks. There is a suite of strategies clients can adopt in order to reduce legal risk, including the adoption of robust data security and retention policies, staff training and education programmes, and protective provisions in contracts with suppliers, service providers and customers covering issues such as security standards, audit rights and limitation of liability. In addition, insurance against cyber attacks is becoming an increasingly standard part of clients’ strategies for containing risk.

Criminals, of course, will always try to stay one step ahead of their targets. But companies are not powerless. They may not be able to stop an attack, but they can certainly take significant steps to minimise the risk and plan the actions they will take if (or, as many experts would have it, when) an attack occurs.
