Cyber Risk: Reducing vulnerability to attack

Computer viruses have been an irksome part of life for decades but who would have thought a couple of years ago that malware could be infiltrated into a network through an e-cigarette, a doorbell or a toilet? Experts at the Expert Forum on Cyber Risk emphasised that any network-connectable device can become a vector through which cyber criminals can sneak into the systems they target.

Only about 50% of data breaches are the work of external hackers, while the remainder are attributable to theft of PCs or hard media, insider jobs done for profit or grudge, with others resulting from error, negligence, faulty systems or accidental publishing. There has been a huge increase in the number of corporate hacker attacks over the last five years. In Q2 of 2015, twelve mega attacks crippled the target organisations to the extent that they could not function or do business. Many attacks are fairly simple in nature, merely because the cyber criminals find many easy targets. Breaches are frequently effected through crude ram-raids, where the criminals penetrate the system, harvest data and get out. In other cases, the incursion is subtler and the attackers lurk in the network, sometimes for years, gathering information and choosing the best way to compromise the system.

While the technical know-how needed for basic incursions is readily accessible, the hackers should not be underestimated; the smarter ones are creative, flexible, quick to react to technological advances, and they can apparently get into any system. In a recent survey of over 200 chief information security officers, 75% of them thought that cyber attackers’ ability to infiltrate networks was growing faster than companies’ ability to mount a defence. Much cyber crime is organised into units like legitimate firms, with employees working 9 a.m. to 5 p.m. and reporting to managers who have budgets, objectives and deadlines. Clients can place orders on the dark web and have their “goods” delivered. Apart from the organised professionals, there are hackers who act alone or in small groups, sometimes out of sheer bravado rather than to make money. Some of these are just teenage “script kiddies”, but they have occasionally carried off very large-scale operations.

Data breaches often garner the most attention

The cyber crimes that most often hit the headlines involve customer records breaches. News of these spreads rapidly, not least because the companies infiltrated have to inform their customers. In addition, media stories of incidents like the recent VTech or TalkTalk hacks are lapped up by a public acutely aware of what it would mean to have their credit card records or identities stolen and their bank accounts plundered. So much credit card data has been taken that individual records are currently available very cheaply in the dark web milieu. Personal health data is now far more lucrative for the cyber criminals. The healthcare organisations, together with the banks and big retailers, are the sectors hardest hit by data breaches.

Intellectual property theft has less media impact than crime involving personal data, but it can destroy a firm’s competitive advantage and severely damage its future prospects. Sadly, clients for such stolen information are easily found. There have also been cases where companies embarking on major transactions have had their whole negotiation strategy and price ceiling hacked and sold to the organisation on the other side of the discussion table. Distributed denial-of-service (DDoS) attacks have increased in frequency, resulting in business interruption and ransom demands. Reputational damage is a further risk for companies that have been breached. In the Ashley Madison case, the hackers were not even out for financial gain; their intention was to shame the company and close its website. But the costs to the firm, including litigation, compensation and regulatory fines, are going to be enormous. This sort of “hacktivism”, i.e. breaching networks for political, ideological or moral reasons, is on the increase.

Cyber security is more than investing in IT technology

The picture might look gloomy, especially as cyber experts maintain that companies will never be able to make their networks completely impregnable. Fortunately, the same experts say that organisations can build a high degree of cyber resilience, implement effective strategies for rapid response to cyber threats, and significantly limit potential damage. The process requires considerable effort since the security mindset of many organisations is outdated; they have to realise that cyber security is no longer solely a matter of spending large sums on IT technology to guard a network. It is becoming increasingly intertwined with the major business processes, so that security professionals now have to take the business objectives into account and understand the value chain, including the implications of dealing with vendors, suppliers and customers. Similarly, the business professionals must recognise the importance of security considerations for applications and ways of acquiring and engaging with customers. In particular, C-level executives need to have a deeper and more nuanced grasp of cyber security than they did a decade or so ago. The way to cyber resilience is a cross-functional process.

What measures can be taken to reduce cyber risk?

Most of the measures to be taken by companies advancing to cyber resilience are not overt cyber security or core IT activities. The first essential action is to determine what the company’s critical information assets are and where they are stored digitally. In short, what are the crown jewels and how can they be protected?

The second measure is to involve everybody in the company in the defence effort, much of which will be distinctly low tech. Access to company premises must be strictly controlled. Employees must be trained in password security and simple precautions like not leaving PCs switched on unattended, keeping notebooks safe, and being careful what they put in the trash. “Dumpster divers” have made a lot of money out of data retrieved from waste bins. Similarly, decommissioned PCs must be carefully disposed of, since even deleted data can be retrieved from hard disks. Employees, especially in payroll and accounts, must be trained to deal with “CEO fraud”, where phony company executives make convincing, even authenticated, phone calls requesting money transfers. Every employee must be wary of phishing attacks. External suppliers and clients must be vetted for cyber security.

The third security measure is to incorporate cyber decision-making into standard business processes. The fourth, and critical, measure is to have an integrated incident response plan ready across all business functions. This states how to engage customers and regulators in the event of a breach, and how the facts should be communicated to the employees and the media. A good, vigorous response to a cyber breach may actually boost a company’s reputation, whereas stakeholders will tend to penalise firms that have responded poorly.

A fifth measure is to bring security in at the front end of application development, ensuring it is firmly placed in the technological environment. The next requirement is to assign differentiated protection to the important assets below crown-jewel level. Finally, cyber defences must be skilfully deployed: if an incursion is detected, the best response might not be to throw the intruder out. A sophisticated cyber security team might steer an attacker to benign parts of their system and glean as much intelligence as possible on what the intruder is looking for and how.

Cyber insurance uptake is on the rise

A huge element of cyber risk is the opportunity cost arising from firms’ reluctance to invest in innovative technology because of security fears. If companies can hedge some of that risk through insurance, they are more likely to implement new technology and reap its benefits. About 50 companies currently offer cyber insurance. In the event of a breach, and depending on the policy, it will cover forensics, regulatory notification and fines, privacy liabilities, public relations, and ransom demands if there is no viable alternative to paying. When the EU General Data Protection Regulation (GDPR) comes into force in 2018, breached companies considered to have inadequate security will be subject to heavy fines.

Cyber insurance has been on offer since about 2010. As insurers gain experience, they are well placed to evaluate the business implications of cyber attacks and advise companies on deployment of defence efforts. The questions insurers ask in rating cyber risk point the way to cyber resilience. They will want to know about the crown jewels, IT security and loss of revenue if IT goes down, employee training and awareness of cyber risk, and the risk coming from the supply chain and clients. They will further ask whether the company has a tested cyber incident response ready, which breach response specialist will be contacted, which data protection lawyer, which forensics company, and what the plans are for dealing with the press and contacting the regulators. Cyber insurance cannot replace a detailed risk analysis and creation of a crisis response mechanism, but if appropriate defence measures have been taken it will cover the residual risk. It is one component of cyber resilience, which is overall a change management and cultural issue.

Summary by Jeffrey Barnes. The article is based on the "Expert Forum on Cyber Risk" which took place on 29 January 2016 at the Swiss Re Centre for Global Dialogue.