Last December, Target, one of the world’s largest retailers, confirmed that its US stores chain had suffered a massive data breach of 40m credit and debit card accounts. As of February 2014, the breach has cost Target US$61m.
Also in February this year, a Distributed Denial of Service (DDoS) attack, designed to knock a company’s systems off the internet, broke the 400 gigabits per second (Gbps) mark. This ‘cyber tsunami’ smashed the record of 300 Gbps a year ago.
Separately that month internet security firm Hold Security uncovered stolen credentials from 360m accounts and 1.25bn email addresses available for sale on the black market. Again, this surpassed the previous record of 153m credentials stolen from Adobe Systems last October.
These high-profile cyber attacks all point to a fact which can no longer be ignored: it is not a question of whether systems will be breached, but when.
Cyber Risk High on Board Agendas
Cyber security breaches have become an urgent challenge. They threaten entire financial systems and, in some instances, have resulted in extensive damage of physical infrastructure across critical national and corporate systems.
The World Economic Forum (WEF) has also identified cyber attacks as one of the top global risks since 2012. In a report released earlier this year, the WEF noted that major technology trends could create between US$9.6 trillion and US$21.6 trillion in value for the global economy. Conversely, failure to defend against cyber attacks will lead to new regulations and corporate policies, which will cost the global economy some US$3 trillion by 2020.
It is no wonder then that organisations today are finding themselves under heightened scrutiny. They are increasingly subjected to legislative, corporate and regulatory requirements, which demand evidence to verify that confidential information is being protected and managed appropriately.
Cyber risk has also risen in prominence on the board agenda. Investors, governments and regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.
The Current Cyber Security Landscape
KPMG’s analysis of the current technology and security landscape reveals several key megatrends. For one, organisations are increasingly losing control over the computing environment.
Consumerisation of information technology (IT) and the rapid adoption of disruptive technologies increase the attack breadth and thus, strains existing defences. Changing work patterns including remote access, big data, cloud computing and mobile technology are among the factors that increase organisations’ exposure to cyber threats.
Cybersecurity systems are also in a state of continuous compromise. The rise of sophisticated, determined and well-funded attackers performing advanced attacks capable of bypassing traditional protection mechanisms have further increased security challenges. In some instances, threats persist undetected for extended periods.
Another major issue is right-spending and capabilities. With the pressure to optimise capital and operational spend on already constrained IT and security budgets, organisations are forced to make assumptions that existing security measures are sufficient to mitigate against today’s advanced security threats. This has challenged the ability of many of them in acquiring, retaining and enhancing relevant talent in their workforce.
Understanding the Cyber Adversary
Cyber criminals are, of course, also aware of these vulnerabilities. The motives of cyber criminals are various, from pure financial gain to espionage and terrorism. Understanding the adversary, or the person or organisation sponsoring or conducting the attacks, is the first step essential for effective defence.
Adversaries can be divided into four categories:
- An individual hacker, generally acting alone and motivated by being able to show what he or she can do.
- The activist, focused on raising the profile of an ideology or political viewpoint, often by creating fear and disruption.
- Organised crime, focused solely on financial gain through a variety of mechanisms from phishing to selling stolen company data.
- Governments, focused on improving their geopolitical position and/or commercial interests.
Attacks by these different adversaries have a number of different characteristics, such as the type of target, the attack methods and scale of impact. Understanding the adversary will go a long way towards establishing intelligence, a vital component to effective cyber security.
Intelligence is Key
Threat intelligence is growing in importance because solely relying on defence is no longer viable. The determined adversary will get through eventually.
Intelligence will help organisations to know and understand the larger cyber environment out there. This is so that they can quickly identify when an attack has taken place, or when an attack is imminent.
An intelligence capability enables organisations to identify potential threats and vulnerabilities in order to minimise the ‘threat attack window‘ and limit the amount of time an adversary gains access to the network before they are discovered. Organisations that take this approach understand that threat intelligence is the ‘mechanism’ that drives cyber security investment and operational risk management.
Prevent, Detect, Respond
Having a strong intelligence capability will allow organisations to effectively prevent, detect and respond to threats.
- Prevention: This begins with governance and organisation. It is about technical measures, including placing responsibility for dealing with cyber attacks within the organisation and awareness training for key staff.
- Detection: Through monitoring of critical events and central safety incidents, an organisation can strengthen its technological detection measures. Monitoring and data mining together form an excellent instrument to detect abnormal patterns in data traffic, find the location on which the attacks focus and to observe system performance.
- Response: This refers to activating a plan as soon as an attack occurs. During an attack, the organisation should be able to directly deactivate all technology affected. When developing a response and recovery plan, an organisation should perceive information security as a continuous process and not as a one-off solution.
Managing Cyber Threats as Part of Risk Management
Cyber threats should be considered as part of the company’s risk management process. Companies should start with identifying the critical information assets they wish to protect against cyber attack -the crown jewels of the firm – whether these be the financial data, operational data, employee data, customer data or intellectual property.
More importantly, companies should focus on the perspective of the attackers and understand through a robust intelligence framework what the threats are after and the value of assets to cybercriminals.
Companies should also determine their cyber risk tolerance and implement controls to prepare, protect, detect and respond to a cyber attack – including managing the consequences of a cyber security incident.
Finally, organisations should monitor cyber security control effectiveness and institute a programme of continuous improvement, or where needed, transformation, to match the changing cyber threat -with appropriate performance indicators.
Conclusion: Transforming your Cyber Security
Dealing with cyber threats today is a complex matter. As the threat landscape is continuously evolving, a shift of focus from relying solely on preventive defence to a more detective and responsive stance is critical.
Intelligence and the insight that it brings is at the heart of next generation information security.
In many large, complex global organisations, moving from a reactive to proactive operating mode requires transformative change. Technological vulnerabilities are only part of the problem. Organisations must also address core people processes, culture and behaviours so that cyber security becomes a company-wide approach.
Tim de Knegt, treasurer for the Port of Rotterdam, discusses how he is looking to bring more value to the Port's clients using blockchain.
Regulation technology is fast gaining currency by transforming how financial institutions can tackle compliance in a swift, comprehensive and less expensive manner.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.