Cyberspace has become an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. The technical capabilities and reach of cybercriminals are now equal to those of many governments and organizations. In the next few years, these capabilities will extend far beyond those of their victims. As a result, the ability of current control mechanisms to protect organizations is likely to diminish, exposing them to greater impact.
In this day and age, organizations must be prepared for the unpredictable so that they have the resilience to withstand unforeseen high-impact events. In 2014, the global cost of cybercrime was estimated at more than $400 billion, a sum roughly equal to that of other, more mature criminal activities such as counterfeiting or illegal drug sales. This makes cybercrime a lucrative business. Additionally, e-commerce sales are predicted to increase dramatically over the next two years, presenting cybercriminals with equally large opportunities.
Cybercrime, the increase in hacktivism, the rising cost of compliance with an uptick in regulatory requirements, and relentless advances in technology, all against a backdrop of underinvestment in security departments, can combine to create the perfect storm. Moving forward, if the C-Suite doesn’t understand cyberspace, they will either take on more risk than they would knowingly accept, or miss opportunities to further their strategic business objectives such as increasing customer engagement or market leadership. These organizations are more likely to suffer embarrassing incidents, and when they do, they will suffer greater and longer-lasting impact.
Cybercrime Is Valuable
It goes without saying that information that is stolen, leaked or lost has a value. Cybercrime syndicates mature as malspace continues to develop. Let’s take a look at a few types of cybercrime that we at the Information Security Forum (ISF) are seeing:
Crime-as-a-Service: As crime syndicates mature, they emulate corporate practices by aligning commercially and diversifying their enterprises, seeking profits by moving more of their activities online. They base their operations where political and law enforcement structures are weak and malleable in order to conduct their activities relatively undisturbed. This level of sophistication forces legitimate organizations everywhere to adapt their security strategies and fortify their internal business operations.
In a criminal marketplace with a global talent pool, professionalization will lead to specialization. Different criminal business units will focus on what they do best, and strategy development and market segmentation will emulate private sector best practices; malware development is a prominent example. Rising profits will allow crime syndicates to steadily diversify into new markets and fund research and development from their revenue. Online expansion of criminal syndicates will result in Crime-as-a-Service (CaaS) offerings and the proliferation of bulletproof distributed hosting providers that turn a blind eye to the malicious activities of their outlaw clients.
Mobility Concerns: Smartphones are a prime target for malicious actors. The rapid uptake of Bring Your Own Device (BYOD) and the introduction of wearable technologies to the workplace will intensify the high demand for mobile apps. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and testing to rapid delivery and low cost, producing poor quality products that are easily hijacked by criminals or hacktivists.
Mobile devices, applications, and cloud-based storage introduced to the workplace by employees constitute a growing security risk to businesses of all sizes. These risks stem from mismanagement of the device itself, external manipulation of software vulnerabilities, and the deployment of poorly tested, unreliable business applications (shadow IT).
IoT Adds Unmanaged Risks: The billions of devices that comprise the IoT will collect a wide variety of data from users, who will be unaware that it is happening, where the data is being stored, or who has access to it. These devices may be inadequately protected, exposing critical infrastructure, including industrial control and financial systems, to attack.
As organizations deal with this complex digital environment, they will respond by automating tasks previously performed by people. Human cognitive abilities will be regarded as a bottleneck to task completion and efficiency. Algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness. However, the interactions between these algorithms will become overwhelmingly complex, introducing significant new vulnerabilities and new challenges for security experts.
Insiders Continue to Pose a Threat: Most high-profile attacks on corporate data centers and institutional networks have originated outside of the victimized organizations. But the network openings that allow outside cyber-attackers to burrow in, infect databases and take down file servers almost always originate with trusted insiders. According to a worldwide survey of ISF members, the vast majority of those network openings were created innocently through accidental or inadvertent insider behavior. Vulnerabilities can be created by something as mundane as a trusted employee taking files to work on at home.
Moving forward, organizations must nurture a culture where insiders can be trusted – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs. A culture of trust becomes more imperative as the volume of information insiders can access, store, and transmit continues to soar and mobile working for multiple employers becomes the status quo.
The Dangers of Ransomware
Ransomware is certainly in the news these days, as has been seen with recent attacks on universities and healthcare institutions. In these attacks a targeted device, such as a laptop, smartphone or tablet, is locked, and the only person who holds the key to unlock it is the attacker, who typically demands money in return for that key.
Ransomware is a form of malware, and no organization or individual is immune from ransomware attacks. These are targeted, profit-driven attacks and the criminals don’t care who they get their money from. It’s clear that the easier the target, the more likely an individual or organization is to be attacked.
The guiding principle from an ISF standpoint is that all individuals who have access to an organization’s information and systems should be made aware of the risks from malware and ransomware and the actions required to minimize those risks. There are three key areas that should remain a focus for individuals and organizations. These include:
- Follow good practice around patching of operating systems and software, ensuring that virus scanners and malware protection are up to date and performing regular backups
- Ensure that anyone with access to the organization’s IT is educated about ransomware and is asked to apply appropriate security controls to the devices they connect
- Provide employees with continuous knowledge and learning about malware and ransomware
- Education cannot be a one-off; it should be reinforced frequently
One question that I’m asked frequently is “should I pay?” Ultimately, this is up to the discretion of the individual or the organization. Most will say that you should not pay. Others will say that it is OK. But remember, you could end up with a target on your back. The bottom line is that if you can’t do without the information, and you don’t have a backup, then paying is the only alternative you have left to recover your information. Therefore, prevention is the way to go to better protect yourself.
Cybersecurity Is Not Enough
No business is immune to a cyber-attack. But, there are ways to better protect your organization from future incidents.
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of cyberspace activity.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves.
Above all, cyber resilience is about safeguarding the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
The Importance of a Risk Assessment Process
Managing information risk is critical for all organizations, but effective only if it enables business strategies, initiatives, and goals. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of which risks could compromise business success and resilience.
For help with information risk assessment, I recommend reviewing the ISF Threat Radar. The Threat Radar plots an organization’s ability to manage a threat against that threat’s potential level of impact, thus helping determine its relative importance for an individual organization. It can also show any change likely to occur over the period in question.
It is important to remember that it is not feasible to defend against all threats. An organization, therefore, needs to look closely at its resilience: analyze and optimize the plans and arrangements in place to minimize impact, speed recovery, and learn from incidents.
Further detail on cyber resilience is available in our report Cyber Security Strategies: Achieving Cyber Resilience.
The Need for Better Security Awareness
Many businesses identify their people as their biggest advantage but fail to recognize the need to manage the human element of information security. People should be an organization’s strongest control. Organizations must go beyond security awareness training to embed positive information security behaviors that will turn into habits, creating a sustainable security culture throughout the enterprise. The real driver of security awareness activities should be risk, and how better employee behaviors can reduce that risk.
Adopting the perspective that disclosure will be more damaging than the data theft itself is a guaranteed way to damage customer trust. However, many organizations lack rehearsed incident response and tech-literate public relations plans. We urge our members to carefully consider their response, because an organization can’t control the news once it becomes public. This is particularly true as data breaches occur with greater frequency and the general public pays greater attention to privacy and security matters. I highly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.
Data breaches have become a regular feature of modern life. This will continue as long as efficiency and ease of data access trump security, a state of affairs that makes economic sense for many organizations, at least until they suffer a breach of their own. Once a breach happens, the value of security as a business enabler becomes clearer. Prevention and detection will evolve, but will continue to rely on technical and intelligence-based solutions. This will involve a discrete number of stakeholders and departments who implement the basics and thereby manage the majority of information risk.
At a time when data breaches are becoming far too common, organizations that produce an imaginative and credible response will have a comparative advantage over those that are slow and confused, and this will translate into tangible business value. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of today’s increasing cyber threats and respond appropriately.
About the Author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.