Exceptional, June - December 2014
Under attack and unaware
The changing nature of cybersecurity has resulted in a greater need for top-down leadership. But often, by the time the boardroom accepts that a threat exists, it’s already too late.
Cyber crime is considered a bigger threat than nuclear war, according to the UK Home Affairs Committee’s July 2013 report on e-crime. Hackers are increasingly relentless, and many businesses are unaware of the very real threat to their cybersecurity. It is no longer a matter of if your business will fall victim to cyber attacks, but when.
Organizations must be prepared to defend against this threat, but the tricky first step is to admit that the problem exists. While this may sound simple, making the leap from theory to practice can be hard.
Recognizing that a problem exists can get you out of the starting blocks, but in reality, when it comes to cyber attacks, you’ll likely be at the back of the pack. “Given the scale, expertise and funding of cyber attackers today, we have to assume our clients’ defenses have already been breached,” says Ken Allan, EY Global Information Security Leader.
Visit ey.com/giss to download EY’s 16th annual Global Information Security Survey.
Allan doesn’t hold back when it comes to the reality of cyber crime. “When we investigate our clients’ systems, more often than not we find evidence they have been breached, whether they think they have been or not. Once you adopt the position that you are going to be breached, and indeed probably have been, then you can look at ways you can contain that breach and learn from it in the future.”
Cyber crime is on the rise, and its broadening reach is affecting a growing number of businesses. Recent estimates by security technology company McAfee suggest the global cost of online criminality has reached more than US$300b annually.
In 2013, US retail giant Target admitted that credit and debit card information for 40 million of its customers had been compromised during the final days of the holiday season. A few weeks later, the company disclosed that the personal information of 70 million more customers had also been stolen. Responding to the breach has cost the company a reported US$61m, according to its fourth-quarter report to investors, and prompted the resignation of its chief information officer.
This is just one type of cyber crime affecting businesses worldwide. Other cases include hacking, intellectual property theft, tampering with research and development results, and malicious software that can be used to steal sensitive information or damage the software already running on the compromised system.
It is clear that Allan’s forthright assertion is not so out of place. “It’s not a sensationalist statement,” he says, discussing the inevitability of security breaches. “It is a statement that is more likely to be true than not.”
Preparing for a breach
The idea of accepting the probability of a security breach may be unnerving, but it follows a trend identified in EY’s 16th annual Global Information Security Survey, which highlights the growing risks associated with online security.
Of the 1,900 client organizations questioned, just under a third said the number of security incidents had increased over the past 12 months and nearly three-quarters admitted information security policies were now being reviewed at the highest organizational level.
“Certain sectors, such as financial services, have been working with this problem for some time, and other sectors are starting to catch up,” Allan explains. “Boardrooms are now very much focused on how well prepared they are to deal with a breach. Many are concentrating on the idea that their organization could suffer a catastrophic loss.” The largest sector represented in the survey’s findings operates in banking and capital markets, followed by technology firms.
Perhaps more interesting is the different ways that cyber crime can affect established companies and early-stage start-up businesses. “Conventional start-up businesses have the opportunity to get it right the first time,” says Allan.
“They can create a business culture that totally accepts dependency on digital and make that a key part of their business ethos. More established firms might have to overcome entrenched practices that are perhaps not in keeping with today’s challenges.”
He continues: “The opposing view is that fast-growing start-ups, which are focused on market entry and returning a profit, may have other business drivers vying for their attention. However, in the case of technology start-ups, an attack in the early stages could likely derail the venture completely.
“Since most of these businesses are founded on some form of innovation, that is where most emphasis should be placed when it comes to protection.”
For both start-ups and established businesses, identifying the company’s “crown jewels” and focusing protection on them should be the cornerstone of any security strategy. In terms of combating cyber threats generally, one of the leading practices identified in EY’s survey is the significance of boardroom support to establish clear charters for information security and long-term strategies.
According to the survey, innovators in this field pay particular attention to data protection and intelligence threats, while those following behind focus on the ability to respond to specific computer incidents. As Allan suggests, allocating security resources is a key step and should be guided by mission-critical components of the business.
While this often means directing investment toward software solutions, there is another resource that Allan believes is often overlooked. “If we’re dealing with an organization that employs 100,000 people who have all been properly trained in identifying possible security risks, we have, in effect, 100,000 security departments,” he says.
“If they haven’t been trained at even the most basic level, then we have 100,000 security risks.” Cyber criminals often target users of Skype, Windows and Facebook using an exploit tool to infect computers with malware disguised as Windows licenses, Facebook account verification emails, Skype voicemail notifications and spam messages.
Increasing use of the cloud has also opened up more opportunities for cyber criminals, who are using account fraud, account hijacking and stolen credentials to gain access to cloud-computing resources. Training staff about phishing attacks, for instance, and what to do when they see one, has the potential to make a greater impact than all the security software packages put together, argues Allan.
Of course, to make this feasible requires top-level endorsement and support. “You have to have senior executives setting the tone,” he concludes. “Unless they are saying that the business is dependent on being properly prepared to deal with a cyber attack, then the rest of the organization won’t take cybersecurity seriously. It’s that simple.”