The better the question. The better the answer. The better the world works. У вас есть вопрос? У нас есть ответ. Решая сложные задачи бизнеса, мы улучшаем мир. У вас є запитання? У нас є відповідь. Вирішуючи складні завдання бізнесу, ми змінюємо світ на краще. Meilleure la question, meilleure la réponse. Pour un monde meilleur. 問題越好。答案越好。商業世界越美好。 问题越好。答案越好。商业世界越美好。

Cybersecurity regained: preparing to face cyber attacks

EY Global Information Security Survey 2017-18

Confront your cyber threats

Today, all organizations are digital by default. Not every organization delivers its products and services primarily through digital channels, but all operate with the cultures, technology and processes of the connected era of the Internet of Things (IoT).

The World Economic Forum now rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today. The scale of the threat is expanding drastically: by 2021, the global cost of cybersecurity breaches will reach US$6 trillion by some estimates, double the total for 20151.

It has never been more difficult for organizations to map the digital environment in which they operate, or their interactions with it. Every organization’s technology infrastructure is both bespoke and complex, spanning networks consisting of tools and technologies that may be on-premises or in the cloud.

Connected devices add to the complexity. The convergence of IoT networks with what were once separate and self-contained – and therefore more manageable – systems represents fundamental change.

Mounting threat levels require a more robust response and this year’s Global Information Security Survey (GISS) reveals that many organizations continue to increase their spending on cybersecurity. 70% say they require up to 25% more funding, and the rest require even more than this. However, only 12% expect to receive an increase of over 25%.

For many organizations, the worst may have to happen for these calls to be met. Asked what kind of event would result in cybersecurity budgets being increased, 76% of survey respondents said the discovery of a breach that caused damage would be likely to see greater resources allocated.

By contrast, 64% said an attack that did not appear to have caused any harm would be unlikely to prompt an increase in the organization’s cybersecurity budget. This is higher than the figure reported last year, which is concerning given the reality that harm is generally being done by an attack even it is not immediately obvious.

Ultimately, organizations that fail to devote the resources necessary for adequate cybersecurity will find it very difficult to manage the risks they face. Our survey suggests organizations increasingly recognize this: 48% of respondents say either that they have made changes to their strategies and plans to take account of the risks posed by cyber threats, or that they are about to review strategy in this context.

1”Cybercrime Report 2017 Edition”, Cybersecurity Ventures, 19 October 2017.

EY - Key findings

Understanding the threat landscape

The first step for organizations seeking to enhance their cybersecurity ability is to develop a better understanding of the nature of the threat to them. What are the threats and what do they mean for you and your organization?

Organizations may feel more confident about confronting the types of attack that have become familiar in recent years, but still lack the capability to deal with more advanced, targeted assaults; they may not even be aware of attack methods that are emerging. To be cyber resilient, however, organizations must increase their understanding rapidly – it is likely that they will face all of these categories of attack at one time or another, and possibly simultaneously.

Every organization must assume that the worst could happen.

With so many disparate threats – and perpetrators that could be anyone from a rogue employer to a terrorist group or a nation state – organizations must be vigilant across the board and be well acquainted with their own threat landscape. All the more so since attackers have easy access to malware and sophisticated tools – and can even hire cyber-criminals – online.

Employees and criminal syndicates are seen as the greatest immediate threats. For many organizations, the most obvious point of weakness will come from an employee who is careless or fails to heed the cybersecurity guidelines.

Organizations are also increasingly fearful about the vulnerabilities within new channels and tools. For example, 77% of survey respondents worry about poor user awareness and behavior exposing them to risk via a mobile device; the loss of such a device, and the potential for loss of information and an identity breach, are a concern for 50%.

Threats and vulnerabilities perceived to have most increased the risk exposure of the respondents, 2013–2017

EY - Vulnerabilities and Threats

Fighting back against the threat

Organizations are likely to be confronted by a wave of attackers of varying levels of sophistication, and they can and must fight back. The response must be multilayered:

Defending against the common attack methods

According to Greg Young, Research Vice President at Gartner: “Through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.”

At this threat level, point solutions remain a key element of cybersecurity resilience, with tools including antivirus software, intruder detection and protection systems (IDS and IPS), consistent patch management and encryption technologies that protect the integrity of the data even if an attacker does gain access to it.

Employee awareness is also a crucial frontline defense, building cybersecurity consciousness and password discipline throughout the organization. As the respondents to this survey point out, careless employee behaviors represent a significant point of weakness for most organizations.

To defend against common threats, organizations need to make sure that the basic strategic components are in place.

Defending against advanced attacks

If organizations are ambitious enough to seek to close the door on common types of cyber-attack, they must also be realistic enough to accept that advanced attackers will get in. It is crucial to be able to identify intrusions as quickly as possible – and to have processes that are known to provide the organization with an effective means to deal with the after-breach situation and to kick attackers back out.

A Security Operations Center (SOC) that sits at the heart of the organization’s cyber threat detection capability is an excellent starting point, providing a centralized, structured and coordinating hub for all cybersecurity activities. SOCs are becoming increasingly common, but 48% of organizations still do not have one.

SOCs are increasingly moving beyond passive cybersecurity practices into active defense - a deliberately planned and continuously executed campaign that aims to identify and remove hidden attackers and defeat likely threat scenarios targeting the organization’s most critical assets. Active defense represents a crucial step forward as organizations seek to counter advanced attackers, and can be thought of as a strategy encompassing at least four stages:

  1. Prioritizing the crown jewels – in any organization, certain assets, including people, are particularly valuable and must be identified and then protected especially well.
  2. Defining normal – it is important for organizations to understand how their networks normally operate. Cybersecurity analytics tools use machine learning to define the “normal” and artificial intelligence to recognize potential malicious activity more quickly and accurately.
  3. Advanced threat intelligence – by working closely with threat intelligence providers and developing in-house analyst capability, it is possible for organizations to build a much clearer picture of the threat landscape – including the identities of C-level executives.
  4. Active defense missions – these are exercises planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network.

Amongst organizations that have experienced a cybersecurity incident, almost a third say the problem was uncovered by their SOC.

Defending against emerging attacks

In practice, no organization can anticipate all the threats that are emerging. However, innovative organizations able to be imaginative about the nature of potential future threats can build agility into their cybersecurity so that they are able to move fast when the time comes.

The study shows that cybersecurity budgets are higher in organizations that:

  • Place dedicated business line security officers in key lines of business
  • Report at least twice a year on cybersecurity to the board and audit committee
  • Specifically identify non-IT crown jewels and differentially protect such assets

To improve their chances of fighting back against cyber attackers, organizations will have to overcome the barriers currently making it more difficult for cybersecurity operations to add value. For example, 59% of respondents cite budget constraints while a similar number lament a lack of skilled resources; 29% complain about a lack of executive awareness or support.


Ingredients required to achieve cybersecurity resilience

EY - Ingredients required to achieve cybersecurity resilience

Emergency service – responding to an attack

Organizations are wise to operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defenses. Having a cyber breach response plan (CBRP) that will automatically kick in when the breach is identified represents an organization’s best chance of minimizing the impact:

  • Cybersecurity – how will the organization ensure it withstands the attack, isolates and assesses the damage done, and shores up defenses to prevent similar breaches in the future?
  • Business continuity planning – how will the organization continue to operate as normal while remedying the attack?
  • Compliance – what are the organization’s duties for reporting the breach to the appropriate authorities, including law enforcement agencies if necessary, and how will these be discharged?
  • Public relations and communications – how will the organization communicate clearly and effectively with all potential stakeholders, including employees, customers, suppliers and investors, both directly and via the media where there is public interest in the breach?
  • Litigation – how will the organization assess what potential litigation the attack leaves it vulnerable to, or even whether it has any recourse to legal action itself? How will it forensically record and maintain evidence for use by law enforcement agencies?
  • Insurance – does the organization have cyber insurance and is this incident covered? In which case, what can be claimed?

This survey suggests different levels of readiness amongst organizations. Many organizations may also be confused about their legal responsibilities – 17% of respondents say they would not notify all customers, even if a breach affected customer information; 10% would not even notify customers impacted. As the European Union’s General Data Protection Regime looms large, such positions will not be justifiable.

Overall, 68% of respondents have some form of formal incident response capability, but only 8% describe their plan as robust and spanning third parties and law enforcement.

"Working together, we can regain cybersecurity resilience."
Paul van Kessel, EY Global Advisory Cybersecurity Leader

Understanding the threat landscape – detecting the potential risks on the horizon – is the groundwork of good cybersecurity. It enables organizations to limit the time they spend outside normality, to understand when and why they have moved into stress, and therefore to pre-empt the development of a full-on crisis.

Fighting back – protecting the organization from cyber risk – builds on this groundwork. It gives the organization the skills and confidence to deal with stress and crisis more effectively, with tools and processes that provide a framework for responding to attackers.

The ability to respond to an attack is the final piece. Organizations able to act calmly, employing a well thought-out and tested cyber threat breach response plan in which everyone understands their responsibilities, will be able to de-escalate the crisis much more quickly.

By pulling these strands of cybersecurity together, organizations will move toward greater resilience, even in the face of the significant and increasing risk posed by diverse and often sophisticated cyber attackers.

The tools and technologies required to meet the threat are already available and many organizations have developed innovative policies and processes to make best use of them. Now this best practice must become standard for all organizations.

Contact us for a conversation about cybersecurity