Domini Stuart reports on how the cyber criminal underworld – and the ways to combat it – are continually evolving.
In 2012, the director of the US Federal Bureau of Investigation told a gathering of cyber security professionals that there were only two kinds of companies: those that have been hacked and those that will be.
“Directors must understand that an organisation doesn’t need to be known to the public for it to be a target,” says Dr Greg Spencer MAICD, principal consulting partner at Beyond Technology Consulting. “You may have nothing you perceive to be of value online, but that still doesn’t mean you’re immune.”
Very large enterprises and financial institutions have been targets since cyber crime first emerged as a threat; they are well aware that they need to budget for appropriate security systems and countermeasures. By contrast, many medium-sized organisations still take comfort in the concept of “security through obscurity”.
“As the mid-tier is increasingly seen as a soft target for crime gangs, this is no longer an option,” Spencer continues.
“Changes in the information and communication technology (ICT) industry, such as the widespread adoption of cloud computing, have transformed the way businesses need to view and manage information security risks. Cheaper computers and more widespread internet access across the world have also brought about significant ICT penetration into poorer countries and, unfortunately, some criminal syndicates have taken advantage of this to scale up cyber criminal attacks on smaller organisations.
“But while large multi-nationals may be targeted by vandals and activists, smaller firms are only targeted for money – often ransom payments.”
Statistics support the view that cyber crime is a growing threat, but under-reporting could be distorting the true scale of the problem.
“It’s been estimated that the breach which led to the theft of names, addresses and possibly credit card data belonging to 77 million PlayStation users will end up costing Sony close to $2 billion,” says Jose Da Silva, CEO of ADVAM, a certified provider of integrated credit and debit payment solutions.
While few breaches would prove this expensive, it has made many directors more conscious that disclosure can open the door to both civil and criminal penalties and shareholder lawsuits in addition to the costs associated with recovering from an event of this kind.
“The Ponemon Institute calculated that there’s an average cost of US$194 associated with each record compromised,” continues Da Silva. “When you hold thousands or even tens of thousands of customer records, that alone could be enough to jeopardise the company’s future.”
Inevitably, there will also be damage to the brand.
“Twenty six per cent of Australian employees who responded to a 2011 survey said they would no longer do business with a bank, a credit card company or a retailer that had suffered a security breach which might have meant their personal information was stolen,” says Tom Crampton, managing director of Trusted Impact, an information security consultancy (Twitter @trustedimpact).
“Even if a relatively small number followed through on that threat, it could still have a significant impact on a company’s value.”
It is hardly surprising that, even in countries where disclosure is mandatory, fear of the consequences might discourage companies from reporting any breach that could be kept under wraps.
New kinds of attacks
As more companies embrace “big data”, the amount of information which could be exposed by a breach will continue to increase. The “attack surface” – points vulnerable to attack – is also increasing as interconnected partner systems, internet-facing systems, cloud services and the widespread acceptance of a “bring your own device” policy blur the edges of what used to be very clearly-defined organisations.
Craig Searle GAICD, head of Cyber Security – Asia Pacific at BAE Systems Applied Intelligence (Twitter @BAESystems_AI), is also concerned about a rapid increase in the incidence of cyber-enabled fraud.
“Digital savvy criminals use cyber and fraud techniques simultaneously to carry out far more complex crimes than ever before,” he says.
“These attacks frequently establish ongoing access to information. We’ve seen clients who were compromised for more than a year before they discovered the breach.”
Cyber criminals are also searching out and attacking the weakest organisations in a supply chain.
“This allows them to abuse relationships based on trust,” Searle continues.
“For example, we’ve seen criminals hack into a law firm involved in complex commercial transactions in order to gain access to their clients – the real targets.”
The recent trend of outsourcing back-office functions to overseas locations is adding another layer of complexity to the problem.
“Companies must ensure that their outsourced service providers have adequate data management procedures in place,” says Michael Pryce, regional manager of financial lines at insurance group AIG Australasia (Twitter @AIGinsurance).
“Failure to do so can increase the risk of a cyber-attack and can also have significant regulatory consequences. There is also potential for conflict with foreign legislation, such as the European Data Protection and Privacy Law.
“One example of this was a case in the US where a data storage provider was required by the courts to hand over data that was stored offshore.”
As technology becomes increasingly sophisticated, the proficiency of cyber criminals is keeping pace – but it is also becoming much easier for the “work-from-home” hacker to make a very reasonable living.
“In 2012, the average phishing attack returned US$4,500 – not bad for a few days’ work,” says Crampton.
“And, these days, a cheap laptop, a simple internet connection and free hacking tools you can easily download can be all it takes for some of the world’s 2.4 billion internet users to become a serious threat.”
One recent study found that nearly 80 per cent of breaches had required low to very low levels of skill.
“For example, the man who entirely deleted the websites of 4,800 customers of Australian company Distribute IT was an unemployed truck driver whose IT skills were completely self-taught,” says Crampton.
New forms of protection
The search for effective protection is continuing both inside and outside individual organisations. For example, in 2006, the five major card providers – Visa, MasterCard, American Express, Discover and JCB – came together to form the PCI Council. They have taken on responsibility for increasing awareness of the issues surrounding security as well as developing and managing payment card industry standards.
“Any organisation that accepts credit card payments must now comply with the Payment Card Industry Data Security Standard (PCI DSS),” says Da Silva.
“Class actions that followed the Sony breach accused the company of violating the standard by failing to implement a proper firewall or to encrypt cardholder data, and by retaining cardholder data.”
In the US, large banks have created the Financial Services-Information Sharing and Analysis Center (FS-ISAC) in the hope that sharing information about attacks will help prevent similar ones elsewhere.
And, in Australia, the government has established the Trusted Information Sharing Network (TISN) so that critical infrastructure organisations can share threat intelligence.
“Other industries also have similar, if less formal, sharing schemes,” says Searle.
“These exchanges can be very useful, but there must be a high level of mutual trust for companies to be completely open about cyber-attacks and their vulnerabilities.”
Some companies such as Facebook are paying experts to unearth security gaps in their technology.
“This approach is a full-time line of business for us,” says Crampton.
“We conduct hundreds of penetration tests for clients who typically use the internet as an important channel to their customers, partners or suppliers so that they can address any weaknesses.”
Cases like the Christmas holiday cyber-attack on Target Corp in the US, which triggered a drop in its share price, saw its CEO and chairman Gregg Steinhafel step down and led to a number of class actions against the company and its directors, have encouraged some boards to consider cyber insurance as part of their risk-management strategy.
“The Securities and Exchange Commission (SEC) in the US has already ruled that directors must make certain inquiries of their cyber resilience strategy and take steps to mitigate exposure through insurance,” says Jennifer Richards, managing director, financial specialties at Aon Risk Solutions (Twitter @AonAustralia).
Currently, insurance cover is available for costs associated with a wide range of potential risks such as unauthorised access to confidential information, cyber extortion and notification and management of a security breach.
“Risk profiling analysis around the key risks in a business can help directors to gain a clear picture of the risks they need to manage and how to manage them from an insurance perspective,” says Richards.
“Some insurers also offer security risk reviews as an add-on benefit for insureds. As insurers price the risk by looking at a company’s overall security risk framework and procedures, the prospect of paying less for insurance could also encourage better management of the underlying risk.”
A whole-of-business issue
In an era where employees, customers, partners and even competitors are effective collaborators in business innovation, security extends well beyond technology.
“Any organisation that continues to treat cyber security as an isolated ICT problem is setting itself up for a big fall,” says Crampton.
“It’s vital that directors see this as a whole-of-business issue and understand that business itself is fundamentally different now from before the digital age.
“Boards need to be thinking about risk in an entirely different way.
“It’s not a matter of expertise; you don’t need to be an expert in security to ask simple, relevant and probing questions about what information is valuable to the company, where it resides and whether someone in the organisation has responsibility for managing cyber threats.
“But raising these kinds of issues can play a crucial role in helping to protect the company’s future.”
A RECENT STUDY OF IT SECURITY PRACTITIONERS FOUND:
- 57% did not think their organisation was protected from advanced cyber-attacks
- 69% believed cyber security threats sometimes fell through the cracks of their companies’ security systems
- 44% had experienced one or more substantial cyber-attacks in the past year
- 59% did not have adequate intelligence or were unsure about attempted attacks and their impact