Cyber-security breaches are inevitable, says F-Secure
By Edwin Yapp December 10, 2019
- Enterprises need proactive detection as they will be breached
- Humans should not be blamed for slip-ups as awareness is the key
ENTERPRISES operating in today’s highly connected world must make cyber-defence and detection a top priority rather than believe that they are impervious to any form of cyber-attack, according to Finland-based cyber-security company F-Secure Corp.
Speaking at Cyber Nordic Finland recently, F-Secure chief executive officer Samu Konttinen warned that there is no way any company can defend against the relentless attacks of cyber-criminals and that today’s top management must switch their mentality away from “if we’re attacked” to “when we’re attacked.”
“One of the biggest challenges today is that too many organisations are incapable of combating advanced attacks because cyber-criminals are extremely persistent and they take time to attack,” he said at a briefing at F-Secure’s headquarters in Helsinki.
“[The truth is] practically, you can’t stop all the attacks and given time, cyber-criminals will succeed in breaching,” he argued. “So if you can’t stop attacks you must at least know when you’re being attacked or hacked,” he added, noting that every company must have a mitigation plan.
Held annually in Helsinki, Finland, Cyber-Security Nordic is northern Europe’s cyber-security event attracting executives, leading decision-makers and government officials. The event comprised a site visit to F-Secure’s headquarters and a conference presenting keynotes and panels by international and Finnish experts aimed at discussing problem-solving strategies and solutions for cyber-security professionals.
Konttinen said the situation is exacerbated by the fact that some of the tools cyber-criminals use today aren't designed by these criminals but by intelligence agencies of nation states, which have advanced, military-grade cyber-security capabilities.
“This is what we call the ‘trickle down effect’. The most advanced attacks consist of organisations that engage in surveillance and intelligence of nations,” he claimed. “They have unlimited resources and they can spend hundreds of millions, even billions, to create cyber-warfare technology.
“The challenge is that some of these technologies have leaked and will continue to leak into the hands of cyber-criminal groups, which are being equipped with these tools and are used to attack companies. This is a very worrying phenomenon we’ve seen for quite some time.”
Konttinen also revealed that according to F-Secure’s research data, 68% of attacks remain undiscovered by enterprises for a month or more, on average. Also, it takes an average of 69 days to fully resolve cyber-breaches, and the average cost of a breach to an organisation is about US$3.86 million (RM16.04 million).
“Two years ago, we believe that some 90% of companies didn’t even have any means to detect if they are breached,” he claimed. “But companies are waking up and investing more in cyber-security than before; nevertheless it’s still alarming as by the end of next year, up to two in three companies will still be blind to attacks.”
Konttinen said enterprises crucially need to have a mitigation plan where they can quickly act, restore systems, and prevent further compromises in the event of a breach, noting that companies needed to expect the unexpected.
The conclusion reached by F-Secure generally falls in line with what another leading security researcher said about the current state of security.
Rik Ferguson, vice president of research at Trend Micro, noted that current security practitioners like to believe that they’ve invested in the right technology, built the right processes and are managing their information properly.
“Unfortunately the current reality is like this: we don’t like to admit it and want to pretend we’re better than this… but unless we shift the way we do things as a security industry and as security practitioners, and unless we start planning for the future, it [cyber-security] does become an unmanageable ask [of us],” he pointed out in his keynote at Cyber Security Nordic.
Don't blame people for breaches
According to renowned cyber-security researcher Mikko Hypponen, business email compromises remain one of the greatest challenges facing enterprises today as they can create maximum impact without people knowing about it, even when business executives exercise caution.
The chief security researcher at F-Secure related a case in the United Kingdom where one legitimate real estate business wanted to acquire another, and the two were going back and forth making changes to a legal contract via Microsoft Office 365.
“The CEOs of both companies knew each other, and they’ve met [multiple times] to hash out the deal, and they were making changes over email until both parties were happy with the terms.
“Finally, the acquiring company’s CEO sends a crucial email to the seller informing that he wanted to pay the downpayment and asked the seller to please forward his bank account details. What both parties did not know was that cyber-criminals were waiting patiently, sitting in their compromised systems, and doing nothing for long periods of time until they were alerted to this crucial [payment] email.”
Hypponen said the hackers then stopped all outbound email from the seller’s Office 365 account and commandeered the account to send a spoof email to the buyer purporting to be the seller, giving an account number.
“The buyer then instructed his CFO to pay [into the spoofed account], and lost its downpayment to the hackers,” he said.
Hypponen said these kinds of attacks aren’t because of “stupid users,” as everything leading up to that last email was a real business transaction.
“I'm fed up with users always getting the blame. It's not stupid users but stupid systems and lack of education,” he argued.
Hypponen also argued that modern business email compromises cannot be handled by being clever; mitigation can only be done through education and by understanding how the attackers work.
“If nobody has educated them in these kinds of attacks, they are not going to figure it out by themselves, so how can they be blamed? Clever attack tactics only work until the victims know how they are done so it all goes back to awareness,” he said.
Asked how educational campaigns are to be undertaken, he told DNA, “Companies should start by first figuring out all the people in all of their offices that could become a victim of attacks. Then explain to them how these attacks are done and what the processes are to fight these attacks.”