The advancing storm: Key strategies for cyber-defence
By Neil Meikle January 7, 2015
- Most organisations are defending against yesterday’s threats, adversaries are ahead
- Many organisations not taking preventative measures against economic crime
ABOUT eight years ago, I went to a conference for white hat hackers, the computer security experts whose job is to defend against cyber-attacks.
A presentation by a security software company delivered a stark message: Its research showed that the cyberthreat landscape had shifted radically, and the way we defended against cybercrime had to change.
New attackers and threats had emerged. Hackers had formed into groups to share code online and exploit kits were being sold on malware marketplaces. The virus signatures used by anti-malware products were being circumvented by polymorphic attacks that generated new versions of the malware for each infection.
I remember thinking that a perfect storm was not only on the horizon, but that it had arrived!
In the years that have passed since then, cyber risks have continued to evolve. The global business environment leaves us increasingly exposed, attackers have become even more sophisticated, and the number of cybercrime incidents reported by businesses appears to be on the rise.
Yet most organisations are only defending against yesterday’s threats, even as their adversaries look to exploit the new vulnerabilities of tomorrow. While information security risks have dramatically changed, security strategies have not kept pace.
CIOs (chief information officers) must be lying awake at night, worrying about what can be done to defend their organisations, and where the next big threat might come from.
An interconnected world
The digital revolution has created a more interconnected and integrated business environment that is globally accessible, amplifying the effect of cyber-attacks.
The potential pay-off from a successful attack is high, while the ability to remain anonymous and undetected means the risk to an attacker is low.
The escalation of cybercrime’s prominence and its risk to companies is evident from the steady stream of headlines describing damaged reputations, stolen intellectual property, service interruptions, and even in some cases how companies have been brought to their knees.
This hasn’t gone unnoticed by business leaders. In PwC’s Annual Global CEO Survey 2014, 69% of US CEOs said that they were concerned about cyberthreats including lack of data security, which compares with 48% globally.
Our 6th Annual Digital IQ Survey found that cybersecurity was among the top three technologies identified to be of the most strategic importance in the next three to five years.
Cybercrime on the rise in Malaysia
The Malaysian cut of PwC’s 2014 Global Economic Crime Survey suggested that Malaysian organisations are taking the threat of cybercrime seriously – 40% of survey respondents said that the perception of cybercrime risk at their organisation has increased.
However, this figure is lower than the 2011 result (43%) and also lower than the global average response of 48%, which raises the question: are Malaysian businesses underestimating the threat? Should we be more concerned, given the rapid rise in cybercrime since our previous survey in 2011?
Of the Malaysian companies that told us they had experienced economic crime in the last two years, 31% said that they had experienced at least one incident of cybercrime, compared with just 5% three years ago.
Worryingly, we found that a number of organisations were not taking preventative measures to combat the threat of economic crime, some with woefully inadequate cybersecurity measures and awareness.
I’ve come across Malaysian companies which have failed to set up even the most elementary defences. One medium-sized company was infected by malware because it had no firewall or antivirus software whatsoever.
Increasingly sophisticated security risks
Recent years have seen the emergence of new threat actors, including nation states, organised criminals, terrorists and hacktivists.
Their motivations are varied, with some purely interested in financial gain while others may be driven by the advancement of a political agenda.
The malware itself is increasingly sophisticated. Exploit kits are now widely available, reducing the time to create new malware and enabling more innovative attacks.
Sophisticated criminal groups are able to operate below the radar, targeting individual companies and top executives with a wide range of methods including well-researched phishing attacks. Some criminals bypass perimeter defences to perpetrate dynamic attacks that are very difficult to detect.
Intruders can methodically escalate access over a prolonged period – it can be days, months, or even years – until they reach systems of high value.
Mandiant’s report on the incidents it investigated in 2013 found that attackers were present on victims’ networks for a median of 229 days before detection. The longest time an attacker was present before being detected was six years and three months.
There will also be some companies which suffer a cyber-breach and will never know what data has been lost or its value.
Further complicating the picture is a lack of transparency; even when breaches are detected, cybercrime often goes unreported.
Preparing for the worst
Defence has always been harder than attack – the defender has to cover every weakness, while the attacker needs to find only one – so organisations need to take action on multiple fronts to build cyber resilience.
There is no such thing as perfect security, so it’s important to accept that incidents will occur and to focus on minimising the potential damage.
A good starting point is to create an overall security strategy linked to the business strategy. Senior executives need to see security threats as enterprise risk management issues that could severely affect business objectives.
Cultural change is also required to ensure that cybercrime is viewed as a business risk rather than a technology challenge.
If your business doesn’t yet have a comprehensive security strategy, you should at least be getting the basics right.
Although compliance-based strategies and enterprise perimeter protection are no longer sufficient, they are still an essential part of a complete defence. Systems must be protected to an acceptable standard, including newer services such as cloud-based and mobile solutions.
Most attacks exploit old vulnerabilities for which fixes already exist, so systems should be kept fully patched. Good security awareness among staff is also essential, including the use of strong passwords and the ability to recognise phishing e-mails.
An integrated incident response plan should be prepared before a breach comes to light, reducing response times and making crises more manageable.
The plan should clearly define steps for remediating the breach and managing external communications, and should be designed for the worst case scenario and not what you hope will happen.
Understand your enemy, understand yourself
What should you do when you receive a tip-off from a government department or third party, or detect signs that your network has been compromised?
When an incident occurs, the first 24 hours are usually the most critical.
First and foremost, the breach should be contained, control of the network regained and any known vulnerabilities closed. Containment should not destroy evidence: isolate or image compromised systems rather than wiping and rebuilding them straight away.
Secondly, you need to investigate who breached your systems and how, as well as the real impact of the breach on your organisation. Evidence should be preserved that enables you to identify the culprits and the methods they used.
For major breaches, professional incident response and software reverse engineering teams should be used to understand the attackers and ensure effective containment strategies. Their assessment of how the breaches were perpetrated should then be used to strengthen your cyber-defences.
Organisations should also establish ongoing monitoring capabilities. Security events, breach indicators and network activity should be monitored to detect attacks and to stay one step ahead of intruders.
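As an added illustration of the monitoring the paragraph above calls for (this is example code written for this page, not PwC’s or the author’s), the script below matches a handful of constructed log lines against a small list of hypothetical indicators of compromise, pivots from a hit to every event from the same source host, and works out how long the intruder was present before detection – the “dwell time” figure quoted earlier. The log format, the indicator list and the addresses (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges) are all assumptions made up for the example.

```python
"""Match log events against indicators of compromise and compute dwell time.

Added example: the log format, the indicator list and all addresses are
constructed for illustration and do not describe any real incident.
"""
import re
from datetime import datetime

# Constructed sample: proxy and authentication log lines (not real data).
SAMPLE_LOGS = """\
2014-11-02T03:14:07Z auth user=jlee src=10.20.4.17 result=success
2014-11-02T03:15:31Z proxy src=10.20.4.17 dst=203.0.113.45 host=update-check.example.net bytes=1842
2014-11-05T22:41:09Z auth user=svc_backup src=10.20.4.17 result=success
2014-11-20T01:02:55Z proxy src=10.20.4.17 dst=203.0.113.45 host=update-check.example.net bytes=90211
2014-12-01T09:00:00Z proxy src=10.20.9.3 dst=198.51.100.7 host=www.example.com bytes=512
2015-01-06T04:30:12Z proxy src=10.20.4.17 dst=203.0.113.45 host=update-check.example.net bytes=2048000
"""

# Hypothetical indicators, as a threat-intelligence feed might supply them.
IOCS = {
    "ip": {"203.0.113.45"},
    "host": {"update-check.example.net"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<type>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Turn 'timestamp type k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["type"] = m.group("type")
    return fields


def parse_logs(text):
    """Parse every non-empty line, silently skipping lines that do not match."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def match_iocs(events):
    """Return (timestamp, source, reasons) for every event touching an indicator."""
    hits = []
    for e in events:
        reasons = []
        if e.get("dst") in IOCS["ip"]:
            reasons.append("ioc_ip:" + e["dst"])
        if e.get("host") in IOCS["host"]:
            reasons.append("ioc_host:" + e["host"])
        if reasons:
            hits.append((e["ts"], e.get("src"), reasons))
    return hits


def related_events(events, src):
    """Pivot: every event originating from the host that triggered a hit."""
    return [e for e in events if e.get("src") == src]


def accounts_seen(events, src):
    """Accounts that authenticated from the suspect host (escalation clue)."""
    return sorted({e["user"] for e in related_events(events, src)
                   if e["type"] == "auth" and e.get("result") == "success"})


def dwell_time_days(hits, detected_at):
    """Whole days between the earliest indicator match and the detection time."""
    if not hits:
        return None
    return (detected_at - min(h[0] for h in hits)).days


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    hits = match_iocs(evs)
    for ts, src, why in hits:
        print(ts.isoformat(), src, ", ".join(why))
    suspect = hits[0][1]
    print("accounts used from", suspect, ":", accounts_seen(evs, suspect))
    print("dwell time (days):", dwell_time_days(hits, datetime(2015, 1, 7, 12, 0, 0)))
```

Two points the code makes that the prose does not: a single indicator match is only the starting point, and pivoting on the source host immediately surfaces a service account logging in from a user’s workstation, which is the kind of access escalation described earlier; and the dwell-time figure comes from the earliest related event, not from the event that finally triggered the alert.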
Proactive assessments such as vulnerability scanning and penetration testing should be undertaken to test your systems and identify potential areas of weakness. Threat and vulnerability intelligence services can provide insight into current cyber-threats, enabling businesses to adapt quickly as their threat profile changes.
Finally, remember that safeguarding all of your data at the highest level is rarely necessary. The theft of publicly available data has little impact, but the theft of some types of data can destroy a business.
Instead, identify and protect your key information assets. Know where the ‘crown jewels’ are located and who has access to them.
Make sure that you are protecting your high-value information, and prioritise cybersecurity investments around the data that matters most to your business.
Neil Meikle is an associate director with PwC Malaysia's Forensic Technology practice. He regularly speaks at conferences in South-East Asia on a wide range of IT subjects ranging from big data analytics to cybersecurity and incident response.