Dealing with a global threat that sends a chill down the spine

Global financial losses due to cybercrime are thought to be at least €350 billion a year and could reach €1.9 trillion by 2019

The Irish Times - Business - - THE CYBERSECURITY CHALLENGE / A SPECIAL REPORT - Barry McCall

The nature of the threat posed by cybercriminals was perhaps most powerfully demonstrated during last year’s US presidential election. The fact that the computer network of the Democratic Party, an organisation with access to some of the best cybersecurity expertise on the planet, could be hacked by criminals on the other side of the world sent a chill down the collective spine of the business and political establishment.

More recently, the global spread of the WannaCry ransomware attack, which infected more than 230,000 computers around the world and crippled the UK National Health Service, showed just how vulnerable even the largest organisations are when it comes to cyberattack.

It should come as little surprise then that a 2016 report from the Executive Agency for SMEs at the European Commission estimated global financial losses due to cybercrime to be at least €350 billion a year and projected them to reach €1.89 trillion by 2019.

This has led to a change in attitude towards cybercrime in the past few years, according to KPMG head of cyber Mike Daughton. “It was previously seen as an IT issue and a lot of people on boards and at senior management level didn’t really think about it. They saw it as the responsibility of the IT department but they are now seeing it as much more of a business issue. If you look at risk registries of many organisations, cybersecurity is moving up in prominence.”

It is also getting much more attention from regulators, particularly in the financial services sector. “Regulators are expecting much more from companies in this area, they want them to be prepared for cyberattack and be able to defend against it.”

Threat landscape

The EU General Data Protection Regulation (GDPR), which comes into force next year, has also served to sharpen the focus. “This affects all companies and organisations regardless of size once they hold data on third parties,” Daughton adds. “It places new requirements on them and this is all tied into cybersecurity. The threat landscape has changed as well. The criminals are becoming more sophisticated, it’s a moving train and it’s getting more difficult for organisations to keep up.”

Every business needs to be aware of the threat, according to John Bolger, senior manager for IT audit and cybersecurity with BDO. “We are working with clients who face threats on many levels, from denial of service attacks on their websites, ransomware on their workstations and networks, to spear phishing of their CFOs and accounts payable departments, malicious or careless and inappropriate employee activity, and old-fashioned physical theft of mobile devices with data on board.”

The evolving nature of the threats means that at some point almost all businesses will face this risk, he continues. “These threats mean there are many areas to defend, manage and prepare responses to such threats. SMEs who innovate with bring your own device, mobile apps, and use of social networks or mobile workforce tools must think worst-case scenario as part of the planning, and implement ongoing security by design – covering technical, procedural and end user training.”

Karl Montgomery, head of 3Connected Solutions, says that prevention is better than cure when it comes to cybercrime. “We are seeing an increased use of data analytics to monitor what’s happening on networks and to detect suspicious activity,” he notes. “For example, a retailer might put their tills on the network and they should only talk to one or two servers. If there are signs of more activity than that it probably indicates that something is wrong. The whole piece around data analytics is growing in importance. Technologies like machine learning and artificial intelligence are being used for security.”

He points to a report from Gartner which has predicted that by 2020 zero-day vulnerability to cyberattacks will be a fraction of 1 per cent. That is, the chance of experiencing a brand new type of attack will be infinitesimally small. By then, almost everything will be a known form of attack, so much of the defence will come down to keeping technologies up to date and training people.

Training is critical, Montgomery adds. “An IDC report has shown that phishing is the biggest single incidence of cybercrime, with 38 per cent of respondents saying they had fallen victim to it. A lot of this comes down to staff training so that they know not to click on unknown or suspicious links and not to open attachments if they are not sure of the identity of the sender.”

First line of defence

People can actually be an organisation’s first line of defence, according to KPMG director of forensic practice, Will O’Brien. “More focus is needed on people and training,” he contends. “People can be your greatest risk but they can also be your greatest asset in the fight against cybercrime if they are trained properly. They will be the first to notice suspicious activity and report it so that an appropriate response can be put in place.”

Greater co-operation between organisations is also needed, says BDO’s John Bolger. “We believe that Government and businesses need to open and facilitate secure two-way communications channels for cybersecurity policy and updates. The framework to support this requirement is in progress. The Government has implemented a National Cyber Security Centre (NCSC) and Computer Security Incident Response Team (CSIRT) as part of the 2015-2017 Cyber Security Strategy. A key factor in the success of this will be the sharing of information. There is a reluctance among businesses to share ‘bad news’ due to reputational risks. This needs to be circumvented by the provision of secure and confidential communications channels.”

People, process and technology are the essential ingredients of a good defence, according to Mike Daughton. “Organisations should take a holistic approach to these areas and build out the controls from there. There is also an element of planning for the worst. They need a response and recovery capability as well. If you do get a breach such as a denial of service attack, you need good frameworks in place to respond, deal with it and recover. This needs to be done with reference to all the critical data assets which need to be protected.”

WannaCry ransomware attack: Cybercrime is very much a global phenomenon but the solutions begin at home.

There are opportunities for Ireland amid this electronic battlefield. Estonia, one of the smallest countries in the EU, has established itself as a global leader in cybersecurity and a recent trade visit to this country jointly organised by Enterprise Ireland and Enterprise Estonia gave Irish firms the opportunity to link up with their Estonian counterparts to gain access to their expertise and possibly form joint ventures. “One of the aims of the Ireland-Estonia Tech Bridge was to encourage more Estonian cybersecurity companies to consider Dublin as a viable alternative to other leading European cities,” says Bartosz Siepracki, Enterprise Ireland’s Warsaw office manager.
