Edward Savage and Alan Phillips, cyber security experts, PA Consulting Group. The Future of Business, 6 March 2012.
Cyber business is considered a main engine for future economic growth and the opportunity to use related technologies, such as the cloud, to reduce costs is a key part of the agenda for many organisations. Yet cyber crime is also increasing as are the indications that it is still not being treated seriously or is simply regarded as a problem for the IT department to worry about.
London Stock Exchange figures indicate that nearly £125 trillion is traded electronically in London in a typical month, which makes the UK a significant target for cyber-attack. At present, this risk is not being fully managed, creating fears that the country is being systematically pillaged in cyberspace. Yet because the hype often drowns out the facts, because there is a clear vested interest behind many of the reports on the scale of the problem, and because most people think the risk is primarily an IT problem, the issue is not getting the attention it deserves and is not being treated as one that concerns people, reputations and brands.
Roughly 80 per cent of the value of a typical company is exposed in cyberspace. There have been enough cases for us to know that a typical advanced attack costs the victim in excess of £100 million, with an average of 12 per cent wiped off the market cap of a company in the immediate public aftermath.
The scale of the risk deserves to be managed at board level within companies yet typically it isn’t – or not at least until after a major attack has been discovered, when the cost of resolving the problem becomes much greater than it would have been had adequate protection measures been in place. As with so many things, taking proactive action is a better strategy than battening down the hatches and hoping to avoid it.
To tackle the problem the UK Government is investing £650 million in a national cyber security programme. One of the top challenges will be how to persuade the private sector to do more in this area. Options being considered include regulation, tax incentives, sharing more information about ongoing attacks, new standards and accreditation schemes, and mandating suppliers to raise their game. Yet there are some simple practical steps that every organisation can take to mitigate the risk.
Enabling a targeted response. Working in the digital age has increased the exposure of a business and its assets, and in ways that are not always recognised. For example, by using an iPhone application, someone can feasibly assume remote control of certain types of car, starting and stopping the engine, applying the brakes, controlling its speed and retuning the engine. This is made possible because the alarm system for the car uses a 3G mobile phone module, which links its electronic management system to cyberspace. In a typical office, similar technology can be used to compromise a photocopier. As a result, businesses need to think very carefully about how they are vulnerable and the degree to which risks are being taken. It is worth remembering that technical security solutions in the market can generally only respond to problems that are already known about. A “zero-day attack” – which exploits IT vulnerabilities unknown to the software developer – will usually succeed. Furthermore, in cyberspace, it is possible for one person to bring a company down, and from the convenience of their sofa at home: there are enough people out there who might be tempted and the tools they need are often just a click away.
Most attacks are opportunist in nature and not targeted, so simple “hygiene measures” such as keeping software patches up to date will provide good protection. However, research organisation Gartner estimates that one in 20 pieces of executable code on the typical corporate network is malware that has escaped all technical controls.
Addressing the people problem. In almost every major cyber-attack, there is evidence of a perfectly good policy or security control not being followed. So cyber is not just a technology challenge: the people and cultural aspects have to be fixed too, as there is little value in implementing measures that run counter to the way people behave and think. For example, randomly generated passwords may be hard to crack, but most people have to write them down to remember them, which defeats their purpose. In addition, the technical part of an attack – breaking into a network – is usually relatively easy for a professional and can be a five-minute job. At the same time, finding and extracting something of value is more difficult and time consuming and may take up to two years of work. In these instances, insider help (whether knowing or manipulated) is often used to short-cut the process. This happens in around half of all advanced attacks. To counter this, organisations need to evaluate who can be trusted most and balance controls with appropriate monitoring. After an incident they should track back and identify the things that should have been spotted earlier, which may help both to deter and to prevent such problems.
Over many years, the threat has changed in terms of its prevalence and complexity, but the underlying methods are largely the same as they have always been. This is why we should come to expect an increase in custom malware attacks like Stuxnet, the worm discovered last year that targets the control systems of industrial facilities. Obviously greater connectivity is leading to wider opportunity, and the tools for hackers have become commoditised, making it easier for anyone to enter the market. For example, social media is making it easier for hackers to connect and orchestrate crimes together, and on a much larger scale. As a result, attackers increasingly take advantage of the tendency of (especially younger) people to volunteer their every personal detail to social networks, committing large-scale fraud and identity theft. This is why social media companies will increasingly come under scrutiny as they attempt to balance making profits against the need to protect their subscriber data.
The ubiquity of, and growing reliance on, smart phones is driving a massive demand for third-party apps, many of which are functional yet highly insecure, giving rise to software that has access to people’s contacts and tracks where they are and where they go on the web. Yet as we look to the future, improved awareness is likely to reduce the number of opportunist attacks. Moves to improve international co-operation and to introduce new legislation around privacy and better online identity management will, over time, help to act as a brake. However, the capability and resources available to certain governments and to organised crime gangs suggest that targeted cyber-attacks will continue to occur, and that inevitably some will be catastrophic.
Good social responsibility is already proving key for large organisations in avoiding becoming a target. The rise of intelligence-led security and better focused investment based on a risk and resilience approach is also likely to pay dividends, as is the expected consolidation of supplier markets, in which many SMEs are acquired and merged into larger players, so diversifying and rounding out the security offers made to customers.
Conclusion. The market is shifting slowly, as the limitations of technology are better understood and as more experts learn to work with the new paradigms. Suppliers are waking up to the additional value of offering safer products and services, which feature appropriate security from the outset. Customers are seeking better protection, and governments are looking to make places like the UK a safer place to do business. Ultimately, however, success will depend upon persuading the people in an organisation that cyber security is something that must be taken seriously.
Edward Savage, cyber security expert, PA Consulting Group and Alan Phillips, cyber security expert, PA Consulting Group.