How to prepare for serious cyber attack

NTT Com Security’s Risk:Value 2016 report reveals only 45 per cent of UK business has any kind of insurance to cover the financial impact of data loss or a security breach. However, 37 per cent admitted that poor security could invalidate that cover. Which begs the question: why are so many organisations unprepared for a serious cyber attack, given a quarter are expecting one to hit them in the next 90 days?

That the threat-scape has evolved from hackers looking for notoriety into a well-organised, and highly profitable, criminal enterprise is beyond debate. Yet many organisations still perceive cyber security as a technology issue rather than a business matter. “This asymmetrical nature is why cyber security must have input at a strategic business level,” says Greg Sim, chief executive at Glasswall Solutions.

“Risk mitigation should be integrated into core business processes, as opposed to being an afterthought in which only the bare minimum of managing, and not solving, the impact of a breach is done.”

[Chart: Most likely external effects of a security breach]

There’s even an argument to be made that attackers should be seen not solely as criminal adversaries, but as competitors in the market. “Business leaders must understand cyber criminals’ business models, strengths, weaknesses, opportunities and threats just as they would their competitors in the marketplace,” says Tim Grieveson, chief cyber and security strategist for Europe, the Middle East and Africa with Hewlett Packard Enterprise.

With some organisations still not having cracked who “owns” security, be it the chief technology officer, the chief information officer or even the chief executive, it’s hardly surprising business is often so unprepared for attack.

Who’s to blame?

“When ownership, responsibility and accountability are confused,” says Adrian Crawley, regional director for Northern Europe, the Middle East and Africa at Radware, “it dilutes the effectiveness of the strategy and in most cases undermines the budget needed to put in place the right processes, policies, people, partners and technology.”

Which is why we end up with situations such as a case recounted by Kroll’s global investigations and disputes practice managing director Ben Hamilton, where a large energy company was in the middle of an attack. “The company was not able to protect its key processes or quarantine the hackers who were still in the system,” says Mr Hamilton, “because it did not know what data or processes were being managed on what servers.”

As Richard Horne, cyber security partner at PwC and a former cyber security director with Barclays, says: “A unique feature of cyber-related crises, as opposed to physical ones, is the often total lack of facts in the first 72 hours, such as answers to seemingly obvious questions like what data has been taken or what systems are affected?”

But it’s not just at the business end of things that such confusion exists; the complexities of cyber have led to a confused insurance marketplace as well. While some insurance brokers are undoubtedly making sure they are well educated about cyber risks, that’s not always the case.

“I think the insurance sector is shying away from cyber because it’s very complicated and we don’t fully understand what the exposures are or how the insurance policies can respond,” says Tim Ryan, executive chairman at UNA Alliance, which is owned equally by 11 of the UK’s largest regional insurance brokers. Mr Ryan says his organisation has seen evidence of people being sold cyber policies that have no bearing on what their risk is. “This, in turn, is a risk in itself,” he adds.

Protecting customers

When designing cyber cover, insurers must take into account not only a business’s liability to its customers, but also potential impacts on the business itself, while the client’s customers may find their finances, intellectual property or reputation under threat due to a leak of personal details or commercially sensitive information.

Ben Rose, insurance director at Digital Risks, says: “The business itself also has to consider issues such as website downtime, loss of sales and long-term reputational damage.” The cumulative cost of all these issues can make cyber insurance particularly complex and expensive.

The insurance industry needs collectively to set premiums that truly reflect the risk, but how do you put a price on a breach? The challenge is to achieve an objective measurement of the true costs incurred. “This is where, by working with the information security industry, they can gain a better understanding, so that insurers can more accurately calculate a risk profile and what the potential impact cost would be for different events,” says Kirill Slavin, managing director at Kaspersky Lab.

Attack patterns

Paul Simpson, principal consultant with Verizon RISK, reveals that his organisation’s research points to a high percentage of all security incidents being traced back to just nine basic attack patterns. These are miscellaneous errors (such as sending an e-mail to the wrong person), crimeware (malware aimed at gaining control of systems), insider misuse, physical theft or loss, web-app attacks, denial of service, cyber espionage, point-of-sale intrusions and payment card skimmers.

“These vary from industry to industry, with each industry having three specific attack patterns connected to it,” Mr Simpson says. What this means is that businesses can effectively shape their security strategies to combat these specific threat patterns. He gives the example of 88 per cent of attacks in the financial services sector following a denial-of-service, web-app attack or crimeware pattern.

Good things also often come in threes, such as the three-step crisis management strategy that Ryan Kalember, senior vice president of cyber security strategy at Proofpoint, explains. “A critical first step is an organised programme to compare actual risk to critical information assets against senior management’s level of tolerance for the risk of losses due to cyber,” he says.

“Next, the security team needs to create an incident response and remediation plan to ensure they have the proper procedures in place to prepare for a cyber incident, such as a data breach, ransomware infection or a denial-of-service attack.”

And finally, a coalition of key internal stakeholders needs to create a crisis communications plan. Usually headed up by corporate communications, this team includes cyber security, IT, customer support, web, legal and an executive sponsor.

“This team should develop a list of worst-case scenarios and outline which response processes an organisation will follow, and how the organisation will handle crisis communications with media, customers, employees and partners,” Mr Kalember concludes.

Risk mitigation

Scott McVicar, general manager at BAE Systems for Europe, the Middle East and Africa, outlines five top measures for mitigating cyber risk:

01. Understand the risk

Understand where your business is and make sure your cyber security strategy is taking all movements into account. Review and update it constantly as your business changes and don’t be caught out by the evolution of attackers.

02. Have the right security controls

The perimeter is gone and the security controls of yesterday won’t work. You need the security controls of today, protecting all the end-points with integrated, configured and patched security controls. Once the defensive controls are in place, continually monitor for a breach in the defences.

03. Balance business and risk

Businesses need to have the courage to make the right decision that balances security risk against commercial return, and does the right thing by the business and customers in the long term. Take those difficult decisions on what systems and services are protected, and at what level.

04. Build a defensive culture

Security needs to be ingrained into the company culture. It isn’t a checklist, but something which should be ever-present. Security by design involves everybody making sure they are working securely, whatever role in the company they have.

05. Prepare a response

What makes the difference between a full-blown crisis and a problem to be tackled is the plan you have in place to respond and repair. There needs to be a thorough, rehearsed response plan known to clients and employees. With the right planning, there’s absolutely no need to make a bad situation worse.