Cyber-crime on the corporate agenda
Constant innovation by hackers is seeing a surge in attacks. The onus now falls on the industry, government and law enforcement to try and find a solution, reports Kate O'Flaherty
The onus falls on the industry
From solo hackers to Russian syndicates with close government connections, cyber-crime is big business. As many firms are discovering first-hand, the cost of an attack can be massive - and this is about to grow even more.
According to Juniper Research, the cost of data breaches will reach £1.3 trillion globally by 2019—almost four times levels in 2015. On an individual basis, the average price of a major corporate breach will exceed £94 million by 2020, the analyst says.
The fight back has already begun, with governments, law enforcement and businesses starting to implement regulations and initiatives, but it has so far been difficult to keep up. It is often nearly impossible to track where an attack is coming from.
This has seen a change of mindset. It is now widely accepted that perimeter defence is insufficient, and that firms cannot reverse a breach once it has hit. This has led to an increase in the use of monitoring, with experts saying the ability to spot abnormalities in the network—and respond to these - aids in efforts to minimise the damage once a breach has been discovered.
Businesses are already attempting to factor cyber-security into budgets, but are struggling to cope with the costs. Security has gone from between one and two percent, to as much as 20 percent of overall budget, according to Martin Huddleston, principal cyber-solutions architect at Defence, Science and Technology Laboratory (Dstl), a trading fund of the Ministry of Defence (MOD). “Old threat types get recycled, so what's going on is constant innovation by attackers. There has been a change in the last 18 months in that the impact is becoming more serious.”
Digitised records and connected devices are fuelling this murky world of cyber-crime. It is getting worse due to proliferation of tools and better ability to use them for attack, James Henry, consulting practice manager, Auriga Consulting tells SC Magazine UK. “Also people in business are getting more aware that things are happening and using detection techniques.”
This is in contrast to previously, when there was a focus on protect-based control - or “locking the front door”, says Henry. In the UK, this is now shifting to “detect and respond”, he says. “And that's a good thing - it shows as a country we are recognising that growth of malware means we just can't catch them all.”
Globally, Thomas Fischer, principal threat researcher, Digital Guardian says there are currently two main threats: Ransomware - agents trying to take over machines and ask for money - and email phishing attacks. He says. “There is now more sophistication, better production and this is combined with an increase.”
He adds: “We've spent years trying to block phishing attacks, so they have had to become more sophisticated.”
A lack of cyber-security skills combined with reluctance from enterprises and governments to tackle threats is complicating the issue, says Christos Dimitriadis, international president of ISACA.
Peter Jopling, executive security advisor, IBM UK and Ireland, agrees, saying: “Today's challenge is to prioritise where we invest in the right tools to do the job, as having highly skilled security analysts in-house is proving a difficult business challenge.”
The continuing threat posed by cyber-crime is made worse by the fact that it is very difficult to identify and prosecute attackers, says Ernest Aduwa, solicitor at Stokoe Partnership. He explains: “One of the difficulties is, cyber-crime can come from anywhere in the world. That's what law enforcement agencies are having to deal with: cyber-crime is borderless.”
Russia is a known perpetrator of attacks; much of the so-called Darknet is said to be occupied by criminals from the country offering services such as distributed denial of service (DDoS). But the source of cyber-crime is now expanding, experts say. According to Aduwa: “It's expanded out beyond just Russia for example. And no one knows where the underground network is—as you can easily hide your IP address.”
Attribution is extremely hard to do, agrees Fischer. “How do you track the perpetrator? It can take many iterations before you find them. You can start with an IP address that's been attacking you, but it can easily be spoofed by attackers.”
Additionally, he asks: “Are companies actually reporting it? It's down to the level of sophistication of cyber-response. It can be a catch up game, and hard for organisations to invest in being better.”
Cyber-attacks are also getting much easier to perpetrate. Getting a foothold into organisations is akin to “chucking a big net out to see what you catch”, says Dave Palmer, director of technology at Darktrace. He explains: “Yesterday we saw our first customers that had been hacked by ads on Spotify. People are casting a wide net across as many digital viewers as possible. Sometimes it's ads, sometimes spam: they get a foothold first and then see if there is room to monetise.”
This contrasts to the situation previously, where campaigns had an objective - such as stealing bank details. Palmer says: “You see stuff installed and it is then followed with more malware with a specific objective in mind.”
Finding a solution
So cyber-crime cannot be stopped, but what can be done to minimise its impact? Henry says security is about focusing on the “right things” to do, not just the “good things”. “You need to understand the motivation of people attacking your business. Once you've got that, you need to assess the vulnerability landscape in the company - knowing the people, processes, data and controls you have in play. Only then can you do a proper risk assessment of where you are vulnerable.”
Sharing information is key to combating security issues before they spread, experts told SC. For example, threat intelligence helps to make good and timely decisions, says Huddleston. “There are lots of companies that do it, but it's about moving away from a compliance culture to operational risk management. The biggest shift we want to see is using available intelligence.”
It is already evident that the area is becoming increasingly important. Some industries are already sharing threat intelligence—for example in the banking sector; and the UK Cyber Security Information Sharing Partnership (CISP).
Sharing threat intelligence will help prepare for attacks, but this alone is not enough: businesses need to match and better the pace of response, says Huddleston. “The industry is talking about resilience - moving away from just protection. What we need them to head towards is a proactive stance: Using a more active defence approach, taking advantage of the technology available.”
The key is for firms to understand their assets, Huddleston advises. “Understand your strategy for defending these. Know what the impact will be and how to respond when you have an incident, both technically and in terms of reputational protection. Assets are about value to the business - and this is not just material.”
As part of this, businesses need to understand the threats to a particular asset. Huddleston explains: “They need to think about strategy in terms of the whole organisation: one part of the business might deal with industrial control systems and another might be food. A defensive strategy is breaking that down into smaller businesses to protect each part of the company.”
Understanding data is paramount, agrees Henry—and then “you can look at how valuable it is”.
This entails understanding the data landscape of the business, says Henry. “Each part of the company will hold data that's more valuable than another and it's knowing where the information is which might come under the Data Protection Act, for example.”
Additionally, monitoring for unusual activity makes it easier to spot attacks before they develop, says Palmer. “If we can make platforms more secure and things more sophisticated, it will get better. From the bad guy's perspective it is already getting really hard - as we now have algorithmic and mathematical approaches.”
Some industries are further ahead than others in the fight against cyber-crime. Liz Field is CEO of the Wealth Management Association (WMA) - the trade body for the wealth management industry, which represents 190 firms serving more than four million private investors and managing £670 billion of the country's wealth. Due to the personal information handled by these firms, the WMA is a prime target for cyber-criminals.
Among attempts to infiltrate the business, Field says the WMA has seen websites cloned with the aim of extorting money from individuals. She thinks education, on both a business and customer level, is essential as the scope for cyber-crime increases. “The other thing that we find is policies and procedures in the office have to be really tight, so we need to educate or train clients to value their data,” Field adds.
The WMA also takes part in a forum with the National Crime Agency (NCA) to allow it to understand the latest techniques by cyber-criminals. Additionally, it is involved in information sharing which is passed down to members. On top of this, says Field, the WMA publishes guidance on its website and uses an alert system.
She explains: “If there is a DDoS then we will email our members and tell them. It's about intelligence —how is it working; who is doing what; and spreading the word among our members.”