Cybersecurity remains a growing problem
Learn the lessons or pay the price
Every week seems to bring another very prominent company experiencing a very public cybersecurity breach. Within just the last two years, some of the biggest names in retail, manufacturing, consumer business and telecommunications have made the wrong kind of cybersecurity headlines. The cost of these incidents routinely runs into the hundreds of millions of dollars. That is on top of sometimes incalculable reputational harm.
And our interconnected world means all of us are literally just clicks away from being compromised. In 2013, cyber crime cost Canadian businesses $3.2 billion[i] and 36% of Canadian companies reported being victims of a cyberattack[ii].
Know your foe
Identifying your organization’s potential attackers, their targets and their techniques is a critical first step. Behavioural analysis aimed at understanding the motivations behind specific potential threats to your organization can help you focus on your areas of greatest concern.
In public sector areas such as healthcare and education, client confidentiality is a top priority. The retail and financial sectors must zealously guard payment data and account information. And most industries have trade secrets or proprietary knowledge to protect. Knowing what cyber criminals are likely looking for, or why they may want to disrupt your business, can also help you decide how to allocate precious resources.
A good starting point for any organization is Deloitte’s five steps to improve cybersecurity. They are:
- Focus on what matters: your crown jewels and relationships – Understand critical assets and interactions.
- Proactively assess your cyber risk – Know what to look for and how to detect threats – whether conventional or emerging.
- Focus on awareness to build a multilayered defense – Develop a cyber program that addresses a combination of defenses for your organization, employees, customers and partners.
- Fortify your organization – Have a plan to patch holes, manage patches, develop software securely and address physical security.
- Prepare for the inevitable – Focus on incident management and simulation to “test your gates” and your response.
It’s about time
Preparation is especially important given the speed and sophistication of today’s cyberattacks. At present, many breaches go undetected for extended periods of time. The focus should be on proactive detection. In the past, detection programs could root out signature-based malware. Modern asymmetrical attacks are harder to identify. Social attacks and credential theft are on the rise. And destructive code can sit idly inside networks for days, weeks, months or years until it starts wreaking havoc. In today’s online world, 100% security is impossible. But detecting malicious patterns and suspicious behaviour is a critical starting point for everyone.
More troubling is what happens once an attack is underway. A 2014 Verizon study, analyzing 63,000 security incidents in 50 global organizations, revealed some startling facts, including:
- 72% of initial compromises occur within minutes.
- 46% of data leaks occur within minutes.
- 72% of attacks take weeks or longer to discover.
- 59% of attacks take weeks or longer to contain.[iii]
In very simple terms, systems are frequently compromised within minutes. Sometimes it takes just seconds. Meanwhile detection and mitigation usually take weeks, months or more. That kind of math does not inspire confidence.
Nine basic patterns account for 92%[iv] of all incidents. Web application attacks, cyber-espionage and point-of-sale intrusions are the three variations which, on average, account for 72%[v] of all hacks. But people remain the weakest link in the security chain. As such, they are increasingly targeted as the starting point for attacks.
Nefarious intent from insiders is not required to put networks at risk. Errors and omissions such as failing to update a security patch can cause massive harm. Deloitte’s own readiness testing of clients illustrates the problem. Our teams sent client employees “spear phishing” emails designed to resemble common cyberattacks. About 65% of users opened these messages and roughly a third actually provided credentials in a response.[vi] Clearly, awareness remains a work in progress.
Most alarming are all-too-frequent examples of people gradually coming to accept cybersecurity red flags as normal. In two of the most high-profile attacks in recent years, people identified – and then ignored – obvious warning signs. Adequate responses could have eliminated or contained the damage in each case. But instead of building intelligence from these indicators, they were treated as minor blips. The organizations continued metaphorically inching towards a cliff. Eventually, each one suffered a hard fall. Businesses must prioritize responding to and learning from these warnings to prevent groupthink from having catastrophic consequences.
Another crucial measure is involving entire organizations in cybersecurity planning. Going beyond Risk and Internal Audit to include departments such as legal is essential. Often when cyberattacks involve third-party data, first responders must wait to get a legal opinion before they can begin to act. The result is like having firefighters arrive at a burning building, only to turn off their hoses while waiting for lawyers to chime in. Establishing legal frameworks before an incident occurs can help ensure more effective containment in a crisis.
Clearly, cybersecurity is a daunting task. Simply keeping up with evolving regulations is a full-time job, one which diverts scarce resources away from cyber threat management. Organizational boundaries are blurred by “bring-your-own-device” policies and partnerships. All this adds further complexity to the security equation.
What’s critical in the fight against cyber threats is an organization’s ability to find the right operating model to be more secure, vigilant and resilient. Cost and business imperatives will drive the right operating model whether you insource, outsource or co-source your cyber defenses. But all prevention models must deliver on three key metrics:
- Security – Fundamental effective information controls.
- Vigilance – Proactive threat monitoring that looks for patterns and behaviours; intelligence gathering including cyber chatter and updating threat scenarios and technology.
- Resilience – Preparing to contain any type of breach and continually updating response policies, testing with simulations and developing dynamic recovery plans.
Despite the very apparent risks, attitudes towards cybersecurity often remain “It doesn’t happen here. It doesn’t happen to us. It doesn’t happen to me.” Too many companies, including more than a third of Canadian ones, already know better. The reality of cyberattacks is a matter of “when,” not “if.” So what organizations really must ask is if they prefer preparing before an attack happens or paying dearly to clean up after one occurs?
[i] Nelson, Jacqueline. Cost of Canadian cybercrime reaches $3.2-billion in 2013. The Globe and Mail. Date accessed: March 10, 2015. http://www.globeinvestor.com/servlet/WireFeedRedirect?cf=GlobeInvestor/config&vg=BigAdVariableGenerator&date=20140609&archive=rtgam&slug=escenic_19071035
[iii] Verizon 2014 Data Breach Investigations Report