Cyber (in) security - Common ways to get it all wrong
The risks posed by the modern day cyber-attack are large and damaging for any organisation. Recent surveys and reports show that cyber-crime is increasing rapidly and is fast becoming a key area of concern for many organisations, making ‘cyber’ a hot topic in boardrooms. Defending against these cyber-risks can be both time consuming and expensive.
A losing strategy with the weakest link
Attacks come in multiple forms, shapes and sizes. Some are highly technical and sophisticated, within reach only of experienced attackers or state-sponsored agencies. Others can be carried out by virtually anyone, from anywhere, using easily and freely available tools. The most common type of cyber-attack over the last few decades is social engineering, which, rather than being highly technical, targets people in organisations so that they (often unknowingly) assist the attacker in procuring information or access to systems. That information can then be used to gain further information, or be leveraged to begin another attack.
Social engineering attacks take numerous forms, from phone calls or emails through to appearing at an organisation’s reception desk and asking the right questions. Any weak link can disclose information that can be further leveraged, perhaps to initiate a follow-on attack. Modern cyber-criminals are not the movie-depicted teenagers in dark rooms; they are much more likely to be slick, well-dressed smooth talkers calling at your door.
Attackers don’t operate a nine-to-five business day; they are active at all hours, from all locations, and using techniques that may be unavailable to legitimate security defenders. Securing the weakest link is essential to improving the security posture of any organisation. Organisations need to invest in upskilling and training their employees, making sure that their culture is one of proactively identifying and responding to cyber-threats.
Watch Deloitte’s cyber-security video here for an example of how these attacks can work.
100 per cent security?
A common misconception is the idea of complete, or 100 per cent, security. At a time when new vulnerabilities are being identified daily, it is not enough to reach a level of apparent security and then get back to business as usual. Cyber-security requires constant vigilance. The idea of perfect security is long gone, and has rightly been replaced by a risk-based approach that targets areas of high risk and is subject to constant review.
Organisations should carry out accurate cost/benefit analyses of any security measure, with a view to securing value for money as well as a high level of security. Even with significant investment in security, risks remain; managing that risk is the key challenge, as is preparing for any potential cyber-incident. While 100 per cent security is not feasible, having the correct mechanisms in place to deal with the fallout from an incident will help an organisation recover, and this preparation serves it well when an incident does occur.
We are compliant, therefore we are secure
There is a constant push to be compliant with various standards and ‘up and coming’ cyber-regulations. While these provide some level of assurance about the processes and procedures in place in an organisation, they do not provide the level of security that many assume. A common oversight is becoming compliant and then not properly maintaining compliance. Cyber-standards and regulations set the minimum standard: they are an audit/compliance mechanism to show that an organisation has reached a minimum defined standard and is managing its security posture. Simple compliance does not mean that an organisation is secure.
Risks still exist, and there are a number of issues that standards and regulations do not cover, such as the threat profile of the organisation and other areas unique to it. Every organisation has different needs, depending on the nature of the business function being carried out. As such, there is no single standard or compliance mechanism which, once met, establishes complete security.
Tone from the top – Enforcement or leadership and direction?
Cyber-security is a group effort: the overall security posture of the organisation is only as strong as its weakest link. This requires ‘buy in’ and active engagement from employees at all levels within an organisation. To this end, staff education and awareness are key. Alongside other areas of education, security awareness should be an ongoing topic with regular refreshers, to remind employees of the importance of cyber-security. Awareness and education, however, are only effective if driven from the top. An organisation’s top management, including the board, must take an interest in cyber-security and lead by example.
Focused, risk-based approach
Focused security efforts have both advantages and disadvantages. Across wide infrastructure environments it is not always feasible to provide a high level of security assurance everywhere; however, it may be required in some areas (e.g. where credit card data, personal information or business trade information is stored). Defining high-risk areas is a challenge for any organisation; for example, high-risk areas may consist of all public-facing network gateways or web portals, since anything the public can access and use, an attacker can access and abuse. Nevertheless, targeting areas of high risk to focus security efforts is not only valuable but often necessary.
A key issue with focusing efforts on high-risk areas is that other areas and possible entry points may be left exposed, and so still at risk. Keeping efforts both broad and focused is therefore a significant challenge; but, if done correctly, the result can be a more effective security programme at a fraction of the cost.
Tooling up – “Best in Class”
Security investment is a constant battle. Staying up to date with defensive tools requires proper planning and maintenance. The value of investing in the latest tools and devices is, however, significantly reduced if they are not configured and managed correctly. Every organisation has a different environment, with unique strengths and weaknesses. The value of a misconfigured security product may be nil; in fact, it may be negative, because of the false sense of security it creates.
Proper investment and planning at the start are essential to obtaining value from any security system. The cost of a tool is only justified if the benefits outweigh it. The cost also needs to take into account the total cost of ownership, not just the initial outlay, as well as any resourcing costs (e.g. are staff required to monitor and tune the products being procured?). An unmonitored security solution is akin to installing a house alarm and then ignoring it when it goes off.
Cyber-security is a clear and increasing global concern for organisations of all shapes and sizes. Attacks are common, no one is fully safe, and unfortunately a large number of attacks are successful. The takeaway for management is to appreciate the gravity of cyber-security in the modern business world, to respond appropriately and to remain vigilant in our chaotic, connected world.
Deloitte Cyber Risk Services
Cyber Incident Response - Hotline - 01 417 3000
For more information please contact:
Camilo do Carmo Pinto