Understand the current cyber threat landscape and how to mount an effective defence.
The advent of the internet has closed the gap between organisations and individuals and those who want to attack and damage them.
Dr Darren Brooks – executive manager, Cyber Security Consulting, BAE Systems Applied Intelligence – told delegates at a recent ACCA UK Internal Audit Network event in London that the significance of this was underlined by NATO’s recent announcement that it saw no distinction between a cyber attack and a physical attack.
Attack instigators
So far, the most significant actors in the cyber domain appear to be nation states, he said, citing many examples of their activities. Cyber attacks against Ukraine, for example, began some six to 12 months before the first shot was fired in its conflict with Russia.
There is also an increasing crossover between criminal attacks on the corporate world and what was being seen from certain states, he added. Many sources cited China and Russia as aiming attacks at Western companies, with this behaviour now spreading to involve other groups from across the world.
Turning to criminal, rather than nation state attacks, Dr Brooks said that the ‘bad guys’ had been trying to steal money from banks for as long as the banking system had existed. The internet had simply made it easier. Most of the criminal activities centred on harvesting bank account and credit card information, but corporate fraud was also increasing.
‘The attacks we are seeing are generally on mid-sized companies where there is some confusion around the sign off of money, less robust procedures or procedures they can intercept,’ he explained. ‘Fraud is the most common motive for a cyber attack, but others include sabotage and market manipulation.
‘In the case of corporate espionage, the targets are usually market information, IP and information around mergers and acquisition. People have always been after this sort of information but it’s now easier to steal it.’
The last group of people using cyber attacks were campaigners, who instead of camping out on corporate doorsteps to make their protests could now launch attacks from home that could disrupt organisations by taking down websites or putting messages up on them.
Recent years have seen a proliferation of sophisticated cyber attack techniques, such as steganography, in which a message, image or file is concealed within another message, image or file. This is effective because the hidden message does not draw attention to itself as an object of scrutiny: the carrier looks unchanged, so the payload passes controls that inspect only what is visible. Criminal organisations are also deploying modular, plug-in based crimeware such as Shylock that anyone can use.
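To make the steganography point concrete, the following added example (not code from the speaker or from BAE Systems) hides a short message in the least-significant bit of each pixel of a constructed greyscale image, recovers it, and shows why it escapes visual inspection: no pixel changes by more than 1. It also includes a crude LSB-plane entropy check of the kind a defender might run; the carrier, payload and the `embed`/`extract`/`lsb_plane_entropy` names are all assumptions for the illustration.

```python
"""Least-significant-bit (LSB) steganography over a constructed greyscale
image, plus a crude statistical check. Added illustration for this article;
not code from the speaker or from BAE Systems."""
import math
from typing import Iterator, List

Pixels = List[int]  # 8-bit greyscale values in row-major order

# Constructed carrier: a smooth 8-step ramp of even values (512 pixels), so
# every untouched LSB is 0. Real photographs have noisier LSB planes.
CARRIER: Pixels = [100 + 2 * (i // 64) for i in range(512)]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: Pixels, payload: bytes) -> Pixels:
    """Overwrite one LSB per pixel with the payload bits.

    A 4-byte big-endian length prefix is embedded first so extract() knows
    where the hidden data ends. Each pixel changes by at most 1, which is
    invisible to a viewer and to any check that only looks at the image.
    """
    framed = len(payload).to_bytes(4, "big") + payload
    needed = len(framed) * 8
    if needed > len(carrier):
        raise ValueError(f"carrier too small: need {needed} pixels, have {len(carrier)}")
    stego = list(carrier)
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract(stego: Pixels) -> bytes:
    """Recover the payload written by embed(); raises if the frame is truncated."""
    lsbs = [p & 1 for p in stego]

    def byte_at(i: int) -> int:
        chunk = lsbs[i * 8:(i + 1) * 8]
        if len(chunk) < 8:
            raise ValueError("truncated stego data")
        return int("".join(str(b) for b in chunk), 2)

    length = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    if (4 + length) * 8 > len(lsbs):
        raise ValueError("length prefix exceeds carrier")
    return bytes(byte_at(4 + i) for i in range(length))


def max_pixel_delta(a: Pixels, b: Pixels) -> int:
    """Largest per-pixel change between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_plane_entropy(pixels: Pixels) -> float:
    """Shannon entropy, in bits, of the LSB plane.

    Embedded data pushes the LSB plane towards 1 bit of entropy. This is a
    weak, heuristic indicator only: natural image noise also raises it.
    """
    n = len(pixels)
    ones = sum(p & 1 for p in pixels)
    if n == 0 or ones in (0, n):
        return 0.0
    p1 = ones / n
    p0 = 1.0 - p1
    return -(p1 * math.log2(p1) + p0 * math.log2(p0))


if __name__ == "__main__":
    secret = b"meet at 0900"
    stego = embed(CARRIER, secret)
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_delta(CARRIER, stego))
    print("LSB entropy clean/stego:",
          round(lsb_plane_entropy(CARRIER[:128]), 3),
          round(lsb_plane_entropy(stego[:128]), 3))
```

The entropy check is deliberately labelled heuristic: on a photograph the clean LSB plane is already noisy, so in practice defenders rely on richer steganalysis or, more often, on controlling which channels can carry arbitrary files out of the organisation at all.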
Alongside new techniques there is a re-emergence of old ones, including luring people into clicking a spurious link that downloads software which bypasses the organisation's controls and allows the attacker to do whatever they want on the compromised machine.
Phishing and spear phishing are also rife. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, while spear phishing, also an email spoofing fraud attempt, targets a specific organisation and seeks unauthorised access to confidential data. As with the email messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source.
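The "appears to come from a trusted source" trick usually leaves traces in the headers. The following added example (not code from the speaker or from BAE Systems) checks a constructed message for three common spear-phishing indicators: a display name that borrows a trusted organisation's name while the address belongs elsewhere, a sender domain that is a look-alike of a trusted one, and a Reply-To that redirects the conversation to a third domain. The trusted-domain list, the two sample messages and the function names are assumptions made for the illustration.

```python
"""Spear-phishing indicators in mail headers: display-name spoofing,
look-alike sender domains and Reply-To hijacking. Added illustration for
this article; not code from the speaker or from BAE Systems."""
import difflib
import email
from email.utils import parseaddr
from typing import Iterable, List, Optional

# Assumption: the organisation's own and its trusted suppliers' mail domains.
TRUSTED_DOMAINS = frozenset({"northbank.example", "acme-print.example"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, trusted: Iterable[str], cutoff: float = 0.8) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles, if any.

    difflib's ratio catches substitutions such as 0 for o; it is a cheap
    first pass, not a substitute for a homoglyph-aware comparison.
    """
    close = difflib.get_close_matches(domain, list(trusted), n=1, cutoff=cutoff)
    if close and close[0] != domain:
        return close[0]
    return None


def phishing_indicators(raw_message: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings for one RFC 5322 message; empty means clean."""
    trusted = set(trusted)
    msg = email.message_from_string(raw_message)
    findings: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    if from_dom and from_dom not in trusted:
        near = lookalike(from_dom, trusted)
        if near:
            findings.append(f"From domain {from_dom!r} resembles trusted domain {near!r}")
        # Display name borrows a trusted organisation's name, address does not belong to it.
        for t in trusted:
            org = t.split(".")[0].replace("-", " ")
            if org in display_name.lower().replace("-", " "):
                findings.append(f"display name {display_name!r} claims {t!r} but address is {from_addr!r}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: NorthBank Payments <payments@n0rthbank.example>
Reply-To: clerk@webmail.example
To: finance@victim.example
Subject: Urgent: updated supplier bank details

Please update the beneficiary account before today's payment run.
"""

LEGITIMATE = """\
From: NorthBank Payments <payments@northbank.example>
To: finance@victim.example
Subject: Monthly statement

Your statement is attached.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

None of these checks proves a message is malicious on its own; they are the cheap triage a mail gateway or an analyst can run before the more expensive questions (was the sender authenticated by SPF/DKIM/DMARC, does the link or attachment lead somewhere hostile) are asked.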
‘We are seeing all these techniques being used and via lots of different channels,’ said Dr Brooks. ‘Using them in combination dramatically improves the success rate of the attacks.’
Mounting a defence
So what should organisations be doing to defend themselves? An awareness and understanding of the dangers is obviously paramount, and this includes recognising that an attack can come through an organisation's supply chain.
‘It is particularly hard to stomach if a small company working on your behalf is hit,’ Dr Brooks pointed out. ‘Nobody cares if it was the printer who lost the details of your pensioners – it will be your brand name that appears all over the BBC. Those attacking you will usually focus on the weakest door, so review the controls your suppliers are putting in place for you and check how they are managing your data. This is absolutely vital when you have sensitive data on their systems.’
Dr Brooks shared his cyber attack management rules with his audience. ‘Be clear whose responsibility this is,’ he said. ‘It is not the IT department’s or even the security department’s. It lies with the board, which must manage the risk of doing business online and being part of the connected world. But it may need help in understanding what risk looks like and what is a good investment in terms of protection.’
Cyber risk is specific to each organisation and depends on its history, where it is based, the sector it operates in and who it does business with. The risks are many and varied and include censure and embarrassment, client loss, direct fraud, sabotage and espionage.
‘Take active decisions about cyber security and plan for resilience,’ Dr Brooks urged. ‘Be clear, in the event of an attack, who should make the decisions, who should get involved in the clean up and who explains what’s happened to your client.
‘Make sure that cyber security measures support the strategic priorities of the business because cyber security should never be a blocker to what the business is trying to achieve. Late decisions around security tend to offer a poor balance between costs and risk – get in early because shoe-horning them in later can be very expensive. Good risk management focuses your spend where it is needed most.’
Dr Brooks concluded by saying that auditors needed to ask themselves three key questions:
how do we know we are being attacked?
have we got the right monitoring systems in place?
are controls blocking or delaying the organisation’s progress?
By addressing these questions you’ll be able to play an active part in ensuring your company is protected from the threat of a cyber attack.