Emerging trends in cyber security

November 2019  |  COVER STORY  |  RISK MANAGEMENT

Financier Worldwide Magazine

November 2019 Issue


Every day, the scourge of cyber crime affects companies across many industries. It has developed into one of the greatest threats companies face.

The number and size of successful breaches is increasing. Between 2005 and 2017, significant data breaches, the type that affected millions of users, rose from about 200 per year to more than 1,300, according to Experian. Cyber attacks are among the fastest growing crimes in the US, and they are increasing in cost to businesses. The threat is only going to grow as cyber criminals become smarter and more sophisticated with each passing year.

According to Cybersecurity Ventures, cyber crime will cost the global economy $6 trillion annually by 2021, up from $3 trillion in 2015. Ransomware alone will cost businesses $11.5bn in 2019 and $20bn by 2021, disrupting business operations and critical services. “Numerous cities have been hit,” notes Dorothy E. Denning, an emeritus professor at Naval Postgraduate School. “One recent attack affected about 10,000 computers in Baltimore, Maryland, causing over $18m worth of damage. Another led to the loss of electricity in Johannesburg, South Africa. The ‘NotPetya’ ransomware attack caused massive disruptions to the Maersk shipping company in 2017, costing it over $250m.”

Criminal sophistication

Today, cyber criminals are more adept at carrying out attacks than ever before. Their profile is also evolving, with nation states and state-sponsored activity becoming more prevalent. “Arguably, the greatest cyber threats today result from the efforts of state-sponsored actors,” says Rick Fischer, a senior partner at Morrison Foerster. “For years, China and Russia have engaged in an increasing number of cyber attacks. Now other countries, such as Iran and North Korea, are also actively involved in cyber attacks. As a result, even though companies are investing ever increasing amounts in cyber security compliance, there still is no such thing as perfect cyber security. Specifically, even the most sophisticated companies that have made the greatest investments in cyber security compliance are still at risk of cyber attacks. At the same time, the failure of companies, like credit reporting company Equifax, to employ available patches to address commonly known security system weaknesses has resulted in major breaches, impacting tens, if not hundreds, of millions of people.”

If companies are to successfully defend themselves from these attacks, they must have the right policies and procedures in place. Businesses must adopt both proactive and reactive security solutions. According to Wipro, 65 percent of organisations globally are now tracking and reporting regulatory compliance to ensure that their data protection practices match up to the strict cyber security guidelines in the EU, for example. And 49 percent of C-level executives participating in Deloitte’s ‘Future of cyber survey 2019’ have cyber security issues on their board’s agenda once a quarter. Seventy-seven percent of chief information security officers (CISOs) report that cyber security issues are on their board’s agenda at least quarterly.

“It would be fair to say that there has never been a higher appreciation of the importance of cyber security than there is today,” says Kit Burden, a partner at DLA Piper. “Although it seems sometimes as if data breaches are being publicised on a near daily basis, in part due to recent changes introduced via the General Data Protection Regulation (GDPR) in Europe, we have not yet reached the point of ‘information overload’ and the PR impact of such incidents is still considerable. The key overall trend is the growing willingness of regulators to get involved in setting out ever more prescriptive requirements, and to apply sanctions to those who they do not think comply.”

While cyber security is beginning to feature more prominently on corporate agendas, the level of focus and preparation applied by companies varies greatly depending upon the industry in question. “Highly regulated industries, like financial institutions, generally have well-developed cyber security compliance programmes,” explains Mr Fischer. “Many other industry segments have yet to focus sufficiently on cyber security compliance. However, the increased frequency and sophistication of data breaches, and the substantial fines now imposed on companies that have suffered a data breach, will force companies to invest far more into cyber security compliance programmes than was the case a decade ago.”

Insider threats must also be addressed. Disgruntled or dishonest employees, contractors or other third parties can present a huge risk. Human error or carelessness can be damaging, but losses resulting from the actions of an individual who knows exactly where to look to obtain access and circumvent existing security measures can be catastrophic, according to Mr Burden.

One of the most significant trends that we have seen in recent years is the exploitation of zero-day vulnerabilities and attacks on a target’s supply chain. “These attacks are no longer the preserve of elite cyber criminals; so-called ‘exploit kits’ are now available fairly widely, and these allow people with relatively little technical knowledge to carry out sophisticated attacks in a more-or-less automated fashion,” says Joel Harrison, a partner at Milbank.


Attack vectors are changing. The sophistication of malicious actors is being accelerated by the level of communication and information shared among them. “The use of malware that leaves little, if any, trace increasingly permits attackers to roam systems for weeks or months before detection,” says Peter McLaughlin, a partner at Womble Bond Dickinson. “Email continues to be a highly effective delivery method, as phishing and social engineering in their various forms remain highly successful. As people become more aware of email risk, we are also seeing this expand via texting and social networking attacks. The opponents keep shifting their approaches.”

The quantum computing question

Cyber defence tools are also expanding and evolving. Firewalls, antivirus software, public key infrastructure (PKI) solutions, staff training and penetration testing are all likely to feature in a modern cyber defence programme. However, developments in new technology, such as artificial intelligence (AI), machine learning (ML) and quantum computing, may completely change the business of cyber defence.

Quantum computing has the potential to revolutionise the cyber security industry as quantum computers are more powerful than current computer systems by orders of magnitude, and the power at their disposal could remake fields including science, medicine and financial services, among others.

From a cyber security perspective, quantum computing may represent both an important opportunity and a threat. For example, it is expected that today's public-key encryption techniques will soon be undermined by quantum computing. In response, quantum-safe encryption algorithms are already being developed by companies including Google and Microsoft. Without such algorithms, all information transmitted over public channels, now or in the future, would be vulnerable to interception and theft.

“Quantum computing is a potential game changer,” suggests Mr Burden. “Current levels of encryption-based security could simply be swept away if the predictions as to the potential processing power of quantum computing prove accurate. However, the data security industry will not stand idle and will instead look to respond, with greater application of multi-layer authentication methods, including more biometric measures, looking to offset the potential increased processing power available to wrongful actors.”

Quantum computing will likely break the public-key cryptosystems in use today for secure communications, web security, digital signatures, certificates, and the like. “When that happens, we will need new methods to replace the ones in use,” says Professor Denning. “However, at this stage, companies and regulators should sit tight until the National Institute of Standards and Technology (NIST) and other standards organisations adopt replacements. Then, the tech companies that incorporate public-key crypto in their products should start integrating the new standards into their products as options. At that point, we will have a better idea of the actual threat of quantum computing, and regulators can take appropriate actions.”

In the short term, it is unlikely that hacktivists and cyber criminals could afford quantum technology. However, nation states do have this ability, and a number of them, including China and Russia, have been making important strides in the quantum computing space in recent years.

Avoiding breaches

In the future, it will become increasingly difficult to avoid cyber breaches. It is vital, therefore, that companies ensure that they are prepared for an attack. “Companies must not only examine and test their external firewalls, but also must examine and test their internal firewalls in an effort to promptly identify and address the potential impact of a data breach,” says Mr Fischer. “It is no longer sufficient to have internal employees conduct security tests. Instead, it has become necessary for companies to employ external experts to test both external and internal firewalls and to assist internal compliance personnel in examining possible intrusions.”

Financial considerations also come into play, and companies need to allocate appropriate budget for IT security and defence. “It is not enough to have measures in place if they are not properly updated, with patches applied as soon as possible after release, and older tech replaced in line with the current state of the art,” says Mr Burden. “Proper attention must also be applied to ensuring full compliance with relevant standards and policies, backed with regular audits and spot checks. Engaging the services of ‘white hat’ ethical hackers to undertake supervised penetration testing should also be considered.”

Regardless of the steps taken by organisations, there is no such thing as perfect security, so companies are working to reduce the risk and impact of incidents rather than eliminating them, which is simply impossible in today’s environment. “Firms should focus on a security programme and process built upon one or more security frameworks,” says Mr McLaughlin. “In anticipation of the inevitable incident, a firm should strive for technically and legally defensible security. This means that beyond reducing the likelihood and scope of an incident, an organisation should be able to demonstrate that the event did not arise from any systemic failure of the security programme.”

The future

Boards should consider requiring management to provide a set of key performance indicators (KPIs) and key risk indicators that can enable them to quickly ascertain the state of cyber security within their organisation. The board has a vital role to play in defining a company’s cyber defences. Firms are still coming to grips with what the ‘proper’ level of involvement is for the board concerning cyber security. “While there is talk of whether there needs to be specific ‘cyber’ expertise on the board, that is likely neither necessary nor sufficient,” says Mr McLaughlin. “The board needs to be proactive about risk, and the nature of risk has changed to become more inclusive of technology and information assets than before. The board should regularly engage internal and external cyber security resources in the same way it has historically engaged financial and legal resources.”

From a legal perspective, there may be an increase in the volume of enforcement action and civil litigation, including by representative groups. “The levels of monetary penalties and compensation are also likely to rise, with regulators gaining increased enforcement powers and legislation explicitly providing for compensation for non-material damage,” says Mr Harrison. “As this happens, we expect to see these claims challenged by the companies involved, particularly in cases where they have been the targets of sophisticated attacks and they have strong grounds for arguing that they had appropriate preventative measures in place.”

Problems surrounding data security and cyber crime will not go away. An area of particular concern is Internet of Things (IoT) devices, which continue to flood the market without adequate security; there will be more of them and more ways of causing harm by hacking them. “We will also see new methods of attack,” says Professor Denning. “Just recently we have seen stories reported in the media of a drone that could hack a smart TV and a low-cost computer that could be ‘warshipped’ to a company for a close-up attack on its Wi-Fi network.”

For Mr Fischer, the frequency and impact of data breaches will continue to increase. “Similarly, the costs of cyber security compliance programmes also will increase, as will the penalties imposed by government agencies on companies that suffer data breaches,” he adds.

Technological change will present opportunities and risks for organisations. The roll out of 5G mobile technology, for example, will transform internet communication and will allow billions of new devices to come online. For consumers, businesses and society in general, 5G is likely to be a boon – its potential applications are legion, with developments such as AI, ML and autonomous vehicles likely to revolutionise many aspects of daily life and business. However, from a cyber security perspective, 5G will present new challenges. With new risks emerging and more devices potentially threatening networks, organisations will have to change or restructure their cyber security strategies accordingly.

© Financier Worldwide


By Richard Summerfield

