January 2019 Issue
At a time of great change for business, organisations and governments, the cyber risk landscape is becoming ever more complicated, persistent and data centric. Today, cyber criminals have substantial resources at their disposal, such as malware, hacking and phishing, and are motivated by everything from profitability and scale to political gain. Borderless in nature and impacting all users and organisations, the harmonisation of cyber crime laws across the globe is increasingly viewed as essential to security.
FW: Could you provide an overview of the cyber risks currently facing businesses, organisations and governments across the globe? What are some of the common types of cyber threats, and how have they evolved in recent years?
Lanois: Cyber security is becoming an increasingly important issue for businesses, organisations and governments, as evidenced by the fact that data breaches are regularly making the headlines. For example, a data breach at HSBC Bank made headlines in November 2018 when the bank announced that some of its US bank accounts were compromised by hackers who may have gained access to bank balances and statements, as well as account holders’ personal information. Data breaches have also become an international issue. For example, the airline Cathay Pacific announced, also in November 2018, that it is working with 27 regulators across 15 jurisdictions in relation to an investigation into a data breach which affected roughly 9.4 million of its customers.
Coleman: The World Economic Forum’s latest survey put cyber attacks as one of the top five risks for businesses globally. At the Global Future Council in November 2018, it was cited as the number one risk facing business in Europe. We are in an exciting digital revolution, but at the same time digital adversaries are increasingly moving to exploit those very spaces for their own or others’ gain. We are now in a phase of the ‘industrialisation of cyber crime’. The once-perceived teenager in their bedroom is no longer the reality of the risk or the threat landscape. Attackers are able to scale in size and operation with increased capabilities. Today, automated bots have evolved to constantly scan for vulnerabilities which leave organisations wide open to attack. We also see targeted campaigns of attacks which go from organisation to organisation. Risks have grown from stealing data, to disrupting infrastructure, to exploiting infrastructure for economic gain. And what happens in one part of the world is now spreading across the globe faster than ever before. Information that was held by one lone hacker is now in dark marketplaces, where information and exploits are traded.
Hardoy: A rising number of connected devices and the rapid expansion of cloud-based services has opened unlimited opportunities for businesses, governments and consumers worldwide. Emerging cyber threats could undermine this ever-evolving ecosystem. Cyber crime is border-agnostic and impacts people and organisations globally. We have seen the evolution of cyber crime over the last few years; today it is increasingly being characterised as a cross-border issue, with safe havens for cyber criminals who operate outside of the jurisdiction of law enforcement agencies. Unsurprisingly, 88 percent of companies were concerned about cyber attacks in 2017 according to the FireEye/Mandiant report and the number of security threats companies have faced have increased significantly in recent years, as criminals have built increasingly sophisticated operations. The number of ransomware variants, for example, has grown by 46 percent, according to Symantec. Furthermore, the catastrophic impact of the WannaCry ransomware was evident in 2017. Malware is also a significant and growing concern. Ninety percent of all cyber attacks are delivered via phishing emails. And almost all attacks that led to a breach were followed by some form of malware. One of the greatest challenges that companies are facing today is the time it takes to detect an intrusion. Attackers are present on a victim’s network for an estimated median of 99 days before they are detected. We have also seen an expansion in the number of nation-state attacks. Conflicts between nations are no longer confined to the ground, sea and air – cyberspace has become a new and potentially global battleground where nation-states can utilise cyber offensive tools to gain information, influence and advantage over their rivals.
Gu: Cyber risks are evolving at a time of great change for business, organisations and governments. The landscape of cyber risks is becoming more complicated, persistent and more data centric. The most common types of cyber threats companies face today are Trojan attacks, malware and vulnerabilities exploitation, but thanks to the development of new technology, Internet of Things (IOT) attacks, artificial intelligence (AI) brute force attacks and high performance computing attacks, are becoming more widely utilised, as they become more widely available and less expensive to implement.
“A few years ago, many companies were unwilling to move to the cloud because of security concerns. Today, we are seeing the reverse, with more and more industries moving to the cloud for security reasons.”
FW: In your experience, how should companies go about identifying, analysing and evaluating cyber risks in order to implement appropriate security measures?
Coleman: The goal for every organisation is resilience – understanding we will not be able to stop all attacks. Having a framework – such as the NIST Cyber Security Framework – helps. It covers five steps: identify, protect, detect, respond and recover. Response is critical to risk management. Firstly, organisations should have an approach that puts the risks in context: what type of business is involved, where is the risk in the supply chain, what kind of assets are at risk, what type of regulation impacts the organisation, and so on. Second, in conducting the actual risk assessment, a 360-degree perspective should be applied. Risk assessments should reflect a test of what a potential attacker could do, techniques they could use, and damage they may look to inflict. Many organisations now realise it is not a case of ‘if’ but ‘when’, and need to ensure weak spots do not make it easy for an attacker to get access. But to be resilient, organisations must be able to spot the attack and be able to respond fast. Increasingly, tabletop exercises to manage risk are evolving to simulated sessions and to create readiness. The latest step in this process is mobile operations capable of travelling onsite for cyber security training, preparedness and response.
Hardoy: Cyber security requires companies to take an integrated approach. Given that the average cost of a data breach in 2017 was estimated at $4m, according to the Ponemon Institute, it is clear that investing the time and the right resources is critical to anticipating, analysing and evaluating cyber risks, and helping companies to stay ahead of the criminals. Companies must implement a security plan which allows them to protect their networks, detect an attack and respond accordingly. Such a plan will allow companies to strengthen their cyber defences and will protect them against threats or help mitigating attacks. Attacks are inevitable, but having strong security measures in place can help reduce negative business impact.
Gu: Companies can leverage many channels to identify, analyse and evaluate cyber risks. These channels can be very diverse. Setting up a framework is the best tool to apply best practices for identification, analysis and evaluation. For example, NIST, ISO 27002 and COBIT 5 are useful frameworks to cover all appropriate security measures and security control objectives, including best practices for management’s cyber security strategy.
Lanois: The starting point would be to identify the organisation’s assets, in order to understand what may be of interest to competitors, state-sponsored hackers or even common criminals, so that appropriate security measures can be adopted. Organisations must also keep a close eye on social or technological changes and trends, not only to identify new opportunities to stand out from the competition, but also to determine how technologies can and are being used by others. For example, the rise of social media has created new ways for companies to engage with their existing customer bases and to reach out to new types of prospects; however, it can also be used to facilitate identity theft through social engineering. In any case, one of the key ways to reduce risks is by raising awareness of security issues, at all levels within companies, to enforce knowledge on information security processes and data protection procedures. Everyone in an organisation has a role to play to ensure cyber security.
FW: Do certain sectors seem to be particularly vulnerable to cyber attacks? In what ways do these sectors need to adapt their preparations to address unique threat vectors?
Lanois: If we take a look at the targets of attacks by malicious actors, it appears that the landscape is actually very diverse. For example, companies such as HSBC, Cathay Pacific, Target, Home Depot, Sony Pictures Entertainment, Sony PlayStation Network, Hilton Hotels, Anthem, Equifax, Uber, Yahoo, Tesco, Ashley Madison and Chipotle, among others, have been victims of cyber attacks, at least once already, thus it is clear that no industry is safe from attack. Government agencies are also attractive targets for state-sponsored hackers. In addition, security teams are increasingly seeing new forms of attack in areas that they had not previously expected – therefore, ongoing vigilance is crucial in order to uncover emerging threats.
Gu: There will be higher risk for some sectors, such as financial services, retail and pharmaceuticals. These sectors must pay more attention to vulnerabilities as their data is both sensitive and confidential. Sometimes, it is not only cyber security to prevent cyber attacks, but also privacy protection to convince regulatory bodies. Companies need to refer to industry compliance standards, international cyber security standards and company-specific cyber security practices in order to prepare for unique attacks that are all too common. Only specific manufacturing or financial system vulnerabilities can be considered as unique threat vectors.
Hardoy: A few years ago, many companies were unwilling to move to the cloud because of security concerns. Today, we are seeing the reverse, with more and more industries moving to the cloud for security reasons. The financial services sector is one such industry that has recognised the security benefits of the cloud and the enhanced and integrated resilience against cyber attacks. Earlier this year, the European Banking Authority published a set of recommendations that clearly identified the issues that European financial services institutions should consider when adopting cloud services to help them to make the appropriate risk assessment. Other industries are also migrating progressively to the cloud, but it is clear that those organisations that fall behind in adopting cloud services risk being more vulnerable to cyber attacks without a fully integrated security by design approach provided by a trusted cloud services provider.
Coleman: The financial services sector continues to be a hot target for cyber criminals; after all, that is where the money is. One of our 2018 reports identified the financial services sector as experiencing the most security incidents requiring deeper investigation, and ranked the sector as the third most targeted industry overall. In fact, financial services experienced 27 percent of security incidents and 17 percent of attacks. The information and communications technology sector ranked number one by number of attacks experienced. These companies had one third of all attacks and had the second highest number of security incidents requiring further investigation – with 18 percent of security incidents and 33 percent of attacks. Attackers continue to evolve and the threats diversify. We are now seeing supply chain partners – small as well as large – being targeted as a way of reaching larger organisations.
“Attackers continue to evolve and the threats diversify. We are now seeing supply chain partners – small as well as large – being targeted as a way of reaching larger organisations.”
FW: What considerations should a company make to ensure that the cyber security controls it chooses are appropriate to the risks it faces? How important is a formal cyber risk assessment in this regard?
Gu: A company should deploy security controls which it thinks are appropriate to the risks it faces. It need to define risk, and understand risk appetite, risk tolerance and the risk landscape. Then, after using qualitative and quantitative measurements, it can get a clearer picture of risk. Next, it needs to adopt international security standards and culture-driven security programmes. In order to enable a precise risk assessment, a formal cyber risk assessment is crucial and mandatory. A company needs to appoint external partners and internal security experts to successfully assess risk.
Hardoy: Technology is a disruptive force, enabling the emergence of new business models and reshaping entire industries. Therefore, ensuring security, privacy and compliance is key to realising digital transformation. As people bring devices, apps and data into organisations, protecting company data requires an integrated approach and should be top of mind for companies as they assess the risks. For this reason, companies should consider cloud platforms that look holistically across all the critical end-points of today’s world powered by the cloud, mobile technology and AI.
Lanois: Since the threat environment is always changing, it is important to continually monitor and review the risk environment in order to ensure that the security management process is still relevant and up to date. In order to do that, specific objectives of the security programme should be defined so that measures can be developed and monitored to gauge performance over time. All organisations should also regularly conduct vulnerability scanning and penetration testing in order to test the security configuration and identify, among others, weak security configurations or missing system security patches. A penetration test is an authorised, simulated attack which is performed to evaluate the security of the system. The results of vulnerability scanning and penetration testing will enable the organisation to identify security gaps.
FW: Generally speaking, do corporate IT systems require significant, ongoing reconfiguration to cope with the nature of cyber threats that exist?
Lanois: As vulnerabilities are discovered in existing software and systems, it is crucial to always install the latest software updates and patches. For example, in the UK, the National Audit Office’s official investigation into the WannaCry outbreak, an attack which impacted a significant number of organisations worldwide, found that “all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves”, since the WannaCry ransomware relied on a vulnerability in the Windows code which had already been fixed via a software patch. The same investigation found that “whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection”.
Gu: Ongoing reconfiguration is not an ideal way of coping with changeable cyber threats and cyber risks. We are used to dealing with incidents that have exposed vulnerabilities in our systems, especially manufacturing systems. But this is a very negative solution. Currently, we propose a continuous adaptive risk and trust assessment (CARTA) model to actively respond to cyber threats. This means we think of business value first, and actively monitor critical information assets and leverage Big Data to identify potential threats. A well-managed team is better-placed to do this than the traditional reconfiguration methodology used previously.
FW: Do businesses, generally speaking, pay enough attention to the reputational damage associated with a cyber attack? What can they do to mitigate the fallout, maintain confidence and credibility, and demonstrate that they have responded speedily and appropriately?
Hardoy: The hardest learned lessons in history come from analysing, in hindsight, what could have been avoided. Businesses should approach the potential risk of reputational damage associated with a cyber attack, on the assumption that attacks are inevitable and have a strong incident response plan in place to help mitigate both the business and brand impact encompassing technology, legal and communications concerns. Trust and transparency are vital – trust takes many years to build and can be lost quickly. In line with regulation governing mandatory breach reporting, it is crucial that businesses impacted notify and engage with customers in a transparent way keeping them apprised of the impact to their data and the necessary measures taken to address, secure or mitigate the situation.
Gu: Business has not been accustomed to responding to the reputational damage associated with a cyber attack. Nowadays, however, the situation has changed. All businesses need to consider the damage caused by regulatory breaches. In Europe, we have the General Data Protection Regulation (GDPR), and China has its cyber security law to enforce compliance. The attacks on Sony and Target were followed by a drastic drop in business for these companies. How can such companies make things better? From a cyber security standpoint, they need to define their risk and security posture, cascade it from business goals to cyber security goals, and embrace security by design.
Lanois: It is no longer sufficient, in today’s connected world, for an organisation to only protect its own network. It is crucial to also ensure that the networks used by third-party vendors and contractors are also secured, since these may be used as an entry point by hackers. For example, a 2015 attack affecting a large fast food restaurant chain was conducted through the login credentials of a third-party service provider, providing the hackers with access to the point-of-sale system used by over a thousand restaurants of the franchise and customers’ debit and credit card information. Another common threat to organisations is the ‘insider threat’, which sees an employee or contractor doing something damaging to the organisation, either intentionally or unintentionally. A lot of data incidents originate from a lack of awareness of security fundamentals. It can be quite challenging to guard against such incidents.
“Companies can invest heavily in top-of-the-line software and state-of the-art systems, but if there is a lack of resources dedicated to security awareness within the organisation, all of these efforts will be for naught.”
FW: With cyber risk and security issues becoming part of a stricter regulatory environment, how well are businesses coping with increasing compliance requirements?
Gu: Business does not like regulatory compliance because it is a barrier to rapid development. Businesses struggling to cope with compliance is a common scenario. With the launch of the GDPR as well as data privacy laws in other countries, cyber security management should engage with businesses in order to deal with increasing compliance requirements.
Lanois: In the US, since 2018, all states have required organisations to notify their customers, immediately or without unnecessary delay, if personal data has been exposed. Depending on the state, a notification sent to law enforcement, consumer reporting agencies and state attorney general or other regulators may also be required. In the European Union (EU), the GDPR also requires organisations to communicate the data breach to customers “without undue delay” and to the regulator within 72 hours of having become aware of the data breach. Sanctions may be high if an organisation fails to disclose a data breach, including fines of up to €20m or up to 4 percent of the company’s total worldwide annual turnover, whichever is higher. Other countries, such as Canada and Australia, have recently adopted strict data breach notification requirements. Organisations with international operations will have to juggle the different compliance requirements of the various countries or states in which they do business, which can be quite challenging since the requirements are often not the same in each country.
Hardoy: In the context of stricter regulatory and compliance requirements, the recent implementation of the GDPR was a major step forward for data protection and privacy in the EU and it is becoming a de facto standard for the rest of the world. However, there can be no private data without secure data – the two are inextricably linked and the GDPR comes with increased duty on protecting data. Europe is taking the lead in this crucial area and companies must be making their products and cloud services compliant with the GDPR. Regulators have indicated several times since 25 May that the implementation of the GDPR will be a joint learning curve, and their powers are broader than just imposing the prescribed fines for breaches. However, they must also make sure companies implement the right principles in good faith to protect and secure data.
FW: What advice would you give to boards and senior management in terms of protecting their company networks and the data housed within them? What key questions should they ask when reviewing and reinforcing frameworks, policies and processes?
Coleman: The key for boards and senior management is to understand the organisation’s cyber security capacity and understand whether that capacity aligns to their risk. To achieve this, a principles-led approach is key. A critical principle is to have oversight and assurances of what is happening in practice, and how to ensure that policies and operations are delivering where needed. Companies also need to have an active understanding of how the threats and risks are evolving, and how business strategy and operations can change in line with these business risks. This creates cyber business resilience. Cyber business resilience ensures cyber security is translated into business language that leaders can understand. It also allows risk appetite to be expressed and managed when preparing and responding to risks.
Lanois: Companies can invest heavily in top-of-the-line software and state-of the-art systems, but if there is a lack of resources dedicated to security awareness within the organisation, all of these efforts will be for naught. It is crucial for the tone to be set at the top of the company in order to demonstrate that the board and C-suite care about building and maintaining an effective cyber security risk management programme. One way to achieve this is to establish a cross-organisational team which would be a forum to discuss, coordinate and communicate on cyber security issues.
Hardoy: The first question to ask inside a company is whether you have enabled multifactor or two-factor authentication. When people sign into the network or use email, do they have to provide not only their password, but something like a device or a biometric identification, such as facial recognition or a fingerprint? You also need to closely monitor where exceptions are granted to this rule. The second question is, what is your practice for updating and patching systems? How frequently do you patch your computers? It is not always convenient but it needs to be done regularly. How many of your computers are using up to date operating systems? Thirdly, how do you manage systems access? It is worth stepping back and thinking, what do you have in your network that would be most interesting to a criminal? This, of course, is a different question from asking what is it that you regard as being most valuable. Finally, how do companies protect the security of IoT devices? They must think about the weakest links. If someone can hack their way into a thermostat and jump from there to a power grid and take down the electrical plant, then you need to better protect the device concerned.
Gu: Cyber security personnel need to know what data the company holds. They need to be a partner of business and work closely with them to gain insight about data propriety. Then they can decide what the appropriate countermeasures should be. My advice is to inject cyber security into business and implement appropriate systems to protect all data. Questions need to be asked, such as do we have a good framework, policies or processes? How can we guarantee our data security? What is our risk appetite and cyber security posture? These questions should prompt boards and senior management to enhance cyber security measures.
FW: To what extent do D&Os need to consider the personal risks and liabilities that might arise from their failure to adequately address cyber threats?
Gu: Directors & officers (D&Os) handle all privacy-related incidents and personal data compliance. They need be the first point of contact in the event of a cyber attack. D&Os are not technical experts, but they need to be able to manage the flow of personal data and respond appropriately to an incident. In addition, D&Os need to clearly understand the damage that can be caused by a data breach and the importance of escalating to upper management and notifying governance bodies.
“Ongoing reconfiguration is not an ideal way of coping with changeable cyber threats and cyber risks. This is a very negative solution.”
FW: In what ways has the appetite for cyber insurance increased in recent years? How would you describe trends in the coverage, limitations and premiums on offer?
Gu: Cyber insurance is increasing as cyber attacks become ever more common. Many companies like to share the risk with third parties, so cyber insurance is a way of receiving compensation should a company fail to protect information from a cyber attack. That said, premiums are not easy to obtain. A company needs to convince insurers that it has good procedures and sufficient cyber security controls in place to protect its data. If not, an insurance company will not consider a plan. In addition, how to measure security maturity is a key question. A small coverage of incidents and some limitations means new cyber insurance is not as popular as it is designed to be.
Lanois: The cost of dealing with a data breach is getting higher. The escalation in costs is due to new laws and regulations on privacy and cyber security, including the cost of dealing with mandatory data breach notifications to regulators and customers located in as many countries as the company is doing business in, expenses related to the management of an incident, the investigation and remediation costs related to the data incident and credit checking for impacted individuals. Cyber insurance is becoming an attractive option for many businesses, just like business insurance policies for fire, flood and theft have become common today.
FW: How do you envisage cyber security evolving over the coming years? Do you expect to see any particular trends and developments that are likely to have a major impact?
Hardoy: Today’s cyber criminals have substantial resources at their disposal and are motivated by everything from profitability and scale to political gain, and we expect this to continue in the years ahead. Seventy-four percent of the world’s businesses expect to be hacked in the next year. Security breaches will impact all users and organisations. Cyber security continues to be core to the strategy of any company and it is not an option for businesses to do otherwise. There is no doubt that the borderless nature of cyber crime will also continue to create challenges for law enforcement and makes the harmonisation of laws defining access to digital evidence around the world essential. To maintain global trust in technology, and to secure cyberspace against new and emerging threats, public policy must continue to evolve.
Coleman: Cyber security will evolve to be more automated, and more tailored. Organisations will benefit from applying AI into their defences. In fact, IT professionals surveyed in a Ponemon Institute study earlier this year said that, on average, 45 percent of security alerts could be handled by AI without human supervision. Self-healing systems will mean defences will be faster to respond, and remove low-level vulnerabilities faster. Simultaneously, AI and other automation will be used by adversaries. They will manipulate technology to exploit increasing numbers of vectors and use AI to scale and tailor attacks faster and cheaper. In essence, we are entering a world where AI will be used for protecting and responding faster, which will be essential as the attackers, threats and risks grow in volume and sophistication.
Lanois: The GDPR has attracted media attention and business awareness due to sizeable fines, and it is likely that other countries or states in the US will adopt new laws and regulations to strengthen privacy and cyber security requirements. For example, California has already enacted the first IOT security law in the US, in addition to the California Consumer Privacy Act (CCPA), and industry groups are awaiting further movement on federal legislation of cyber security.
Gu: In the coming years, cyber security will evolve as emerging technologies become more practicable. Hackers will become actively engaged with new technologies leading to an increasing number of cyber attacks. We need to enhance governance systems, build regulation and not rely on automatic solutions. In other words, we need get ethical solutions and a practical bottom line.
Great Gu is a cyber security, risk management and IT governance expert. He won the (ISC) 2017 Asia-Pacific Information Security Leadership Achievements (ISLA) award, as well as the only one from China mainland. He is frequently invited to speak on cyber security topics for online seminars and large-scale conferences across Asia-Pacific (APAC), and host elite cyber security panels. He can be contacted on +86 189 1652 7303 or by email: wgu01@amgen.com.
Paul Lanois is a global privacy, data protection and information security law professional. He was previously vice president and senior legal counsel at Credit Suisse and was an attorney at the law firms Simpson Thacher & Bartlett, Allen & Overy and Linklaters. He has spoken at numerous conferences across Europe, the US and Asia. He was named a "Cybersecurity & Data Privacy Trailblazer" by the National Law Journal and an "Innovative Corporate Counsel" by Law 360. He can be contacted on +1 (650) 422 9122 or by email: paul.lanois@fieldfisher.com.
Nick Coleman is Global Head Cyber Security Intelligence at IBM. He is a member of the World Economic Forum’s Global Future Council on Cyber Security. He was formerly the UK Government National Review of Security, and authored ‘The Coleman Report’ published in the Houses of Parliament. He is visiting professor at Lancaster University and holds an MBA with Distinction from Manchester Business School. He is also a Fellow of the Institution of Engineering and Technology and a Fellow of the British Computing Society. He can be contacted by email: coleman@uk.ibm.com.
Juan Hardoy is assistant general counsel leading Microsoft’s Digital Crimes Unit (DCU), overseeing the company’s Europe, Middle East and Africa (EMEA) enforcement and intelligence efforts against organised criminals and other illicit organisations engaged in cyber crime and other illegal activity. He can be contacted on +33 (1) 5775 3263 or by email: juanha@microsoft.com.
© Financier Worldwide