In this article originally published in Finance Dublin in September 2016, Simon Collins, EY Director of Cybersecurity, explores how companies can stay ahead of evolving cyber threats.
Like it or not, businesses are in an arms race against cyber-criminals, says Simon Collins, and it is a race in which many companies are struggling to keep up. Companies need to put in place the right balance of defensive, detection and responsive measures to protect their businesses, he says.
As cybercrime grows in sophistication, organisations need to accept that they are in an escalating struggle with cyber-criminals and will have to work both hard and smart to stay ahead.
Cybersecurity continues to dominate global business governance agendas. While no industry is safe – with sectors such as hospitality, healthcare and manufacturing counting the costs – the financial services industry remains a particularly high-profile target for cyber-attacks, placing it on the front line of cybersecurity conflict.
The impact of a cyber-attack can be severe, both in terms of financial cost and reputational damage. Business leaders are held accountable for such cyber-attacks and are required to take personal responsibility on a number of fronts. They need to be informed about the risks; to implement better governance; and to engage with the markets, regulators, public and the media.
The digital world – with its inherent connectivity between people, devices and organisations – has created new vulnerabilities, which can easily be exploited by cyber-criminals. At the same time, businesses are focused on new digital channels, which are no longer seen as a source of competitive advantage, but merely a way to meet basic customer expectations. Digital technology is a vital and growing part of our personal and business lives.
The evolving threat
As the digital agenda develops, so too does the scale and sophistication of cybercrime. Cyber-attacks have been taking place since the initial development of computer technology. Prior to 2010, such attacks were generally referred to as computer crime. As the world became increasingly interconnected, more precise terms came into use to reflect the diverse nature of the attacks.
Cyber-attacks emanate from a variety of increasingly sophisticated sources:
- Opportunistic attackers: Originally hobbyists who created viruses and worms for their own amusement and to gain notoriety. They still exist today, attacking poorly-protected systems.
- Sophisticated attackers: As computing became more mainstream, so did “hackers.” Some did it for money, but most did it for political, social or environmental causes. Today, these attackers are relatively sophisticated and attack because they disagree with your organisation’s goals and mission.
- Organised crime: Traditional criminals began to understand the possibilities of cybercrime at the turn of the century, starting with phishing scams and spyware infections. It has evolved rapidly to form a highly-organised, sophisticated and layered criminal ecosystem in which tools, techniques and the fruits of cybercrime are widely traded. Everything from denial of service, ransom schemes and sophisticated data theft to intellectual property theft can be included in this category. In recent years, attackers have focused on “hacking the human” – manipulating or deceiving people in order to compromise organisational security – rather than breaching complex layered defences.
- Corporate espionage: Industrial spies migrated to the digital space just as business operations went online. They tend to be malicious insiders or external competitors and the techniques became more sophisticated as technology became more interconnected.
- Nation-sponsored attackers: The 2010 Stuxnet attack was the first high-profile attack that was attributed to a nation state. This attack targeted the control systems of Iranian nuclear facilities. Attacks of this nature tend to be highly-targeted and are driven by political or military objectives. They are sometimes used for the purpose of intellectual property theft, for national competitive advantage.
The struggle to stay ahead
As cyber-crime has evolved, businesses have also been adapting their approach to these threats. The EY Global Information Security Survey, which is now in its 19th year, examines key trends across the sector. Over the past ten years, the responses have evolved in line with the threats.
- Prior to 2006, cybersecurity focused on risk mitigation and meeting compliance requirements. In 2006 and 2007, the scope of cybersecurity expanded to protect organisations in our increasingly globalised world. Organisations grasped that cybersecurity needed to have a clear return on investment, which drove an alignment of risk and performance.
- From 2008 the primary driver was the need to protect the organisation’s brand and reputation, in an environment of escalating threats. Organisations struggled to maintain investments in cybersecurity in the face of the global financial crisis. This tension extended throughout 2009, with a focus on the security implications of co-sourcing, outsourcing and new technologies, as organisations restructured to remain relevant.
- As the global economy fought to recover in 2010, organisations grappled with sustained cost pressures and scarce resources and began to realise that managing data in the era of globalisation was becoming increasingly difficult.
- From 2011, organisations began moving data into the cloud. While organisations understood the security requirements associated with outsourcing, the cloud required a fundamental rethink of the approach to securing information.
- During 2012, the velocity and complexity of change accelerated at a staggering pace, as organisations embraced technologies such as virtualisation, cloud computing, social media and mobile computing. A wave of internal and external threats appeared, driven by emerging markets, continued economic volatility, offshoring and increasing regulatory requirements, all of which added complexity to an already complicated information security environment. Organisations made great strides to improve their information-security capabilities, yet struggled to keep up with the speed of change.
- In 2013 organisations came to accept that they were constantly under cyber-attack and that this was the new reality. The focus shifted to how organisations could survive, and look ahead to identify emerging technologies. This continued into 2014 with the realisation that the only way to get ahead of cyber-criminals is to anticipate cyber-attacks.
- An avalanche of high-profile cyber-breaches in 2015 brought cybersecurity to where it is today, right at the top of the agenda for business leaders. Having established the basics, organisations set about proactively hunting for attackers in their systems, based on threat intelligence.
It’s clear that the challenges are only becoming greater. We have learned that – at an absolute minimum – it’s critical to cover the basics. In order to thrive in this complex cyber-ecosystem, businesses need to be forward-looking and flexible enough to tackle future cyber-criminals. This means being proactive rather than reactive. All of this must be achieved within the limitations of organisations, which need executive buy-in, an adequate budget and highly-skilled but scarce personnel.
What does the future hold?
It’s difficult to predict far into the future; however, we can confidently identify some of the emerging challenges:
- Attackers will continue to use more targeted and advanced techniques, requiring more sophisticated defences, detection and response capabilities.
- The pace at which attacks will be carried out, and the frequency of such attacks, will require that they be managed as an inherent aspect of being in business.
- The convergence of operational technology (OT) and the Internet of Things (IoT) with mainstream IT systems – which will all probably be hosted in the cloud – will see more high-impact attacks with cascading and collateral damage. Businesses will need to identify and manage these risks accordingly.
- There will be more regulation, particularly in the areas of data protection, critical national infrastructure and financial services. Many industries will go from having little or no regulation in terms of cybersecurity in 2010 to having multiple competing regulators to answer to in 2020. Examples include the new EU General Data Protection Regulation and the Network Information Security Directive, both of which are due in 2018.
- On-going expenditure will be required to maximise the benefit of existing investments and to ensure that organisations can reach an ever-rising bar. This will require a structured, systematic approach to cybersecurity.
- The most important factor will be increased expectations from every stakeholder, requiring that businesses have a firm handle on cyber-risks. This will include taking steps to fully quantify the risks from a financial perspective and to ensure that they are integrated within the wider enterprise risk-management programmes.
The cyber-security arms race
Like it or not, businesses are in an arms race against cyber-criminals; many are struggling to keep up. Businesses need to accept that they are being attacked right now and that they will most likely be breached at some time in the future, assuming that it hasn’t already happened. With this in mind, it’s important to be able to detect the breach and be ready to respond when the inevitable happens.
The key is to put in place the right balance of defensive, detection and responsive measures to protect your business before a breach can happen. This starts with a rigorous, objective assessment of the current state of readiness versus the required future state of readiness, and the definition of a programme of improvements that can be tracked over time.