A senior SWIFT systems operator at a leading bank recently opened an email attachment: a photo of his elder son hitting a six in a cricket match. He recognised it as a picture already published on his son's public Facebook page, and was delighted to receive the same image again from someone else. Two weeks later, the media reported that the bank's SWIFT system had been breached, with losses running into millions of US dollars.
After the investigation, the operator learned that the "photo" carried malware that logged every keystroke on his desktop, including passwords, captured every email he sent, and finally gave the attacker full control of his PC. The lure had been built from a picture harvested from a public social-media page, which is why it looked so familiar and so harmless. The same criminals did the same to several chief executives: they periodically took screenshots, captured every keystroke, and switched on webcams and microphones, giving themselves eyes and ears on what was happening in the C-suite.
Headlines announcing the latest breach of a central bank in the region, a prominent financial institution or some other organisation are the norm today, raising the questions of why it happened and whether it will ever end. The reason cyber-attacks dominate the public media, and receive extraordinary investment and attention from businesses and governments around the world, is the growing realisation that these incidents put our digital way of life and our stakeholders at risk.
These breaches can shake customer confidence and damage a brand image built painstakingly over years. That means higher expenses, costly recovery efforts and, at the end of the day, lower profits. Just as every brand is unique, with its own qualities, principles and customers, the cyber risks a company faces vary widely from one company to the next.
It is no wonder, then, that the majority of CEOs and boards of directors now view cyber security as a top priority. They also rank security threats as a major business disruptor, right alongside geopolitical concerns, government policy risk and the uncertainties of new business models.
As businesses evolve, so do threats
Cyber security exists to minimise, mitigate and manage risk. Attackers have grown increasingly sophisticated and well organised; they are often backed by well-funded governments, or by criminal groups supported by a vast underground economy. As businesses digitise everything from financial data to medical records to next quarter's marketing plans, the potential payoff from stealing that data has mushroomed, and the theft itself has become easier than ever thanks to the globally distributed, always-connected nature of modern business.
Cybercrime as a service (CCAS) is the result: a service-based criminal industry has developed to the point where a growing number of operators in the virtual underground, or dark net, build products and services for use by other criminals and sell them at very low prices.
Effective Cyber Defence
To combat these advanced attackers, companies must evolve. They need a defensive strategy built for today's business landscape, one that adapts to the ever-changing nature of attacks and that addresses the growing shortage of skilled security experts, both inside organisations and at the vendors and consulting firms that provide cyber security services. The traditional approach to cyber security relies heavily on technology. Companies have already invested in the finest security products, such as next-generation firewalls and intrusion prevention systems, yet as the constant drumbeat of high-profile breaches has shown, this technology-first approach is fundamentally broken: a firewall or IPS is only as good as the people who configure, tune and monitor it. Chief executives should weigh the expertise and maturity of the cyber security professionals they deal with, internal and external, as seriously as they weigh the technology investments.
Protecting against today’s cyber-attacks requires two kinds of defences:
Proactive (before the breach): detecting threats and stopping them before they reach your environment
Reactive (after the breach): analysing attacks, containing them and responding decisively
To achieve both, companies need the right mix of technology, processes, threat intelligence and expertise. Combined, these give security teams a correlated view of attacks that helps them limit damage before, during and after a breach.
Trekking towards a more secure, vigilant, and resilient organisation
The chief executive, or the organisation's top-level decision maker, should work closely with senior staff on cyber security and ask questions such as these:
Do we really understand which assets need to be protected?
Do we have an independent information and cyber security risk assessment, or do we still depend on conventional IT, ISO or BCP risk assessments?
Do we have mature in-house staff, or should we outsource certain areas if the cost of retaining skilled staff is too high?
Are we still taking cyber security advice from the traditional systems vendors that support our applications or servers?
Do we have an organisation-wide cyber security awareness programme? (The operator in the opening story was caught by a lure built from a photo on a public Facebook page.)
Ransomware and malware are the hottest news in town; have we taken adequate precautions?
Which information and cyber security compliance requirements must we follow?
Do we need to invest further in technology, and what are the missing pieces?
Are the existing investments performing well, and have they been properly optimised by the solution provider?
How should we respond to the media and to stakeholders during a breach?
The very fact that board members or chief executives are asking these questions will spur security improvements and better overall risk management. Demand that your officers deliver answers in plain language, not techno-security babble. Ask for clear progress reports at every future meeting. The biggest benefit of asking these questions comes simply from requiring that they be thought through and debated in the normal course of business.