A lack of awareness is fueling the surge in cyber crime but there are pragmatic steps that organizations can take.
Tucked away in an office block in central London is a room dedicated to finding flaws in organizations' cyber defenses. Many such rooms exist. It's just that few are operated by the good guys.
On the wall, a large screen illustrates the main computer viruses and where in the world they are currently wreaking havoc. Another offers a glimpse into the dark web – the hidden realm of the internet that most people aren't aware even exists – and displays messages from a chat-room where anonymous hackers congregate to boast about their attacks.
Facilities like this are increasingly important because the stakes are so high. In the Sony PlayStation hack of 2011,[1] some 77 million user accounts were compromised. Yet even this was eclipsed by an attack on Yahoo,[2] which lost personal data for 500 million people in 2014 – a fact that was only disclosed in September 2016.
Such big numbers can sometimes lack meaning, but on the dark web, email addresses and passwords are highly prized. People re-use passwords across multiple accounts, including online banking, so a password stolen from one site is routinely tried against many others. And while blockchain technology may one day prove a solution, the theft of Bitcoin[3] worth $72 million from a Hong Kong exchange in August 2016 demonstrates that the exchanges holding it are not yet infallible.
Indeed, the currency is the default payment preference for cyber extortion. It's a problem that is currently rife in the ASEAN region and Latin America with financial services particularly affected. The findings come from the latest Grant Thornton International Business Report (IBR), a quarterly survey of 2,500 business leaders in 37 economies worldwide.
Reputational loss
What's also apparent from the IBR is that the cyber threat is no longer limited to code-breaking teenagers operating from their bedrooms. The total cost of cyber attacks to business over the past 12 months is estimated at $279 billion,[4] a 6% increase over the previous 12 months – it's a huge global industry.
A sobering statistic is that financial loss isn't even the biggest consideration. Reputational loss, the amount of management time it consumes, the resulting loss of customers and the costs of putting best-practice defenses in place are rated as more important than direct loss of turnover.
FBI director James Comey highlighted the extent of the problem in 2014, telling 60 Minutes[5] "There are two kinds of big companies in the United States. There are those who've been hacked and those who don't know they've been hacked."
Comey's focus was on state-sponsored hacking, explaining that certain countries are "extremely aggressive and widespread" in their efforts to break into systems to steal information that would benefit their industries and economic growth.
The message is clear – if you run a dynamic enterprise, being obsessively concerned about safety is not a sign of paranoia. Someone, somewhere, is out to get you. There are 'hacktivists' pursuing what they see as an ethical agenda, hackers working for organized crime, state-sponsored hackers and terrorists. It's only a matter of time before your organization becomes a target – if it hasn't already.
Realistic resilience
How do organizations begin to combat such threats? The key outcome is to achieve realistic resilience, which is where London's cyber room comes in. Grant Thornton UK's lead penetration tester Nick Smith is what's known as an ethical hacker – a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners to find security vulnerabilities that a malicious hacker could exploit.
Smith says: "Our job is not to make your network impregnable – it's simply not possible. We have skills, but we don't have a very large group of people and millions of dollars to spend and that's what you're up against sometimes. There will always be people coming up with new methods to attack organizations, too.
"We will go on the offensive to find all the faults and flaws we can. Then we will write a report and offer recommendations on how to be as secure as possible. Organizations need a pragmatic response to the threat.
"Prevention is far better than dealing with the effects of a cyber-attack. Would you rather spend time on your cyber defenses, or in fraught negotiations with extortionists?"
Human error
Comey highlighted the scale of the challenge when he told 60 Minutes: "The internet is like the most dangerous parking lot imaginable. If you were crossing it late at night, your entire sense of danger would be heightened. You'd know where you were going. You'd walk quickly. You would look for light. But folks are wandering around that proverbial parking lot all day long, without giving a thought to whose attachments they're opening, what sites they're visiting. And that makes it easy for the bad guys."
Comey's metaphor is backed up by research. IBM's 2014 Cyber-Security Intelligence Index Report[6] noted that human error is involved in 95% of security incidents. It's a lack of foresight that was highlighted in a recent experiment by Grant Thornton Ireland. To raise awareness, it arranged for a number of memory sticks to be dropped around Dublin. Within minutes, the sticks had been picked up and were being used by unwary employees.
The ease with which a malicious hacker could gain access to a network in this way is something Manu Sharma, head of cyber security and resilience at Grant Thornton UK, is all too familiar with. He says: "We're developing an advanced security center. From this room, we conduct vulnerability-testing exercises on our clients. We also simulate different client scenarios and show them what might happen in a cyber attack.
"Not everyone realizes just how easily mobile devices and networks can be compromised and the risks are enormous. It's no longer an issue for CIOs alone."
Cyber-security needs to be on the agenda of the entire c-suite and it needs a company-wide approach. The more companies delay their response, the more the threat grows. Organizations need to take action now.
Footnotes
1. https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data
2. http://www.bbc.co.uk/news/technology-37936219
3. http://www.reuters.com/article/us-bitfinex-hacked-hongkong-idUSKCN10E0KP
5. http://www.cbsnews.com/news/fbi-director-james-comey-60-minutes-scott-pelley/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.