The threats are real and the cyber criminals are getting more organised. Firms need to not just defend but also prepare to respond, says Tom Burton, KPMG in the UK's Cyber Security Director
Organised crime is utterly rational. It is motivated in the same way as the most capitalist FTSE company and has quickly grasped the financial opportunities that can be realised by cyber-attacks.
Cyber criminals are attracted to the low risk and low transaction cost of these attacks, with disproportionately high returns when compared to conventional crime. As a result, they are escalating the scale and range of attack methods, from malware to distributed denial of service (DDoS).
For example, in recent years we have seen significant growth in ransomware attacks and this has been verified by warnings from, amongst others, the FBI. This type of attack is easy to launch against multiple potential victims. Surveys show that a high proportion of people have paid the ransom or would be willing to pay; a recent one by antivirus software provider Bitdefender identified the UK as willing to pay the most when compared to the US and the rest of Europe, which may be a factor in the UK being one of the most attacked nations.
The growth of this type of crime, and the threat it presents to confidence in the internet as a critical part of the economy, are why the risk is at the top of the agenda for both Government and business. The announcement by the UK government that it is setting up a National Cyber Security Centre (NCSC) to act as a one-stop shop for companies seeking advice and support when dealing with cyber security issues is evidence of that priority.
In many ways though, the use of the term “Cyber” has been a double-edged sword. On the one hand it is a term that has attracted attention and media coverage. On the other, it often distracts attention away from the business risks and causes organisations to see it as a technology problem. When considering major cyber risks, it might help to take “cyber” out of the sentence and just think about “risk”. What do I have that is most valuable to me, my customers and my stakeholders? How would these assets be of value to criminals and my adversaries? How would they realise that value; could criminals monetise it? What would the impact be to my business if they were stolen, destroyed or changed? These are not new questions to a business, but they now need to be considered in a new context.
A critical element of managing that risk is being prepared for when it materialises. A lot can be done to reduce the likelihood of a successful attack, but the risk cannot be eliminated.
Responding to an attack involves a lot more than remediating the technical issues. HR may be involved to deal with issues relating to the employees involved; legal counsel may have to address contractual and legal issues with customers and suppliers; there may well be a backlash in media and social media to turn around; and market regulators and law enforcement agencies may need to be managed.
The difference between a good and a bad response can have a significant impact on reputation and potentially share-price. Leading organisations have gold, silver and bronze levels of incident management teams depending on the severity of the crisis, with gold led by the Board. They are well equipped and are exercised regularly to ensure mistakes are made and learnt from in practice, not when the “bullets” are flying.
When a data breach is discovered, the first thing an organisation must do is evaluate how severe it might be. This will often be done without knowing all of the facts, so it is important to consider what you don’t know as well as analysing what you do. There are past examples of companies attempting to be proactive but instead delivering confused, inaccurate and changing messages, which have had a greater impact on reputation than might have been the case if they had taken a little longer to develop a more considered plan.
Cyber does generate nervousness among investors and customers alike, so companies are well advised to ensure they have a tight grip on the facts, the progress of their investigation and their mitigation processes. The fines that may be levied when the EU General Data Protection Regulation comes into full force in May 2018 are only likely to increase investor sensitivity.
Legal counsel, security, IT, marketing and PR departments must all be tightly involved in the process of responding to a cyber attack, to make sure the right coordinated actions are taken and the correct information is publicly released, where appropriate.
For the most severe incidents it is often the chief operating officer (COO) who is expected to chair the response team. This recognises the multiple business functions that will need to be involved in the response, often extending into the supply chain and customer community.
The first steps will have an impact; as soon as the attacker is aware that you know about the incident, they are likely to respond themselves. If they become aware too soon the situation may become worse as they accelerate their plans or take the lead with the media. The response has to be run as a business operation, bringing in outside specialists as required to conduct technical investigations and digital forensics to help discover the extent of the breach and who is responsible for it.
The role of marketing and PR is key where customers and other external stakeholders are potentially affected. You have to plan what relevant information is to be released, deciding what has to be publicly known and stopping other information from leaking out. In addition, any designated company spokesperson must be fully briefed to ensure technically accurate information is communicated.
This is not about burying bad news and certainly not about avoiding regulatory obligations regarding the notification of attacks and data breaches. It is about making sure undue panic and confusion are not created and that what you say publicly is not then contradicted as soon as the next update is released hours later. The more contradictions there are in the story of the incident, the more difficult it is to demonstrate you have the situation under control to protect customers, suppliers and others affected. This is not easy PR but requires a plan to ensure regular updates don’t leave too many gaps in the story. Otherwise the press may fill them for you.
While bringing the perpetrators to account is important, there is a lot more that needs to be done once the attack has been verified, assessed, contained and eradicated. What we can learn from an attack is just as important and this has to be fed back into the business in a process of continued cyber security improvement.
It's not just about cleaning up the network. Certain security controls may need to be reviewed. What you know about this attack will help you to prevent similar ones in the future, or at least identify them earlier, giving you more time to prevent them from having an impact.
The threat from cyberspace is similar to an arms race, with adversaries able to continuously evolve their tools and techniques as defences are put in place. But by knowing what the threats are, conducting the right advance planning, and having the correct systems and staff in place, you can stay ahead and be confident that the damage to your business will be minimised by having mature plans in place to help you respond.