What actions can boards take to prepare against the threat of cyber-attacks?
Instances of high-profile cyber-attacks seem to be proliferating all the time, and several factors are combining to increase the risk and to oblige boards to ensure the issue is managed and under control. According to KPMG partner Michael Daughton, the factors driving this increased risk include the growing capabilities of attackers; the increased resources available to them, often free or at very low cost on the public Internet as well as on the so-called dark web; the vastly increased connectivity of devices as a result of developments such as the Internet of Things; the growing reliance of organisations on third parties and supply chains; and cost pressures on the resources available to IT departments.
“The result is what we might term a readiness gap, in which the threat is increasing while companies’ preparedness struggles to keep up”, he says. “And yet, clearly, it is a risk that every organisation quite simply must be armed against. Every institution needs to be able to detect and respond to the cyber security threat - and boards must take the lead in equipping the organisation in this battle.”
So how can boards and their teams set about doing this? Daughton believes it is extremely instructive to put yourself in the shoes of the cyber attacker: to understand how they work and what they are looking for. The first step is to think about the different types of cyber attacker out there and which ones are most relevant to your organisation. Daughton groups the main classes of attacker as criminal gangs, hacktivists, corporate competitors, nation states, and disgruntled employees. The next step is to identify what they might be targeting and how they might go about the attack.
“One key thing to appreciate right from the outset is that cyber attackers are highly organised”, he points out. “It is their business after all. So they are likely to invest quite some time researching your organisation, its security posture, systems and employees. They will also be able to use publicly available search engines through which they can identify potentially vulnerable corporate devices, and exchange information with other groups of attackers. Tools available, such as open-source intelligence and forensics applications, enable them to then collate and analyse the huge amounts of data they have collected - the big data of hacking, perhaps.”
The online world is not the only issue. “Don’t overlook the physical threat”, Daughton warns. “Gaining access to your premises could be a quick way to gain access to your data.” Once the hacker has done their research and established their target, they will make a plan around how to reach it. “Essentially, they will be looking to establish a virtual foothold within your organisation as a first base”, he explains. “Likely methods of gaining this foothold include sending phishing emails to members of staff with links that have malware embedded or attached, or setting up a ‘watering hole’ - finding a site that is commonly used by staff and compromising it by embedding malware there. Once they have tricked some victims, they can then digitally ‘move around’ within your organisation and try to reach their target.”
Having considered things from the attacker’s point of view, the focus should then shift to defence. “It’s crucial to know what your crown jewels are and where they are located”, he advises. “Thinking about what you are defending also means thinking about the dependencies: what do your systems rely on, have you given copies to anyone externally or in the cloud?” He points out that defending is essentially attacking in reverse, so organisations should map out the possible routes of attack and build a matrix of actions to counter each of them, based on the “five D’s”: detect, deny, disrupt, degrade, and deceive.
Deceiving can mean the creation of honeypots: false targets such as apparently vulnerable devices or applications, designed to lure attackers in so that they can be identified and caught. Some organisations set up fake executive profiles on LinkedIn for this purpose. Daughton believes there are certain prerequisites for a successful defence strategy. “You will need to be able to capture all of your data in order to analyse and learn from it. In the same vein, you will need to build a knowledge base - logging phishing emails, for example, and creating a database that you can interrogate and analyse. It’s vital of course to have the necessary in-house skills - a capable cyber security team, and perhaps the services of outside consultants who can be called in as and when necessary. And finally, there is no getting around the fact that you will need to make the right amount of investment in order to do all of this - which means that getting the board on side is essential.”
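As an added example of the phishing knowledge base described above (this is not code from the article or from KPMG), the following Python script stores reported phishing emails in SQLite, pulls out the sender domain and any URLs and URL hosts as indicators, and answers the two questions a security team asks first: which sender domains keep coming back, and which lure infrastructure is reused across different emails. The three messages and every domain in them are constructed for the example (reserved .example names), and the table layout and function names are my own choices, not an established schema.

```python
"""Phishing-report knowledge base backed by SQLite (added example).

Ingests raw RFC 822 messages reported by staff, records sender and URL
indicators, and lets the team query for repeated senders and reused hosts.
All sample emails and domains below are constructed for this example.
"""
import hashlib
import re
import sqlite3
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Deliberately simple URL matcher; trailing punctuation is stripped below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

SCHEMA = """
CREATE TABLE IF NOT EXISTS reports (
    id            INTEGER PRIMARY KEY,
    reported_at   TEXT NOT NULL,
    sender        TEXT NOT NULL,
    sender_domain TEXT NOT NULL,
    subject       TEXT NOT NULL,
    body_sha256   TEXT NOT NULL      -- lets identical lures be spotted quickly
);
CREATE TABLE IF NOT EXISTS indicators (
    report_id INTEGER NOT NULL REFERENCES reports(id),
    kind      TEXT NOT NULL,         -- 'url' or 'url_host'
    value     TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_indicators_value ON indicators(kind, value);
"""


def extract_indicators(raw_email):
    """Parse one raw message into the fields and indicators worth keeping."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    # Collect text/plain bodies (a non-multipart message is its own single part).
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(body)})
    hosts = sorted({(urlparse(u).hostname or "").lower() for u in urls} - {""})
    return {
        "sender": sender,
        "sender_domain": sender_domain,
        "subject": msg.get("Subject", ""),
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "urls": urls,
        "url_hosts": hosts,
    }


class PhishingKnowledgeBase:
    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.executescript(SCHEMA)

    def ingest(self, raw_email, reported_at):
        """Store one reported email and its indicators; returns the report id."""
        rec = extract_indicators(raw_email)
        cur = self.conn.execute(
            "INSERT INTO reports (reported_at, sender, sender_domain, subject, body_sha256)"
            " VALUES (?, ?, ?, ?, ?)",
            (reported_at, rec["sender"], rec["sender_domain"], rec["subject"], rec["body_sha256"]),
        )
        rid = cur.lastrowid
        rows = [(rid, "url", u) for u in rec["urls"]] + [(rid, "url_host", h) for h in rec["url_hosts"]]
        self.conn.executemany("INSERT INTO indicators (report_id, kind, value) VALUES (?, ?, ?)", rows)
        self.conn.commit()
        return rid

    def repeat_sender_domains(self, min_reports=2):
        """(sender_domain, report count) for domains seen in at least min_reports reports."""
        return self.conn.execute(
            "SELECT sender_domain, COUNT(*) FROM reports GROUP BY sender_domain"
            " HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC, sender_domain",
            (min_reports,),
        ).fetchall()

    def top_url_hosts(self, limit=5):
        """(host, number of distinct reports) for the most reused lure hosts."""
        return self.conn.execute(
            "SELECT value, COUNT(DISTINCT report_id) AS n FROM indicators WHERE kind = 'url_host'"
            " GROUP BY value ORDER BY n DESC, value LIMIT ?",
            (limit,),
        ).fetchall()

    def reports_with_indicator(self, kind, value):
        """Report ids sharing one indicator, e.g. the same host behind different lures."""
        rows = self.conn.execute(
            "SELECT DISTINCT report_id FROM indicators WHERE kind = ? AND value = ? ORDER BY report_id",
            (kind, value),
        ).fetchall()
        return [r[0] for r in rows]


# Constructed sample reports: two lures from one sender domain reuse the same host.
SAMPLE_REPORTS = [
    ("2016-05-09T08:12:00Z", "From: HR Payroll <payroll@hr-payroll-update.example>\n"
     "To: alice@corp.example\nSubject: Action required: confirm your payslip details\n\n"
     "Your May payslip is on hold. Confirm your details at\n"
     "http://secure-payroll.example/login?u=alice before Friday.\n"),
    ("2016-05-09T09:40:00Z", "From: HR Payroll <noreply@hr-payroll-update.example>\n"
     "To: bob@corp.example\nSubject: Payslip on hold\n\n"
     "Please verify at http://secure-payroll.example/login?u=bob to release payment.\n"),
    ("2016-05-10T14:05:00Z", "From: IT Helpdesk <helpdesk@corp-it-support.example>\n"
     "To: carol@corp.example\nSubject: Mailbox quota exceeded\n\n"
     "Free up space here: https://mailbox-cleanup.example/quota.\n"),
]


def build_sample_kb():
    """Load the constructed reports into a fresh in-memory knowledge base."""
    kb = PhishingKnowledgeBase()
    for reported_at, raw in SAMPLE_REPORTS:
        kb.ingest(raw, reported_at)
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print("repeat sender domains:", kb.repeat_sender_domains())
    print("most reused URL hosts:", kb.top_url_hosts())
```

Pointing the constructor at a file path instead of ":memory:" keeps the base across runs; the body hash and the url_host index are what make "have we seen this lure before?" a single query rather than a manual read of the mailbox.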
Having done all of this, it’s critical to put it into practice. “You have to test your systems through drills and realistic attack simulations. This may involve hiring a ‘red team’ of external attackers from your advisers to put your systems through the mill and identify weaknesses and areas of priority - while your ‘blue team’ of defenders seeks to repel the attacks. If you don’t test your defences, then you are effectively closing your eyes and hoping. Testing will open your eyes as to where you really are and what you need to address, and provide the evidence that the cyber threat must be a significant boardroom priority.”
This article was originally published in The Irish Times Innovation Digital Magazine on May 11 2016 and is reproduced here with our
© 2017 KPMG, an Irish partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.