Cyber security risks and their management
In this article we look at the different types of cyber risks that exist, the scale of the problem and the steps that can be taken to address those risks.
What is it? Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. Cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative (Cisco Systems).
Cyber risks need to be assessed and measures put in place to manage them by all organisations, regardless of their size, as well as by individuals. Whilst security breaches at the largest organisations get the most publicity, such as the one at the Marriott hotel chain, the targeting of the remainder is very widespread. Arguably this second group suffers the most damage as there are often inadequate precautions taken and, after an attack, there are likely to be less funds available to make a full recovery. The consequences of these breaches can include theft of money and data, damage to an organisation’s reputation as well as fraud, and in the worst case, the destruction of a business.
How big is the problem?
Cybersecurity Ventures predicts that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.
Some notable instances in the recent past include up to 500 million user accounts being exposed in 2018 in the Marriott Group; all 3 billion user accounts were thought to be affected at Yahoo in 2013; around 57 million drivers and users had their data stolen from Uber in 2016; and in 2017 148 million customers were said to be affected at Equifax.
According to the Cyber Security Breaches Survey 2019 undertaken by the UK Government’s Department for Digital, Culture, Media and Sport (and bearing in mind some attacks are hidden or go unidentified), 32% of businesses and 22% of charities surveyed reported having a cyber security breach or attack in the previous 12 months.
The same survey found that the most common types of breaches or cyber-attacks are phishing attacks (see below) and after this the others are evenly spread.
The same concerns apply in respect of individuals, the National Cyber Security Centre (NCSC) in the UK published its first UK Cyber Survey in April this year, the key findings include
The various types of attack
Threats can take many forms, including the following:
Denial of Service (DoS)
A denial of service aims to shut down computers or networks making them inaccessible to users. They do so by sending information that triggers a crash or by overwhelming the target with traffic. Whilst these attacks do not normally involve theft or fraud, they do cost the target a significant amount of time and money when dealing with the consequences.
Malware is a form of software that can be hidden within a file or a program, the objective being to cause harm to a user at some future date using for example viruses, Trojan horses and spyware. Ransomware is a type of malware through which the attacker prevents the user from accessing his files using encryption, then demanding money to unlock those files.
Phishing is where the sender of an email or message attempts to trick the recipient into disclosing confidential information which can then be used later, for example to gain access to their bank account. There are many different variations of phishing, for more information see our article on how to avoid such scams. The best protection against these types of attack is a combination of technical controls and, very importantly, staff awareness – those employees who are not IT specialists tend to be the ones who are targeted.
In a similar way, social engineering aims to obtain passwords, PIN numbers, account numbers and such like. This is done by impersonating possibly a CEO, a customer, a bank or a supplier. In the case of a CEO the goal may to put pressure on an HR department to hand over the personal details of employees.
Spoofing is also a form of impersonation, this time of another device or user on a network, then used to launch attacks against the network, steal data, spread malware or bypass access controls. There are numerous ways this is done including IP spoofing, email spoofing, website/URL spoofing and caller ID spoofing to name a few.
An attempt to gain access in a target system to which a user is not normally entitled or permitted is called privilege escalation. The attacker might then use those privileges to deploy malware, steal money or data or cause damage or loss to the organisation. In reality this is the most common way for an organisation to be attacked, and usually occurs because of weak controls in relation to passwords. It may be that a user leaves a company without his access being revoked, passwords are shared between employees, or through the use of easily guessable passwords.
Eavesdropping attacks happen where network traffic is intercepted, thereby obtaining passwords, bank details and other confidential information. Data encryption is the best way to deal with this threat.
A way of getting around normal security and authentication measures to gain high level access to a system, network or application is known as a backdoor. Backdoors are commonly put in place by malware, or may have been written by the programmer who was responsible for the original code. Once in, the attacker can use the backdoor to hijack devices, steal data or install more malware.
Direct access happens after the hacker has gained access to a system and is able to download data from it. They can then install devices to compromise security including the modification of operating systems, keyloggers and listening devices.
How well are the risks understood?
The Cyber Security Breaches Survey 2019 demonstrates a lack of understanding, at least in UK businesses, of the risks of cyber-attacks and what form they are likely to take. It was found that 44% of the businesses that responded, and 48% of the charities, that identified breaches or attacks in the last 12 months did not know what factors lead to their most disruptive case. The source of the breach or attack was an even greater unknown.
These findings would suggest that more can be done by organisations to identify and understand the risks they face, along with steps that can be taken to manage those risks, something we will now explore.
Managing cyber risk
According to the 2019 Verizon Data Breach Investigation Report phishing and the use of stolen credentials are the main causes of cyber breaches – essentially human error. This means that in order to defend against such threats educating staff and improving their awareness of these risks has to be the first priority. As well as bringing the various forms of attack to the attention of staff, simple measures should be taken without delay, such as ensuring the use of more secure passwords that are then changed on a regular basis. In addition, it should be understood that caution is essential when using public WiFi, taking care to not log onto either company systems as well as personal accounts where there is a risk of loss, such as an individual’s online banking. Remember always that employees are the weakest link. Cyber security should be a mindset, and be an important part of any HR policy, the importance of which should be emphasised whenever the opportunity arises.
Having implemented these basic measures, a plan should be devised that adopts a risk based approach, but prepared on the basis that not everything can be protected. Priorities will need to be established, as follows:
1 Audit of key digital assets critical to the business
Given it is impossible to cover all eventualities, 100% security is neither possible nor should it be the goal. There needs to be a list of all those “technical assets” (systems, data, services, networks and software applications) that are critical to the success of your business, thinking in terms of what might happen to those assets and how that could come about.
These critical assets are the ones that, for example, impact confidentiality and integrity, that support the business mission and functions. They can include patents, copyrights, corporate financial data, customer sales information, human resource information, proprietary software, scientific research, schematics and internal manufacturing processes. Identifying these assets can be done by using risk assessments, asset tracking via a service or hardware inventory, and network traffic monitoring that would highlight the most frequently used network and system components (SEI, Carnegie Mellon University).
Not only is protecting everything not an option, but a cybersecurity budget will be competing with other investments in technology that need to be made in order for an organisation to grow.
Having identified these assets a register should be made detailing their location, who has responsibility for them and who has been allowed access to them, noting especially the existence any third parties.
2 Risks associated with critical digital assets
As well as some digital assets being more critical than others, some are more exposed to risk, meaning they are more likely to be targeted by hackers. Risk is a combination of threats and vulnerabilities and is established by considering the potential impact of the latter being exploited by the former.
The goal is, having determined which assets need protecting most, to decide how likely is an attack on those assets and then, after that, to devise a plan as to how to protect them.
Having identified the business critical assets, consider how those assets can be compromised. Try to put yourself in the shoes of an attacker, and having thought who they might be, what skills they might have and, most importantly what is their motivation. Only then is it possible to start thinking about the protection that is necessary.
Critical assets and the risks associated with them vary across sectors, some examples being as follows:
In civil aviation emphasis is placed on the safety of passengers and cargo. Unauthorised access to the complex information systems inside and outside aircraft, in addition to threats for financial gain and competitive advantage, have a direct impact on safety and can lead to loss of life.
For hospitals, critical assets are those defined as being necessary to provide healthcare and without which functions and processes will fail. Typically they will therefore include medical records and the infrastructure and systems needed to maintain its daily operations.
With banks, vulnerability to fraudulent transactions will be a major concern, and with the prevalence of online banking, the protection of digital platforms.
The huge amounts spent on R&D in pharmaceutical companies creates their lifeblood: intellectual property – namely patents, technology, manufacturing processes and clinical trials data. These are what drive their growth and without them their future existence is at stake. Not only that, the integrity and availability of products can also make the difference between life and death.
To determine the risks to your own critical assets, it is necessary to understand how systems, processes and assets are contributing to the objectives of your business.
3 What are the current controls and security in place for each potential threat
Having identified the critical assets and considered the associated risks, it should be fairly straightforward to document the current controls and security in place, or not, for each. It may be useful to have some form of checklist that may cover the following, depending on the size of the organisation:
Personnel: such as ID badges with access permissions listed; background checks for employees and contractors; processes for ending access to facilities and systems on termination of employment or project completion
Physical: policies and procedures to limit physical access to secure areas, systems and facilities; automatic logging out and screen locking; policies to cover laptop security (secure storage etc); evacuation plans; and areas to be sealed in emergencies
Account and password management: policies and standards covering electronic authentication, authorisation and access to systems and data; policies on passwords, including enforcement and regular changes
Confidentiality: data classification between sensitive and non-sensitive; defining responsibilities when protecting sensitive data; data encryption; procedures to manage personal private data; shredding and disposal of documents; secure disposal of old/obsolete equipment
Awareness and Education: provision of information; regular training and encouragement of attentiveness to risks; ensuring employees can identify and protect data, media, documents etc.
Compliance checking: regular reviews of security, policies, standards and guidelines; testing of disaster plans; review of individuals and their access to sensitive facilities or electronic systems
Threats come in several forms. Those from humans include unauthorised access, sabotage, vandalism, hacking, fraud, and theft as well as negligence or human error. Other threats include fire, flooding, power failure, pollution and contamination of processes.
4 Highlight weaknesses then define and implement controls to protect those assets
Only after having understood what controls are in place for those critical assets that, if compromised, can cause the most damage to an organisation, is possible to then focus on weaknesses, i.e. what makes those assets vulnerable to an attack. Ranking threats can be achieved by assessing the scale of the impact and the probability of it happening – the bigger the impact and the higher the probability will result in a higher priority.
A table that identifies remediation actions for high risk threats and vulnerabilities is one approach to use when deciding next steps. Each action should be considered in terms of its cost, benefit and associated risk and then ranked, possibly in terms of cost (low, moderate, expensive) to help decide the order in which the various actions that are available are implemented, or not.
For example, establishing and enforcing a password policy has a low cost, with high benefits that addresses a high risk threat. The introduction of an intrusion detection infrastructure has a moderate cost but comes with high benefits to address a significant threat. Encryption systems are moderate to expensive in terms of cost but the benefits are again high against a significant threat. Ensuring one has a fully staffed Computer Security Incident Response Team can be expensive but in terms of benefits and risk, it has high value.
5 Cyber incidence response (CIR) plans
Detection and quick response will help minimise damage and thereby reduce the impact of an incident. Having a plan already in place is critical. Readiness, response and recovery constitute the three phases of that plan.
In times of crisis, decision making is tested and responsibilities can be blurred. An organisation must be ready to detect and respond without delay in order to prevent damage escalating. Where an organisation has a high public profile, being able to handle the situation well in the media will minimise long-term reputational damage.
Readiness: Attackers rarely make a successful breach known, so continuous monitoring, in the form of data and logs that show patterns and highlight anomalies, is essential to identify malicious activity. Alerts should be set up from intrusion detection, prevention and monitoring systems. Events will include attempts to gain unauthorised access, unauthorised use of systems, changes to systems without consent and disruption or denial of service. Readiness means not only vigilance but also having resources ready and a team ready to mobilise at short notice. Crisis simulation on at least an annual basis will help determine whether an organisation is adequately primed. Responsibilities will need to be determined in advance with team members being available 24/7 and receiving training on a regular basis.
Response: this has the ability to either curb or escalate an incident into a crisis, depending on how well it is executed. A brisk, coordinated response can serve to contain losses in time, money, customers and reputations. Communication with all stakeholders will be essential to reassure them that the situation is under control.
Recovery: these are the steps needed to return things to normal as well as limit damage after the incident. This will also include an investigation into the causes of an incident, how it was managed and what lessons have been learned.
Having all the necessary expertise, resources and capabilities in house to both develop and then maintain a defence against cyber threats is likely to be beyond most organisations. Outsourcing may therefore be a preferred option instead of attempting to deal with what is an immense challenge alone, one with such significant implications. Alternatively, for those not willing to completely pass such services over to a third party, co-sourcing might be a more acceptable solution, allowing access to external expertise without giving up total internal control over processes.
In summary: Attacks are becoming more frequent, more sophisticated and they take many forms. It is therefore essential that cyber risks are assessed and measures put in place to manage them by all organisations, regardless of size. Unfortunately the evidence is that the risks are not well understood.
Employees are the weakest link, therefore educating staff and improving their awareness must be a priority. Beyond that a detailed plan should be developed, outsourcing when the relevant skills are not available in-house. To not be ready for a cyber-attack with a carefully thought out plan, that is tested regularly, and has available the necessary resources to make it work, puts your organisation at risk of significant losses.