Ernst & Young’s Global Information Security Survey 2015, entitled ‘Creating Trust in the Digital World’, provides a comprehensive insight into how organisations view their cyber defences.
The data presented reveals a number of inconsistencies that illustrate a lack of real awareness or understanding as businesses adapt to a new paradigm of increased cyber threats.
The survey canvassed the opinions of 1,755 respondents in 25 industry sectors spanning 67 different countries. Some 31 per cent of respondents were Chief Information Security Officers, 19 per cent were Information Security Officers, and 17 per cent were Chief Information Officers.
As the survey states, too many organisations are taking an ad hoc approach to managing their risks and vulnerabilities. To move to a safer, more sustainable place in the digital world “it is necessary to apply a cyber lens to everything you do” wrote the co-authors, Paul Van Kessel, EY Global Advisory Risk Leader and Ken Allan, EY Global Advisory Cybersecurity Leader.
According to the survey, to get true value out of their cybersecurity approach organisations should tailor it to their business strategy, risks and priorities. Asked how easy this is to achieve, Allan tells Hedgeweek:
“Partly, this depends on how embedded cybersecurity is in the IT or CIO function. Many organisations continue to treat cybersecurity as a technology or IT issue, which hampers the alignment with business strategy, risks and priorities. However, those organisations who already have an enterprise risk approach will naturally find it easier.”
One of the inconsistencies among respondents relates to how organisations assess which information security areas are considered “high priority” over the coming 12 months. While 56 per cent said that data leakage/data loss prevention was their highest priority, 49 per cent viewed insider risks/threats, one of the main channels through which data leaks, as only a ‘medium priority’ issue. At the same time, social media, frequently a vector for attacks, was regarded by 50 per cent of respondents as a ‘low priority’ item.
When asked what the biggest vulnerability had been over the past 12 months, the item most often rated highest priority, by 18 per cent of respondents, was “careless or unaware employees”. In terms of threats, phishing (19 per cent) and malware (16 per cent) were considered the highest priority. These two threats were ranked fifth and seventh respectively in the 2014 survey.
That these are now high priority further suggests the lack of proper training and awareness that exists within organisations. Not knowing what to look for in a phishing email can lead to potentially disastrous consequences.
“You shouldn’t underestimate the value of a training course that shows people examples of what to look out for, that explains what the risk is, and that basically raises people’s awareness,” says Allan.
“The quality of phishing emails is getting better all the time. I received one recently that almost caught me out. I noticed that something didn’t seem quite right just before clicking on the mouse button. I ran it through a malware detection program and sure enough it was a highly sophisticated phishing email. They are undoubtedly getting more sophisticated and people need to be ever more vigilant.”
The phishing email that Allan refers to purported to come from an external party asking him to quote on two RFPs. But it quickly dawned on Allan: why had they sent the email directly to him? Why was there no preamble explaining the specifics of the RFPs?
The warning alarm went off at that point. This is something that proper staff training can nip in the bud.
Allan goes on to share another anecdote, which again serves to illustrate just why phishing emails remain a significant risk.
“I was visiting clients in Helsinki recently going through the survey data and we did a quick poll in the room to ascertain the percentage of people who fall for scams in their individual companies. One client volunteered the fact that they’d run their own test internally. They’d created a phishing email just to see who ended up clicking on the link; there was nothing behind the link, it was just a test. The individual confirmed that 38 per cent of the organisation clicked on the link, even though it was a deliberately obvious phishing email.
“We ran the poll and everybody in the room confirmed that the figure was either the same, or higher, in their own organisations. This highlights just how much need there still is for good quality training and education,” says Allan.
After phishing and malware, cyber attacks to steal financial information and intellectual property were rated high priority.
Inevitably, cyber-criminals will balance risk, reward and cost in determining who and what to attack. It’s a dynamic process. Executives, including COOs and CTOs, need to consider what they have that may be of value to attackers, what they might be able to do to monetise those assets, and then determine what are the appropriate safeguards, including response, in the event of a breach.
Of course, setting the threshold to detect small changes in one’s network that could signal the early stages of a cyber attack is no easy task. It will depend on the individual organisation. But as Allan suggests: “Our view is that small changes are indicators of attacks so rather than setting a threshold (to create a manageable data set) the focus should be on using analytics and big data techniques to take advantage of this.”
To help detect these small subtle changes, EY’s survey includes the following examples of indicators that a radar should be tuned to detect:
• Very visible attacks without an obvious purpose: eg, DDoS; details stolen but with no obvious use to them
• Unexpected share price movements
• New products launched by competitors that are uncannily similar to your R&D and IP and reach the market just before yours — indicating IP theft and knowledge of your growth strategy and timings
• Mergers and acquisitions (M&A) activities disrupted: rival bids that show similarities and may demonstrate awareness of confidential plans; M&A targets suffering cyber incidents (e.g., their IP stolen)
• Unusual customer or joint venture behaviour: remember that these may not always be genuine customers or partners since cyber criminals can join organisations to gain easier access to your systems and data
• Unusual employee behaviour: managers of staff need to be more aware of changes in behaviour, especially when those staff work in more sensitive areas
• Operational disruption but without a clear cause
• Oddities in the payment processing or ordering systems
• Customer or user databases showing inconsistent information
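Allan’s point about thresholds versus analytics is easy to see on a small data set. The following is an added example, not part of the EY survey or of Hedgeweek’s reporting: it compares a single global alert threshold on daily outbound traffic with a per-host baseline that scores each host against its own history. The log format (“date host bytes_out”), the host names and every byte count are constructed for the illustration.

```python
"""Fixed-threshold alerting versus per-host baseline analytics over egress logs.

Added example, not from the EY survey. All log data below is constructed.
Assumed line format: "<YYYY-MM-DD> <host> <bytes_out>".
"""
from collections import defaultdict
from statistics import mean, pstdev

KB, MB = 1_000, 1_000_000

# Constructed daily outbound byte counts (14 baseline days per host).
# host-a is a workstation that normally sends ~100 KB/day;
# host-b is a backup server that normally sends ~50 MB/day.
BASELINE = {
    "host-a": [v * KB for v in (100, 104, 98, 102, 99, 101, 103, 97, 100, 102, 98, 101, 99, 100)],
    "host-b": [v * MB for v in (50, 52, 49, 51, 50, 48, 53, 50, 51, 49, 50, 52, 49, 50)],
}
# Observation period (3 days): host-a quietly triples its egress, a slow
# exfiltration pattern; host-b has one loud day.
OBSERVED = {
    "host-a": [v * KB for v in (300, 310, 295)],
    "host-b": [v * MB for v in (51, 70, 49)],
}


def build_sample_log():
    """Render the constructed data as log lines covering days 1..17."""
    lines = []
    for host in BASELINE:
        for i, nbytes in enumerate(BASELINE[host] + OBSERVED[host], start=1):
            lines.append(f"2015-10-{i:02d} {host} {nbytes}")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (day, host, bytes); skip malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records


def fixed_threshold_alerts(records, threshold):
    """Alert on any day a host's egress exceeds one global byte threshold."""
    return sorted((day, host) for day, host, n in records if n > threshold)


def baseline_alerts(records, baseline_days, z_limit=3.0):
    """Alert when a host deviates from its own history by more than z_limit sigma.

    The first `baseline_days` days per host establish mean and standard deviation;
    later days are scored against that history. A near-constant host gets a
    sigma floor of 1% of its mean so trivial changes do not alert.
    """
    history = defaultdict(list)
    for day, host, n in records:
        history[host].append((day, n))
    alerts = []
    for host, series in history.items():
        series.sort()  # zero-padded dates sort chronologically as strings
        base = [n for _, n in series[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to score against
        mu, sigma = mean(base), pstdev(base)
        sigma = max(sigma, 0.01 * mu)
        for day, n in series[baseline_days:]:
            if (n - mu) / sigma > z_limit:
                alerts.append((day, host))
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    # A threshold set high enough to keep host-b's normal 50 MB/day quiet...
    print("fixed 60 MB:", fixed_threshold_alerts(recs, 60 * MB))
    # ...never notices host-a moving from 100 KB to 300 KB; per-host baselines do.
    print("baseline z>3:", baseline_alerts(recs, baseline_days=14))
```

With the threshold raised to 60 MB, the level needed to stop the backup server alerting every day, the fixed rule fires only on host-b’s 70 MB day. The baseline scorer fires on that day too, but also on all three days of host-a’s tripled egress, which is the kind of small change Allan is describing; the cost is that every host’s history must be kept, which is the analytics and data-volume trade-off the quote alludes to.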
Another obvious inconsistency among respondents was that whilst 36 per cent said that they would be unable to detect a sophisticated attack – a big improvement on 56 per cent in 2014 – at the same time, only 7 per cent of respondents claim to have an incident response program in place that is integrated with their broader threat and vulnerability management function.
“There are a number of inconsistencies in the report and we’ve deliberately left them as such because the data that we are presenting is what people are telling us, and by implication if only 7 per cent have an incident response program they can’t possibly be in a stronger position to detect sophisticated cybersecurity attacks,” states Allan.
To reduce their vulnerability, and move towards a position where organisations are best able to cope with the growing threat and evolution of cyber attacks, EY’s survey refers to something called “Active Defence”.
“The way I explain ‘Active Defence’ is that each organisation has choices to make. They can be entirely passive and say that it is unfair when they get attacked. Or, they can start to put the capability in place to detect a breach event: uncover it and contain it.
“The active defence phase goes one step further. Not only does this make your organisation effective at detecting cyber attacks when they occur, it actively hunts down and looks for the attacks to try to identify the source; who is behind the attack? What are they interested in? What might the attack path look like and what should I do to properly defend myself against such an attack?” explains Allan.
Think of it as a pre-emptive approach to combating cyber attacks.
Allan is beginning to get the sense that some organisations are starting to adopt this mindset.
In the US, most organisations are well on the way, notes Allan, possibly because there has been greater disclosure of breaches. In the UK market, there is still a lot of complacency out there.
“You read about the aftermath of a company suffering a cyber attack and they often come out saying that they’ve yet to determine the size and scale of the attack ‘but we think we’ve got it contained’. Frankly, that is two-year old thinking,” comments Allan.
One critical component of adopting an ‘Active Defence’ position is having a Security Operations Centre in place that is fully up to the task.
Again, the EY survey reveals that people’s understanding of what exactly an SOC should be varies greatly. Some 59 per cent of respondents say that their SOC does not have a paid subscription to cyber threat intelligence feeds. Furthermore, 66 per cent of respondents who had suffered a recent significant cybersecurity incident that was not discovered by their SOC said that their SOC does not have a paid subscription to cyber threat intelligence feeds.
“The question that we haven’t asked, and perhaps should, is ‘If you have a SOC in place, what in your mind do you think that means?’” says Allan. “For many organisations, when they talk about having a SOC they are referring to nothing more than a glorified network operating centre. All they are doing is looking at the generic alarms that you get in detection systems; that is not security operations, it is network operations.
“When we talk about having a SOC, we mean having a robust, sophisticated intelligence-gathering capability that’s not just looking at electronics. It’s also engaged in social media trawling, looking at fluctuations in a company’s share price and determining whether that is indicative of anything; basically using a range of non-traditional indicators to build up a picture.”
Whether this is deployed using internal capability or a co-sourced route depends a lot on the skills the organisation has in-house and the speed required to become fully operational. A fully outsourced route is more likely to result in a generic service, which is more focused on the technology than on the business needs.
To determine exactly what an organisation needs to build trust in a digital world, EY recommends consideration of the following points:
• Knowledge of what can hurt the organisation and disrupt achieving your strategy
• Clear identification of your critical assets, or crown jewels
• Cyber business risk scenarios that paint an accurate picture of how an attack can progress
• A board and senior executives who can accurately determine the risk appetite for the organisation
• An assessment of current cybersecurity maturity and a comparison with the maturity level that is actually required to meet the risk appetite
• An improvement road map
• Tailored threat profiling and advanced cyber threat intelligence
• A more advanced SOC: in-house, co-sourced or outsourced
• A proactive, multi-functional cyber breach response management strategy
“On the upside, there’s a lot more awareness out there in the marketplace. The opportunity to deal with the problem is improving because of this. People no longer need to be persuaded of the benefits of having an effective cybersecurity program in place.
“The downside is that our survey suggests that there is still some organisational complacency. There is a fear that in the next 12 to 18 months we will see a catastrophic failure of a household name,” concludes Allan.