Technology gives us many advantages, but it also offers great advantages to those who seek to steal from us. Many security problems are still caused by the random transmission of viruses or malware. But a worryingly high number are the result of attacks carefully targeted at companies of a higher profile than you might expect.
In September 2012 the UK government published Cyber Security Guidance for Business in partnership with CESG (the information security arm of GCHQ) and the Centre for the Protection of National Infrastructure as part of the government’s National Cyber Security Programme launched in 2011. Its key message: this issue requires board-level attention.
“We know that… one in five FTSE-listed companies has been compromised... including several major names we would all recognise,” said foreign secretary William Hague at the launch of the guide.
Some of the cautionary tales are frightening. In June 2012, Jonathan Evans, director general of MI5, cited a “major London listed company” that had lost about £800m in revenue following the theft of intellectual property in a state-sponsored cyber attack. Evans said MI5 had uncovered industrial-scale cyber espionage and other criminal activities sponsored by foreign governments and organised crime. “The extent of what is going on is astonishing,” he said.
Attacks may be conducted by political activists — known as hacktivists — or by current or former employees with a grudge. Any organisation holding valuable information is a potential target.
Attacks are becoming more subtle; we’re not just talking about denial of service attacks that bring down corporate websites, disruptive and costly though they are. More dangerous are those targeting vulnerabilities in widely used software of which even the software vendor is unaware.
In September US security company Rapid7 discovered a vulnerability in Microsoft’s Internet Explorer browser which allowed malware to implant itself on a computer if the user visited a malicious website, giving an attacker control of the computer. The vulnerability could be exploited in several versions of Internet Explorer running on Microsoft’s XP, Vista and Windows 7 operating systems.
“Many cyber attacks can go on for some time. Some go on for years before being noticed because they use one part of an organisation to get into another to reach the real assets,” says James Alexander, partner in the security and resilience practice at Deloitte.
Many are initiated by someone downloading an infected attachment or clicking through to a malicious website. The problem is exacerbated by the practice of staff using their own mobile devices at work, which are not always equipped with enterprise-grade security systems.
Cloud technologies also offer attackers a route into the network. The cloud may or may not be less secure than the corporate network but using it can make assessing security more tricky.
Accountants may be targeted because of the trusted access they have to private data, says Paul Vlissidis, technical director at security company NCC Group. “Accountants, lawyers and PR agencies have access to sensitive information – for example, regarding M&A activity. That’s gold dust if you’re a competitor.”
The best way to start tackling threats is by spreading awareness of how attacks work and recognising that some will succeed. “If you’re targeted by a well-organised threat, there may be little you can do to stop it,” says Alexander. “Use existing solutions to build up intelligence about what’s happening in your environment. The organisation must understand the risk to assets and the overall threat landscape.”
Vlissidis says many organisations do understand the need for security audits. “People don’t appreciate the speed at which the threat landscape shifts,” he says. “Whatever you were looking at last year is almost certainly not what you should be focusing on now.”
Alex Church, technical director at Context Information Security, says most attacks begin with an email. “Eighteen months ago it was attachments with dodgy Word or PDF files. Now a small majority are with web links. So the advice is to be slow to click on anything. Make sure there’s nothing in an email that raises suspicion.”
Just as important as understanding the threat is the need for an organisation to understand what its digital assets are and what the risks are to them. Then they can muster preventative and reactive measures, including the use of simulated attacks to test defences.
Smaller organisations may find it hard to afford such measures or even to spread awareness of best security practices among staff. The government’s publications and its Get Safe Online initiative can help, as can industry bodies such as ICAEW. Larger companies may support suppliers seeking to improve security – it is in their interests to do so.
For organisations of any size, the key element is straightforward information risk management. “With basic cyber security systems in place, at least 80% of cyber-attacks would be defeated,” says Richard Anning, head of the IT Faculty at ICAEW.
“Cyber security has been prioritised as one of the top four national security threats to the UK, which is why the government is investing £650m in the National Cyber Security Programme,” says universities and science minister David Willetts.
Willetts highlights the government’s recently completed Project Auburn pilot scheme for a joint public/private sector cyber security hub, which has enabled defence, telecoms, finance, pharmaceutical and energy organisations to exchange information.
“One of the key challenges for government and industry is facilitating the release and distribution of sensitive information,” says Willetts. “This will undoubtedly prove challenging but it will enable UK industry, working with government, to raise levels of cyber defence.”
Willetts sums up the key steps that organisations should take. “Companies need an understanding at board level of why their information may potentially be so attractive to others.
“Boards need regular intelligence from the CIO or head of security on the nature and origins of any attacks.”
He continues: “They should also encourage trusted information sharing with other companies to improve situational awareness and to benchmark cyber security against their peers.” So, concludes ICAEW’s Richard Anning: “Get this issue on the board’s agenda.”
Top tips for cyber security
Identify your digital assets and associated risks.
Develop and regularly review technical security and information risk management processes. Keep software up to date and keep refining security testing.
Develop, enforce and review usage policies for mobile devices and establish procedures in the event of these being lost or stolen.
Develop, enforce and review user account management processes to control account privileges.
Build security processes into any bespoke IT solutions developed in-house.
Introduce security considerations into due diligence processes for external suppliers and service providers.
Invest in awareness-raising campaigns and staff training.
Plan responses to security breaches.
• BIS publications: bis.gov.uk/policies/business-sectors/cyber-security
• Guide to IT security for the small business from the Information Commissioner’s Office
• Additional support information from www.getsafeonline.org
• Research on enterprise use of cloud computing, smartphones and tablet