Details

  • Service: Advisory, Risk Consulting
  • Type: Video
  • Date: 29/08/2011
  • Length: 8:08 Minutes

Video: Managing e-crime risk in a changing landscape

E-crime video transcript:

What is the threat landscape like today? How has ‘the enemy’ evolved?

The threat landscape today is perceived as massively different from what it was 12 months ago and I think is probably best summed up from a conversation I had with one of the Heads of Security at one of the world’s largest banks recently. He said he looked back nostalgically on the days when his worst enemy was organised crime, and his rationale for that was that organised crime runs a P&L, and if you build defences strongly enough to defend yourself against them they will either go away to another organisation or find some other form of criminal activity to make money from.

Unfortunately, the criminal landscape is now made up of two other players, one of which is ‘hacktivist’ and the other is ‘state sponsored’ attacks, and both of those enemies are very different from organised crime because they have much more time and they potentially have far more resources at their hands.

So with organised crime you could kind of guess where they would attack; it would typically be where money was, or where some assets were that could be translated into money. It’s much harder to define where these enemies are going to attack and how they’re going to attack, and therefore it’s going to be much more difficult.

“Cyber attacks from organised crime were more predictable because they ran a P&L and basically operated like a business. That is not the case with government agencies.”

Telecommunications

What threats does the future hold?

Well, nobody can predict the future, particularly so in this area. But there are two potential developments that people worry about in particular. The first one is around the cascading of sophisticated techniques from the state sponsored attackers into the criminal world. Now in some ways, the good news about state sponsored techniques is that they are typically used to attack government or organisations that are close to government.

The danger here is that some of those techniques get into the hands of criminals and are used to perpetrate financial gain or other criminal activity. The second area is around the democratisation of hacking: hacking is now much easier to do than it was 5 or 10 years ago, and there are techniques that almost anyone can pick up. So now you don’t know who your attackers could be; anybody who takes a dislike to you and your organisation could perpetrate an attack on you, and predicting that is really difficult.

“It’s not just about sophisticated cyber criminals any more. The capability to cut through IT defences like butter is now the domain of 19 year olds from Essex.”

Financial Services

What specific issues do new emerging technologies face?

There are three technology drivers here: the first is the mobile workforce, the second is cloud computing, and the third is the increasing use of social media.

92% believe that mobilisation and consumerisation (i.e. smart phones) of business and personal IT hardware will increase e-crime.

87% believe that internet-hosted software such as social networks (that are more user friendly than in-house IT products) will increase e-crime.

69% believe that the cloud will lead to an increased level of e-crime.

So if we start with the mobile workforce, this is the increasing use of iPads, iPods and other tablets or other devices that the workforce bring into the office from their daily life. The two key factors are that you cannot stop this; you have to recognise that these are useful devices for people, they are part of their lifestyles, they’re part of keeping connected, and if you try to stop them it’s like standing in front of an express train holding up a red flag when it’s travelling at 120 miles per hour. You have to embrace them and work out when they can and when they can’t be used, and make it very clear what the limits are and how those limits are going to be enforced.

The second area is cloud computing, and cloud computing can be a threat or an improvement to security. The truth is that the organisations providing cloud computing, those service providers, need to get security right if people are going to buy their services, so they are capable of providing a higher level of security than most organisations are able to provide themselves. The key is how you use the services they provide, and the second question you need to ask yourself is this: as an organisation you have to maintain responsibility and control of your data and your information, and you need to satisfy yourself that you can do that when you are using a cloud service.

The third driver is the increasing use of social media, which is a fantastic tool for business, for marketing purposes, for reaching out to employees, for recruitment. The dark side of that is that unfortunately people are putting massive amounts of personal data on social media and social networks, and increasingly that data is used to launch attacks, typically called spear phishing attacks. The reason they’re called spear phishing attacks is that they are very tightly targeted at individuals, and we have come across quite a number of incidents where senior executives in organisations have been targeted using data that has been found on social media, often put there by their family members or friends of theirs, and used as a technique to catch their attention and to get them to download malicious software into their organisation’s systems.

“We live in an era of low predictability and changes happen very fast. IT security has had to evolve at the speed of the internet.”

Oil and Gas

What does this mean for senior security and risk management executives?

Well, the first thing you need to do is completely refresh your risk assessments. We talked earlier about how the actors in this space have changed. That means the data and infrastructure they go after has changed. You have to work out what the risks are again and where you need to spend money on putting up your defences.

The second area is refreshing your monitoring, simply because the potential areas of your organisation that can be hacked are now just so wide and it is almost impossible to predict where that attack is going to come in, so you need to improve the way you monitor your defences. It’s a little bit like a house: in the old days an alarm system that set off an alarm was fine; these days you have to have something that is linked to the police and a monitoring service, otherwise an old fashioned alarm in many parts of London, for example, is completely ineffective.

The third area is industrialising your approach to security. Traditionally a lot of organisations have taken what I would describe as a craft approach to security. They have taken point solutions: they have one problem, they fix that problem, and they take very talented, skilled people to fix that problem. The reality is now that the defences have to be so widespread that you have to take a much more process based, much more industrialised, automated approach to defending yourself.

Finally, you have to fundamentally get the basics right. The sad fact is that most successful attacks exploit very simple loopholes in an organisation’s defences, and you need to make sure that you understand that you’ve got the basics right and that you have the processes in place to tell you that the basics are in place and are working.

“You can spend a lot of time thinking about unknown unknowns, I’m interested in the known knowns and why they are not fixed. Getting the basics right is essential before you start to think outside the box, so show me the problems that are high probability, high risk. When it comes to high risk, low probability black swan events it’s about how you respond to them, not how you prepare for them.”

Financial Services

I think there is a very simple answer here. This is now a board level issue, and only the board can make the decision about the risks they are undertaking in this area. In the past the IT function or security professionals have second guessed what they think the board would decide if they fully understood the risk. You know, you need to make sure the Chief Executive, the CFO and the COO fully understand the threat landscape, the level of risks the organisation is facing, and the levels of investment in terms of capital and operational expenditure that you need to undertake.

“What is the business appetite for being proactive in terms of security? When times are hard, refinery goes by the board. You look at what can reasonably be dispensed with and start asking questions like; ‘How could we get the regulators to agree that a solution path which is the bare minimum represents a proportional response to their requirements?’”

IT Service Provider

There are three key things to think about here. The first one is making effective use of scenario planning. We’re finding that more and more organisations are practising the responses, making sure the decision processes are right, making sure the right people are involved well in advance of being on the receiving end of an attack, and they do that by imagining scenarios of what might happen in the event of an attack and practising their organisation’s response to them. The second area is building intelligence into your defences. Increasingly, government agencies are now able to collect data, information and intelligence around potential attack areas, so it’s important you build links with those agencies so that you understand how the threat landscape is evolving, and in particular they can sometimes help you by telling you in advance that they suspect you may well be a target in the short or medium term, and being able to predict that makes your response much more effective.

“Investment priorities are shifting to bolster the capabilities to ‘detect’ and ‘respond’ with the aim of minimising the impact of an event when it does occur, rather than fighting a losing battle to completely negate the risk of compromise.”

Oil and Gas

The last tip I would give here is don’t go it alone. This is not an area that can be managed purely by the IT function or by the security function; it needs to be managed by the whole organisation, from the CEO, COO and CFO to the HR function, the Marketing function and Public Relations as well. Ultimately, getting ready for a situation like this should not be done when the crisis happens. There is absolutely no point in putting your seatbelt on after the crash has happened.

www.kpmg.co.uk/security

UK Head of Information Protection, Malcolm Marshall, KPMG LLP, discusses the key findings from the e-crime 2011 report. He explores the threat landscape today and the impact of new emerging technologies and business models on the level of e-crime risk. With e-crime now a board-level issue, Malcolm also advises organisations on how they can structure a response to the ever-increasing threat.

KPMG in association with the e-Crime Congress surveyed over 200 senior security decision makers globally across all industry sectors.

Contact

Malcolm Marshall

UK Head of Information Security
KPMG LLP

020 7311 5456 | malcolm.marshall@kpmg.co.uk