Data defence

30 March 2012 | News Alert

From data breaches to industrial espionage, cybercrime can take on many forms. Neil Hodge tracks the recent growth in cyber attacks and highlights the role CFOs can play in protecting their organisations.

Cyber security issues now feature in the list of the top five risks to watch, almost on a par with greenhouse gas emissions and ahead of water supply crises, according to the World Economic Forum “Global Risks 2012” report.

Cybercrime also now ranks as one of the top four economic crimes, after asset misappropriation, accounting fraud, and bribery and corruption, according to PwC’s “Global Economic Crime Survey”, which was published last November. While it is difficult to determine the actual financial impact of a cyber attack on an organisation (the vast majority do not disclose such details and are not compelled to do so in most countries), the reputational damage can be calamitous.

For example, in April 2011 electronics company Sony admitted that the personal data of more than 100 million customers had been breached, prompting compensation claims and lawsuits.

Hacker group LulzSec targeted the company just two months later, purely to show how vulnerable it still was to “simple attacks”. And although organisations may be investing in the latest IT to protect themselves, their customers’ details can still be at risk if third-party contractors have vulnerable systems.

Last April saw marketing firm Epsilon suffer a breach of its extensive database, which contained the names and emails of customers at high-profile partners such as hotel group Marriott, fashion group Lacoste, retailer Marks & Spencer and financial groups JP Morgan Chase, Barclays, Citibank and Capital One.

Epsilon initially downplayed the breach, but its partners could not. They began issuing warnings to millions of their customers, cautioning them to be on the lookout for subsequent spam and phishing.

Reuters put a $100m price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.

All organisations are potentially at risk from cyber attacks. Verizon’s 2011 “Data Breach Investigations” report found that the hospitality and retail sectors suffered the most breaches (40 per cent and 25 per cent of total breaches respectively), possibly because they are deemed soft targets and are less likely to seek prosecutions than banks or government agencies.

Financial services followed in third place (22 per cent). Government came fourth, accounting for four per cent of breaches. But experts believe that financial services firms are among the most likely to be attacked because they hold such valuable customer information.

Cyber attacks can take many forms.

Perhaps the most serious cyber threats for organisations are “advanced persistent threats” (APTs), carried out by well-resourced attackers, such as governments, which bombard IT systems with sophisticated malware and malicious code, such as the “Stuxnet” worm (which is believed to have been launched by the US and Israel against Siemens controllers used in Iran’s nuclear facilities).

Targeted attacks, such as spear phishing, which was used in what was thought to be a Chinese attack on Google last year to get the passwords of Gmail accounts so they could be monitored, are also becoming increasingly common.

Another example is GhostNet, a cyber tool discovered in 2009 to have infected more than 1,000 computers in organisations such as government ministries, embassies and news media in 130 different countries.

The virus could send documents from infected hard drives back to its creator, record keystrokes as users typed, and even covertly activate the computer’s camera and microphone.

Yet experts say that the vast majority of cyber attacks use simple, inexpensive and readily available malware – software designed to disrupt computer systems and provide access to information for hackers.

Bimal Parmar, vice president of marketing at Canadian IT consultancy Faronics, says that email-based scams, like those asking for payments in advance (so-called “419” frauds, often linked to Nigeria), are one of the most common forms of cybercrime.

There has also been a noticeable increase in account takeovers that enable fraudulent transfers from a victim’s bank or customer account to an account under the control of the perpetrator.

Neither relies on particularly sophisticated or expensive tools. Other threats, which Parmar says are becoming increasingly common, are “zero-day attacks” – so-called because they take place before the software developer knows about the vulnerability or issues a patch to fix it – and “unauthorised applications”, which users unknowingly install after visiting insecure websites.

Again, these types of attacks can vary in complexity. Eric Hemmendinger, head of managed security solutions at Tata Communications, an India-based telecommunications company, says that in many cases hacking tools need to be cheap, particularly if attackers want to scale up their operations.

“The tools available to attackers are far easier to use than just a few years ago, and far more easily accessible,” he says.

“For example, BotNets, a collection of computers infected with a virus that can be controlled by a hacker, can be rented for less than $20 per hour, and we’ve seen pricing as low as $9 per hour. Furthermore, they are being creatively leveraged through such user-friendly resources as social media.”

“If you take a look at most of the breaches over the past year – some very major – they have not typically taken advantage of complex vulnerabilities,” says UK-based Garry Sidaway, global security strategy director at information risk management company Integralis.

“Instead, they have been characterised by their patient exploitation of known weaknesses over a long period of time. The resulting exploitation may have been complex, and required significant skill, but the initial breach was not so difficult,” he adds.

While cyber attacks predominantly target PCs, mobile devices are soon likely to see a massive increase in cyber hacking.

Bjoern Rupp, chief executive at Germany’s GSMK CryptoPhone, a company that develops encrypted telephones, thinks that the smartphone is going to be the cyber criminal’s device of choice in 2012.

“Modern mobile phones are essentially computers in hand-held form and users are often unaware of how easily malware can be planted in the operating system’s software,” says Rupp.

“Criminals will increasingly exploit mobiles and tablets by intercepting voice communications and stealing confidential data, and even turning them into mobile bugging and tracking devices.”

Despite a vast array of anti-virus and security software on the market, experts agree that IT investments alone are not a panacea. Instead, organisations also need to make sure that boards are more tuned in to the financial risks associated with cyber breaches, and that they have strong internal controls about who can access specific systems and data.

Experts believe that finance managers can play a vital role in ensuring that cyber risks – and risk management – are taken seriously throughout the organisation.

Henry Harrison, technical director of cyber security specialist BAE Systems Detica, part of the UK defence giant, says that finance departments should put numbers against the organisation’s cyber risks so that executive management can see clearly just how exposed it is to an information security breach.

Once the threat is given a value and put on the balance sheet, he says, more targeted investment in the necessary IT infrastructure and data management protocols will follow.

“Boards have the responsibility to sign off risk-management programmes, but the problem is that cyber risks aren’t always qualified in financial terms from the IT or risk functions. Finance departments need to make sure that changes,” says Harrison.

“Finance is the bridge between the operational side of the business and the executive board, so they have a role in ensuring that boards understand the financial consequences of failing to act properly, and of making sure that the organisation feeds the relevant information upwards in financial terms,” he adds.

Rik Ferguson, the UK-based director of security research and communications (EMEA) at IT security developer Trend Micro, says that the trick to mitigate the effects of industrial espionage is to have continuous monitoring in place, rather than relying on reactive reporting.

This means, for example, having a corporate dashboard to monitor network activity, and being able to aggregate information from the various security products and log management tools into one place.

“With this in place, if an attack or breach does occur, there’s a chance of seeing it in a timely fashion. It also means that since the aggregated information is in one console, the attack or breach can be profiled easier than if the intelligence only provided information on disparate events across separate systems,” says Ferguson.

Finance managers should also consider data leakage prevention, he says. “They should be monitoring what kind of data flows between which individuals in the company, how and when this data leaves the network, as well as what exit points it leaves from (such as a USB stick, email, uploads and so on). This information should be another part of the overall objective of being able to continuously monitor the network, and having central visibility of all events.”

Marc Lee, EMEA sales director at US risk management software vendor Courion, says that adopting effective access risk management solutions can help organisations maintain a clear view of who is accessing sensitive financial data and how it is being used. It is also important to only grant access to the right people, he says.

“Quite often, security risks arise from access rights being granted to the wrong people, or not being revoked once the user leaves the job or changes their position within the company. Monitoring who is using sensitive financial data, how it is being accessed – and when – is essential in preventing security breaches,” says Lee.

Unfortunately, finance departments cannot provide the board with assurance that cyber risks can be prevented – only that the organisation should be able to continue to operate if systems are hacked.

“Finance managers should be designing their security on the assumption that a breach will happen, rather than assuming that they’ll be able to stop one from happening,” says Ferguson.

Neil Hodge is a regular contributor to Financial Management.