Securing our online presence: the threats and some solutions.

The Conclusion: Some final thoughts and considerations.

The global cost of cybercrime in 2015 was estimated at US$450b[1]. The average global cost of a data breach is US$38k for small to medium businesses and US$551k for enterprise organisations. On top of this direct cost, 60% of businesses that suffer a breach find their ability to function severely impaired[2]. The true costs are likely to be much higher since, unsurprisingly, businesses don't like to advertise their security breaches.

· 205 billion emails are sent daily, and more than 50% of these are spam
· 39% of attachments contain malicious files
· 35% of all malware is installed via email
· malware by file type: 52% arrives in PDF documents
· 44% arrives as .exe files
· 90–95% of all successful cyber-attacks start with phishing[3]; the first victims fall within two minutes of a campaign starting, and 50% of victims have been caught within the first hour[4].

The cyber criminals are very well organised: they have developers, sales people, finance people and so on. They are in fact a business, a very well organised illicit business. In 2015 Trustwave[5] reported that, during one malware campaign, one 'business' earned approximately US$84k from an initial investment of less than US$6k. That is a return on investment of ~1425% in 30 days. So if you are living a life of poverty and have some technical knowledge, why would you not use it, especially if your nation state turned a blind eye to your antics (as we know a number do; they shall of course remain anonymous).

“It’s not personal, Sonny. It’s strictly business.” Michael Corleone, The Godfather

Just to add to the ‘doom and gloom’, between 2014 and 2015 there was a 22% rise in compromises attributed to business partners. So remember: anyone connected to you needs to adhere to your security policy[6].

Be under no illusion here: this is a global issue. Just because you are tucked away in some quiet corner of the globe, don't be lulled into a false sense of security. These attacks aren't just targeting the US and its allies:

· 45% of attacks were aimed at the US
· 27% were aimed at Asia Pacific
· 15% at Europe, the Middle East and Africa
· 13% at Latin America and the Caribbean[7].

What else can be done to help minimise the threat?

I have already talked about staff awareness training, but I am something of an evangelist on this topic. A recent study showed that staff awareness training works: from a baseline failure rate of 15%, three rounds of training brought the failure rate down to 2%[8]. This shows not only that training works, but also that you need to keep it fresh in the minds of your staff. It is an iterative process; habits take time to form. You are going to have to grow your own technical security experts too. Many reports from many industry leaders tell the same story (e.g. ISACA[9]): there is a global cybersecurity skills shortage, and there will be for some years to come. Ensure that your training actually targets its audience; on this, one size definitely does not fit all. For policies, processes, guidelines and training, the make-up of your target audience must be a prime consideration. This is especially important for multinational companies trying to push a single message globally.

The world is a wonderfully diverse place. It is this diversity of national culture that needs to be accounted for when designing your company's documentation, policies, training and so on. The culture of a country as a whole may be classed as masculine/patriarchal (e.g. Germany) or feminine/matriarchal (e.g. Canada, China). The more masculine the culture, the more the focus is on work tasks, roles and mastery; feminine cultures tend to emphasise the blurring of gender roles, mutual cooperation and support[10]. Added to this are the characteristics of individuals (and of course this is a generalisation): females acquire more information cues than males before making a decision, while males are more likely to rely on the recommendations of experts for their decisions[11]. What I am trying to say here is: don't assume you know how your overseas office (or the one way down south) thinks. The differences exist at both the national and the individual level, so have a ‘native’ take your global policy, training and other material as a template and rewrite it to fit the local culture. In doing this you will find that the understanding, uptake and trust of the wider organisation is greatly improved[12].

Culture also plays a part in a country's tolerance for risk. A country such as Thailand is very risk-averse and does not accept change readily. This has left it years behind other countries with regard to cybercrime laws, and those laws that are in place are very strict and tend to try to control everything in order to avoid the unexpected[13]. If we want to make a lasting change against cybercrime we need to lobby our governments for tighter laws and harsher sentences against these criminals. These crimes cross borders, so there needs to be a framework within which investigations and prosecutions can also cross borders. It is only by governments getting together and agreeing on legislation and enforceable international treaties that these safe havens can be torn down and these criminals brought to justice.

The Chief Information Security Officer (CISO) is a relatively new role around the C-suite table, but those companies that have such a position are finding it critical. The CISO's expertise needs to extend beyond cyber security to encompass risk management, corporate governance and business objectives[14]. The role is only truly effective, though, when the whole senior management team engages in the company's overall security strategy. I have deliberately kept this role description gender-free: as described above, males and females differ, and in the case of the risk assessment process women tend to respond intuitively to any given situation[15]. The CISO needs to conduct a comprehensive security assessment of the organisation and create a clear road map for the future. The critical assets, the crown jewels of the company, need to be identified and given the greatest level of protection. The organisation's risk appetite should be determined together with the C-suite. Policies, procedures and standards that relate to security need to be reviewed and updated at regular intervals. Cybersecurity controls need to be designed and implemented, and a detailed cyber breach response strategy developed. Finally, implement a SOC.

A Security Operations Centre (SOC), either in-house or outsourced, needs to be a major consideration. Make sure your SOC subscribes to multiple cyber-intelligence feeds (industry peers, information sharing and analysis centres, government agencies and law enforcement) to keep abreast of threats and solutions, and make sure it is firmly tied into the operation of your company. The SOC should be on the lookout for subtle indicators that may show you are being targeted: unusual employee behaviour, unexpected share price movements and databases showing inconsistent information, to name but a few. The SOC must actively defend your network. The first step in this is to identify the weaknesses in your own organisation, detail how they may be exploited and provide countermeasures. The SOC also needs to look at the attackers, identifying who they are likely to be and the capabilities they have[16].

When all your hard work in protecting your assets fails (and, given the determination and skill of a thankfully small number of hackers, all defences eventually will), you should consider cybersecurity insurance. Policies can cover anything from data destruction, denial of service attacks, theft and extortion through to data recovery and forensic examination and investigation. This, the fastest growing sector of the insurance market, also offers additional coverage such as intellectual property and brand image protection. PwC forecasts that this market will achieve annual sales of US$7.5b by 2020[17].

These criminals are some of the most innovative people in the world of technology, and they are not going to stop any time soon, especially given the ‘prizes’ on offer for very little outlay. Companies and individuals need to increase their comprehension of the threat and maintain a high level of awareness. We all need to look to the future of cybercrime, and to the threats that have yet to emerge, if we are to have any chance of curtailing the efforts of the more nefarious types in society.

Remember — if you are connected you are a target

Finally, to paraphrase an oft-used adage:
“They only have to be lucky once. We have to be lucky all the time”

Footnotes:
[1] www.knowbe4.com
[2] www.kaspersky.com
[3] www.knowbe4.com
[4] www.slashdotmedia.com
[5] www.trustwave.com
[6] www.pwc.com/gsiss
[7] www.trustwave.com
[8] www.knowbe4.com
[9] www.isaca.org/cybersecruityreport
[10] Marcus, A., & Gould, E.W. (2000). Cultural dimensions and global web user interface design. Interactions, 7(4), 33–46
[11] Cleveland, M., Babin, B.J., Laroche, M., Ward, P., & Bergeron, J. (2003). Information search patterns for gift purchase: a cross examination of gender differences, Journal of Consumer Behaviour, 3(1), 20–47
[12] Ciganek, A., Jarupathirun, S., & Hangjung, Z. (2004). The Role of Culture and Gender on Information Elements in E-commerce: A Pilot Study on Trust. AMCIS 2004 Proceedings. Paper 67
[13] Ciganek, A. and Guillermao, F.A. (2009). The impact of Culture on Global Information Security Regulations. SAIS 2009 Proceedings. Paper 19
[14] www.pwc.com/cybersecruity
[15] www.gcsp.ch/knowledge/publications
[16] www.ey.com/giss
[17] www.pwc.com/giss