The 2015 US State of Cybercrime Survey published by PwC with the support of the US Secret Service, CSO and the CERT® Division of Carnegie Mellon University’s Software Engineering Institute, commences with the statement that: “It’s been a watershed year for cybercrime.” It goes on to report that, “almost half of boards still view cybersecurity as an IT matter rather than an enterprise-wide risk issue” before discussing seven reasons why cybersecurity is a board oversight issue. Prominent among these is the potential for significant financial impact “which may reflect on boards’ fiduciary responsibility to preserve corporate financial value.”
The US National Association of Corporate Directors (NACD) noted, in June 2014, that the potential effects of a data breach (a cybersecurity incident in which private or confidential information is lost or stolen) go well beyond the simple loss of information and can have much greater ramifications for the organisation as a whole. It observes, however, that competing pressures to increasingly deploy cost effective technology to support the business can affect investment calculations. It suggests that: “These two competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential.”
What is cybersecurity and why should directors care?
Cybersecurity, also referred to as IT security, is a set of processes, practices and technology solutions that are designed to protect IT infrastructure (such as computers, smartphones, networks and communication links) together with software programs and confidential or personal data, from unauthorised access, use or destruction.
According to a Worldwide Threat Assessment of the US Intelligence Community presented to the Senate Armed Services Committee in February 2015 by James R Clapper, the US Director of National Intelligence, “cyber threats to US national and economic security are increasing in frequency, scale, sophistication and severity of impact.”
The likely annual cost to the global economy from cybercrime is more than US$400 billion to a possible maximum of US$575 billion.
The report continues with the observation that: “[T]he ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding.” In 2015, the first unclassified Australian Cyber Security Centre (ACSC) Threat Report was released. The ACSC brings together input from many agencies of government including the Australian Crime Commission (ACC), the Australian Federal Police (AFP), the Australian Security Intelligence Organisation (ASIO), the Australian Signals Directorate (ASD), Computer Emergency Response Team (CERT) Australia and the Defence Intelligence Organisation (DIO).
The report provides the following clear guidance: “[T]he cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg.”
Cybercrime is now big business
According to a recent report by the Center for Strategic and International Studies (CSIS), which was funded by Intel, the likely annual cost to the global economy from cybercrime is more than US$400 billion to a possible maximum of US$575 billion.
Although there has been a traditional view of computer hackers as lone activists, the reality is that hacking has given way to cybercrime. Malicious activity is now targeted at generating financial returns for criminals. A good illustration of this is the black market price list for stolen information which was reported recently by the Symantec Internet Security Threat Report from April 2015. A sample of quoted prices in US dollars is:
- 1,000 stolen email addresses $0.50 to $10;
- credit card details $0.50 to $20;
- scans of real passports $1 to $2;
- custom malware $12 to $3,500;
- stolen cloud accounts $7 to $8; and
- one million verified email spam mail-outs $70 to $150.
Custom malware includes the outsourcing of cybercrime attacks using what has been described as “Malware as a Service” or sometimes “Hacking as a Service”. This has lowered the technical barriers for cybercriminals to carry out attacks by outsourcing their attack using specialised.
[T]he cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg.
Although organised crime is the most likely motivation for cybersecurity attacks, other motives can include intellectual property theft by competitors, political activism, social activism (for example, defacing a website to draw attention to a particular social cause), thrill seeking and state-sponsored activity. An example of activist attacks occurred in June 2015, when a group known as “Anonymous” attacked the websites of several Canadian Government agencies, in protest at the Canadian Government’s proposed C51 Security Bill. The attacks made several websites inaccessible.
The high costs of remediation
A security incident can take significant time and money to deal with effectively while also posing a substantial reputational risk to a company. One of the biggest contributors to this cost is the time taken by staff to remediate an incident, but loss of business is also a significant contributor. According to a survey of organisations in seven countries in Europe, Asia and North America by the Ponemon Institute, the average time taken for remediation varies by incident type from 2.6 days for viruses, worms and trojans to 58.5 days for malicious insiders. Each incident can require multiple staff members to resolve or manage and this rapidly escalates to a large cost. This does not count the cost of reputational damage which is difficult to quantify or the potential cost of criminal or civil action, resulting from the theft of personal information.
Typical external cybersecurity threats
Viruses, worms and Trojans
These attack a computer and are usually designed to steal data from the computer, gain an insight into the activities of the computer user or simply take over a computer for the attacker’s use. This threat is usually mitigated by the use of anti-virus software.
If there is a vulnerability or weakness in computer software, which is unknown to the developer of that software but known to an attacker, then the software is at particular risk from what is known as a zero-day attack. By their nature, these can be hard to detect and mitigate against.
Phishing is an attempt to trick recipients of a message into revealing sensitive, confidential or private information, such as passwords. Deceptive emails are often used for this purpose. Raising awareness of security for all stakeholders will help to alert people not to be deceived by this type of attack.
A Denial of Service (DoS) attack is an attack on a computer or network which attempts to make them unavailable to the legitimate users. It is usually mitigated through collaborative action between an organisation’s network administrators and its internet service provider (ISP).
Social engineering tricks victims into divulging confidential information, or access to sensitive computer systems, through psychological means such as impersonating legitimate users of the computer system. It is a common means of gaining unauthorised access. These attacks bypass many of the technical and policy defences for the target organisation. As with phishing, which is a particular variant of social engineering, raising awareness of security for all stakeholders will help to alert people not to be deceived by this type of attack.
This exploits weaknesses in computer systems’ security arrangements to gain unauthorised access to that system or to confidential or private data on the system. Security awareness training for all stakeholders is an excellent way to mitigate both internal and external threats.
This is an edited extract from A Director’s Guide to Governing Information Technology and Cybersecurity, by Nicholas Tate and Alexander Tate, published by the Australian Institute of Company Directors earlier this month.