Cybersecurity is currently dominating the news agenda for all the wrong reasons. The threat from cyber criminals is growing every day, whilst many firms are still struggling to implement effective protection, leading to damaging data losses.
Kevin Hall, Senior Director, Alvarez & Marsal
Kevin spoke at the Enterprise Architecture & Business Process Management Conference Europe 22-25 October 2018 on the subject, ‘Lessons from the Cyber Front Line’
The call for speakers is now open here for our EA Conference Europe 2019 and our BPM Conference Europe 2019, 21-24 October
The data firms hold is the new oil of the digital world. Everything runs on data. But while businesses that collect and process data (especially consumer) have become increasingly powerful and valuable, recent events prove that even the world’s biggest brands are vulnerable if they slip up.
A recent report1 produced by the National Crime Agency and National Cyber Security Centre (“NCSC”) revealed that between October 2016 and the end of 2017 there had been 34 significant cyber-attacks recorded, with WannaCry the most disruptive. 762 less serious incidents (typically confined to single organisations) were also recorded. Recent research shows that the top three causes of financial losses stem from phishing attacks, a compromised business email account and social engineering including manipulating people into divulging confidential information. Three very preventable actions.
Despite the implementation of the General Data Protection Regulation (“GDPR”) in May of 2018, we have seen the trend continue throughout 2018 across a variety of industries including aviation, healthcare, education and retail. So why then, with so much focus on this issue, are organisations of all sizes still suffering from major incidents including data loss, espionage, malware, ransomware and hacking, on an almost daily basis?
Put simply, as cyber protection software increases in sophistication, so too does the behaviours of those committing the crimes. Not only are criminals developing new skills and techniques to breach security systems, they’re also highly likely to continue to exploit long-standing and well-known vulnerabilities in victim infrastructure. This means we’re expecting to see a continuation of cryptojacking and supply chain attacks, alongside an increasingly diverse range of ransomware variants.
The aftermath of these kind of attacks can be shocking and upsetting. The idea that so many different companies in the world are falling victim to cyber-attacks reminds us that we are all vulnerable to this kind of virtual crime.
This begs two questions: How do we know our digital data is safe? And how can we protect ourselves and our data from those who want to exploit it?
The answer? Basics are key.
Granted, in an ever-changing cybersecurity landscape, how you protect your organisation also changes. It is not simply a case of implementing a technological security solution and leaving it. Security should be reviewed on a continual basis, as you would any business process. The rise of the Internet of Things (IoT) and subsequent devices has created an exponential number of entry points for hackers to successfully infiltrate a network through. This is simply the way our digital technologies have been designed – they all have loopholes for access and can succumb to potential threats or hacks. Unfortunately, the internet and additional consumer products are inherently insecure and there will always be vulnerabilities to exploit and launch cyber-attacks.
For example, many IoT devices only have default passwords in place to protect them, and these can often be easily guessed, or brute forced by hackers looking to gain access. This means there are potentially millions of connected devices which can become exposed to everything from data exfiltration to significant attacks.
With this front of mind, it is important for organisations to remember that it’s not just the physical device or information that needs to be protected, as the whole data life cycle becomes vulnerable if a device is breached.
Data must be protected from the point in which it is created, through any devices it is exposed to, and finally to its networked endpoint. If there is a vulnerability of any sort, then data can be altered or stolen – rendering it useless to the organisation that depends on it.
It is also imperative that organisations remember the costs of compromise can be more expensive than preventative measures. While no single mitigation strategy is guaranteed to prevent cyber security incidents, it is recommended that firms implement a baseline of fundamental strategies.
This baseline makes it much harder for cybercriminals to compromise systems. Before implementing these strategies, organisations need to:
- Identify which assets require protection;
- Identify which adversaries are most likely to compromise their information; and
- Identify what level of protection is required
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies that include a total of 35 controls, however at Alvarez & Marsal, we refer to the eight ‘essential’ cornerstones of developing a security programme known as the ‘Essential 8’ baseline. This helps us to develop practices which shape the basic foundations of an organisation’s approach to cybersecurity and better protect businesses from the vulnerable “human” factor who are the natural target entry point
For the most part, cybersecurity frameworks such as the Centre for Internet Security Critical Security Controls (CIS CSC) Top 20 and the UK’s Cyber Essentials all align with ASD guidance as they understand the importance of not only getting the basics right but also learning from real life events.
The main eight controls in the ‘Essential 8’ of cybersecurity are:
- Application whitelisting – By creating a whitelist, organisations can make sure that only specifically selected software applications run across all the computers in their individual networks. This stops all other applications and their respective software from running – helping to lessen the amount of potential malware entry routes.
- Patch applications – Patches fix security vulnerabilities in software applications, preventing adversaries from using known security vulnerabilities to hack into computers.
- Patching operating systems – This part of the baseline mimics the above: by keeping software up to date, organisations can prevent unwanted malware and intruders from entering their systems as they will not have any “known” vulnerabilities that leave them open to attack. It should be noted that these patches must be installed at regular intervals for this defence mechanism to work.
- Restrict administrative privileges – Although this may seem like an obvious control, it’s also one which can easily be overlooked. Administrator privileges should be utilised sparingly for things like managing systems, installing legitimate software and applying software patches. The administrative rights themselves should only be restricted to those who need them – as keeping the rights on lockdown will help to prevent hackers from gaining full access to information and systems under the guise of an administrator account.
- Disabling Microsoft Office macros – Microsoft Office applications can use pieces of software known as “macros” to make routine tasks automated, which are designed to save users time. However, macros are now being sold to help hackers to push malware into unsuspecting systems – allowing them to extract sensitive information. Thus, macros should be disabled to prevent yet another possible point of entry.
- User application hardening – This means removing unnecessary programs which can act as gateways for hackers and malware to gain entry to a system. Hardening techniques include blocking web browser access to Adobe Flash player, blocking out web advertisements and creating barriers against untrusted java codes. This prevents malware from entering through these mediums via the internet.
- Multi-factor authentication – Utilising multi-factor authentication means preventing access until users have presented multiple, separate pieces of evidence to verify their identity to a computer. This is commonly seen in the form of answering personal questions alongside providing passwords to gain access to a system. This is an obvious yet excellent protection method, as multiple levels of authentication makes it much harder for adversaries to access your information.
- Backing up data on a regular basis – This should be common practice for most IT departments, who should be regularly backing up their data and storing it securely offline. This helps to prevent data loss after a cybersecurity incident, ensuring that a business always has up to date records to work with.
Whilst the ‘Essential 8’ might seem at first to be obvious guidance when it comes to mitigating an attack and protecting an organisation from potential cyber threats, the recent deluge of global attacks has only highlighted the need for rules to be implemented and adhered to. In fact, now more than ever, we must take responsibility for ensuring that these steps are commonplace. This guidance enables businesses to fill the gaps and better enable a security programme to identify, detect and protect their data from threats.
It is important to remember that if data falls into the wrong hands and your organisation took no prior measures to protect it, then your words will hold no weight in the wider world and the implementation of GDPR only emphasises this. There is nothing you can do to be 100% safe but exercising due diligence today will better protect your data, ensuring any negative impact to your business, from both a legal and brand-reputation perspective, is mitigated when, not if, disaster strikes.
Kevin Hall is a Senior Director with Alvarez & Marsal’s Disputes and Investigations London practice and has worked on cyber breach investigations for corporates, solicitors and high net worth individuals, helping them determine the extent of the compromise, as well as providing a means to strengthening their defences. Kevin has also been engaged to analyse the information security frameworks and defence management for clients in various sectors and jurisdictions.
Copyright Kevin Hall, Senior Director, Alvarez & Marsal