• Register
Return to: Home > Comments > Is your board ready for a cyber attack this afternoon?

Is your board ready for a cyber attack this afternoon?

By Ken Allan, EY global cybersecurity leader

Cyber criminals will not wait for your board to reach consensus on your cybersecurity protocols. It's time to deploy Active Defense to secure your customer and organization data.

Raise the topic of cybersecurity with any board of directors. They would all probably agree it's a very important issue, but it's rare that they would all agree what to do about it. Just asking a few pointed questions can create a lot of energy:

"How well prepared are you for a sophisticated cyber attack this afternoon?"

Asking your board challenging questions can be like picking at a thread that can quickly unravel to reveal holes in your planning. If the debate becomes heated, don't think of the questioner as the "bad guy". It's a serious conversation that every board needs to have now, reach consensus on and act upon.

Some respond that they can't afford to invest more into their IT security. Research that we recently conducted for the Global Information Security Survey 2015 shows that 9 out of 10 organizations do not believe their cybersecurity fully meets their needs. If this is your organization, ask yourself, can you afford not to?

Hackers are sophisticated adversaries
Don't think of "hackers" as a homogenous group: the teenage hacker who carries out cyberattacks for their bragging rights is a million miles from the sophisticated criminal operations that steal data and set up scamming operations. Today's cyber criminals use advanced techniques, for example, "voice morphing" to mimic executives and fool employees into sending emails or make money transfers. Businesses need sophisticated defenses, now that their adversaries have become this clever.

Whenever a story breaks in the media, with customers interviewed on the news expressing fears that their money will be stolen, it's very apparent that the company was not fully prepared. Or if they thought they were because they had a plan, it didn't work. It's time to educate your board today about the necessity of Active Defense.

What is Active Defense?
Unless you are in law enforcement, attack is not an option. But with today's threats, being defensive when an attack happens can be too passive, so it's important to start taking these proactive steps to actively defend yourself:

- Exploration and detective work to monitor general cyber threat levels
- Identifying who is likely to attack you and what they might be trying to steal
- Seek out vulnerability points where they might be able to get in

By enshrining this approach, "Active Defense" comes into being.

It's a simple-sounding concept, but an Active Defense solution for every organization will be unique. Like an off-the-peg suit, if it's not tailored to you, it won't be a good fit, and today's cyber criminals know how to find and exploit every opportunity. For example, attackers like to play upon people's fears, so an organization in a regulated industry is vulnerable to fake emails purporting to be from the regulator. Or they may take advantage of our instincts to be polite. In your bustling head office, an employee holds open a door for someone who looks like a busy executive. Within minutes they are inside your building and accessing your network.

Active Defense is multi-faceted and multi-talented, bringing together strands of information and intelligence that will help you tune in to the normal background hum of your business. Once you are tuned in, it becomes possible to spot unusual or unexplained events that could indicate an attack.

Spotting anomalies in your organizational systems and behavior
Abnormal blips on the radar can be incredibly subtle and seemingly unconnected. There may be minor operational disruption but without a clear cause or impact, for example:

- Customer or user databases showing inconsistent information
- Oddities in payment processing or ordering systems
- Unusual employee behavior

Cyber criminals can employ diversion tactics and use a very visible but simple attack, such as a distributed denial of service (DDoS), when multiple systems are compromised to draw attention away from where they are really invading your network. A high profile cyber attack in the UK in 2015 that resulted in customer data being stolen is believed to have used this technique.

Your first round of detective work should have enabled you to build a revised set of defenses and a picture of "normal" patterns for your business. By listening and monitoring, you start a continuous process of evaluating and then adapting your defenses.

Sounds more advanced than simply installing a new piece of security software? Be assured that it is. And then the conversation inside the boardroom gets uncomfortable again. Just because it's advanced, that doesn't mean you can't start working towards it now with the aim of becoming highly advanced in a year's time.

Act now to strengthen your cybersecurity capabilities
Does this sound too fast for your board's usual decision-making? Consider how quickly things can go wrong when a cyber attack happens. It's better to mobilize now to improve your defenses than after an attack when your organization will be in a state of shock and, most likely, chaos. Winning back the trust of your customers can then be a strenuous uphill challenge.

So when information security is next on your board's agenda, fully investigate the strength of your current capabilities and ask the question -- are you ready to face a cyber-attack with Active Defense?

Related story
Comment: Cybersecurity, top trends in 2016


Top Content

    Addressing tax challenges and the digitisation of the economy

    As the economy becomes even more globalised through digital sources, the tax systems currently in place need to be scrutinised to examine whether they are still fit for current and emerging business models. Joe Pickard reports on the OECD’s approach to this issue.

    read more

    Primary financial statements: a game changer in reporting?

    International Accounting Standards Board chair Hans Hoogervorst delivered a speech at the Seminario International sobre NIIF y NIF, organised by the Consejo Mexicano de Normas de Información Financiera in Mexico. The Accountant presents the highlights.

    read more

    FASB readies standards for the netflix generation

    The US Financial Accounting Standards Board (FASB) has updated its accounting standard for entertainment, with a specific eye on keeping up to date with how episodic content, such as television programmes, is consumed in the modern world. Jonathan Minter reports.

    read more

    Brexit: why it takes two to tango

    Former TA editor Vincent Huck, now editor of Insurance Asset Risk, looks at why Brexit might unleash geopolitical intrigue in Europe’s accounting standard-setting scene – and why IFRS 17 will be an incredible source of opportunity for firms in the coming years.

    read more
Privacy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.