By Ken Allan, EY global cybersecurity leader
Cyber criminals will not wait for your board to reach consensus on your cybersecurity protocols. It’s time to deploy Active Defense to secure your customer and organization data.
Raise the topic of cybersecurity with any board of directors. They would all probably agree it’s a very important issue, but it’s rare that they would all agree what to do about it. Just asking a few pointed questions can create a lot of energy:
"How well prepared are you for a sophisticated cyber attack this afternoon?"
Asking your board challenging questions can be like picking at a thread that can quickly unravel to reveal holes in your planning. If the debate becomes heated, don’t think of the questioner as the "bad guy". It’s a serious conversation that every board needs to have now, reach consensus on and act upon.
Some respond that they can’t afford to invest more in their IT security. Research that we recently conducted for the Global Information Security Survey 2015 shows that 9 out of 10 organizations do not believe their cybersecurity fully meets their needs. If this is your organization, ask yourself, can you afford not to?
Hackers are sophisticated adversaries
Don’t think of "hackers" as a homogeneous group: the teenage hacker who carries out cyberattacks for bragging rights is a million miles from the sophisticated criminal operations that steal data and set up scamming operations. Today’s cyber criminals use advanced techniques, for example, "voice morphing" to mimic executives and fool employees into sending emails or making money transfers. Businesses need sophisticated defenses, now that their adversaries have become this clever.
Whenever a story breaks in the media, with customers interviewed on the news expressing fears that their money will be stolen, it’s very apparent that the company was not fully prepared. Or if they thought they were because they had a plan, it didn’t work. It’s time to educate your board today about the necessity of Active Defense.
What is Active Defense?
Unless you are in law enforcement, attack is not an option. But with today’s threats, being defensive when an attack happens can be too passive, so it’s important to start taking these proactive steps to actively defend yourself:
– Exploration and detective work to monitor general cyber threat levels
– Identifying who is likely to attack you and what they might be trying to steal
– Seeking out vulnerability points where they might be able to get in
By enshrining this approach, "Active Defense" comes into being.
It’s a simple-sounding concept, but an Active Defense solution for every organization will be unique. Like an off-the-peg suit, if it’s not tailored to you, it won’t be a good fit, and today’s cyber criminals know how to find and exploit every opportunity. For example, attackers like to play upon people’s fears, so an organization in a regulated industry is vulnerable to fake emails purporting to be from the regulator. Or they may take advantage of our instincts to be polite. In your bustling head office, an employee holds open a door for someone who looks like a busy executive. Within minutes they are inside your building and accessing your network.
Active Defense is multi-faceted and multi-talented, bringing together strands of information and intelligence that will help you tune in to the normal background hum of your business. Once you are tuned in, it becomes possible to spot unusual or unexplained events that could indicate an attack.
Spotting anomalies in your organizational systems and behavior
Abnormal blips on the radar can be incredibly subtle and seemingly unconnected. There may be minor operational disruption but without a clear cause or impact, for example:
– Customer or user databases showing inconsistent information
– Oddities in payment processing or ordering systems
– Unusual employee behavior
Cyber criminals can employ diversion tactics, using a very visible but simple attack, such as a distributed denial of service (DDoS) launched from multiple compromised systems, to draw attention away from where they are really invading your network. A high-profile cyber attack in the UK in 2015 that resulted in customer data being stolen is believed to have used this technique.
Your first round of detective work should have enabled you to build a revised set of defenses and a picture of "normal" patterns for your business. By listening and monitoring, you start a continuous process of evaluating and then adapting your defenses.
Sounds more advanced than simply installing a new piece of security software? Be assured that it is. And then the conversation inside the boardroom gets uncomfortable again. Just because it’s advanced, that doesn’t mean you can’t start working towards it now with the aim of becoming highly advanced in a year’s time.
Act now to strengthen your cybersecurity capabilities
Does this sound too fast for your board’s usual decision-making? Consider how quickly things can go wrong when a cyber attack happens. It’s better to mobilize now to improve your defenses than after an attack when your organization will be in a state of shock and, most likely, chaos. Winning back the trust of your customers can then be a strenuous uphill challenge.
So when information security is next on your board’s agenda, fully investigate the strength of your current capabilities and ask the question — are you ready to face a cyber-attack with Active Defense?