By Mark Stollery, PA cyber security and risk expert
In September 2013, police arrested several people in London for allegedly using computers to divert money from two UK banks. Fake engineers reportedly fitted keyboard/video/mouse (KVM) devices to the banks' computers, giving the gang remote control of those machines from outside the building. The attacks were foiled, but they show how creative criminals can be. They also show that cyber-crime usually depends on non-cyber elements such as deception: here, helpful employees were apparently talked into admitting the 'engineer', and no amount of patching or firewalling would have stopped someone who was physically plugged into the machine.
Large organisations – whether banks or other industries such as energy or retail – might imagine they are always at a disadvantage. They need processes, structures, audit trails and records, and sometimes face a demanding compliance regime. These can reduce initiative and imagination; in big organisations it is also hard to train all staff in a way that ‘sticks’.
Criminals, however, are not constrained by policies, ethics or the law. They are entrepreneurial, spotting chances and responding nimbly with a clear 'eye on the prize'. The KVM attacks are just one recent example of criminals using novel, daring and imaginative methods: a Chinese gang ran an entire network of fake Apple stores, and a former bank IT administrator bet his redundancy money on the bank's share price falling and then remotely deleted its trading systems.
But you can improve the odds and reduce criminals’ inherent ‘attacker’s advantage’ by seeing things through their eyes. Assess your vulnerabilities like they do, and you stand a good chance of plugging gaps before they are exploited.
First, identify your business-critical information.
This can include such diverse categories as intellectual property, strategies, lawsuits or customer data. Next, identify where it is held and who has access, recognising that your security boundaries are defined by the location of your information and assets – which may not always be within your organisation. Suppliers, partners and sub-contractors may legitimately hold much of your sensitive information. Attackers look for any access route, however indirect – we know, for instance, that they target much high-value corporate information indirectly via companies’ external lawyers.
Secondly, identify your cyber, physical, cultural and procedural vulnerabilities.
This requires bold thinking and imagination, underpinned by knowledge of current criminal techniques. It can be valuable to create a 'red team', employees picked for their imagination and willingness to challenge, to think like attackers and work out how they would target the organisation. Penetration testing, whether of buildings or of IT systems, checks whether defences are actually robust; they often are not. A FTSE 100 client recently asked PA to try to enter its HQ building and get to the Head of Security's desk; we reached it in just 10 minutes. External penetration testing of IT systems is valuable because testers keep up with the latest attack techniques, which change rapidly, and an in-house team rarely has the time to do so.
Thirdly, plug the gaps.
Most technical attacks can be thwarted by good 'housekeeping': finding and fixing software vulnerabilities, applying patches promptly, and limiting each user's access rights to what their job requires. Note that none of this would have stopped the KVM 'engineers', which is why the physical and procedural gaps from the previous step matter as much as the cyber ones. Outcome-based cyber-security standards such as the new PAS 555 provide a proportionate and business-relevant framework for deciding which gaps to close first.
Increasingly, your employees are your best defence. Training will reduce the remaining risks, but only if it is designed to change behaviours rather than just to satisfy the auditors. We have found the smart use of 'nudge theory' (positive reinforcement and indirect influence) and story-telling (looking at real-life examples such as the KVM case) to have much more impact than, say, requiring staff to read policies and undertake computer-based training.
Underpinning everything, however, is security culture. The Centre for the Protection of National Infrastructure has developed SECURE2, an assessment tool which is valuable in helping senior business leaders understand and implement the right culture for their organisation.
In conclusion, criminals have the advantage but you can erode it by intelligent analysis, self-awareness and smart remedial action. Attackers prefer easy targets, so don’t be one.