How long would your business survive if your IT systems were incapacitated by a cyberattack? It is now an accepted maxim that cyber breaches will happen. Many businesses are therefore focusing on how they can be resilient to the outcomes of a cyberattack and minimise its impact.
Cyber resilience includes the agility of both defence and recovery capabilities. Resilient systems help companies reduce the likelihood of a successful attack, sustain operations when possible amid cyberattacks, and rapidly recover in the event of disruption. From our Digital Trust Insights 2018 survey we found that globally only about half of medium and large businesses in key sectors say they are building resilience to cyberattacks and other disruptive events to a large extent. And fewer than half of them say they are comfortable their company has adequately tested its resilience to cyberattacks.
New Zealand small and medium enterprises (SMEs) often assume they are safe from cyber breaches as they don’t have the appeal of larger organisations to attackers. However, cyberattacks are often unsophisticated, indiscriminate and untargeted, searching widely in the hope of finding systems or a device with a recognised vulnerability to exploit.
According to New Zealand’s National Cyber Security Centre, common attack tools include phishing emails (to deliver malware or to dupe the user into making a payment), spoofed (fake) websites (where users enter their login details, which are then captured) and the exploitation of network device vulnerabilities.
Our survey showed that the cyber threats New Zealand respondents were most concerned about related to suppliers, staff, competitors, mobile devices and ransomware.
You only have to look at recent news stories about health records for potentially a million patients being hacked, or a Commerce Commission contractor’s computer being stolen with sensitive information on it (with no password protection), or the stories of businesses losing all their data due to a ransomware attack and then finding they cannot recover their backups, to see the implications of not getting the basics right.
Our survey showed that New Zealand respondents lagged behind other territories when it comes to having programmes in place to address security, privacy and testing their resistance to a cyberattack.
Globally, only 34 percent of our survey respondents said their company has an employee security awareness training programme.
Have you considered the risks of not having your technology infrastructure (hardware/software/data) available? Do you have plans for what to do in case of an attack?
While compliance with good practice is important, the real cyber security challenges are to make business and technology choices that reduce exposure and minimise opportunity for attackers.
Increasing business resilience
Conventional approaches to technology resilience focus on enabling continued operation in the event of physical disasters, but these can be inadequate in the face of cyberattacks where all connected systems are rendered inoperable. The consequence is a need for different thinking around what is required to construct a resilient business.
This thinking includes, for example, understanding and minimising single points of failure due to reliance on a single technology or provider, holding more stock through a distribution channel, moving critical functions and data to one or more cloud service providers, and having a separate technology environment for the most critical functions to be invoked in a worst-case scenario of total technology outage.
The decisions need to be based around business structure, rather than just purely security controls, and rely on an understanding of your particular risks and critical processes and how they could continue to operate or be recovered in the event of technology failure.
Adopting a risk mindset that focuses on the potential threats and your exposure to them will put your business on a better footing and reduce the opportunity for attackers to interfere with your business operations. The following nine areas should be key focus areas:
1. Authenticating people – a common feature of almost every cyber security attack is exploitation of static passwords. Multi-factor and biometric authentication are becoming standard for remote access and privileged access (for both applications and data).
2. The security basics – many security breaches are made possible by one of a small number of basic security failures. Examples of these ‘basic’ security measures include: patching applications and operating systems, what systems and applications can connect to a network (application whitelisting), who has access to what systems and data, application configuration to block common settings/features/applications that are popular methods of delivering/executing malware, and backups.
The Australian Signals Directorate provides advice on the essential eight strategies that are the starting points to improve an organisation’s cyber resilience (www.cyber.gov.au/publications/essential-eight-explained).
3. Protecting data – in today’s world data can flow across many systems (some may be outside of your control, e.g. a cloud service provider). Data encryption allows the owner of the data to retain control of who has access to their data.
4. Validating inputs – innovative attackers targeting a particular process or system may not attack that system directly, but may instead seek to corrupt the inputs (e.g. altering/spoofing the fingerprint scanner on your phone).
5. Anomaly detection – conventional approaches to security monitoring focus on finding known, identifiable threats (e.g. anti-virus software). To enable new attack types to be blocked in real time, your security monitoring should also be capable of identifying patterns of activity that deviate from the norm.
6. Culture – empower your staff to protect the business through awareness and knowledge. Attackers use social engineering as a common attack avenue to compromise your systems.
7. Third-party oversight – there are countless examples of attackers breaching a supplier in order to leverage its position in the supply chain of the eventual target. Ways to mitigate this risk include simplifying the supply chain, auditing and reviewing suppliers, and asking suppliers to attest to the security measures they have in place.
8. Untrusted apps – often the risks presented by applications are a result of errors in coding and poor software development processes. Organisations need to ensure that any applications they create, especially those that are used by customers and/or capture personal information, are developed with security in mind from the outset and are rigorously tested.
9. Resilient business – in today’s world organisations rely on their technology systems being available 24/7. Therefore, the focus has to be on how an organisation can minimise the impact of a cyberattack. This starts with assessing the risk and not making yourself an ‘easy’ target.
The comments in this article are of a general nature and should not be relied on for specific cases. Taxpayers should seek specific advice.