Download the Longitude research white paper: Cyberrisk in Banking.
Five steps you can take to beef up cybersecurity
It used to take an army to invade a country. Today, an Internet connection and some programming skills create what Ray Boisvert calls “asymmetrical threat factors” that are likely behind some of the most headline-grabbing data breaches of the past two years.
But it isn’t just credit card numbers that are at risk. Municipal water supplies, the power grid, and critical research and innovation are all potential targets of cybersecurity attacks. “Small, previously insignificant actors who would normally have very little capability now have disproportionate power,’’ explained Boisvert, CEO and founder of I-Sec Integrated Strategies (ISECIS), and the former Assistant Director of Intelligence for the Canadian Security Intelligence Service (CSIS).
Cybersecurity: The grim realities
“Western countries used to own all the tools – the communication infrastructure, the best attack and defense systems – but no longer,’’ he said. “Cyberterrorists, including groups such as ‘hacktivists’ with political or ‘moral’ issues, represent part of a new fifth dimension battle space. That’s where a growing list of diverse and swift ‘threat actors’ are increasingly capable at the level of a sophisticated nation state.”
Boisvert says that many of those at greatest risk to be targeted are almost a bit naïve. To date, national government action on cybersecurity has had little effect in regards to protecting businesses, municipalities or nongovernment research organizations. And cyberterrorists are just as interested – if not more so – in breaking into a retailer’s credit card files or a private company’s power grid because it helps them raise money, and disrupt life.
“Crooks want to get rich, but in some parts of the world they also do it for a cause,” Boisvert said. If your country is getting sanctioned by the US government or involved in escalating tensions, for instance, hacking a US-based global corporation is a way to disrupt American commerce.
“You used to think of a terrorist organization like Hezbollah as thuggish, but they have sophisticated cyberoperations. The Syrian Electronic Army, as another example, can cause cyber mayhem,’’ Boisvert said. Finally, there are the cybersecurity attacks designed to cause embarrassment, such as the “hacktivists” that go after banks and other corporations whom they feel are engaged in business activities that are antithetical to their world view or value system.
After laying out the grim realities, Boisvert spoke to the problems corporations are having in taking the issue urgently and proactively. With the exception of financial institutions, the C-suite can be distracted by other pressing matters – from acquisitions to supply chain problems, Boisvert said.
“They’re disinterested in managing what many see as the nuts and bolts of business activities and are prone to sending the issue of cyberattack down the chain of command. Small and midsize companies don’t think anyone would bother attacking them, and thus don’t take necessary precautions. Municipalities don’t have it on their radars, and universities are horribly unguarded. It’s not in their DNA,” said Boisvert. But universities are increasingly connected to the business world, municipalities manage ripe targets like water supplies, and smaller companies are often contractors to large companies. The Target data breach is the perfect example – a hacker got access to Target’s network using a contract service provider’s login credentials.
How can organizations defend against cyberattack?
The solution, Boisvert said, lies in harnessing data and methodologies in ways that help organizations understand who the bad players are, and quickly detect malicious behavior so they can take early, effective action. Simply building higher firewalls and employing more anti-virus software doesn’t work. Instead organizations must:
- Understand the origin and behavior of cybercriminals and other attackers, and then build that into the models that seek out anomalies.
- Have the ability to screen the massive amounts of data flowing into the organization in real time to catch threats before they cause damage. The Home Depot data breach was believed to happen over several months with bits of data leaking out of the torrent that the retailer manages daily.
- Use advanced analytics to reduce false alarms and detect the true problems. Target had technology in place that did alert it to the 2013 credit card hack – it was just one of the mass of alarms that were classed as false positives. “The operations center staff didn’t know where to begin, or which were real threats,’’ noted Boisvert.
- Integrate cybersecurity into the core risk matrix, along with all other core business requirements. It cannot continue to be an afterthought or outrigger to the enterprise.
- Devote more effort to recruiting the right staff and training them to engage this emerging organizational threat. Find the right external cybersecurity technology and practitioners. The field tends to have a lot of “low-level experts” who apply technospeak and, as Boisvert noted, “will leave you unprotected and potentially stranded after an attack occurs – and it very likely will.” Most critically, companies need people who understand the behavioral side of cybercriminals and hackers, and not just the technical part of the solution.
“Many of us have lived in a world where the rule of law and honesty are the basis for business dealings,” Boisvert said. “Many in the rest of the world don’t get that, and don’t follow it.’’