The power of remembering cybersecurity basics
Cyber-crime tactics and targets are becoming ever more sophisticated and wide-ranging. Motives increasingly go beyond financial gain to disrupting or destroying important data and national infrastructure.
News reports from the New York Times recently highlighted American efforts to hack Russia’s electrical grid, pointing to how energy power grids have become an “international battlefield”.
According to the latest Accenture and Ponemon Institute’s Cost of Cyber Crime Study, targets are more likely than ever to include industrial control systems. Private organisations and public entities rely on these systems to deliver critical services.
This underscores the Australian government’s decision last year to introduce new measures securing the country’s highest-risk critical infrastructure assets from hacking, espionage, sabotage and coercion by foreign actors. This includes facilities across the electricity, water, gas and port sectors.
A year on, we’ve got an opportunity to assess the impact of this law change and the news isn’t great. The Western Australian Auditor General’s Information Systems Audit Report shows that the majority of the state’s public sector entities failed to meet theeffective information security benchmark due to basic security weaknesses, including a lack of important information and system security controls.
In total, almost 550 general computer control issues were identified across 47 state government entities, 1.5 per cent more than in the previous year. Among utility companies in particular, the report also noted that bad recruitment processes and contractor management practices increased the risk of cyberattacks.
The auditor found cases where companies had not performed criminal history checks on new and existing staff, despite those staff having access to critical power infrastructure and systems.
Meanwhile, companies have increased their cyber risk by outsourcing most of their ICT functions, with big numbers of contractors having access to power suppliers’ networks and other key systems to perform their work.
Work to be done
Clearly there’s still a lot of work to be done to better secure power infrastructure from cyberattacks. This is particularly concerning given the potential for widescale knock-on effects in healthcare, security and economic activity.
And these companies are not alone.The Cost of Cyber Crime Study says the utilities and banking industries continue to have the highest cost of cybercrime with an increase of 11 per cent and 16 per cent respectively. The Accenture report surveyed security professionals at 355 companies across 11 countries, including Australia.
As a global commercial property insurer, FM Global has seen many such cases. We’ve learned a few lessons along the way about how to mitigate the risk of cyberattacks and minimise losses when they do occur. It’s why our team of cyber experts developed a patented Cyber Risk Assessment tool to help our clients identify areas of vulnerabilities at the enterprise level.
The human factor
The Western Australian Auditor General’s Information Systems Audit Report highlights a particularly important lesson. While we repeatedly hear of the growing sophistication of cyberattacks, simple human error is still one of the most common methods of infiltration.
Research recently released by Verizon in its annual Data Breach Investigations Report shows that 85 per cent of organisations have experienced phishing and social engineering attacks. And yet worryingly, The Cost of Cyber Crime Study found only 16 per cent of chief information security officers (CISOs) say their employees are held accountable for breaches.
Whether you’re a power provider subject to national laws on hacking and espionage, or simply a small private company aiming to protect your bottom line, it’s time to go back to basics. Educating employees on the risk of cyberattacks – what they look like, what’s at stake, and their role in taking steps to deter them – is just as important as implementing appropriate safeguards.
It’s also important to remember that some threats, like disgruntled employees, sit within your organisation. As highlighted by The Cost of Cyber Crime Study, securing against the possibility that insiders could be responsible for attacks – directly or indirectly – involves a coordinated effort between human resources, learning and development, legal and IT teams, working closely with the security office and business units.
Beyond people, many organisations are missing the basics when it comes to governance, weakening their cyber defences. There’s a need to have a solid foundation in place, which includes having appropriate and enforced security policies protecting the organisation’s crucial physical and information assets.
When assessing our client’s cyber risk resilience, FM Global focusses strongly on governance because we have seen how important it is for executive management in a company to provide strategic direction to the entire organisation, not just the information technology team, for managing the cyber risk.
We recommend limiting data access to those who really need it, patching and updating software as soon as possible, encrypting data in transit and at rest, and securing systems with two-factor authentication.
Employ a chief security officer who is accountable for ensuring the business is following best practices. They’ll need an appropriate budget to deploy policies and effective security solutions.
Budget with business priorities in mind
But bear in mind that it’s not just about spending money. Many organisations are taking a scattergun approach to their cybersecurity budgeting. To increase chances of success, start with a business impact analysis. This should identify your critical business priorities and align your cyber budget with them.
It's critical to remember that cyber defence isn’t a set and forget process. As you go about your operations, you’re continually creating new gaps in your security which could be exploited. You must assess regularly to identify them. Cybersecurity is very much a cat and mouse game – we continually need to up the ante to stay ahead.
The Cost of Cyber Crime Study finds that 80 per cent of organisations are introducing digital innovations faster than their ability to secure against cyberattacks. On the other hand, there are opportunities to tap into emerging technologies that make it easier to detect attacks, including automation and advanced analytics.
While there are costs associated with these investments, the consequences of not acting are ever more pronounced. The most recent international data shows that security breaches are up 11 per cent in the past year, and almost 70 per cent in the past five years. The Cost of Cyber Crime Study found associated costs have risen by almost precisely the same amount.
For power utilities and other critical service providers, these costs also include the denial of service to thousands or millions of customers who rely on them. The stakes couldn’t be higher. As cyberattacks get more sophisticated, it’s time to get back to basics.
As originally published in CSO.