Few can be unaware of the ‘NotPetya’ cyberattack that struck at the end of June 2017, the repercussions of which should have caused organisations to review every existing assessment of their exposure to cyber risk.
Perhaps the greatest challenge with cyber risk is that it is a new and ever-changing paradigm, for which existing or historic models may be inadequate. Cyber risk is vast, complex, diverse and largely hidden, but has the ability to impact organisations in the most fundamental ways.
The uncomfortable realities are twofold: firstly, the interconnected infrastructure on which global businesses rely is inherently insecure and, secondly, human nature and ingenuity is at once the greatest strength and the greatest weakness. If any doubted the intensity of the struggle of ‘good’ and ‘evil’ in this arena, the launch of Operation #LeakTheAnalyst at the end of July should be a claxon wake-up call.
For the most part, it may be assumed that organisations will be unwitting victims, although corporate espionage cannot be totally discounted. The recent events affected a broad range of industries, including food companies, law firms, shipping, banking, utilities and health. The simple conclusion is that criminals are exploiting weaknesses across the board, and both extorting money and causing significant disruption.
Supply chain vulnerability
It’s surprising that the intermodal supply chain hasn’t been more exposed and disrupted by cybercrime. In part, this may be due to the low level of transparency and reporting; it is understandable that organisations tend to be coy about the incidence and manner of cybercrime to which they fall victim.
In reality, the intermodal supply chain is particularly exposed, since it is increasingly reliant on IT linking offices between different countries in each individual organisation, depending on interactions with multiple third-party stakeholders and often operating on custom-built/proprietary applications, where security protocols may not be alert to recent vulnerabilities. Added to these, many entities will, in the ongoing economic and competitive environment, create overall risk appetites that focus on risks other than just cyber.
The impact of a cyberattack can vary vastly, ranging from simple theft or fraud, through to system or equipment control and manipulation, and extending to the release of data or intellectual property.
Many companies have reviewed email security arrangements in an effort to reduce the volume of potentially fraudulent emails their employees receive. Measures can be put in place to strengthen email sender identification prior to release into an internal email system, including ‘sender policy framework’ (SPF) validation, which confirms a message is from a legitimate domain associated with the sender company.
The human factor
However, risk mitigation techniques are not enough on their own and need to be combined with policies that address the elephant in the room: human behaviour. The structure and culture of each organisation will fundamentally impact the way in which its employees and counterparties react to cyber threats and vulnerabilities. The implementation of clear policies – including in relation to topics such as whistle-blowing – and effective, regular awareness and good practice training are necessary to combat the threat posed by careless insiders.
There also needs to be clear recognition that people have lives outside the workplace. Organisations need to consider the interfaces with devices such as smartphones, let alone the potential vulnerabilities presented through social media usage. At both personal and corporate level, a balance is required between the strength of perimeter security and its ease of use. This needs to encompass not just matters such as password/PIN complexity, but also clarity concerning connection and use of peripheral devices and USB flash drives.
Together with the reality that IT is thoroughly inescapable in achieving personal and corporate objectives, assessment of cyber risks needs to lead to mitigation that recognises that perimeter defences are insufficient on their own, concluding that focus should be given to the human factors alongside additional detection and remediation techniques. Experience to date may yet be minor skirmishes.