stein@opensky
I have wanted to comment on this for a while. I am by no means a deep expert on cyber security. However, I have been engaged with it at company level and also at industry level during my years in the telecom industry. Therefore, I would say I have a certain management perspective on it. This article is therefore mainly aimed at the management or Board level in companies, large or small. For experts in the security area, it is probably quite basic.
Cyber hacks on the rise
These days, the general awareness of cyber threats among companies and the general public is growing. This is good – as the threats are real and on the rise – something that has specifically been seen during the COVID lockdown this last year when people in their home offices have been especially vulnerable to various forms of fraud and ransomware. According to Telecom TV, “in the UK, one epidemic is leading to another. As Covid-19 maintains its deadly grip on UK society and the economy, credit card fraud, identity theft and a myriad of other online cyber scams and hacking is now rampant across the country. It has become so widespread that respected think-tank the Royal United Services Institute (RUSI) says it is costing individuals and the UK economy overall at least £190 billion a year.”
One of the most recent cyber incidents known to the public is the SolarWinds attack, which infected many Departments in the US Government, including the Treasury Department, the Commerce Department, the Justice Department and the State Department – and even American nuclear facilities. So were Microsoft, Cisco, Intel, and Belkin - i.e. large companies widely used by customers across the world. SolarWinds is a Texas-based IT company which provides network management systems to more than three hundred thousand clients. The complete effect of the attack is still not known – but companies across the world have been affected.
SolarWinds is only an example of a recent high-profile attack. Going back some years there have been may others. I could mention the “Petya”, “Notpetya”, “Spectre”, “Meltdown”, “Gooligan” and “Wannacry” cases some three or four years ago. We also had the attack on the Dyn DNS provider which reportedly took out “half the internet” in late 2016. Also in the last two years we have seen an increase in malware, often seen as ransomware like “Maze”, “Tycoon”, “Emotet” and “Zeus”. The list is long – and the list of companies and institutions that have been affected is even longer. Examples of well-known companies affected by cyberattacks include government agencies, large companies like those above, hotel chains like e.g. Marriott and Choice, Google, Facebook, Travelex, Experian, Estée Lauder, AWS, telecom operators – and even the World Health Organization (WHO). Small companies are also not spared.
An example from 2020 in my own country Norway is the case where cyber criminals managed to steal 10 MUSD from Norway’s state investment fund (Norfund) in a business email compromise scam that tricked an employee into transferring money into an account controlled by the hackers – and another one last year was the attack on the Norwegian Parliament through emails to several MPs.
More on Norway: In a survey done by Statista in 2020, it was shown that 39% of the respondents were very concerned about cyberattacks within the next five years. By contrast, 30% stated not to be concerned. I see two alarming aspects here: One is that 30% are not concerned at all. The second concern is that, although 39% are very concerned, they might not be doing anything about it!
So where are the attacks coming from?
Cyberattacks can come from all kinds of sources, ranging from random hackers doing it for fun, through “hacktivists” trying to promote a political or social agenda - or organized crime aiming for financial gain through fraud or other means, to state sponsored attacks for reasons of industrial or national espionage, destabilization or disinformation – and the methods of attack are many. It is also a trend that cyberattacks are getting more and more advanced – and that the top of the pyramid with state sponsored attacks and Advanced Persistent Threats has become more and more active.
Of the more organized cyberattacks by organized crime or state sponsored, the Western world typically claims that they originate from countries like Russia, China, Iran, North Korea etc. On the other hand, western countries also carry out similar attacks – whether as defensive or offensive measures (refer also this article from an American source referring to the “defending forward” strategy).
What are they after?
What the threat actors are after depends on the context. Very often it is about financial gain – and it could be through some kind of fraud, e.g. tricking individuals or companies to give away money. It could be done directly through threats or ransomware - or indirectly through getting access to personal data or credentials and bank accounts. For state sponsored attacks, there could also be various national interests.
How is it done?
For cyberattacks on regular companies, an increasing type of attack is ransomware (refer various examples above), resulting in companies getting their IT systems encrypted and inaccessible – such that they have to pay to get them opened again. Another type of attack is a DDOS attack (distributed denial of service) with the effect that essential company systems get jammed and go out of service.
I will not go through all the cyberattack methods, however, some of them are well-known, like e.g. phishing – which is a method of tricking individuals e.g. to click on a link in an email believing that it will be to their advantage, e.g. through temptations, fear, trust or urgency. Related examples are “smishing” or “vishing” – through SMS or voice, respectively.
In the telecom world, where I have spent most of my time, security threats also very often come via the interconnection between different operators, mostly in different countries. However, I will not deal with this here.
What might be the consequences?
The consequences of a cyberattack depends on the company attacked and the business it is in. However, potential effects for you might include:
Your critical IT systems are totally out of service – non-recoverable
Your critical IT systems are out of service – and you have to pay huge sums to recover them
Software bugs make your systems malfunction or exposed to fraud
Essential data in your systems are corrupted – resulting in wrong behaviour
Your customer database is lost for good
Customer data in your systems are stolen – a significant privacy breach
Confidential documents or business secrets are lost to your competitors
Your customers are exposed to fraud
You get regulatory fines due to privacy breaches (e.g. GDPR fines)
You get regulatory fines due to other damages
You suffer financial loss due to all above
Your brand is damaged or you lose company reputation
and much more ...
What can be done?
Cyber threats are increasing every year on a global level – and as the world is becoming more and more digital, everyone is also getting more and more exposed. Digitalization is good for efficiency, for society and for the climate (see also some previous articles on digitalization and on digitalization for climate). The side effect of this, however, is also that the threat landscape is widening. On the positive side, there is also an increasing awareness around it. The more concerning side, however, is that everyone has a lot of preparation work to do on the preventive side – but I am not sure everyone is on a good track for it.
I have stated earlier that security is not a problem until you have a problem – and then it is a huge problem (see also this article on a similar topic in the sustainability area)! It pays off to be ahead of the problems. The unfortunate fact is that CEOs and CFOs are likely not to spend money on preventive (non-revenue generating) measures unless they see that there is a significant business risk involved – and it has always been a challenge to convey the right messages to management from security people far down in the IT department (if they even exist).
The complexity of this depends on the company in questions, its size and its business. However, from a management perspective, a useful approach is the following:
Threats and risks: It all starts with understanding the cyber threats around you. At a very high level some examples are given in this article, however, a more in-depth assessment is required adapted to your context. Then in your context, you need to assess the likelihood of incidents happening and the impact they may have on your business. Then you can plan forward on how to prevent them or deal with them if (or when) they happen.
Policies: If you are a big company in need for a structured governance model, you may want to develop and implement policies on cyber security management. If you are a small company, it might be sufficient simply to follow a systematic approach like e.g. outlined here. A basic requirement in any case is to understand any legal obligation you might have in the market(s) you operate.
Plan for mitigation: Having done the risk assessment, you need to plan for how to deal with the risks. Some risks may need no mitigation, i.e. you decide to live with the risk – but then that should be a conscious decision made by management. Other risks will need to be dealt with through various forms of preventive measures, technically and/or process-wise. In some cases, you could also transfer the risk to others, e.g. through some form of insurance, if that is seen as sufficient.
Technical measures: Your IT systems might be simple or most likely with some degree of complexity, and in this area, there is a huge number of measures you might consider – which will not be covered in detail here. However, some basic measures are: 1. to implement basic access control to your systems (with defined users, non- standard passwords etc), 2. to establish a security architecture with firewalls, probes, virus protection etc – and 3. to make sure your software is always updated with the latest version (i.e. so that known vulnerabilities are covered). 4. You must also ensure that customer data is well protected and GDPR compliant – and 5. you should also ensure good backup routines for all your systems.
Organization: You may be a small or large company – and you may not have a large IT department. However, someone needs to be in charge of cyber security. They may be organized in the IT department or not. In a large company, there might need to be a four-eyes principle, however, it is important that every function in the company sees security as part of their job.
Incidents: Whether you have good plans or not, cyber security incidents may happen - and plans need to be available if such should be the case. Such plans would revolve around recovery, internal and external communication – and you may also need external help. It is also important to keep track of incidents, to analyze their causes and to learn and improve from them.
Testing: If some cases, i.e. if you are a large company and have a lot of critical systems, you may consider testing your cyber security through internal or external security testing, e.g. with friendly security testing companies.
People: However cyber security is organized in your company, it is important that every individual is aware of basic security aspects – and that they act according to good practice. As an example, it is very important for employees to understand what to do and not to do e.g. around the use of passwords, when they receive suspicious emails or similar. It is therefore necessary to ensure a minimum of training, communication and awareness efforts in the company.
Management focus: As I commented above, a well-known challenge in a company is to make sure that management is on top of the cyber security threats, risks, plans and status. Irrespective of how cyber security is organized, however, top management (and also the Board) needs to have it on the agenda on a regular basis – such that the company status in terms of risks, incidents, mitigation plans and resources is clear – and such that revised plans can be made.
A continual effort: Hackers develop continuously and become better and stronger all the time. After all, they have strong incentives – and it may even be their core business and revenue source. If they are after financial gain, they might go after the most profitable targets or the easiest victims first. However, any company might be exposed. Therefore, all efforts above are not a one-time effort. They must be repeated on a regular basis.
What about your suppliers?
For those of us coming from the telecom industry, one of the high-profile cases on the geo-political scene and in the media recently has been the trade war between USA and China, which has resulted in Chinese suppliers like e.g. Huawei and ZTE being banned from delivering e.g. 5G equipment to a number of countries – starting with the USA but also expanded to a number of other countries like e.g. my neighbour country Sweden. The main justification on the public scene has been cyber security.
I will not comment on what the reasons for the ban really are, but cyber security relating to your suppliers is an important element to consider – and every company has a number of IT suppliers on software and hardware.
There are many questions that could be asked in this context, some of which are: Do you trust your suppliers? Could they have any malicious intents? What laws are they exposed to? Do they have control over all their software? Is it partly open-sourced? What about their sub-suppliers? Do they have a good software development practice? How is their bug fixing process? Do they have a proper inventory management? Do they have proper access control to their systems? Do they have remote access to your systems? … and the list is long. It may also be necessary to secure contingency plans around your suppliers – should you need to replace them at some stage.
In summary
With the ongoing digitalization of industries and increased rollout of 5G and IoT (see also various other articles) – and the increased sophistication of hackers, the threat landscape in the cyber security area is widening – and, when companies and societies are digitalizing these days, having a proper cyber security management is essential. The extent of what to do depends on what company you are – but every company needs to consider the topic at a minimum level.
This article has provided a certain high-level perspective on the cyber threat landscape and what could be done about it. My former company Telenor, however, made a more comprehensive report in 2020 (in Norwegian) around the same issues (“Digital Sikkerhet 2020 – De Lange Linjene”) – and I am sure they (and many others) can support you with products and solutions.
OpenSky Consulting has competence on security management. We don’t offer any security services or products – and we are not hackers, but we offer advisory services on handling security from a management perspective. See also this one-pager with some basic questions for you.