An underlying theme for the victims of major cyber attacks during 2014 was their heavy investment in IT security, regular testing programmes and no doubt long lists of accreditations, write James Solyom and Stewart Bertram. Yet these were not enough to protect them from groups of attackers and the resulting losses and fines for the breaches that were detected.
In 2015 the cyber security landscape will continue to evolve rapidly and attacks will increase in number and sophistication, from a wider range of threat actors than ever before. One constant, however, will be that spending money on the wrong cyber defences will continue to result in cyber attacks causing real damage.
Cyber threat actors are commonly split into three groups: nation states, cyber criminals and cyber activists or hacktivists. In the New Year, these threat actors look set to continue to advance their capabilities.
Characteristically, nation states – realising that cyber attacks provide them with a cheap, effective and plausibly deniable espionage tool – are often behind the theft of proprietary or sensitive information for the benefit of one of their home-grown enterprises. Cyber criminals, motivated by financial gain, have traditionally targeted a company’s customer base, stealing personal details or credit card information to use in fraud or to sell. Cyber activists, motivated by a range of factors – including personal amusement, environmental concerns, anti-capitalist sentiment, nationalism and religion – base their activities on disrupting operations or generating embarrassment.
Political events on the world stage
Global political developments will continue to shape the cyber threat environment in the coming year. Countries that had once only aspired to sophisticated cyber capabilities are now developing them, using indigenous hacktivist groups and cyber criminal capabilities. Different hubs of cyber criminal activity and new targets will emerge, driven by the economic disparity between rich and poor nations, and the dramatic growth of IT literacy in many of the latter. These dynamics are facilitated by new ways of communicating, such as cyber criminals' and activists' use of the Dark Web to buy and sell hacking tools and techniques, using anonymous currency such as Bitcoin.
Expect to see an increasing blurring of activity between the actors, a trend we noticed in 2014. For example, we have seen criminals operating with a degree of impunity contingent on targeting politically expedient victims, or hacktivist groups becoming involved in attacks in support of a government agenda.
As sophisticated tools and techniques become more widespread, and the distinctions between the threat actors become more blurred, the long-term outlook for cyber threats is concerning. The constraining factor previously was that the people with the intent to conduct widespread and high-impact cyber attacks – the activists and the criminals – did not have the capability. This may not remain the case for much longer.
How best to defend your organisation
Throwing more money at the problem is not the solution.
With limited resources, it is not possible to protect every asset against every threat. The key for an organisation is to understand which threat actors are targeting it, what the organisation’s key assets are and how to protect them. Cyber defence needs to be intelligence-led, risk-based and prioritised – it is not a compliance exercise.
There are five mistakes that organisations cannot afford to make during 2015:
- Failing to build cyber defences around a granular understanding of threat. Any cyber defence programme should be intelligence-led. That includes collecting operational and strategic information that helps the organisation understand the specific nature of the threat. It may be necessary to look up and down the supply chain, as vulnerabilities in subcontractors or suppliers often affect the organisation and vice-versa – attackers will target the weakest link.
- Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.
- Treating cyber security as an IT issue rather than a business risk. Many organisations accept that cyber security is a business risk, rather than an IT-specific issue – but not many act on this by integrating cyber security risk management with wider business risk management processes.
- Failing to identify and protect the organisation’s most important assets. Organisations need to focus budgets on prioritising protection. Many focus excessively on ensuring organisation-wide compliance with standards, without effectively protecting their most important assets.
- Lacking the technical defences to deal with advanced persistent threats. Through 2015, an increasingly broad group of highly capable actors will target those critical assets across a wide range of organisations.
James Solyom is head of Cyber Protect and Respond, and Stewart Bertram is Cyber Threat Intelligence manager at Control Risks.