Feature Article

The Power of Remembering Cyber Security Basics
Cyber crime tactics and targets are becoming ever more sophisticated and wide-ranging. Motives increasingly go beyond financial gain to disrupting or destroying important data and national infrastructure.

News reports from the New York Times recently highlighted American efforts to hack Russia's electrical grid, pointing to how energy power grids have become an "international battlefield."

According to the latest Accenture and Ponemon Institute's Cost of Cyber Crime Study, targets are more likely than ever to include industrial control systems. Private organizations and public entities rely on these systems to deliver critical services.

This underscores the Australian government's decision last year to introduce new measures securing the country's highest-risk critical infrastructure assets from hacking, espionage, sabotage and coercion by foreign actors. This includes facilities across the electricity, water, gas and port sectors.

A year on, we've got an opportunity to assess the impact of this law change and the news isn't great. The Western Australian Auditor General's Information Systems Audit Report shows that the majority of the state's public sector entities failed to meet the effective information security benchmark due to basic security weaknesses, including a lack of important information and system security controls.

In total, almost 550 general computer control issues were identified across 47 state government entities, 1.5% more than in the previous year. Among utility companies in particular, the report also noted bad recruitment processes and contractor management practices increased the risk of cyber attacks.

The auditor found cases where companies had not performed criminal history checks on new and existing staff, despite those staff having access to critical power infrastructure and systems.

Meanwhile, companies have increased their cyber risk by outsourcing most of their information and communication technology functions, with large numbers of contractors having access to power suppliers' networks and other key systems to perform their work.

Work to be done

Clearly there's still a lot of work to be done to better secure power infrastructure from cyber attacks. This is particularly concerning given the potential for widescale knock-on effects in healthcare, security and economic activity.

And these companies are not alone. The Cost of Cyber Crime Study says the utilities and banking industries continue to have the highest cost of cyber crime, with an increase of 11% and 16% respectively. The Accenture report surveyed security professionals at 355 companies across 11 countries, including Australia.

As a global commercial property insurer, FM Global has seen many such cases. We've learned a few lessons along the way about how to mitigate the risk of cyber attacks and minimize losses when they do occur. It's why our team of cyber experts developed a patented Cyber Risk Assessment tool to help our clients identify areas of vulnerabilities at the enterprise level.

The human factor

The Western Australian Auditor General's Information Systems Audit Report highlights a particularly important lesson. While we repeatedly hear of the growing sophistication of cyber attacks, simple human error is still one of the most common methods of infiltration.

Research recently released by Verizon in its annual Data Breach Investigations Report shows that 85% of organizations have experienced phishing and social engineering attacks. And yet worryingly, the Cost of Cyber Crime Study found only 16% of chief information security officers (CISOs) say their employees are held accountable for breaches.

Whether you're a power provider subject to national laws on hacking and espionage, or simply a small private company aiming to protect your bottom line, it's time to go back to basics. Educating employees on the risk of cyber attacks–what they look like, what's at stake, and their role in taking steps to deter them–is just as important as implementing appropriate safeguards.

It's also important to remember that some threats, like disgruntled employees, sit within your organization. As highlighted by the Cost of Cyber Crime Study, securing against the possibility that insiders could be responsible for attacks–directly or indirectly–involves a coordinated effort between human resources, learning and development, legal and IT teams, working closely with the security office and business units.

Rising costs

Beyond people, many organizations are missing the basics when it comes to governance, weakening their cyber defenses. There's a need to have a solid foundation in place, which includes having appropriate and enforced security policies protecting the organization's crucial physical and information assets.

When assessing our clients' cyber risk resilience, FM Global focuses strongly on governance because we have seen how important it is for executive management in a company to provide strategic direction to the entire organization, not just the information technology team, for managing the cyber risk.

We recommend limiting data access to those who really need it, patching and updating software as soon as possible, encrypting data in transit and at rest, and securing systems with two-factor authentication.

Employ a chief security officer who is accountable for ensuring the business is following best practices. They'll need an appropriate budget to deploy policies and effective security solutions.

Budget with business priorities in mind

But bear in mind that it's not just about spending money. Many organizations are taking a scattergun approach to their cyber security budgeting. To increase chances of success, start with a business impact analysis. This should identify your critical business priorities and align your cyber budget with them.

It's critical to remember that cyber defense isn't a set-and-forget process. As you go about your operations, you're continually creating new gaps in your security, which could be exploited. You must assess regularly to identify them. Cyber security is very much a cat-and-mouse game–we continually need to up the ante to stay ahead.

The Cost of Cyber Crime Study finds that 80% of organizations are introducing digital innovations faster than their ability to secure against cyber attacks. On the other hand, there are opportunities to tap into emerging technologies that make it easier to detect attacks, including automation and advanced analytics.

While there are costs associated with these investments, the consequences of not acting are ever more pronounced. The most recent international data shows that security breaches are up 11% in the past year, and almost 70% in the past five years. The Cost of Cyber Crime Study found associated costs have risen by almost precisely the same amount.

For power utilities and other critical service providers, these costs also include the denial of service to thousands or millions of customers who rely on them. The stakes couldn't be higher. As cyber attacks get more sophisticated, it's time to get back to basics.

As originally published in CSO.
