Good security begins with good hygiene

• Attacks more complex, with nation states & organized crime using novel attack vectors
• Boards need to get up to speed, to understand if existing defences are working as advertised

A RECENT survey by E&Y indicates that almost all cyberattacks are preventable, if only companies did more to secure their perimeters. “These common attacks are preventable because security patches for 99% of them have been available for more than a year," explained Jason Yuen Chee Mun (pix, below), an Ernst and Young Advisory Services Sdn Bhd Partner who specialises in cybersecurity.

This trend is expected to continue into 2020 and was one of the findings of their 20th Global Information Security Survey (GISS).

"(However) the sheer amount of technology that you have to manage and maintain is a huge thing," he admitted. "We finished a cybersecurity review one of the key banks in Malaysia recently where we're talking about something like 20,000 endpoints, 20,000 laptops and devices, and hundreds of servers."

Nevertheless, good cybersecurity hygiene can prevent attacks. The exploit that the WannaCry ransomware attack used globally last year in fact was already addressed by a patch available three months prior.

Different levels of attacks

"The fact is that there are just too many bad guys," confessed Yuen. “What we are recommending in our survey is really to split your defence around how you view your attackers and your threats."

The first type of threat are opportunistic attackers who try their luck. The analogy Yuen used were burglars who try door handles to see if they are unlocked. "That's the one that we say that you have to really focus on prevention."

The second type of threats are those who employ targeted attacks. They observe habits, probe for weaknesses (e.g. with phishing attacks) and are determined to succeed. “In most of these cases the sophisticated target attack is going to break through," cautioned Yuen.

The third type of threats are sophisticated emerging attacks employed by organized crime groups, cyber terrorists and nation states.  These encapsulate novel attack vectors exploiting smart devices made ubiquitous by the IoT and the gaps created by the convergence of personal and business devices (e.g. Bring-Your-Own-Device policies).

Third-party vendor risk

The scrutiny on improved security should also extend to third-party vendors. “If I'm not actually carrying out the appropriate due diligence on my vendors, they become the weakest link," said Darren Simpson (pix, lef), the Ernst & Young Australia Director for Cybersecurity in Asia Pacific.

“If they've been breached then the breach can actually follow through their organization into yours," he continued.

An example given was how some people of a Mumbai-based company working on the popular TV show Game of Thrones had the correct security credentials that allowed them to illegally leak an episode online.

The recommendation given is to mandate that third-party vendors must follow the same types of mitigations and controls that the parent company uses.

Breach notification

Yuen explained that security should be seen as a trifecta of prevention, detection and response.

"Usually the biggest weakness is in the last link, the response," he said, which includes disclosing breaches to the public.

Their survey found only 68% of respondents had some sort of formal incident response capability, of which only 8% described their plan as robust and spanning third-parties and law enforcement.

Worryingly, 17% of respondents said they would not notify all customers, even if a breach affected customer information. Even worse, 10% wouldn’t notify anybody, even customers that were impacted.

However, as more countries adopt mandatory breach notification laws (such as the one mandated by the European Union’s GDPR), withholding information will no longer be an option.

"I think it's something that is a common criticism of why Malaysia actually didn't have one along with the PDPA,” he continued.  “I think we've seen in other jurisdictions, it has driven the level of security up."

"For example, (if) an auditor leaves a CD-ROM in an airplane, you can easily choose not to disclose anything like that. But they come out in the US because (it’s the) law. And if you get caught and you didn't disclose, it's a huge penalty."

Responsibility of boards

It cannot be denied that high-profile attacks brings with it increased awareness. 76% of survey respondents said that the discovery of a breach that caused damage would result in greater resources allocated.

"WannaCry was one of the biggest issues that placed cybersecurity on non-IT people,” pointed out Yuen. "After WannaCry came up, boards are asking what can you do? What do you need to fix this and how much money do you need to fix this?”

Kartik Shinde (pix, right), an Ernst & Young LLP (India) Partner in Cybersecurity for Financial Services, said that boards don’t always ask the right questions, unsurprising given that only 36% of those surveyed said their boards had sufficient knowledge about cyber risks.

"The questions asked are, how safe are we and what are the things that we have invested in?” Shinde pointed out. "What question they should really ask is, two or three months down the line, what is the level of effectiveness and what is the level of assurance that this thing really works?"

"Unless and until you know what controls you are putting in you can't just keep buying new technology, new security solutions and think that that's a silver bullet to all your security issues," concluded Shinde.

Although 87% of the survey respondents say they need up to 50% more cyber security budget, Simpson advocates companies to do the simple things first before looking to more complex solutions.

"Just because you don't have budget doesn't mean you can't make improvements,” he stressed. “I still come back to training and awareness.”