‘Third parties’ a major risk to cybersecurity: EY exec

• Businesses spending more on security but risk exposure remains the same
• They now have an entire ecosystem of exposure to worry about

ORGANISATIONS are more aware and spending more on IT security, but that is not necessarily translating to a lower exposure to ‘cyber risk’ – or the risk of financial loss, disruption or damage to an organisation’s reputation from cyber-attacks and cybercrime.
 
“[Enterprises] have put a lot of money into security and [IT] transformation programmes, but the cyber risk has not gone down – or it has even gone up,” said Paul O’Rourke, EY Asia Pacific Cyber Security lead.
 
“Even those that spend significant dollars on security … are the ones that are consistently being compromised and reported on,” he told Digital News Asia in Singapore recently.
 
This is because organisations are not paying enough attention to the entire cyber risk equation, which includes not just the technology being deployed to mitigate risks, but also culture, people, processes and ‘third parties.’
 
“Technology itself cannot fix the problem,” O’Rourke said, adding that “third parties are now emerging as one of the more difficult ones.”
 
Third parties are the ‘cyber-ecosystem’ of a business, from its contractors to connected parties in its supply chain.
 
To protect themselves from the risks that these third parties bring into their systems, they have to look at governance and culture.
 
“Governance is ‘who owns the problem?’ ” O’Rourke said. “The CIO (chief information officer) can help, but unless the business itself understands the risk, it will never fix the risk.”
 
And when it comes to culture, a big factor is education.
 
“People have to understand how their actions can create a cyber risk – there needs to be a lot of investment around educating employees and third parties on cyber risks and exposure; and more importantly, what individuals can do to protect the organisation,” he added.
 
O’Rourke used spear-phishing as an example, which is a cyber-attack targeted at getting confidential information from an individual.
 
Educating employees on why they should not click on an email from an unknown source does not always translate to proper action, according to O’Rourke.
 
“You’ve seen a lot of education on spear-phishing, it’s still a topical issue – but as obvious as it is, it is one of the major ways threats get into an organisation,” he said.
 
Inadvertent user actions can cause the most damage, as ignorance is harder to detect than malicious actions.
 
“Even well-intentioned action can create the most damage,” O’Rourke said. “It’s constant education and re-education.”
 
The rising risk of hacktivism
 
Traditionally, companies really only worried about financial-based cybercrime, but these days they may even become targets of hacktivism, as the recent attack on online cheating site Ashley Madison shows.
 
And while traditional financial cybercrime still remains a threat, there are now “state-sponsored attacks that are more industry-specific – and increasingly, hacktivism is emerging as a major threat,” said O’Rourke (pic).
 
Hacktivists have a different motive and modus operandi from the usual cybercriminal, which makes protecting assets and reputation from them even more challenging.
 
“If you look at financial crime or state-sponsored attacks, which go after certain types of information, it’s easy to understand which data to protect,” O’Rourke said.
 
“But when [it comes to] hacktivism, where the whole motive is to damage the reputation of the company, they can attack you anywhere,” he added.
 
From defacing websites to a Distributed Denial of Service (DDoS) attack, hacktvists’ objectives may not necessarily be the same as the other hackers. This makes it even harder for businesses to address this risk.
 
The security spend equation
 
Businesses are beginning to realise that throwing technology at the cybersecurity problem is no longer viable.
 
“There is a large degree of fatigue in organisations with how much money they have spent on technology, and the fact that it hasn’t addressed their risk,” O’Rourke said.
 
“A lot of organisations are putting their forward technology investments on hold, and going back and revisiting their strategy and approach,” he added.
 
Businesses are also refocusing their spending, bringing detection and containment into the security mix, in addition to the traditional prevention.
 
Detection covers proactive internal measures to detect attacks within the network. Containment involves measures to ensure that the damage attacks may cause is limited.
 
“Most of the money before has gone into prevention, now it includes detection and a greater focus on containment,” O’Rourke said.
 
Businesses are also focusing more on their incident response as they come to the realisation that they cannot stop every attack, he said.
 
And, “it’s not a technology incident response – it’s enterprise incident response, it’s regulatory relations, it’s media relations, it’s investor relations, it’s the board, it’s legal, it’s across the organisation,” he added.
 
Related Stories:
 
The threat landscape runneth over, here’s what we need to do
 
Partnership the key to combating cybercrime: Interpol
 
Anonymous threatens Singapore’s financial systems … perhaps
 
                                                                                                                                        
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.