Instances of high profile cyber-attacks seem to be proliferating all the time. The risk is increasing as several factors combine and Boards are obliged to ensure the issue is managed and under control.
Amongst the factors driving this particular risk is the fact that attacker capabilities are growing; there are ever more resources available - often free or very low cost - on the public Internet (as well as the 'dark web'); the connectivity of devices is mushrooming through such concepts as the Internet of Things; the reliance on third parties and supply chains is growing; and cost issues can mean IT resources are under pressure.
KPMG's Risk Consulting Practice calls this term a 'readiness gap' in which the threat is increasing while companies? preparedness struggles to keep up. And yet, clearly, it is a risk that every organisation quite simply must be armed against. Every institution needs to be able to detect and respond to the cyber security threat ? and boards must take the lead in equipping the organisation in this battle.
So how can boards and their teams set about doing this? Thinking of the old adage 'know your enemy', it can be extremely instructive to put yourself in the shoes of the cyber attacker - to understand how they work and what they are looking for.
If you accept the premise that 'you are under attack', then, of course, one of the first questions is - from whom? So perhaps the first step is to think about the different types of cyber attacker out there, and which one(s) are most relevant for your organisation. The main classes of attacker can be grouped as: criminal gangs (most interested in financial fraud in order to make a profit), hacktivists (perhaps motivated by an issue or cause), corporate competitors (looking to steal secrets or data), nation-states (with similar aims), and disgruntled employees (often overlooked, but a potent threat as they often understand your systems and protocols).
Having thought about which group or groups you are most likely to be under threat from, ask yourself this: what are they likely to be targeting? Quite simply, what are your 'crown jewels'? What data or information do you hold that is most likely to be attractive to outsiders?
Then, put yourself in the shoes of your likely attacker, who is after your crown jewel of X - and consider: how are they likely to go about it? Even if your conclusion would be 'no one is interested in us really', remember that cyber criminals cast a wide and automated net that could infect your systems with destructive malware.
One key thing to appreciate right from the outset is that cyber attackers are highly organised. It is their business after all. So they are likely to invest quite some time researching your organisation, its security posture, systems and employees. This could include researching individuals, perhaps via LinkedIn and other social media ? who reports to whom, who has recently been hired and what linkages and dependencies are there between individuals and departments?
They will also be able to use publicly available search engines through which they can identify potentially vulnerable corporate devices, and exchange information with other groups of attackers. Tools available, such as open-source intelligence and forensics applications, enable them to then collate and analyse the huge amounts of data they have collected - the Big Data of hacking perhaps.
An attacker may also survey your physical premises, looking at access points to the building, how many people come in and out at what times of day and, crucially, what security pass system you have. They may be able to take a photo of or scan a staff or visitor pass and use it to print a fake one of their own. Don't overlook the physical threat - gaining access to your premises could be a quick way to gain access to your data.
Once the hacker has done their research and established their target, they will make a plan around how to reach it. Essentially, they will be looking to establish a virtual foothold within your organisation as a first base.
Likely methods of gaining this foothold include sending phishing emails to members of staff with links that have malware embedded or attached, or setting up a 'watering hole' - finding a site that is commonly used by staff and compromising it by embedding malware there.
Once they have tricked some victims, they can then digitally 'move around' within your organisation and try to reach their target.
Having considered things from the attacker's point of view, you need to focus on shoring up your defences. Just as for attackers, it's crucial to know your 'crown jewels'. What are they, and where are they located? Thinking about what it is you are defending also means thinking about the dependencies: what do your systems rely on, have you given copies to anyone externally or in the cloud?
Defending is essentially attacking in reverse - so map out possible routes of attack as a planning tool (known as creating an 'attack tree') and make a matrix of actions to defend against them. It helps here to think of the 'five D's':
Detect, Deny, Disrupt, Degrade, Deceive
Deceiving could mean the creation of 'honeypots' - false targets (such as apparently vulnerable devices or applications) designed to lure attackers in to identify and catch them. Some organisations set up fake executive profiles on LinkedIn to get an early indication.
There are certain pre-requisites for a successful defence strategy. You will need to be determined and have a resolve to win: winning the battle is not for the faint-hearted. You will need to be able to capture all of your data in order to analyse and learn from it. In the same vein, you will need to build a knowledge base - logging phishing emails for example, creating a database that you can interrogate and analyse.
It's vital of course to have the necessary in-house skills - a capable cyber security team, and perhaps the services of outside consultants who can be called in as and when necessary.
And finally, there is no getting around the fact that you will need to make the right amount of investment in order to do all of this - which means that getting the Board on side is essential.
Having done all of this, it's critical to put it into practice. Test your systems through drills and realistic attack simulations.
This may involve hiring a 'red team' of external attackers from your advisers to put your systems through the mill and identify weaknesses and areas of priority - while your 'blue team' of defenders seeks to repel the attacks.
If you don't test your defences, then to a large degree you are simply closing your eyes and hoping. Putting them into action will open your eyes as to where you really are and what you need to address - giving you the confidence that dealing with the cyber threat is a significant boardroom priority.
© 2020 KPMG Limited, a Gibraltar Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.