“Why would anyone want to attack us, we are an aviation leasing company?”
Your perception of cyber security is very different the day after an incident than the day before and this is why I have been asked this question when sitting opposite clients in the aftermath.
Globally, just over two in five CEOs say they feel prepared for a cyber event. With spending on cyber security products expected to top the US$113bn mark by 2020 and reports of data loss making the headlines almost daily, why in the age of mature cyber security products do large scale breaches continue to happen?
Cyber criminals are employing tools of an increasing complexity and deploying them in an ever more sophisticated manner, using the same enterprise levels of organisation, artificial intelligence and machine learning solutions that security professionals aspire to possess.
The emergence of super strength encryption on readily available communication apps and the layered security model of the “dark web,” hosting online stores for criminal goods and services means that the potential for detection has decreased dramatically.
Cybercrime has now overtaken “traditional” crime as the key enabler of fraud, and with the value of financial transactions in the aviation leasing industry this makes it a lucrative target for cyber criminals.
The prevalence of point and click cyber weapons, loaded with an array of ransomware, phishing and compromised networks used to deploy denial of service attacks, are easily and cheaply obtained on the dark web. The means to effect those attacks is becoming easier and in many cases free of charge to the attacker.
A Distributed Denial of Service (DDoS) attack can be hired for as little as US$7 per hour, with the costs of mitigation estimated at over $100,000 per hour, incredibly this makes the cost of performing an attack similar to that of going to see a movie.
This has created a lucrative “gun for hire” marketplace on the internet. Distance, time of day or innocence of the target has no relevance, if the price is right and a return on investment can be realised. Making money is the real motivation behind current cyber-criminal activity and answers the question, “why us?”
According to Verizon, which analysed 42,068 incidents and 1,935 breaches from 65 organizations in 84 countries; 51 percent of breaches involved organised criminal groups.
Attacks can be focused, where you are of interest to an attacker because of the value of your business transactions, or simply you could be the victim of a “scatter gun” approach where you are the consumer of an IT product or service that has been compromised due to poor security design, or is reaching end of life and can no longer be supported.
The cost of defence has escalated over time, usually as a reaction to a high profile event. Typically spending on Cyber Security now outpaces operational IT at a ratio of seven to one, an unsustainable strategy.
Firms are coming under pressure to contain their burgeoning cyber security budgets, and there is an opportunity to look at the business holistically. Doing so would ensure that expenditure is focused on the true risks posed to their digital assets, rather than procuring multiple layered technical solutions (which ultimately no one entirely understands) to plug perceived security gaps.
Embracing emerging technology, and adopting maturing services such as Cloud, allows us to innovate and transform our business but requires the consideration of cyber security as an essential business operation.
The challenge is transforming our cyber security position from a basic one, to a more mature model whilst doing so in a timeframe that avoids obsolescence. As the aviation industry increasingly delivers and receives services via digital channels, Cyber Security by design and by default is a requirement. This is a core concept in transforming business in a rapidly changing environment.
In the 2018 KPMG CEO Outlook report ‘Disrupt and Grow,’ almost half of the CEOs consulted (56 percent), believe they need to do more to combat cyber security ‘fatigue’ in their organisation.
The apparent failure to explicitly identify and manage risks around cyber security, whilst noting the need to embrace emerging technology, might suggest a potential misdirection of effort, and resources, when dealing with the risks and opportunities around the application of technology within the business environment.
It is possible that the current approach to securing our technology has not fully lived up to expectations and that no magic bullet or box exists to solve the end to end multidirectional attack vectors employed with ever more efficiency and effectiveness by the modern cyber-criminal.
Cyber security professionals have repeated the “defence in depth” mantra for well over a decade, and the current theme is focussed on the people, process and technology aspects within the cyber ecosystem.
Evolving from those traditional models is a different way of considering the overall approach to securing our assets, designed to reduce the risk of a “hit” whichever direction it comes from - this approach is called Cyber Resilience.
Cyber resilience is being able to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events online. Cyber security is a key element resilience, but cyber resilient organisations recognise that operating safely in a digital environment goes far beyond just purely technical measures. By building an end to end understanding of cyber risks and threats, and aligning them to business objectives, they are able to take the appropriate measures to protect their digital assets and maximise the opportunities available online.
Cyber Resilience also creates opportunities to increase the security awareness of staff, management and the board to reduce their riskier behavioural elements; creating a clear line of sight between business objectives, and Digital Strategy and Cyber Security implementation.
The questions lessors have asked is how can I implement cyber resilience in practice?
Cyber resilience is a process of continual refinement and relies on organisations understanding the quantity, sensitivity and location of the assets to protect. The new General Data Protection Regulation (GDPR), effective from 25th May 2018, has mandated this approach to information asset management on EU Citizens personal information. Our experience with aviation leasing clients in implementing processes to support GDPR highlighted the effort required to meet basic compliance; but the result, a much stronger position with regard to their data management and protection of information assets. A similar approach to cyber resilience is required.
The process for achieving cyber resilience is framework containing five pillars: identify, protect, detect, respond, and recover. You evaluate each pillar against your organisation’s cyber security strategy to reduce the risk of adopting a static security posture in an ever evolving threat landscape; and ensure that business rules continue to be applied in the way they were designed, via the use of technology.
By evaluating the risk posed by each weakness and which are the most critical, you should be able to improve your preparedness for an attack, including managing and focusing spending on protecting ‘crown jewels.’ With each scheduled cycle of assessments, the security strategy is re-evaluated, and since every organisation has unique systems and different security needs, the results of each series of assessments is measured against the current threat environment and the acceptable risk level for the organisation, rather than a relatively generic series of standards and checklists.
Often our discussions on Cyber Resilience with our aviation leasing clients are targeted at board level as they ultimately are accountable for managing the risk.
Therefore from a Board perspective, it is important to de-mystify the concept of “cyber security” and how it relates specifically to an aviation leasing client. One size will not fit all, however every client, regardless of size, can take steps to help identify and respond to an incident. Technical support, or software based solutions, are only part of the answer and clients of all sizes seek advice on how to identify and respond to the risks posed to their assets from both cyber criminals and non-malicious actions – specifically centred on people, process and technology.
Our message to clients is that Cyber Security is a number of things executed effectively, so where can I start, or continue the journey to cyber resilience?
As a starting point, Board members should consider the following areas of focus – a number of steps can be taken with minimal incremental cost, beginning with a cyber focused risk assessment:
The five pillar model is consistent with the EU Directive on Network Information Security (NIS), in the US via the National Institute of Standards and Technology (NIST) and by the UK National Cyber Security Centre (NCSC) in their 10 Steps to Cyber Security approach, employing a number of key building blocks proportionate to all sizes of organisation, with an end to end continual assessment of each activity clearly described.
It is also the approach utilised by KPMG, in delivering Cyber Security Services to our clients.
We define Cyber Resilience in six core interdependent domains;
With the right governance structures and processes, information and appliance asset management, identity access management for customers and staff, technical measures to protect network boundaries and gateways, and response plans that are effective when needed, an organisation can consider itself to be resilient in the face of cyber risk.