They say there are two kinds of companies: those that were hacked, and those that don’t yet know they were hacked.
Companies seem to be consistently behind the curve when it comes to cybersecurity, with even massive institutions of the stature of JPMorgan Chase – which spend over a billion dollars per year on security – being hacked for years, before the breach is detected. Which, of course, raises some very serious questions.
While the curse of cybercrime is nothing new, companies’ ability to assess their level of vulnerability certainly is. Check out your company’s cybersecurity resilience here.
The Curse of Lag Time: What Happens between Breach and Discovery
In considering the stories of high-profile hacks, we can’t help but notice the incredible lag time between breach and discovery. For example, according to this report by Bloomberg, the JPMorgan hack – which involved at least nine big financial and publishing firms, and generated hundreds of millions of dollars in illicit proceedings – continued from 2012 to mid-2015.
In another colossal attack of Sony Pictures Entertainment – disclosed in in November 2014, and allegedly sponsored by North Korea – hackers claim to have had access for more than a year, prior to discovery of the breach.
And if we’re talking about response time, it’s worth pointing out that regional differences do exist. The Asia Pacific region, for example, has an astonishingly poor record. According to this report released in August 2016 by Mandiant, most breaches in the region never become public. Discovery time in the region is, on average, 520 days, significantly longer than the global average of 146 days.
A quick look at the headlines gives a real sense of the urgency and scale of cyber threats. One recent example is Hong Kong-based Bitfinex, one of the world’s largest bitcoin exchanges, which announced in August 2016 the theft of 119,756 bitcoins – which would have been worth about $72 million before the hacking was made public.
A bit later in the year, a security breach in the UK involved ~160,000, names, and phone numbers of customers of the British broadband and phone provider TalkTalk, and also compromised records of British consumers at big-name brands Vodafone, Visa, Sky TV, Amazon, and Ticketmaster.
Another big story in the UK in 2015 was Carphone Warehouse, which compromised almost 2.5 million customer records, with about 90,000 having encrypted credit card information stolen.
Cyber Dumb – Or: Yes! Email and Social Media are a Potential Threat
Employees and other users are perceived, increasingly, as the weak link in cybersecurity. With the ever-growing complexity of attacks, it is becoming more essential for companies to educate all personnel – and third party partners, if possible – about smart and safe security practices.
Do employees know, for example, that cybercriminals are savvy in their attempts to lure people in and get them to click on a link or open an attachment? Do they realize that phishing attacks use email and malicious websites to collect information and infect computers with malware and viruses?
*An image from an awareness campaign by Belgium’s CERT.
Research by UK email provider Mailjet released in November 2015 shows just how limited the average user’s understanding is.
The research showed that an astounding seven in ten Brits do not consider an email account to be a potential threat, and 69 percent do not know that simply opening an email can expose a computer to an attack.
In a somewhat similar vein, Chief Executive of Singapore’s Cybersecurity Agency, Mr. David Koh, commented in an interview with Channel NewsAsia that while he is personally aware of issues relating to online security, his very own family is not on the same page.
Bottom line: The knowledge level of the average user vis-à-vis cybersecurity is an important part of the cybersecurity story, and companies need to start investing in education to reduce the degree of risk.
Are You CyberReady?
Looking beyond education, there’s a need for more sophisticated, on target, and timely protection that can reduce the threat of attack. While there is no such thing as a bullet-proof defence against cyber attacks, if your investment in cybersecurity is well utilised, you will minimize the number of potential attack vectors coming into your business.
Taking on the attackers' perspective and being vigilant about testing and re-testing your defences will help you identify your weaknesses in advance and secure them in time.
And given the increasingly menacing cyber environment, a growing number of companies are opting to hire professional cybersecurity experts who can help them check their own security vulnerabilities and fix them before it’s too late.
Cyberint, for example, simulates real attack scenarios designed to evaluate your controls and evaluates the impact of a breach on a business.
Cyberint’s approach, which is paving the way for world-leading organizations in the cybersecurity industry, replicates the behaviors of real threat actors by preceding the attack simulations with an initial assessment based on threat intelligence. This initial assessment leads to the identification of possible attack vectors and payloads, which enables hackers to exploit system vulnerabilities.
Checking a company’s cyber readiness has become an essential step in the safety of your company and a necessary tool in avoiding cyber disaster.
Time to check out your company’s CybeReadiness.