This month, the $1 billion (£650m) bank heist affecting up to 100 financial institutions has highlighted a growing gulf of miscommunication between chief executives of large organisations and their IT departments.
Kaspersky Lab reports that, working with international law enforcement agencies Interpol and Europol, it discovered that the gang, dubbed Carbanak, used malware enabling it to see and record everything that happened on staff's screens. These and other recent high profile cyber attacks, such as that which recently saw 76 million customer accounts hacked at financial institution JPMorgan Chase, are forcing organisations such as banks to examine why cyber criminals see them as easy pickings. Some are rapidly reaching the conclusion that they need to plug any security holes not only in their own networks but also in those of their advisers and partner companies.
Bank of America Merrill Lynch, for example, believes it is “one of the largest targets in the world” for cyberattacks and is auditing cybersecurity policies at its outside law firms. According to the bank, law firms are “considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information.”
Disconnect between boards and their IT departments
However, the main reason that cyber criminals see large corporations and their senior advisers are seen to be such easy targets by cyber hackers is an alarming disconnect between company board members and their IT departments - a virtual 'Intelligence Gap'. A report "Exposing the Cybersecurity Cracks: A Global Perspective" conducted by the Ponemon Institute last year, shone a light on board-level ignorance regarding cyber security. Of the 5,000 IT and IT security professionals interviewed for the survey, almost half said that their board level executives have a sub-par understanding of security issues.
But the problem goes deeper than ageing board members who may not have bothered to keep abreast with the digital age. IT departments themselves are also partly responsible for the huge intelligence gap which has grown between themselves and their board. Chief executives and senior board members are frequently surprised by the way IT heads frequently regard their departments as personal fiefdoms, resenting any external examination of procedures.
This is, in part, a legacy of a time when the majority of company directors were largely computer illiterate and rather proud of it. But it is also a result of an emotional impasse that now exists between IT department heads who are defending what they see as their personal fiefdom without comprehending that cyber security impacts every area of the company's operations.
Ring-fencing cyber security in this way leads to a dangerous culture of complacency within organisations, lulling the chief executive and his board into a sense of complacency, believing their cyber defences to be impregnable when this may be far from the truth.
A more realistic picture would be for the chief executive to understand that his/her organisation is likely be hacked - if it has not already been compromised. Unless a company regularly conducts third-party penetration tests on its digital defences, it is highly likely that much of its data may already be compromised. In reality, this means that cyber criminals and business rivals alike will likely have access to some the company's most sensitive business data.
While IT departments may mistakenly think that cyber security is a purely IT matter, it actually crosses over into HR and other areas. Many data breaches, for example, come not from outside hackers but are internal, sometimes the work of disgruntled or dishonest staff or even ex-employees. According to industry estimates, roughly a third of all ex-staff in the UK still have access to data held by their former employer.
The first step taken should, therefore, be to ascertain which data has already been compromised and by whom. Chief executives should rely on internal investigations conducted by in-house IT staff as they may overlook existing and long-standing "blind spots".
An intruder can sit on an IT system undetected for months
Often, an intruder can sit on an organisation's IT system for months or, in some cases, years before the host becomes aware. In such cases, the damage can be hard to quantify. A rival may gain prior knowledge of a company's business strategy through examining its most confidential documents in real-time or a cyber thief may simply use information obtained to misdirect company funds. Next-generation data loss prevention software such as Sentinel, created by UK-based developer ZoneFox, tracks the history of each document, letting the organisation know the complete history and usage of any data or user. By monitoring each and every user interaction with data, Sentinel can inform organisations of behaviours occurring on their systems that may be malicious or non-compliant.
The next step is to assume that, even if no sensitive data has been breached, there is no reason to assume it will not be breached in the future. This means developing a crisis management strategy capable of limiting the damage caused by a significant data breach.
Until recently, a fully comprehensive cyber security policy was seen as little more than a 'nice to have'. But the massive data breach that compromised the data of over 70 million customers at US retailer Target and the subsequent resignation of its chief executive, Gregg Steinhafel, last year, provided chief executives with a much-needed wake-up call. When a data breach does occur, as it inevitably will, chief executives can no longer merely point an accusing finger at the head of their IT department and conveniently pass the buck.
As legislation in the US rapidly moves towards making the reporting of corporate data breaches compulsory, chief executives will find their neck is on the line if they are seen to have mindlessly delegated all cyber security matters to their staff. Chief executives and their boards are also starting to discover that other third parties such as insurers and partner organisations are starting to scrutinise their cyber security policies.
Those without an effective cyber strategy will soon find themselves paying increased insurance premiums and losing the confidence of those partner companies and clients who have taken the time to instigate effective cyber defence policies.
by Stuart Poole-Robb, chief executive of business intelligence and cyber security adviser of the KCS Group