John Higginson, Principal Consultant at Context Information Security, examines what organisations can do to try and combat the increasing and varied threats posed by cyber attacks.
Cyber security has become increasingly more relevant and tangible, with large-scale hacks and global malware outbreaks becoming the norm. But who are the threat actors out there behind these incidents, and what can your organisation do about cyber threats?
The range of threat actors varies considerably: from low-sophistication and low-resource ‘hacktivists’ typically driven by ideology; to much better equipped and funded organised crime elements driven by financial gain; through to highly organised, motivated and extremely capable state-sponsored actors looking for political or economic advantage. Real-world examples of how they operate are varied too and include diverting payments; targeting personal, banking or proprietary data to sell on the Dark Web; and stealing commercial secrets to avoid onerous and time-consuming research and development costs, with the potential to reduce your company’s competitive edge and price you out of the market. A number of well-publicised new products have been launched that bear more than a passing resemblance to those of well-established and more expensive brands. For example, the new Chinese Land Wind X7 looks astonishingly similar to the Range Rover Evoque.
State-sponsored actors can also have the longer-term and more strategic aims of disrupting or destabilising foreign nation states to further their own political or economic goals. As an example of this, recent reporting suggests purportedly Russian state-sponsored groups have infiltrated US power supply networks as well as those in Ukraine, where power disruption attacks have already taken place. The threats posed by operating in cyber space are very real and ever-more prolific.
From a defence industry perspective, any supplier is a potential target for many of these threat actors. Understanding the weapon or technological capabilities of a potential enemy significantly increases the ability to prepare and devise strategies to defeat that adversary.
Notwithstanding the considerable threats to individual organisations, companies in the supply chain often have trusted relationships with large defence contractors or the Ministry of Defence itself, so can be seen by threat actors as the ‘soft underbelly’ and an easy way in to obtain their end goal. Whilst, unsurprisingly, such hacks are not well publicised, they do occur and the supply chain will continue to be targeted.
So, now that we know the various threat actors out there and some of their intentions, the big question is: what should your organisation be doing about it?
The solution, unfortunately, is not simple. However, it is imperative companies make sure that efforts are being put into all the areas needed with management and governance to mitigate risk, resourced with an appropriate level of cyber-aware people, following effective processes and supported by technology controls. Most importantly, the correct security-focused culture must proliferate throughout the entire organisation, from the very top down to the very bottom.
As with anything involving human factors, there can never be a 100% foolproof solution; people by their very nature are unpredictable. In line with everything concerned with security, the best approach and most viable solution will be all about reducing risk, via the frequency or impact of those human errors and within the budget and risk appetite of the organisation. With that in mind, ensuring that the Return on Investment is maximised will be at the forefront of people’s minds. Unfortunately, more often than not, this means having something tangible to show for the investment, be that a shiny new piece of hardware or a clever new intruder alarm. However, this can ultimately give rise to a false sense of security.
The key to addressing the sociological aspects of security is fostering a vigilant and questioning cyber-aware culture that is rewarded for following procedures, even if staff ‘cry wolf’ occasionally in being overly cautious. To support your staff in keeping your information secure, there are four main factors to consider:
- Policies and Procedures – What guidance and direction is provided to support appropriate action and informed decision-making?
- Technical Controls – Who has access to what information, and why? The principle of least privilege should pervade and can significantly reduce the impact of any incident.
- Training and Awareness – Who across the organisation has been trained, and to what level? How long ago was this? Was the training level appropriate to their role, responsibilities and risk profile? Ensuring your staff are trained reduces the likelihood of an incident occurring as well as the impact should the worst happen.
- Testing – When were your procedures and awareness training last tested to establish how effective they are, either through realistic rehearsals and simulation exercises, or via technical penetration testing or exploitative ‘red teaming’? If you have a response plan, who knows about it, what would their role be, and is the plan still fit for purpose?
If you get these factors right, then your organisation should be in a good place. So perhaps it’s time to look internally at what security processes your business has adopted and whether the culture, tools, technology and training you have in place support them in being successful and delivering real security value through a reduction in operational risk.
The easiest route into your network is via the people who use it. Making it more difficult, and therefore not worth threat actors’ time and effort, should mean that potential attackers will, with a bit of luck, look elsewhere.
For more information, visit: https://www.contextis.com/
If you would like to join our community and read more articles like this then please click here.