EY has been conducting a yearly Global Information Security Survey (GISS) for 17 years. The key observations and views from the latest survey are shared in this article.
Cyber threats are increasing in their levels of persistence, sophistication and organisation. The damage caused by a cyber attack can severely impact a business. Even if you have not experienced an attack yet, you should assume that your organisation will be targeted, or that your security has already been breached.
You could be under cyber attack now
Cybersecurity attacks have increased exponentially in the last few years. As the evolution of technology marches forward, more complex cyber risks emerge, threatening significant harm to an organisation’s brand and bottom line. The infiltration could have occurred days, weeks or even months ago without the organisation being aware of it. When the knowledge and magnitude of the breach does surface, the associated costs to the organisation may be staggering.
The disappearing perimeter
Cyber threats will continue to multiply. The advent of the digital world, and the inherent interconnectivity of people, devices and organisations, opens up a whole new playing field of vulnerabilities. The short summary below highlights the top five reasons why effective cybersecurity is increasingly complex to deliver: they illustrate that the security defences of organisations are under increasing pressure, further eroding the traditional perimeter and, in turn, creating more motivation for threat actors.
- Change. New product launches, mergers, acquisitions, market expansion, and introductions of new technology are all on the rise: these changes invariably have a complicating impact on the strength of an organisation’s cybersecurity.
- Mobility and consumerisation. The adoption of mobile computing has resulted in blurring organisational boundaries, with IT getting closer to the user and further from the organisation. The use of the internet, smartphones and tablets (in combination with personal devices) has made organisations’ data accessible everywhere.
- Ecosystem. We live and operate in an ecosystem of digitally connected entities, people and data, increasing the likelihood of exposure to cybercrime in both the work and home environment.
- Cloud. Cloud-based services, and third-party data management and storage, have opened up new channels of risk that previously did not exist.
- Infrastructure. Traditionally closed operational technology systems are now being given IP addresses, so cyber threats are making their way out of the back-office systems and into critical infrastructure such as power generation and transportation systems, and other automation systems.
The roadblocks facing today’s organisations
Concerns over cybersecurity have been increasing and attracting more attention at all levels within organisations. While they are taking actions to address cybersecurity risks, there are a number of roadblocks which need to be removed before organisations can successfully get ahead of cybercrime.
1. Lack of agility. There are known vulnerabilities in organisations’ cyber defences. In other words, it is understood that there is a clear and present danger, but organisations are not moving fast enough to mitigate the known vulnerabilities. Due to the lack of real-time insight on cyber risks, organisations are lagging behind in establishing foundational cybersecurity.
2. Lack of budget. The lack of budget is one of the most challenging roadblocks. We see more organisations reporting that their budgets on cybersecurity will remain flat. Although we are experiencing ever greater attention to cybercrime in the boardroom and from non-executive directors around the globe, it seems that this interest doesn’t translate into additional money.
3. Lack of cybersecurity skills. The most important roadblock is the lack of cybersecurity skills. While the need for specialists deepens, the lack of specialists is a growing issue. Also, there is the need to build skills in non-technical disciplines to integrate cybersecurity into the core business. Sophisticated organisations not only defend themselves against cyber attacks; they use analytical intelligence to anticipate what could happen to them and have the confidence in their operating environment to know they are prepared. Organisations find it difficult to hire the specialists necessary to perform the analysis on threat intelligence data, draw relevant and actionable conclusions, and enable decisions and responses to be taken.
How to make vital improvements
So what are the areas that need specific and increased attention? What ‘low hanging fruit’ would allow organisations to make progress easily? Below we outline four areas of improvement that need specific and increased attention.
1. Improve the Security Operations Centre (SOC)
A well-functioning SOC is an important asset to get ahead of cybercrime. If there is one security function in the organisation that should be aware of the latest threats, it is the SOC. In our latest GISS, we noted an alarming result where organisations felt that their SOC was not keeping up to date with the latest threats. One of the root causes is that SOCs are overly focused on the technology. Although the features of the technology are important, the starting point should be the business. The SOC will not be able to focus on the right risks (and changing risks) if the business is not connected to the SOC on a regular basis.
2. Create a core cybersecurity team
By establishing cybersecurity knowledge in a core team, organisations will be able to adapt to new threats more easily. This core team can be organised centrally or distributed across functions/borders depending on the size and the requirements of the organisation.
The core team should also focus on training, skills and awareness, and make the practice of information security part of everyday life for every employee.
3. Establish accountability
Greater accountability and performance measurement are key ways to achieve behaviour change. If employees understand that their own job security is under threat because the security of the organisation is under threat, and that cybersecurity is a performance metric, this will encourage a permanent change in awareness and behaviour.
Breaches of information security protocols should be taken very seriously. In addition to informing employees about cyber threats, find ways to make them the ‘eyes and ears’ of the organisation and ensure there is a clear escalation process everyone can follow in the event of an employee noticing something suspicious. Forensics support and social media could be the first way of spotting that the organisation is at risk of an attack.
4. Go beyond borders
With a transformation cycle in place, organisations can start to look beyond their own borders, and begin to assess the impact of a cyber attack on their business partners, suppliers and vendors – a community that can be described as their business ‘ecosystem’. Their own effective transformation will reveal leading practices, and these practices can be communicated to the ecosystem so that suppliers and vendors can be contractually obliged to conform.
Get ready to anticipate
No organisation or government can ever predict or prevent all attacks; but they can reduce their attractiveness as a target, increase their resilience and limit damage from any given attack.
Learning how to stay ahead is challenging and takes time, but the benefits for organisations are considerable. They will be able to exploit the opportunities offered by the digital world while minimising exposure to risks and the cost of dealing with them.
Understand your threat environment and establish early detection
It is not enough to just know that there are threats. Organisations need to understand the nature of those threats and how these might manifest themselves, and assess what the impact would be. Early warning and detection of breaches is key to being in a state of readiness. However, the majority of organisations are only able to detect fairly simple attacks, meaning they may not know they have already been breached by a more sophisticated attack and they will not be able to detect future attacks of this nature.
Incorporating or establishing a cyber threat intelligence capability can help get organisations ahead of cybercrime. At a tactical level, this capability will sit in the SOC, but the reach of this function will extend into the strategic level and the C-suite, if done well.
Take a view of the past, present and future
The organisation’s ambition needs to encompass efforts to look into the future, as well as learning from the past and being prepared for the now. Organisations should be kept informed of new/different trends in attack types and in the methods, tools and techniques to deal with them. It is vital to be kept informed about emerging technologies, and to keep exploring the opportunities for the business to exploit these, while keeping a firm eye on the new risks and weaknesses they may introduce.
Get involved and collaborate
Information and intelligence sharing platforms exist in many forms. Governments and major organisations have started to take a leading role in establishing the policy and practice frameworks that support the development of resilient cyber ecosystems.
Collaboration provides organisations with greater awareness of their partners and supply chains, and the ability to influence and learn from the whole ecosystem.
Larger organisations need to understand that their security capabilities are often far more mature than those of some of their suppliers, so knowledge-sharing around cybersecurity, or coordinating cybersecurity activities with suppliers, can be much more effective than going it alone. A shared solution tightens the protective layers in and around your ecosystem. However, it would require an organisation to develop a ‘trust model’ based around authentication, assurance agreements, etc. Any incident response exercises should include third parties and other players in your wider ecosystem.
Organisations are using these four questions to assess the impact of a cyber attack in real-world terms, to understand the impact on the bottom line and the organisation’s brand and reputation.
- How would the share price be affected?
- Would customers be impacted?
- Will this translate into reduced revenues?
- What will the costs be of having to repair damage to all internal systems and/or replace hardware because the organisation was not prepared for an attack?
Cyber economic techniques are being developed to help organisations convert this into tangible figures.
Conduct cyber incident exercises
Is the organisation confident that everyone knows what to do if an attack takes place? If not, then the damage from the attack will be far greater than expected.
Poor handling of cyber incidents has led to harsh impacts on many companies. Once a breach is detected, having thorough knowledge of your critical assets and associated ramifications will allow your organisation to set in motion the appropriate handling mechanisms. Stakeholders, customers, employees, PR, regulators – all these parties play a part in determining how well your organisation weathers an attack.
Being in a state of readiness requires that an organisation will have already rehearsed many different attack scenarios. At least once a year, organisations should rehearse their crisis response mechanisms to complex cyber attack scenarios. Regulators in some areas are now requiring that such rehearsals are undertaken and the results reported.
What organisations need to do
Every day, cyber attacks become more sophisticated and harder to defeat. No one can tell exactly what kind of threats will emerge next year, in five years’ time, or in 10 years’ time. It is inevitable that these threats will be even more dangerous than those of today.
Despite this uncertainty, organisations need to be clear about the type of cybersecurity they need. To get cybersecurity right, the first step is to get the foundations right. Given how much attention recent cyber attacks have received, no one can claim they do not know the dangers. There can be few excuses for organisations that are still not putting basic cybersecurity systems and processes in place.
Once the foundation has been mastered, the next stage is to make your cybersecurity more dynamic and better aligned and integrated into key business processes. Without taking this crucial step, organisations remain vulnerable, since they, their environment and the cyber threats they face are constantly changing.
By focusing your cybersecurity on the unknowns – the future and your business’s broader ecosystem – you can start building capabilities before they are needed and begin to prepare for threats before they arise. Organisations should take the initiative and make cybercrime far less profitable and a far less effective use of time and resources than it is today. In other words, take away the power of the hacker and get ahead of cybercrime.
Keith Yuen, Partner, and Alan Lee, Executive Director, EY
Keith Yuen can be contacted at tel: +86 2122282252, or email: Keith.Yuen@cn.ey.com
Alan Lee can be contacted at tel: +852 26293160, or email: Alan.Lee@hk.ey.com