Wannacry: How to prepare for the next big cyber attack

Virtual risks do not get appropriate top management attention. This needs to change.

 |  5-minute read |   19-05-2017
  • ---
    Total Shares

As disruptive innovations and new business models transform organisations and communities around the world, their sustainability is threatened by a plethora of cyber risks. We have witnessed one of the largest cyber-attacks recently with “WannaCry” impacting the lives of many individuals and enterprises.

Indeed, criminals and nation-states are increasingly attacking the technology assets of individuals, organisations and governments, stealing and selling valuable information, and in what is an alarming trend, paralysing critical infrastructure. With governments and enterprises increasingly leveraging the internet for missions, critical cyber security continues to remain a top imperative across the world.

Unfortunately, India Inc’s response to cyber risks has not been robust. India ranks third globally as a source of malicious activities and its enterprises are the sixth-most targeted by cybercriminals. Cyber resilience is a critical boardroom imperative. The key challenge for Indian companies is that most view cybersecurity as an “IT issue”.

Consequently, cyber risks do not get appropriate top management attention. This needs to change. The cyber threat landscape continues to evolve and presents new challenges to organisations every day. In response, organisations have learned over decades to defend themselves and respond better, moving from basic measures and ad hoc responses to sophisticated, robust and formal processes.

infograph1-copy_051917075355.jpgCriminals are increasingly attacking the technology assets of nations.

There are three high-level components of cyber resilience:

a. Sense: Sense is the ability of organisations to predict and detect cyber threats. This can be done by simply investing in cyber intelligence.

b. Resist: Resist mechanisms are basically the corporate shield to cyber attacks. It begins with assessing an organisation’s risk appetite.

c. React: If Sense fails (the organisation did not see the threat coming) and there is a breakdown in Resist (control measures were not strong enough), organisations need to be ready to deal with the disruption, ready with incident response capabilities and mechanisms to manage the crisis.

infograph2-copy_051917075514.jpgCriminals are increasingly attacking the technology assets of nations.

Significant progress has been made in taking measures to strengthen corporate shield. In the last two to three years, we have also seen organisations focus more on their Sense capabilities. Most organisations, however, are lagging behind in preparing their reaction to a breach. Focus on cyber risks, not only on cyber security. A recent EY survey said:

1. 75 per cent of responders said that their cybersecurity function did not fully meet their organisation’s needs.

2. More than half (61 per cent ) the responders said that their outdated information security controls or architecture were one of the biggest areas of vulnerability.

3. 54 per cent believe that cyber-attacks are primarily targeted at disrupting or defacing the organisation’s websites or other digital assets, while they also believe that theft of IP or data continues to be an important risk.

4. Surprisingly, only 58 per cent of the survey respondents from India fear that the next attack will be to their employees’ carelessness or complicity, compared with 78 per cent of global responders who consider this to be a likely source of attack.hack1-copy_051917080943.jpgThere are three high-level components of cyber resilience. [Photo: Geohack]

Finally, the question remains: where should organisations focus to better resist attacks we see today?

Activate your defences: The survey revealed that 35 per cent of responders have had a recent significant cybersecurity incident, which shows that there is still more work to be done to strengthen the corporate shield. Maturity levels are still low in many critical areas, and improving them would be a significant step forward for any organisation.

Take an unorthodox approach: In the face of today’s unpredictable and unprecedented cyber threats, a fail-safe approach can no longer be the only option. The new aim should be to design a system that is safe-to-fail. Future cybersecurity needs to be smarter as well as stronger, with a soft-resilience approach. This means that on sensing a threat, there are mechanisms that have been designed to absorb the attack, reduce its velocity and impact, and accept the possibility of partial system failure as a way to limit the damage.

From protection to sacrifice: Technologies today make it possible to sacrifice portions of information or operations in the interests of protecting the larger network. If configured correctly to the organisation’s risk appetite, this can be performed as an automated response.

The role of leadership: Executive leadership and support are critical for effective cyber resilience. Unlike Sense and traditional Resist activities, which can be seen as the domain of the CISO or CIO, cyber resilience requires senior executives to actively take part and lead the "React" phase.

The importance of reporting: According to the survey, 49 per cent say that those responsible for information security do not have a seat on the board. In this scenario, the board has to rely on reporting instead.

Based on this response, it may seem like boards are not fully informed of one of the greatest threats to their organisations. Anticipating, and now actively defending against, cyber attacks is the only way to be ahead of cyber criminals.

It’s not a matter of "if" you are going to suffer a cyber attack, it’s a matter of "when" — and it is most likely you already have.

Also read - Legion hacking group are no Anonymous - they look like cyber criminals

Writer

Nitin Bhatt Nitin Bhatt @dr_nitinbhatt

Nitin Bhatt is the National Head and Partner, EY Risk Advisory-India. He has over 20 years of global consulting experience in the areas of corporate governance, risk management and business performance improvement.

Comment