BUSINESS TODAY, page 38
In an unprecedented move, the heads of GCHQ and MI5 recently wrote to the chairmen of Britain's 350 largest companies, calling for their backing to carry out a cyber governance health check. It follows growing concerns over the rise in cybercrime, with the UK Home Affairs Select Committee warning the threat is greater than that posed by nuclear war.
Cybercrime knows no boundaries and every business, irrespective of size, is a potential target. A further dimension is also emerging with the recognition that weak links may exist in an organisation's wider ecosystem, for example through suppliers or external advisers.
While there is no fool-proof way to prevent a cyber attack, businesses can take steps to build greater resilience. First among these is one that sounds elementary, although in reality often turns out to be quite complicated: conduct an audit of the IT and physical security system. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure.
The team will be looking to understand the company's threat profile and any vulnerabilities. In addition to ensuring that firewalls and other security measures are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether this can be segmented or further removed from the rest of the IT system.
As with physical security, the best preparation cannot prevent all attacks. For this reason, preparing a response strategy in case of an attack is an essential part of risk and contingency planning strategies. This must include a specific plan to ensure that valuable time is not lost as the organisation decides who is in charge of the response efforts. Businesses should determine in advance of an incident what the chain of command will be for the incident response team. A specific executive should be nominated to lead the internal response team, and the organisation must designate in advance its external lawyers and IT consultants. This will ensure that the organisation is ready to respond at the first signs of an incident.
Whether law enforcement can play any meaningful role in the aftermath of a hacking incident is often dictated by the type of incident involved. Where employees or former employees with a grudge are involved, a range of civil enforcement options may be available. In contrast, hackings co-ordinated by outsiders present a much steeper challenge. Unlike most crimes, there is typically no physical link between an outside hacker and his victim. Indeed, the hacker could be thousands of miles away and completely unknown to the victim.
Even if law enforcement could determine the scope of the incident for the corporate victim, there are serious downsides to letting the government lead the investigation. To conduct a thorough investigation, forensic experts must secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that may require unlimited access to secret corporate data and restricted networks, something most companies may not want to grant to the authorities.
Faced with evidence of a successful hacking, most companies conduct a private investigation before notifying law enforcement.
Three factors typically drive this decision:
1) Sophisticated computer hackers typically do not advertise their presence and initial evidence of a breach may be confusing or hard to interpret.
2) Hackers rarely leave a detailed list of what they stole and only painstaking reconstruction of a hacker's activities through sophisticated computer forensics can determine if regulators or individuals need to be notified about the breach.
3) It is much easier to control the public relations and communications strategy if the company knows the extent of the problem before it is made public. By handing the investigation over to the police, the company would lose control over the timing and content of any public notification. This could prove a public relations disaster, especially since the public often blames the corporate victim for failing to prevent the incident, regardless of the facts.
Hacking is one of the greatest business and technology threats of the digital age. It is constantly evolving, claiming ever more victims. Failure to prepare is simply no longer an option. Senior management and corporate boards must make a clear commitment to tackle such risks, and must create a strong culture of vigilance and preparedness.
CYBERSECURITY
PREPARATION KEY TO FIGHTING CYBERCRIME
SETH BERMAN of Stroz Friedberg explores the challenges facing senior managers in tackling cybercrime risks and offers some practical advice on how to establish a robust response strategy
Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company
This article first appeared in Business Today, Issue 14, 2013. www.ukbusiness-today.co.uk