Part 2 Cybercrime

    38 BUSINESSTODAY

    In an unprecedented move, the heads of GCHQ and MI5 recently wrote to the chairmen of Britain's 350 largest companies, calling for their backing to carry out a cyber governance health check. It follows growing concerns over the rise in cybercrime, with the UK Home Affairs Select Committee warning the threat is greater than that posed by nuclear war.

    Cybercrime knows no boundaries and every business, irrespective of size, is a potential target. A further dimension is also emerging with the recognition that weak links may exist in an organisation's wider ecosystem, for example through suppliers or external advisers.

    While there is no fool-proof way to prevent a cyber attack, businesses can take steps to build greater resilience. First among these is one that sounds elementary, although in reality often turns out to be quite complicated: conduct an audit of the IT and physical security system. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure.

    The team will be looking to understand the company's threat profile and any vulnerabilities. In addition to ensuring that firewalls and other security measures are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether this can be segmented or further removed from the rest of the IT system.

    As with physical security, the best preparation cannot prevent all attacks. For this reason, preparing a response strategy in case of an attack is an essential part of risk and contingency planning strategies. This must include a specific plan to ensure that valuable time is not lost as the organisation decides who is in charge of the response efforts. Businesses should determine in advance of an incident what the chain of command will be for the incident response team. A specific executive should be nominated to lead the internal response team, and the organisation must designate in advance its external lawyers and IT consultants. This will ensure that the organisation is ready to respond at the first signs of an incident.

    Whether law enforcement can play any meaningful role in the aftermath of a hacking incident is often dictated by the type of incident involved. Where employees or former employees with a grudge are involved, a range of civil enforcement options may be available. In contrast, hackings co-ordinated by outsiders present a much steeper challenge. Unlike most crimes, there is typically no physical link between an outside hacker and his victim. Indeed, the hacker could be thousands of miles away and completely unknown to the victim.

    Even if law enforcement could determine the scope of the incident for the corporate victim, there are serious downsides to letting the government lead the investigation. To conduct a thorough investigation, forensic experts must secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that may require unlimited access to secret corporate data and restricted networks, something most companies may not want to grant to the authorities.

    Faced with evidence of a successful hacking, most companies conduct a private investigation before notifying law enforcement.

    Three factors typically drive this decision:

    1) Sophisticated computer hackers typically do not advertise their presence and initial evidence of a breach may be confusing or hard to interpret.

    2) Hackers rarely leave a detailed list of what they stole and only painstaking reconstruction of a hacker's activities through sophisticated computer forensics can determine if regulators or individuals need to be notified about the breach.

    3) It is much easier to control the public relations and communications strategy if the company knows the extent of the problem before it is made public. By handing the investigation over to the police, the company would lose control over the timing and content of any public notification. This could prove a public relations disaster, especially since the public often blames the corporate victim for failing to prevent the incident, regardless of the facts.

    Hacking is one of the greatest business and technology threats of the digital age. It is constantly evolving, claiming ever more victims. Failure to prepare is simply no longer an option. Senior management and corporate boards must make a clear commitment to tackle such risks, and must create a strong culture of vigilance and preparedness.

    CYBERSECURITY

    PREPARATION KEY TO FIGHTING CYBERCRIME

    SETH BERMAN of Stroz Friedberg explores the challenges facing senior managers in tackling cybercrime risks and offers some practical advice on how to establish a robust response strategy

    Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company

    This article first appeared in Business Today, Issue 14, 2013. www.ukbusiness-today.co.uk