Wednesday, May 21, 2014

Europe’s View on Cyber Security: “It’s not a concern!!”

After 8 months of meetings, presentations, practicums, conferences and you name it on cyber or information security, I think I have figured out the mindset of UK and European corporations towards it. It’s just not a concern warranting any action. It’s that simple!
This is supported by a recent BT poll that said only 17% of corporations interviewed listed cyber security as a priority.
Don’t get me wrong, people are interested. Every speaking engagement or practicum we host is a packed house, and some participants even call back to say how much fun the real-world practicum was to attend. "A lot like those murder-mystery dinner parties where one of the guests is killed and you have to find the killer. Those things never happen for real and neither do the cyber-attacks we just experienced."
Despite daily media reports about information theft or cyber-enabled crime, like the hacking of the Port of Antwerp by drug dealers, fake repairmen putting keystroke loggers on Barclays computers or even News of the World hacking cell phones and emails for stories, companies just don’t seem to care.
I’m guessing many are thinking this cyber-thing is just a fad and it’s no real threat and it will go away.
Maybe it’s because they don’t want to take lessons from the U.S. Over 800 million customer records and pieces of proprietary data were stolen from companies in the US in 2014. But that will never happen in the UK or Europe, right? (Yet 93% of UK companies suffered a cyber attack in 2013.)
It’s the US and they have the NSA who hacks everyone according to the media. We can’t trust them. But, maybe “hack” is too strong a word. If companies in the UK and Europe are not doing anything to secure themselves then is it really hacking? It seems it’s more like online window shopping, if you can “surf” by a company and see that its data is easily readable, aren’t you going to read it? German PM Angela Merkel is talking with the French about building a cyber-wall around the EU to stop the window shopping from the US but that just means those within the EU wall can look in on rival companies, right?
Better yet, the reason it is not a concern is because the general public doesn’t care. If a breach occurs and financial data is stolen, the public doesn’t care because the banks will make them whole again. There’s no impact to the consumer, except for higher bank fees and lower interest rates on savings. Oh, you didn’t realize the banks weren’t eating that loss, that they were actually pushing it back on to consumers and corporate banking clients? Also, last I checked, the general public is not aware of all the corporate hacking going on because companies don’t have to disclose cyber-attacks.
In the US, as well as other places, corporations who have suffered cyber-attacks are legally obligated to report it to the Securities and Exchange Commission, and if the attack involves consumer data, they actually have to tell each consumer. There are also hefty fines from the Payment Card Industry (Visa, MasterCard, Amex, etc.) and the company can be sued. That’s not the case in the UK or Europe, well not yet. The EU has drafted a directive to address this with penalties of up to 5% of the company’s annual worldwide revenue. It is scheduled to be enacted in 2015.
But there is no rule yet and maybe some are thinking by the time the EU regulation passes they’ll be at another firm or retired or I don’t know, we’ll just wait and see.
Even better, maybe someone will buy the firm and then it’s their concern. Investors never conduct cyber security audits on acquisitions. It’s all about the finances and management. When’s the last time an investment firm asked a question about data protection or who has access to the company’s intellectual property? It just doesn’t happen.
Well, that waiting and seeing or hoping for a sale might just equal bankruptcy or criminal charges, but let’s wait anyway.
A more likely reason for this lack of caring is actually a lack of understanding. Most CISOs and those charged with information security get that this is an issue, but management above them doesn’t. And of course you can’t admit that you don’t understand the issue. Instead we’ll just buy new equipment to watch that one port; heck, there are only 65,000 ports to computer systems, I’ll buy equipment for each. So what if the equipment doesn’t talk to each other or no one understands the alerts that are being sent? The hardware/software sales guy said this is what I need to stop x, y and/or z type attacks. So what if every one of those “agents” is slowing down my processing power to less than 60%? Buying tech and building walls is being proactive, right?
All this talk about identifying core data to be protected, auditing access controls, monitoring network traffic or creating a full and up-to-date network map is just hogwash. Proactive annual reviews of policies and procedures, building a dedicated InfoSec team separate from IT, educating users on cyber-based threats in both their personal and professional lives: pointless, right?
We’ll do all that when we get attacked, assuming we know when we have been attacked. Those statistics by Symantec or McAfee saying it takes over a year for companies to become aware of an attack, or that 75% of attack victims are notified by third parties and have no clue they were breached, again, it’s just poppycock. No one should believe that junk.
Clearly I am being sarcastic, but it is very difficult to help firms to understand their risks and to provide relatively easy and cost effective solutions to help minimize the threat only to be told “we’ll see.”
The UK and Europe are 3-5 years behind the US in the understanding of the threats, and the cyber underground has taken notice. They know that information security is not deemed a concern. They know that most corporate management is low-hanging fruit ripe for the picking, and they (the cyber criminals) are making a mint. In fact, they know that, just like in the US, most firms only seek to sweep attacks under the rug rather than chase down those responsible. Thus, for the bad guys, there is no downside to hacking ABC Company. They will never go after them.
UK and European companies simply have no impetus to address the issue. If the flaws in their computer systems were replicated as flaws in their products, recalls would be required and many would go out of business. But that doesn’t happen because hacking is a romanticized intangible we see on TV and the movies. It doesn’t really impact us. The US had the same mentality until the DPI hack lost 40 million cards in 2003, the US Congress demanded the payment card industry fix it and new rules were put in place.
That same type of regulation is coming to the EU and when it does, if firms haven’t proactively prepared, when the breach happens the cost to investigate and mitigate will be double or triple the cost for proactive fixes.
Do you know where your proprietary data is stored, which systems, which countries, who has access to it and when it was last accessed? When an incident occurs, who is in charge, who makes the decisions and who reports your findings to the board? Will the answers be a made-up best guess, like 86% of other companies per the AccessData survey of over 1000 US, EU and UK companies?
Good thing for me and those in the InfoSec field, the lack of concern now will be a freak out fest in the very near future and the work will come rolling in. Unfortunately we can’t get to everyone at the time of attack and thus casualties will occur, primarily for those that “wait and see” or “aren’t concerned.”

Are You Working for a Hacker?

Throughout history people have sought the help of advisors. Lawyers, accountants, wealth managers and consultants all have a key role to play as experts in their field to help guide their clients through the murky waters before them. Yet, the very people called on for assistance could also pose the greatest business risk.
Cyber criminals love advisors, not because they guide them through legal issues or help them hide their ill-gotten gains, but because of all of the cyber criminal’s potential targets, advisors present the best value for money.

The psychology of a Cybercriminal
Cyber-based crime has different motivators, different methodologies and different targets. Whilst the media likes to use the word Cybercrime for every computer-based attack, the term Cybercrime is really about profit-motivated attacks. Cyber Espionage, Cyber Warfare and Cyber Activism have different motives and thus different targets.

Cyber criminals are financially motivated fraudsters who use the Internet to access data and facilitate their main objective: to make a profit. 

Although cyber criminals may view themselves as smart business people who “work smarter not harder”, the reality is that cyber criminals are lazy.

As personal cyber security systems have become more robust and user friendly, it has become harder for financially motivated hackers (FMHs) to collect the data they need. Targeting one individual at a time, breaking through each unique security system and then committing a fraud on that one target with no guarantee of success is not a good return on investment or time.

FMHs like volumes of data from which they can attempt mass fraud schemes, tweaking each attempt as they launch to ensure the highest level of success.

As well as holding large volumes of data, the ideal target will also have limited cyber security, system users who demand full access with little awareness of data protection, and IT support staff who are just that, “support” rather than security focused.

Such a target exists and it is called the professional services firm. FMHs target lawyers, accountants, consultants and wealth managers, amongst others, because each has all that is required to facilitate a fraud: volumes of data, often stored in an organised manner with little protection.

Professional Services: The perfect target
By gaining access to a lawyer’s email accounts, not only can the hacker read about upcoming transactions or litigation, but they can also impersonate the victim’s lawyer or gain enough personal data to effect wire transfers, property sell-offs or any other manipulation available to them. The same can be said about the accounts of wealth managers or accountants.

Such attacks are not sophisticated hacks. Most involve a simple password collection made when the adviser logs onto a free Wi-Fi spot or clicks on a link in a spear-phishing email that “requires” or automates a software download before viewing a file or a video that has gone viral.

Spear-phishing emails are tailor-made for a specific person or professional group, with the focus on getting that person or group to click a link and install hidden malware. Professional services advisors are profiled by the attackers utilizing social media, standard media, client inquiries and public records to determine their likelihood of having access to the data required by the cyber criminals.

That profile is used to tweak the attack and then launch it. Ever wonder why you get so much spam or why you have so many new Facebook, LinkedIn or Twitter followers? Even friendly emails with sugar-coated offers to win an iPad if you click a link and fill in your details could pose a risk.

Complacent thinking
Cyber criminals rely on complacent thinking: the belief that if your email were compromised, you would notice emails being sent and received by someone other than yourself. Unfortunately, once a hacker has access to your email account they can set up filters to forward certain mail messages away from your inbox to other folders, or even to reply and then delete them before you see them.
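The defensive check the paragraph above implies, written here as an added example that is not part of the original post: an audit of a mailbox's rules that flags the forwarding, hiding and auto-delete patterns just described. The rule fields, folder names, domain list and sample rules are constructed assumptions, not any mail provider's real API or data.

```python
"""Audit mailbox rules for the forward / hide / delete pattern (added example).

The MailRule fields, the suspect folder list and SAMPLE_RULES are constructed
for illustration; they do not mirror any specific mail provider's rule format.
"""
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAINS = {"examplefirm.com"}  # assumption: the firm's own mail domains

# Folders a user rarely opens, so mail moved there is effectively hidden.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk", "deleted items", "archive"}
# Filter terms that suggest the rule targets money movement or credentials.
SUSPECT_KEYWORDS = {"invoice", "wire", "transfer", "payment", "password", "bank"}


@dataclass
class MailRule:
    name: str
    forward_to: List[str] = field(default_factory=list)  # forwarding targets
    move_to: Optional[str] = None                         # destination folder
    delete: bool = False                                  # delete after match
    mark_read: bool = False                               # mark read (hides the unread hint)
    keywords: List[str] = field(default_factory=list)     # subject/body terms the rule matches


def audit_rule(rule: MailRule, internal=INTERNAL_DOMAINS) -> List[str]:
    """Return human-readable findings for one rule; an empty list means clean."""
    findings = []
    for addr in rule.forward_to:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal:
            findings.append(f"forwards to external address {addr}")
    if rule.move_to and rule.move_to.lower() in SUSPECT_FOLDERS:
        findings.append(f"moves mail into rarely viewed folder '{rule.move_to}'")
    if rule.delete:
        findings.append("deletes matching mail")
    if rule.mark_read and (rule.move_to or rule.delete):
        findings.append("marks mail read before hiding it")
    hits = sorted(k for k in rule.keywords if k.lower() in SUSPECT_KEYWORDS)
    if hits and findings:  # keyword filtering only matters alongside a hiding action
        findings.append(f"filters on financial/credential terms: {hits}")
    return findings


def audit_rules(rules: List[MailRule]) -> dict:
    """Map rule name -> findings for every rule that raised at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample: one benign rule and two in the style the text describes.
SAMPLE_RULES = [
    MailRule("Client newsletters", move_to="Newsletters", keywords=["newsletter"]),
    MailRule(".", forward_to=["backup.mailbox@example.net"], delete=True,
             keywords=["wire", "invoice"]),
    MailRule("Sync", move_to="RSS Feeds", mark_read=True, keywords=["password"]),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(findings))
```

A single-character rule name like "." is itself worth a second look: it is a common way to make a rule blend into the list.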

Even in the rare cases where the fraud is discovered and halted in time, the cyber criminals will already have stolen your information and can use it against you in a future attack or to make a profit. The financial value of confidential data should not be underestimated. If it is sensitive, it is likely that there will be someone willing to pay to obtain it.

Protecting yourself from working for a hacker
The reality of the risk posed becomes visible when two key questions are considered: if you discover a compromise on your system, do you have any way of knowing what was viewed, modified or taken? What would be the impact to your business if it became public that client data was stolen and potentially misused?

In the past year Kroll has been engaged on more than 25 such matters for large professional services firms. The message behind this trend is clear: why attack on a one-on-one basis when a single targeted attack can get you 1000 or more?

The damage to firms in the professional services sector is equally multiplied. Success in the sector relies on trust and the belief that client information will be protected.

The assumption is often made that there is nothing of value that cybercriminals could want, and therefore it is not a concern. The truth is that cybercriminals do not discriminate: they want a lot of data, some of which may seem irrelevant to others. A personal credit card number is just a small piece.

Businesses need to understand what data they hold, why it is important or attractive to cybercriminals, how it is protected and who has access to it. A proactive understanding of the threats leads to proactive mitigation.

The next time you are “inconveniently” forced to change your password due to some internal policy, understand that this, as well as other requirements, could be the difference between money in your hands and money in the cyber criminals’ hands; it could be the difference between working for your client and working for a hacker.