How the massive development of cybercrime leads corporations to re-evaluate the way they do business.
On October 21st, 2016 a massive cyberattack launched against the Internet provider Dyn(1) rendered thousands of domain names across the world inaccessible, preventing access to many large and small websites, including a number of major players such as Netflix, Airbnb, PayPal and Twitter. Even if it was not the first and will not be the last ‘denial of service’ attack(2), this date may be remembered as the black Friday of cybersecurity.
This episode is notable for both its scale and its sophistication: the attackers generated malicious traffic at the unprecedented volume of 665 gigabytes per second by mobilising tens of millions of connected devices, known as ‘zombies’ because they had been infected and were being remotely controlled as part of a botnet(3). Even though it represents only one form of cybercrime, this coordinated aggression sheds light on the risks that economic players are exposed to, and the difficulty they encounter in addressing them.
A rising form of criminality
The fast acceleration of digitalisation in all industries, and the fact that the Internet is the primary vector of communication for almost all data exchanges, have made vulnerable not only large companies, but also SMEs, associations and non-governmental organisations, as well as public administrations and, by extension, states themselves. Attacks can also target individuals singled out for their high profile or their opinions, such as the DDoS attack launched against the website of Brian Krebs, a cybersecurity blogger(4). Who are the culprits? There are many of them, and cybercrime encompasses a broad spectrum of motivations, including simple acts of robbery as well as political activism (hacktivism) or aggression sponsored — or even masterminded — by states. In this context, every weakness is potentially an opportunity for hackers to inflict considerable damage on a massive scale.
As an illustration, in October 2016 Liberia, a country connected to the rest of the world by only a single Internet cable, saw an attack on the companies managing this crucial infrastructure(5). Coordinated acts of aggression against a nation’s strategic objectives on behalf of another state, known as ‘cyberwarfare’, have led many countries to add this new front to their defence doctrine, following the example of the United States and its ‘US Army Cyber Command’(6). This situation has also led to the creation of metrics measuring a country’s maturity and proactivity in the fight against cybercrime, such as the Global Cybersecurity Index, sponsored by the International Telecommunication Union(7).
The explosion of cybercrime threatens, first and foremost, financial institutions. On February 4th, 2016, hackers used the access codes of Bangladesh’s central bank employees to send the Federal Reserve Bank of New York dozens of fund transfer orders to several bank accounts in the Philippines and in Sri Lanka through the international banking system SWIFT. Although these cyber-bank robbers managed to embezzle USD 81 million, ultimately withdrawn from the recipient accounts, their goal was far more ambitious: the remaining transfers, amounting to a whopping USD 850 million, were luckily frozen by the Federal Reserve Bank solely because of a typo in a recipient’s name(8). While the enormous amounts of money at stake made this an unparalleled episode, it is not a one-off incident at all, and it has led some public authorities to consider whether cyber risk is becoming a systemic risk for the entire banking system, with the potential to create another full-blown financial crisis(9).
A phenomenon that impacts all industries and all organisations
This attack against one of the cornerstones of the international banking system, albeit digital, is a relatively traditional case of embezzlement. Still, no organisation is insulated nowadays from the threat of cybercrime, given that data exchanges have become the driving force and the very engine of the world economy. Attacks targeting organisations like the IRS (Internal Revenue Service) of the federal government of the United States, or the UK flag carrier British Airways, have one thing in common: ‘(…) each possesses valuable consumer data such as names, addresses, credit card numbers, financial institution information, protected health information, and social security information(10).’ We could also mention other data such as IP addresses, browsing history and purchasing preferences. Virginia Rometty, IBM Corp.’s Chairman, President and CEO, describes this prevailing trend: ‘We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true —even inevitable— then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world(11).’
The cost of cyberattacks for businesses was estimated in 2013 at USD 100 billion, according to the Wall Street Journal. In 2015, the CEO of British insurance company Lloyd’s evaluated it at USD 400 billion(12). As surprising as it looks, this fourfold increase in two years was just the beginning: consultancy firm Juniper estimates that the cost for companies in 2019 will exceed USD 2 trillion(13). This might be a conservative assessment, as a significant part of cybercrime is not even detected, especially when it comes to industrial espionage, as noted by the World Economic Forum. Beyond direct financial losses, the consequences for corporations can be devastating, indirectly causing damage in at least three fields: reputation (endangering the confidence between the company and its stakeholders), existing partnerships, and legal liability.
The rapid growth of cloud computing is a key risk factor for cybersecurity, given the dependency it entails on the providers of such services, and the use of the Internet as the primary communication channel between providers and their clients. In addition, the development of the ‘Internet of Things’ (IoT) is a growing risk factor. With the ever-increasing exchange of data from device to device (M2M or machine-to-machine) and the poor level of built-in security for these devices, there is a corresponding increase in vulnerability to hijacking.
The previously mentioned attack against Dyn used a huge number of IoT devices with little or no protection. The democratisation of connected objects, used by individuals as well as businesses, is all the more significant as it is a deep-set trend in the digitalisation of the economy and society, representing a market estimated to be worth USD 11 trillion by 2025(14).
Lastly, the growing trend toward interconnection generates new issues: in a context of increased outsourcing, more and more companies are giving third parties access to their resources and data. It is precisely due to network credentials stolen from a third-party vendor that American retailer Target incurred a data breach that affected roughly 40 million customers, damaged the corporation’s reputation with shoppers, and cut into sales. This kind of incident calls for risk assessments and action plans extended to an entire business ecosystem, which represents a level of complexity much higher than the protection of one single company.
A wake-up call: cyber awareness as a primary objective
Concretely speaking, what can and what should companies do to protect themselves?
In light of the unprecedented scale of the phenomenon, the business community is fighting back, with priority given to raising awareness within corporations and society at large. Among the initiatives taken, the designation of October as ‘National Cyber Security Awareness Month’ in the United States(15) is one good example; the European Union followed with a similar programme(16).
Within companies, cybersecurity must be considered by executive boards as a strategic issue they must tackle, not merely a technical topic; data is so important that its protection is a business issue rather than an IT issue. Raising concern for the matter among employees is also a top priority: it is about creating and fostering a culture of ‘(…) cyber awareness where employees recognise and avoid risky situations and take action as instinctively as reaching for a seatbelt when they start a car’(17). This approach is all the more important given that 95% of security breaches result from human error. It is not about ticking boxes in a training session’s checklist; it is about empowering employees so that they can individually take up the issue and grasp its importance; developing knowledge about the risks to be aware of and the actions to be taken across the organisation; and finally, measuring and monitoring results. Transparency is also key: the more employees are informed about what happened during a security breach, the more likely they are to comply with existing controls and even suggest new types of controls(18).
In other words, it is permanent, long-term, user-centric action that must be instituted, aiming at making the organisation feel responsible, as a whole, for cybersecurity.
Defining an acceptable level of risk
Perhaps one of the greatest challenges is defining the level of risk a company is ready to live with. Risk assessment, the first measure to take for any organisation willing to implement a cybersecurity strategy, consists of identifying the vulnerabilities and allocating the corresponding resources to protect the data.
Instead of a strictly compliance-based mindset, a business-oriented approach must also be adopted; organisations should determine what data must be protected at all costs — which will always include confidential information about employees and clients as well as the company’s growth plans.
‘It’s important to really understand what you are actually protecting. It’s easy to assume that we are all protecting the same thing, but the truth is that protecting a hedge fund is different than protecting a health care organisation’ says Justin Berman, VP of Information Security at Flatiron Health(19).
Reinforcing defences, shifting resource allocation, ERM integration
A significant number of companies today remain insufficiently protected against cybercrime and ill-equipped to detect an attack. It takes ‘(…) about 256 days for [a company to identify] a malicious attack or 158 days for a breach caused by human error. The time gap allows enough time for the hacker to steal or manipulate data or infect it with a virus’(20). As a consequence of the growing sophistication and increasing number of attacks, it is common for corporations’ internal resources to get overwhelmed. ‘Quite often the IT people are confident that their security is sound and their risks are known. But that is often not the case’, Chris Hills, CEO of South African IT security firm Magix Security, indicates(21).
For the largest corporations, increased cyber risk necessarily involves an evolution of the organisation’s IT resources.
‘In a context of pressure on budgets, it is not about scaling up resources; the solution is to implement tools and processes that automate the detection of incidents, thus transferring value-added work to problem analysis’, Pierre Chakalov, director in charge of IT audit for the ‘Global Banking & Investor Solutions’ (GBIS) division at Société Générale in the Americas, explains(22). ‘It has a direct impact on recruitment, which must target more expert profiles. On the audit side, co-sourcing allows companies to follow the trend; this is what has been done with Mazars, which provided us with resources capable of understanding code and detecting interaction patterns between applications that could potentially harm security’.
Cyber risk is still underestimated by many companies and is not always integrated into their Enterprise Risk Management framework. The reason is simple: leaders do not always know how to integrate cybersecurity into the traditional structure of risk prevention. There is however a direct relationship between technological risks and business risks.
Fortunately, the appointment of a CISO (Chief Information Security Officer), independent from the IT teams and directly reporting to the executive board, is a path taken by a growing number of organisations.
The CISO’s role is to ensure that data content, technologies and all the company’s assets are adequately protected, and to advise the executive on risks.
Multi-national entities (MNEs): an added layer of complexity
For companies operating across several markets, the situation is tricky: every national regulator sets its own requirements, with a direct impact on the corporation’s security policy. ‘Making investments that are inconsistent across different operational areas could lead to a heterogeneous security level, introducing a weak link within the international organisation. It is therefore critical to adopt a consistent approach to security’, Chakalov asserts. ‘In many countries, it is a requirement to store data within your national borders. Yet, as soon as there are transnational transactions, companies must comply with the most restrictive laws, which can be troublesome, notably regarding the organisation of internal IT resources’, Chris Hills underlines.
This seemingly chaotic regulatory landscape for cybersecurity, with some cutting-edge countries leading the charge while others tend to lag behind, may nonetheless be seen as an opportunity for MNEs, provided that expert knowledge is available: ‘As an advisory and audit firm operating in about 80 countries, Mazars gets ahead of its clients’ needs. We go well beyond compliance as required in a given country, and get inspiration from the best practices that exist in other regulation areas’, Olivier Lenel, head of Consulting at Mazars in France, highlights. ‘To achieve that, it is essential to have an international team of high-calibre experts working together with a common methodology’.
The unexpected benefits of the fight for cybersecurity
While the stakes of cybersecurity are of critical importance, the changes it triggers within organisations may have some more positive impacts. Research carried out by The Economist and sponsored by Mazars points out that 76% of financial services companies use data analysis and cybersecurity technologies to actually improve their ethical standards well beyond applicable regulations(23). Taking positive steps like these ahead of the competition can only strengthen a company’s reliability, reputation and brand.
(1) Dyn Statement on 10/21/2016 DDoS Attack. http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html
(2) ‘In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. The most common and obvious type of DoS attack occurs when an attacker ‘floods’ a network with information. [A] server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can’t process [all requests].’ Department of Homeland Security, US-CERT: ‘Understanding Denial-of-Service Attacks’. https://www.us-cert.gov/ncas/tips/ST04-015
(3) ‘Botnet’ refers to a given network of malware-infected ‘zombie’ devices.
(4) http://www.theregister.co.uk/2016/09/26/brian_krebs_site_ddos_was_powered_by_hacked_internet_of_things_botnet/
(5) https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#
(8) https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
(9) This analysis is however questioned by two London School of Economics experts: https://www.weforum.org/agenda/2016/06/could-a-cyber-attack-cause-a-financial-crisis
(10) Scott M. Higgins, Moises Brito. ‘Data Breaches, Cybersecurity, and the New Normal’. Cyber Defense Magazine, September 2015, p. 18.
(11) Forbes, 24/11/2015. ‘IBM’s CEO On Hackers: ‘Cyber Crime Is The Greatest Threat To Every Company In The World’’. http://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/#2512a7f43548
(12) Fortune, 23/01/2015. ‘Lloyd’s CEO: Cyber attacks cost companies $400 billion every year’. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/
(13) https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
(14) McKinsey. ‘Unlocking the potential of the Internet of Things’. http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/the-internet-of-things-the-value-of-digitizing-the-physical-world
(15) National Cybersecurity Alliance, ‘National Cyber Security Awareness Month’. https://staysafeonline.org/ncsam/
(17) Peter Schablick, Scott M. Higgins. ‘The People Factor in Cyber Breach: Three Key Elements for Building an Effective Human Firewall.’ http://www.weisermazars.com/uploads/src/uploads/The%20People%20Factor%20in%20Cyber%20Breach.pdf
(18) Scott M. Higgins, Moises Brito, op. cit.
(19) Scott M. Higgins, Moises Brito, op. cit.
(20) https://www.fastcompany.com/3064490/growth-notes/the-people-factor-in-cyber-breach
(21) Interview conducted in October 2016.
(22) Interview conducted in September 2016.
(23) Digital Finance: Meeting Ethics & Compliance Challenges in Financial Services – Global Report. http://www.mazars.com/digitalfinancereport