The New Cyber Menace - And How to Keep Your Business Safe

By: Khoong Chan Meng, Chief, Strategic IT Management and Angela Huang, Teaching Staff, IT Governance and Risk Management Practice, NUS-ISS

The cyber threat landscape is changing. And with it, businesses of all industries and sizes need to be prepared. Angela Huang and Khoong Chan Meng of NUS-ISS highlight significant security trends, and ways you can transform passive defence into intelligent safeguards.  

In December 2013, US retailer Target suffered an astonishing data breach. In its busiest holiday season, 40 million credit and debit card details were stolen via malicious software embedded in point-of-sale devices at stores across the nation. As a costly investigation ensues, Target is left with lawsuits, sagging sales and greatly diminished customer confidence. 

The experience of Target reflects the evolving threat landscape, and its widening impact on businesses. You don’t have to run a bank – as long as your business is connected and digitally reliant, your organisation can be a target. At the same time, you may find your IT security architecture challenged by a combination of forces: as workforces become increasingly mobile and endpoints proliferate, cyber-threats are growing more sophisticated and more capable of swiftly infiltrating defenses.

Some significant security trends that are expected to affect businesses include:

  • Social engineering. In 2012, the head of information security at a US government agency fell prey to a birthday email sent by a penetration testing team. The email was spoofed to look like it came from an attractive, albeit non-existent, employee. With one click on a malicious link, his computer was compromised, giving the team access to key assets and data. It is but one example of social engineering, a non-technical attack that manipulates people into divulging company data. Attackers often build false relationships over social networks, which give them opportunities to gain information about a company. Chris Betz, a senior director at the Microsoft Security Response Centre, notes that as enterprises move off legacy systems, businesses will see cybercriminals increase the use of social engineering and weak passwords to access data.
  • Advanced Persistent Threats (APTs). An uninvited guest breaks into your company’s systems – often via social engineering – to deliver targeted malware that infects systems and retrieves data under the radar. The penetrator may be part of a highly skilled and well-equipped organisation pursuing a specific agenda of harm against your company. The Sophos Security Threat Report 2014 notes that APT attacks in 2013 were well-planned, well-funded, and highly professional. Defending against technologically advanced adversaries is thus a complex undertaking that requires a coordinated approach across both systems and network, along with a workforce-wide commitment to security.
  • Mobile security. According to Flurry Analytics, mobile-app use increased 115% in 2013. And along with the rising adoption of Bring Your Own Device practices in Asia Pacific workplaces, the attack surface via mobile devices will only widen. A user who unknowingly downloads a malicious mobile app, for example, can quickly and easily transfer the threats to company servers. McAfee Labs researchers predict mobile device attacks will dominate security threats in 2014, noting that new mobile malware has popped up at a faster rate than malware targeting PCs. 
  • Hacktivism. The Sochi Winter Olympics will begin under the dark cloud of “cyber war”, with sponsors of the Games facing heightened risk from hackers. Hacktivism – the act of hacking to fulfill politically motivated purposes – is expected to gain even more traction in 2014.

The takeaway from this list is that businesses of all industries and sizes need to invest in IT security. Building defences is no longer a passive exercise in installing traditional cyber security products like firewalls and software; companies will need to actively develop an intelligent action plan, deploy advanced security technologies, and support its execution with a well-trained IT team. The basic framework of a pre-emptive plan of action would include: 

  • Developing a security policy that identifies the “crown jewels”. Identify critical assets and threats to key assets, evaluate the risks and implement appropriate controls to protect them.
  • An incident response and recovery plan that ensures continuity and minimises loss in the event of an attack. Assemble a core Computer Security Incident Response Team (CSIRT) and define an incident response plan that contains the damage. Adopt a Business Continuity Plan by conducting a Business Impact Analysis (BIA) that helps you select an appropriate recovery strategy.
  • Putting your own defences to the test. Test your cyber defences and recovery plan on a regular basis, to draw out weaknesses and strengthen response confidence.   
  • Inculcating cyber security awareness and mindsets. Invest in training all levels of employees to increase awareness, diligence, and shared responsibility. Just as human behavior can be the weakest link in cyber defence, fostering an organisational culture of cyber safety and security is the best insurance against all threats.

Security breaches have the potential to disrupt operations, cause damage to the bottom line, and harm stakeholder confidence. The ability to implement appropriate security controls while aligning them with business objectives is more critical than ever. To this end, NUS-ISS assists businesses with courses that provide Infocomm professionals with a rigorous understanding of security needs, from information security governance, to business continuity management and systems security. Courses are accredited under the National Infocomm Competency Framework (NICF) – a joint development by the Infocomm Development Authority (IDA), Singapore Workforce Development Agency (WDA), and industry experts. 

To find out more about NUS-ISS and relevant courses on IT security, visit

Article by Khoong Chan Meng, Chief, Strategic IT Management and Angela Huang, Teaching Staff, IT Governance and Risk Management Practice, NUS Institute of Systems Science (NUS-ISS)