18 June 2015

The Fifth Frontier: Cyberspace

17-Jun-2015

In recent times, a fifth domain, cyberspace, has emerged in addition to the four traditional war domains: land, sea, air and space.

Remember Captain Kirk talking about “Space, the final frontier”? To explore strange new worlds and boldly go where no man has gone before. As we arrive at new vistas of technological advancement, the power of cyberspace seems limitless. Its sovereignty, however, is under constant threat. Different technologies are being introduced every day, often outpacing the ability to properly assess associated risks.

Cyberspace reckons the emergence of war in the fifth domain

In recent times, a fifth domain, cyberspace, has emerged in addition to the four traditional war domains: land, sea, air and space. Compared to earlier times, when the scope of war strategies was restricted by borders, cyberspace wars transcend borders into the virtual world, and the consequences are just as devastating and real. In fact, they could be catastrophic: malicious software bringing down military e-mail systems; security breaches in oil refineries and pipelines leading to explosions; cyber-attacks on power grid servers resulting in widespread black-outs. The World Economic Forum predicts a 10 percent chance of a major infrastructure breakdown in the near future, which may cause damage to the global economy amounting to USD 250 billion[1].

Cybersecurity is becoming a board-level concern

Organizations have become easy targets of different forms of attack, since they have been increasingly relying on digitized information and sharing vast amounts of data across the globe. As a result, every company’s day-to-day operations, data and intellectual property are at serious risk. In a corporate context, a cyber-attack can not only damage the brand and reputation of the company, it can also result in loss of competitive advantage, create legal/regulatory non-compliance and cause significant financial damage.

Various recent events illustrate the adverse outcomes of cyber-attacks and security breaches. In November 2014, a large media company reported a major cyber-attack in which social-security numbers of 47,000 of its current and former employees were leaked; sensitive financial information such as salaries was published and copies of several yet-to-be-released films were distributed online. Some well-known financial and e-commerce companies have also suffered major data breaches. Earlier, in 2013, a hoax post brought a major financial index down by 1 percent within 7 minutes, destroying billions of dollars in value.

The evolving threat landscape calls for a strategy overhaul

As the level of persistence and sophistication of cyber threats increases, it is becoming difficult to predict the nature of threats that will emerge in the next five or 10 years. The only sure way to counter the threat is to align the organization’s cyber security strategy with its business strategy.

With 17 editions published so far, EY’s Global Information Security Survey (GISS) [2] is one of the longest-running and highly valued surveys of its kind. EY’s GISS outlines the “Activate-Adapt-Anticipate” approach to streamline the cyber security journey for organizations across the globe. Some of the key findings of the survey are highlighted below:

► Cybersecurity strategy should be led from the top. Currently, cybersecurity strategy and execution are primarily seen as an IT responsibility. The survey indicates that nearly 80 percent of CIOs have the Information Security function reporting directly to them, compared with just 14 percent reporting directly to the CEO. Organizations need to involve senior leadership in cybersecurity. Lack of executive buy-in opens the doors to mistakes and cyber criminals.

► The first step is to build a solid foundation of cybersecurity. Organizations are making progress on building the foundations of cybersecurity, and this progress is important; however, most respondents report having only a “moderate” level of maturity in their foundations. Across almost every cybersecurity process, between 35 percent and 45 percent of respondents rated themselves “still a lot to improve.”

► A mix of preventive and detective technologies is a must to combat cyber-attacks. According to the survey, 57 percent of respondents think that employees are the most likely source of an attack; 53 percent point to criminal syndicates; 46 percent point to hacktivists; and 35 percent think external contractors working onsite are the most likely source of an attack. Designing a well-defined and automated Identity and Access Management (IAM) program can help organizations prevent and detect cyber-attacks.

► Lack of cybersecurity skills is an important roadblock. While the need for specialists deepens, the lack of specialists is a constant and growing issue. There is also a need to build skills in non-technical disciplines to integrate cybersecurity into the core business. According to the survey, 53 percent of organizations state that lack of skilled resources is one of the main obstacles that challenge their information security.

► Potential cost of a cyber-attack can be fatal. Many organizations view the costs of cybersecurity as considerable. They underestimate the potential cost of a cyber-attack. Nearly 65 percent of respondents cited budget constraints as their number one obstacle to delivering value. Organizations must understand they are under daily attack, the attackers show no signs of giving up, and they are getting smarter and more targeted. The next breach could be fatal.

Winning the cyberwar can be an exciting journey

Cyberspace is a challenging technological sphere ready for war and each organization will need to attack to defend itself better. To do this means shedding the “victim” mindset of operating in a perpetual state of uncertainty (and anxiety) about unknown cyber threats. Today’s attackers have significant funding, are patient and sophisticated, and target vulnerabilities in people, process and technology. To be able to conquer the cyberwar, companies need to build awareness and advanced capabilities, develop a compelling strategy and install cybersecurity components throughout the business. Therefore, anticipating cyber-attacks is the only way to be ahead of cyber criminals.

Talking of war, do we remember the latest James Bond movie? A breach of MI6 servers, electronic trails and taunting messages via computers formed the crux of the movie. It is perhaps established that, in general, security is considered boring; films are not made on security but on cyber-threats, attacks and frauds, which normally excite us. Stay tuned for the next edition of this series, where I discuss the inextricable link between action movies and cyber security.

About the author:

Burgess Cooper is a Partner in the Advisory Services team, with a focus on Information & Cyber Security, at EY India. He has over 18 years of industry experience.
