Think Like a Hacker: The Key to Confronting Cyberrisk

  • By Richard Hartung
  • Published: 8/13/2015
Even as cyberattacks in Asia continue to increase, businesses often ignore the risk—at their peril. At a recent cybersecurity event in Singapore, experts shared their insights on how corporate leaders can protect themselves from the threat.

Issues in Singapore

As Singapore pushes forward with smart technology, it has been lagging in terms of security. “Any new advance in technology has not been designed with security in mind,” noted Jacqueline Poh, managing director with the Infocomm Development Authority of Singapore. “It’s not as if your fridge will encrypt everything.”

Further complicating matters is the fact that 47 percent of large organizations in Singapore already have infected mobile devices in their networks and they are continuing to find more malware, Poh explained. There are also new vectors of attack, ranging from financial fraud on credit cards to corporate espionage.

The rising risk of attacks may lead to cybersecurity costs increasing 38 percent year-on-year for the next 10 years, Poh continued. Meanwhile the costs for attackers have been falling. Spammers can send 1 million emails for $70, custom malware costs as little as $12 and distributed denial of service (DDoS) attacks cost as little as $2.99 per month. One recent threat in Singapore has been a flood of ransomware attacks. “They threaten to DDoS you unless you pay,” she said.

But despite the increase in threats, CEOs in Singapore do not appear to be taking cybersecurity seriously. “Only 21 percent of organizations have chief security officers (CSOs),” Poh said. “In Singapore, no CEO has lost his job as a result of a cyberattack. When one does, the attitude will change rapidly.”  

Additionally, small and medium-sized enterprises (SMEs) typically don’t see the criticality of the issue. “They’re concerned about cash flow,” Poh said. “A cyberbreach is not high on the list of priorities.” She related how a flower shop in Korea even started a DDoS attack against its competitor in order to sell more roses. Cybersecurity is crucial for SMEs, especially as they go into ecommerce.

Understanding hackers

Poh noted that hackers who target large organizations have now gone corporate themselves. “There is a parallel boardroom of people with cybersecurity expertise,” she said. “They look at reward, effort and likelihood of success. They have a 67 percent chance of exfiltration of corporate data once they get started.”

What companies need to do is to determine who the likely attacker actually is and what to do to prevent a successful attack. “Once the hacker thinks it’s too much effort, they won’t bother. It’s about changing the ROI,” Poh said.

A good protection strategy is to “think like a hacker,” Poh opined. “Why would someone launch an attack? What is he trying to disrupt?” After a spate of point-of-sale attacks to steal credit card numbers dropped the price per card from $20 to 50 cents, for example, hackers moved to more profitable businesses such as healthcare.   

Forming a strategy

The first step companies need to take is protecting data, even though it is not easy. CEOs need to get involved, together with CIOs, CFOs and treasurers, to determine what is feasible. Companies are increasingly developing anti-exfiltration systems, for example, to prevent sensitive data from getting out.

Companies then need to establish ways of detecting attacks and responding to them. While businesses are spending most of that 38 percent increase on detection systems, Poh believes they will fail if they simply continue existing processes.

Finally, corporates need to share information. Though the traditional orthodoxy for businesses is not to talk about attacks, doing so can help them get a better picture of the threats and protect themselves.        

“Risk management strategy is clearly the key,” she concluded. “Every board should have cybersecurity as part of their process.”

Using foresight

Adding to Poh’s insights, Janson Yap, managing partner for enterprise risk with Deloitte, said that the concept of cybersecurity remains vague and only 6 percent of breaches are detected by IT departments.

What companies need to do, Yap emphasized, is determine which technologies will have the most impact and how to realign roles around customer data ownership. “Executives need to think about the future and deal with the present through solutions that matter,” he said. “The dark side is clever. Being silent is no longer the right answer. We need to warn the attackers there are better targets to focus on.”

Hiring the right people

While companies may have been lax about protecting themselves in the past, some companies are doing far more now. “It was really after Target, when the CEO and CIO lost their jobs, that corporate America woke up,” said Matt Comyns, global cybersecurity practice leader for Russell Reynolds. Since then, many companies have begun hiring chief information security officers (CISOs) and demanding far more from them.

The CISOs that companies hire, Comyns observed, tend to be IT staff, professional services auditors or military and law enforcement professionals. Audrey Tan, Singapore country manager for Russell Reynolds, added that a recent survey in Asia-Pacific showed that 59 percent of CISOs were appointed in 2014, more than 40 percent were external hires and the majority came from technology or banking. Once they’re hired, CISOs are building threat and intelligence teams that focus on “how I would break in” as they work to prevent data theft.

Copyright © 2018 Association for Financial Professionals, Inc.
All rights reserved.