Active defense vital for battling cybersecurity threat

11 November 2015

Against the backdrop of the growing frequency and impact of cybersecurity threats, and the uphill battle forecast to unfold at businesses over the coming years, adopting an active cyber-defense stance is becoming increasingly vital, says EY in a newly released report.

The rise of digital is providing organisations and governments globally with rapidly expanding opportunities for innovation and business. A recent report from McKinsey & Company, for instance, found that the Internet of Things could add up to $11.1 trillion to the global economy by 2025, while Industry 4.0 – another exponent of the digital wave – is set to revolutionise the manufacturing spectrum, with Strategy& estimating that €550 billion in value could be generated in the next five years alone. The benefits of digital are abundant, pundits agree, and could unlock added value across industries, functions and geographies.

Respondents of GISS 2015

There is a flip side, however, as digital also offers great potential for exploitation by criminals and others wanting to cause trouble. Digital attacks, also known as cybercrime, have grown massively of late, although the exact scale of cybercrime is fiercely debated – every time a report on the cost of cybercrime is released it is met with intense scrutiny from within the security industry. According to McAfee's latest report, worldwide losses stemming from cybercrime hit £266 billion last year, with the less conservative estimate stating the damage caused could be as high as £342 billion – between 0.5% and 0.8% of global GDP. From a UK perspective, the most cited estimate comes from the Cabinet Office (in partnership with Detica), with the researchers estimating the cost of cybercrime to be £27 billion per annum*.

The largest part of the cybercrime burden is borne by businesses – in the case of the UK, 78% (~£21 billion) of the total cost is faced by private sector enterprises. The cost stems from dealing with an incident once it has hit a firm, but also from preventive actions that aim to counter intellectual property theft and espionage through, among other things, risk management, security principles and technology designed to block digital intruders.

Source of attack

Global Information Security Survey
To understand how the private sector cybercrime landscape is evolving, and to help businesses fight e-crime, EY annually conducts in-depth research into the phenomenon. This year’s edition of the so-called ‘Global Information Security Survey’, the 18th in the series, is based on the views of 1,750+ respondents across 25 industries in 60+ countries.

The research shows that employees are no longer considered the most likely source of attack. 59% of respondents believe that criminal syndicates are the main threat, up from 53% last year, highlighting the professionalisation e-criminals are undergoing, say the researchers. Employees, who in recent years stood at the top of the list, have dropped to second place, followed by hacktivists and lone-wolf hackers.

Top cyber threats

Companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%), down from 57% and 52%, respectively, last year. However, they feel more threatened today by phishing and malware. 44% of respondents (compared with 39% in 2014) ranked phishing as their top threat; 43% consider malware their biggest threat, versus 34% in 2014.

To counter cybercrime, businesses put in place a range of security measures, of which data loss prevention is considered the most important priority for the coming 12 months. Ensuring the business can run smoothly following a cyber-attack comes in second on the priority list, down from top spot in 2013, followed by identity and access management and security awareness and training. Interestingly, safeguarding intellectual property – for many businesses the heart of their long-term value proposition – and forensics – the discipline used to detect and unmask e-criminals – score lowest of the 20+ priority areas.

Information security priority areas

The battle has just begun
Looking ahead, the researchers warn the battle against cybercrime is only set to intensify. Few areas of our lives remain untouched by the digital revolution, and the trend is accelerating. In addition, the cybercrime market in itself is changing, arguably maturing, at a rapid pace. Cyber attackers are continuously changing tactics, increasing their persistence and expanding their capabilities, and as a result e-invaders are finding new and better ways to take advantage of the growing interwovenness with (internet) connected devices and mobile technologies. “There must be a corresponding uptick in addressing the increasingly sophisticated cyber threats. Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cybersecurity and make the required investments,” says Ken Allan, who leads EY’s Global Cybersecurity offering.

Organisations are seemingly embracing the need to bolster their lines of defense – only 12% of respondents currently believe that their information security function fully meets the organisation’s needs, and 69% state that their IT security budgets should be increased by up to 50% to match the risk tolerance of management.

Cybersecurity maturity

If companies want to successfully overcome the threats of cybercrime, the researchers believe they should not just spend more money but follow a strategic, two-fold approach. Firstly, they should have the basics in place, which centre on maturity in eight key building blocks. The methodology the accounting and consulting giant developed – dubbed Activate, Adapt and Anticipate (the “three As”) – is based on research and hundreds of engagements and draws on best practices from strategy to execution, across functional areas such as technology and IT security, as well as non-technological facets such as risk, legal, process and people. By following the three stages of the journey to cybersecurity maturity, a company’s overall cyber defense maturity can be “significantly boosted”, says Paul van Kessel, Global Risk Leader at EY, ultimately bolstering defense and, more importantly, lowering the attractiveness of the organisation as a target.

Cybersecurity radar map

An analysis of the results reveals, however, that organisations still have a long way to go when it comes to maturity. Asked which areas of their cybersecurity measures are “very mature”, not a single area received a score higher than 11% (percentage of respondents). To gain insight into actual versus required performance, and put organisations on the road to improvement, Van Kessel suggests creating a cybersecurity radar map, a tool that identifies gaps with end-state positions and helps determine roadmaps and action plans.

Active defense
The second pillar focuses on taking what Van Kessel calls an ‘active defense’ stance. “Cybersecurity is inherently a defensive capability, but organisations should not wait to become victims,” he says, adding “it is imperative that organisations consider cybersecurity as an enabler to build and keep customers’ trust.”

Paul van Kessel and Ken Allan - EY

Putting in place an active defense requires the setup of a Security Operations Centre (SOC) and the use of Cyber Threat Intelligence. The SOC serves as the control centre which supports the entire organisation with cybersecurity-related matters. The SOC ensures there is an understanding of critical cyber business risks and knowledge of what attackers may want, enabling the establishment of a “targeted defense” through prioritisation (of assets, people, business areas) and hardening of vulnerabilities. The SOC also assesses the threat landscape, based on a range of specific factors such as operating environment, critical assets and business strategy. By applying Cyber Threat Intelligence, organisations can send out intelligent feelers to look for potential attackers, analyse and assess the threat, and neutralise the threat before it can damage critical assets. “Active Defense does not replace traditional security operations — it organises and enhances them,” concludes Allan.

* The Cabinet Office and Detica, however, acknowledge in their report that in all probability, and in line with their worst-case scenarios, the real impact of cybercrime is likely to be much greater.