If you run any kind of business these days then there is a very good chance that you use the internet in some way to help achieve your corporate objectives. Because of this you should be aware that there are risks inherent in using the web, especially now that stories about data breaches seem to pop up all the time.
But it's not only hackers that your company needs to worry about. Other threats are posed by employees, either through malicious intent, through a lack of security awareness, or even through a lackadaisical approach to their work. Then there are the well-publicised stories surrounding government interest in the web, and the accounts and rumours of surveillance.
But there is another threat that is always present but less well covered, at least at the moment – the business competitor.
A new report by CERT Australia looks at, amongst other things, the motives for cyber attacks, as reported by companies within its territory.
Amongst the 135 organisations surveyed, 56% had experienced at least one security incident in the previous year, and the primary motive for an attack was reported as competitors seeking a commercial advantage. This, the report says, relates to the theft of intellectual property, either for direct benefit, or to sell on for profit.
Other motivations for security incidents further underline the need for organisations to consider a wide range of reasons for which they may be attacked, with the report highlighting the following, in order of likelihood:
- malicious damage
- using the system for further attacks
- personal grievance
- issue motivated/hacktivism
- other (including carelessness, lack of attention and negligence)
- don’t know
- illicit financial gain
- random or indiscriminate
The Cyber Crime and Security Survey Report also details the ways in which organisations were attacked. Amongst those which experienced an incident, the following methods were employed against them:
- 63% – targeted emails
- 52% – virus or worm infection
- 46% – trojan or rootkit malware
- 35% – theft of mobile devices
- 26% – unauthorised access
- 17% – ransomware
- 17% – distributed denial of service
- 17% – unauthorised access to information from an insider
The report notes that the primary incident type was socially engineered email, which highlights yet again why staff education has an important role to play within the overall security function.
In terms of training, the report threw up some very interesting figures based upon the perceptions of those who took part. When asked who within their organisation needed additional security training, the respondents replied as follows:
- 95% of respondents reported this need for general staff
- 91% of respondents reported this need for management
- 66% of respondents reported this need for IT staff
- 63% of respondents reported this need for the CEO
- 62% of respondents reported this need for the board of directors
Whilst it may not be surprising to see that many felt the need for improved levels of security awareness amongst general staff members, and perhaps even for the CEO and board directors, I think it is extremely alarming that the general level of feeling was that around two thirds of those working in IT were in need of additional training.
It's possible that such views have come about because 73% of the organisations surveyed had not increased security spending over the previous year, but it may also be a sign that some companies are either sticking their collective heads in the sand or are simply unaware of best practices. For example, almost half of the organisations surveyed still used Windows XP on at least some of their machines. Whilst most knew that support for that operating system was ending, 13% intended to carry on using it regardless and 8% had no idea whether or not a migration to an alternative would take place.
Furthermore, it was discovered that many respondents were not reporting incidents, with 34% failing to notify CERT Australia or a regulator, even when such a report was mandatory.
The reasons given for non-reporting were –
- 44% – ‘there are no benefits of reporting’
- 44% – ‘other’
- 20% – ‘the attackers probably wouldn’t get caught &/or prosecuted’
- 16% – ‘did not know’
- 12% – ‘negative publicity for the organisation’
– which perhaps goes to show that the various bodies and agencies also have some awareness work to do amongst organisations.
When questioned about their response to cyber threats, the respondents gave several answers, with some of the standout ones, in my opinion, being the need for additional training (72%), technical controls (64%) and cultural change (59%), two of which I glossed over recently when looking at the excellent work undertaken by Dr. Jessica Barker.
The full report, which contains much more information than is covered here, draws several obvious conclusions which crop up time and again in such surveys. The important takeaway from this one, though, is that the risks to any organisation are varied, and so your security function needs to be prepared for a wide range of potential threats.