[BreachExchange] Fighting cyber-crime: an investment for the future

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 18 14:54:02 EST 2016


http://www.scmagazineuk.com/fighting-cyber-crime-an-
investment-for-the-future/article/570299/

The opening of the National Cyber Security Centre (‘NCSC') will be seen by
many businesses as a welcome simplification of the sometimes confusing
array of bodies and accreditations they are presented with when seeking to
prevent or respond to cyber-security threats.

Over the past two years, corporate Britain has become much more aware of
the threat from cyber-crime. This is due, in part, to the escalation in
targeted or behavioural attacks including whaling or spear-phishing, and
also to the increasingly tangible damage to the reputation of companies
such as TalkTalk, and the ensuing fines and loss of business.

In June, the National Crime Agency (‘NCA') highlighted a 22 percent
year-on-year increase in reported cyber-crime against business, with a
direct loss of £1 billion. The true loss is far greater once loss of future
revenue and reputational damage is factored in.

The danger of undetected threats
In fact, the greater risk remains undetected theft of capital or
intellectual property (IP). An unnoticed breach can allow a threat actor to
capture highly-sensitive commercial information over an extended period,
typical targets being product designs, blueprints and new product
development plans, and customer contract details.

Larger companies, which tend to have a lot of this intellectual capital,
have become far more aware of the threat and how to protect themselves,
adopting IT infrastructures, protocols and processes designed to limit
risk. This has resulted in criminals and other threat actors looking for
other weak access points - typically smaller companies with less
sophisticated protection - particularly those interacting with larger
companies with a lot of IP.

Suppliers are an ideal target, particularly where there is some degree of
systems integration, common in markets such as the automotive sector. We
are seeing large original equipment manufacturers (OEMs) increasingly push
security standards down to the companies in their supply chains as a cost
of winning work with them, although the extent of this is varied.

M&A processes lack adequate due diligence
Mergers and acquisitions also create a good environment for the attacker,
with opportunities existing both from the integration of the target's IT
with that of the acquirer, and the increased potential for human error when
employees are learning new systems, new reporting structures and
potentially working with people they do not know well before security
protocols have been learnt. Adoption of proper cyber-security diligence and
integration within M&A remains worryingly lacking, despite the obvious
risks.

Sharing intelligence: protecting against future breaches
As a single body that businesses can turn to both to understand and to
address these risks, the NCSC could become a very important tool, in
particular allowing for the first time the effective channelling of threat
intelligence from Government and private sector agencies to businesses of
all sizes, rather than just the largest or most sophisticated companies
within manufacturing, technology and finance, as has largely been the case
to date. Should the NCSC be able to work effectively as this conduit,
perhaps UK businesses can start to build the ‘herd immunity' through best
practice, which will be critical if we are to arrest the virulent growth of
cyber-crime.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161118/c9aed1d6/attachment.html>


More information about the BreachExchange mailing list