Consumer Electronics Daily was a Warren News publication.
'Common Sense to Many'

Businesses Seen Ramping Up Cybersecurity, But Not Enough Against Rising Attacks

Russian interference with the U.S. presidential election and Yahoo's announcements of two massive data breaches (see 1612150010) weren't necessarily wake-up calls for U.S. corporations, which have ramped up efforts to enhance network security against cyberattacks over the past few years, said some cybersecurity experts in interviews over the past two weeks. But they described an arms race of sorts in which nation states and cyber criminals are using increasingly sophisticated techniques to penetrate the defenses of corporations, which are having a hard time keeping up through educating and training employees, changing policies and deploying new technologies.

Increasingly, corporations and government institutions are protecting themselves, but attacks are trending by "an even more dramatic amount," said Markus Jakobsson, chief scientist with email security firm Agari. "And, of course, it’s a struggle and frustrating situation for people who wish to have security measures deployed [but] ... see their sector is growing slower than the attack sector. That’s where we are." He said unless people take this very seriously more "devastating" incidents will occur.

Simone Petrella, chief cyberstrategy officer at CyberVista, said the Russian hack of the Democratic National Committee reinforced the importance of integrating cybersecurity and related investments into executive decision-making. One aspect that will become increasingly important for U.S. executives and corporations is understanding the different motives of hackers in the context of what would be the most attractive target given the business. "If you’re a large corporation with a significant amount of [intellectual property] you cannot rule out the fact that there might be a nation state who is extremely interested in a very traditional economic espionage to get that information, just as much as you could not rule out that there might be an organized criminal group" that wants to commit fraud and steal money, she said.

On Thursday, the Department of Homeland Security and FBI issued a 13-page joint analysis report providing technical details about the tools the Russian civilian and military intelligence services used "to compromise and exploit networks and endpoints associated with the U.S. election," plus the U.S. government, private sector and other entities. The report was released as the Obama administration announced sanctions against Russia for the hacking (see 1612290040). Two Russian actors used targeted spear-phishing campaigns over the past year to gain legitimate credentials and compromise the DNC, though the report described the victim as "a U.S. political party." The report recommended several strategies -- such as regularly applying software patches and restricting administrative privileges -- that it said could prevent up to 85 percent of targeted cyberattacks. "These strategies are common sense to many, but DHS continues to see intrusions because organizations fail to use these basic measures," the report said.

Jakobsson said corporations are using awareness or education campaigns, instituting better procedures or policies and implementing advanced filtering technology to handle spear-phishing tactics. But he said targeted attacks such as ransomware or business email compromise, which use sophisticated tactics, personal information and social engineering to penetrate computer networks, are 10 times more effective than nontargeted attacks. He said the Yahoo breaches gave hackers "contextual" information about users and contacts, essentially a stepping stone to mount higher value attacks.

There's growth among companies wanting to improve protection, said Paige Schaffer, president of Generali Global Assistance's identity and digital protection services global unit. She cited a recent survey from identity and access management company Versasec that found nearly seven in 10 companies intend to spend at least 10 percent of their information technology budgets on security in 2017. The survey also found that 15 percent of companies said their IT security budgets will be more than 50 percent of their overall IT budget. "That’s an increase over Versasec’s survey early in 2016, when approximately 40% cited their IT security spending at between 0 percent and 9 percent of their [IT] budgets," said a Versasec news release.

But Schaffer said it's important to differentiate between large corporations with the resources and means to protect their systems and their customers, and small to midsized companies that don't necessarily have the security capabilities and investments. Among large corporations, she said there's also a difference in how some protect just themselves and those that extend that security to their employees and customers. One "very much emerging" trend is the creation of a chief identity officer position that could help organizations look at every aspect of personal information within human resource and corporate systems, Schaffer said, acknowledging such a position has some overlap with those who oversee security and privacy.

Petrella, whose firm provides cybersecurity training and workforce development services, said smaller and midsized companies that don't have the resources to spend often think more critically through how they can address security than larger corporations that may not be necessarily "judicious or measured" in how they approach the issue. But she said culture also plays an important role in any corporation. "You can change every policy that you have in your company but if you don’t have the culture established for people to follow them they’re just pieces of paper that sit on a shelf somewhere," Petrella added.

The government should play a bigger role in helping the private sector improve security, said experts, but they're unsure what that would be. Petrella said the free market over the past 15 years has tried to address the problem: "I would posit that it has not worked." But she said she didn't know what the government alternative would be and whether it would be incentive- or punitive-based. Others said the U.S. government, which also suffered high-profile attacks such as on the Office of Personnel Management, should lead by example. Jakobsson said Australia and the U.K. recently imposed cybersecurity requirements within their governments, which could be models for industry. Schaffer also cited the need for a national data breach notification law rather than companies having to deal with multiple state statutes (see 1609280050).

Insurance policies for cybersecurity could also help motivate companies to implement better security measures, experts said. Jakobsson said he expects that area to take on a bigger role over the next two years as insurers figure out the actuarial models. Policies would be focused on financial loss due to a breach, but Schaffer said insurers would look at mitigating risks through vendor audits, vulnerability checks and identity theft services.