Every day, CIOs and CISOs face the fear of internal and external threats from criminal syndicates, employees, external contractors or hacktivists that could damage their company’s reputation. But what happens when a government agency wants to affect your business forecast and learn all your secrets? This concern is real and increasing: state-sponsored attacks rank sixth among the most likely sources of attacks on a company, cited by 35% of the respondents in a recent survey, compared with 27% in 2014.
The European Union Institute for Security Studies (EUISS) has even called state-sponsored hackers “hybrid armies” and stated that “these cyber-attacks are rarely disconnected from political realities.” Available data, cited by the EU, suggest that cyber-espionage by state-affiliated groups is rising. The 2014 Data Breach Investigations Report by Verizon, a US telecommunications company, shows that 87% of all such incidents in 2013 (511) were performed by state-linked groups from East Asia (49%) or Eastern Europe (21%).
While governmental and political entities have been major targets for many years, state-linked hackers have recently started hitting private businesses. The EU mentions the 2014 incident in which US-based security company CrowdStrike blamed the Chinese PLA-associated group ‘Putter Panda’ for a series of cyber-espionage actions directed at high-profile aerospace, satellite and communications targets. Another group, called ‘Guardians of Peace,’ supposedly linked to North Korea, claimed responsibility for an attack on Sony Entertainment Pictures that stole personal information of employees and their families and exposed executive-level salaries and company email exchanges.
The EU also noted in a 2015 report that smaller and militarily less advanced countries appear to readily embrace such ‘patriotic’ hackers as they benefit from the tactical asymmetry – “a sort of virtual guerrilla warfare” – that cyberspace offers.
“With state and non-state actors ever more interested in developing both offensive and defensive cyber capabilities, designing the rules of the game will be complicated,” EUISS analysts write in a study. “Authoritarian regimes enjoy significant freedom to set and adapt rules as they please. Their opponents have, alas, more limited options. In democratic states, governments are bound by the rule of law and operate under strict public scrutiny. Legal cooperation among likeminded countries is moving forward, but at a very slow pace.”
The cumulative effect on an organization can be devastating. Cybercriminals can spend months inside organizations, storing away information for a future attack or piecing data together that will get them to the prize they are after. They will also create measures to protect themselves from detection. Sometimes they create diversionary tactics to draw your attention away from what they are doing and where they have succeeded, as EY’s Global Information Security Survey 2015 shows.
Cyberattacks impact business decisions, mergers/acquisitions and competitive positions.
Some 1,755 C-level respondents from 67 countries across all major industries have said that sales, supply chain, R&D, and accounts payable are strongly impacted. First, strategic manipulation of sales and email systems results in missed sales of 2% to 3% just prior to quarterly or annual reporting periods. Second, supply chain and online ordering system manipulation leads to degradation of production and receivables collection, resulting in missed revenue projections of 2% to 3%. If higher-profit areas and R&D efforts are stolen, this will also hurt sales and competitiveness. Periodic accounts payable fraud causes millions of dollars in lost income per year, respondents say. Mass release of privacy data results in loss of public trust and additional legal costs.
Likely beneficiaries of the cyberattack may also approach the troubled organization and acquire it at “duress value.” Artificial duress results in >30% loss of book value, while social media rumors result in >50% loss of market capital, respondents say.
Placing the most attention, prevention and counter-measures around your areas of most value and highest risk is a key step in minimizing harm from cyber incidents, authors of the study write in the most recent report published this year by the accountancy firm. Detecting cyber incidents as early as possible is the next crucial step, which is only possible with a comprehensive radar that covers a variety of indicators and can raise alerts when a certain threshold is crossed. Determining the thresholds relates back to risk appetite and the sorts of incidents that will cause the most harm to your organization.
“Some attacks will be sudden and obvious, in which case the whole focus switches to effective response,” the document says. “However, remember that these obvious attacks can also be a diversionary tactic, so organizations need the capability to analyze each incident in order to gain enough data to see patterns emerge over time. There are many ways into an organization, and cyber attackers will find the most vulnerable entry points. Some of these will be obvious and therefore easier to fortify, and they should be monitored, but from thinking creatively in a scenario about how the attackers could operate, additional barriers and monitors can be added in the not-so-obvious places (for example, public-facing websites, third-party systems that connect into yours, connecting industrial systems, the cloud, etc.).”
Only 7% of organizations claim to have a robust incident response program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management function.
Lacking incident response or disaster recovery plans in case of security breaches can mean long delays in threat mitigation and remediation. Although technology and layered security mechanisms provide a level of security and reduce the attack surface, quick incident management and response can make all the difference in terms of business continuity. Find out more about the inability to identify critical assets or data and to properly react to security breaches in a previous article on Business Insights.
Here is EY’s list of indicators that can signal a breach:
• Very visible attacks with no obvious purpose: e.g., DDoS; details stolen but with no obvious use to them
• Unexpected share price movements
• New products launched by competitors that are uncannily similar to your R&D and IP and reach the market just before yours — indicating IP theft and knowledge of your growth strategy and timings
• Mergers and acquisitions (M&A) activities disrupted: rival bids that may demonstrate awareness of confidential plans; M&A targets suffering cyber incidents (e.g., their IP stolen)
• Unusual customer or joint venture behavior: remember that these may not always be genuine customers or partners since cyber criminals can join organizations to gain easier access to your systems and data
• Unusual employee behavior: managers need to be more aware of changes in staff behavior, especially of those in more sensitive areas
• Operational disruption but without a clear cause
• Oddities in payment processing or ordering systems
• Customer or user databases showing inconsistent information.
Some 36% of C-level executives think it is unlikely they would be able to detect a sophisticated attack, which is actually good news as it’s a significant improvement from the 2014 finding of 56%. A non-stop state of preparedness is crucial to continuously decreasing the figures above.
“Wars between nation states have been digital for more than half a decade now,” says Bogdan Botezatu, Bitdefender’s senior eThreat analyst. “Industrial processes and intellectual property are becoming increasingly valuable for governments, as this information can help local companies get a foothold into new markets and acquire new customers, along with their data.”