KPMG’s Daryl Pereira offers cyber security advice to Asia’s SMEs – prepare to be hacked, because you may not be as prepared as you think you are.
Two years ago, the typical SME felt that cyber security was all about having up-to-date antivirus software and a proper firewall. Now, the explosion in cyber crime and the increased sophistication of attacks means that SMEs are overwhelmed. And they can forget about the expensive security consultants that big corporations hire – they’re often lucky just to scrape together a decent IT budget.
With this in mind, the IEEE assembled a collection of experts for CommunicAsia’s Security Governance conference track last week to give SMEs access to highly skilled, experienced practitioners in the field. The speakers ranged from academics at Edith Cowan University, who showed how easy it is to take over a system and helped participants understand the psychology of the cyber criminal, to Nomura, which spoke of its studies of the cost of data, and of how depreciated assets such as phones or computers that are off the balance sheet after three years still cost a lot in terms of cyber security.
Also on hand was KPMG, whose partner and head of cybersecurity Daryl Pereira painted a grim picture of the state of play in cyber security, and advised SMEs to prepare for the inevitable – which sounds obvious, except that they might not be as prepared as they imagine they are.
Back in 2013, he said, cyber security made it into the top five concerns at the World Economic Forum in Davos. Today, banks can no longer function without technology and bankers now think of themselves as running a technology company.
One of KPMG’s surveys showed that 57% of CEOs globally feel they are prepared for a cyber attack. However, break that number down by region and you find that 87% of US CEOs feel they are prepared, but only 32% in APAC and 31% in Europe. Why do Asian CEOs feel so much less prepared than their American counterparts?
Another KPMG survey in 2016 asked CIOs if they had experienced a cyber attack. Asia-Pacific came up with numbers much higher than the global average – Asia-Pacific countries are twice as likely to be targeted in a cyber attack. Worse, it takes the average Asia-Pacific company 520 days to realize they have been compromised, as opposed to the global average of 150-200 days.
The numbers are not much better in Australia, with cybercrime now the number one economic crime there – it’s also the third most targeted country in the world for banking botnets.
Between 40% and 50% of attacks today involve a social element, most often “spear phishing”, which Pereira said works better in an Asian context – where subordinates are inclined to just hurry and obey their bosses even when orders are sent by email – than in a Western context, where employees are more likely to question the order if it sounds a little suspicious. That is one major reason why Asian countries are overrepresented in cyber attacks, Pereira said.
Pereira also noted that the nature of cyber attacks has evolved considerably. Ten years ago, the typical attackers were isolated script kiddies looking for targets of opportunity. Then hacktivism became more popular as an opportunistic crime in which attackers deface websites to voice political opinions. Today’s targets are specifically selected, as opposed to random. Bad actors range from nation states to hacktivists, insiders, or even terrorists.
The Sony Pictures hack was not just theft of intellectual property by North Korea – it was also intended to send a message and upset both the US and its close ally Japan, which maintains the economic embargo against Pyongyang. Sony Pictures is still very much an American company, albeit one with Japanese owners. The lesson is that the objective of the hack isn’t always what it appears to be.
The same goes for today’s DDoS attacks. The effect of a DDoS attack is to shut down a server, but that’s not the objective – the DDoS attack is often an act of misdirection to distract a company’s IT resources while the real attack is launched to steal data.
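The defensive consequence of the misdirection pattern above is that a flood alert should trigger a second question: what else on the network changed during the same minutes? The script below is an added example, not code from the article or from KPMG, and runs on constructed log lines (one inbound request count per minute, and one outbound byte count per internal host per minute; the host names and numbers are invented). It first finds the flood window, then flags any internal host whose outbound volume during that window is far above its own quiet-time baseline.

```python
"""Correlate a volumetric (DDoS) window with unusual outbound transfer.

Added example, not from the article. Both logs below are constructed:
a traffic flood at 09:02-09:04 coincides with one host (hr-pc-7) sending
far more data out than it does in quiet minutes.
"""
from collections import defaultdict

# Constructed sample: "<minute> inbound_requests=<n>", one line per minute.
INBOUND_LOG = """\
08:56 inbound_requests=1100
08:57 inbound_requests=1150
08:58 inbound_requests=1220
08:59 inbound_requests=1180
09:00 inbound_requests=1200
09:01 inbound_requests=1300
09:02 inbound_requests=98000
09:03 inbound_requests=120000
09:04 inbound_requests=115000
09:05 inbound_requests=1250
"""

# Constructed sample: "<minute> host=<name> out_bytes=<n>" per internal host.
EGRESS_LOG = """\
09:00 host=fileserver out_bytes=50000
09:00 host=hr-pc-7 out_bytes=20000
09:01 host=fileserver out_bytes=52000
09:01 host=hr-pc-7 out_bytes=18000
09:02 host=fileserver out_bytes=51000
09:02 host=hr-pc-7 out_bytes=900000
09:03 host=fileserver out_bytes=49000
09:03 host=hr-pc-7 out_bytes=1400000
09:04 host=fileserver out_bytes=53000
09:04 host=hr-pc-7 out_bytes=1100000
09:05 host=fileserver out_bytes=50500
09:05 host=hr-pc-7 out_bytes=21000
"""


def parse_kv(line):
    """Split '<minute> k=v k=v ...' into (minute, {k: v})."""
    parts = line.split()
    return parts[0], dict(p.split("=", 1) for p in parts[1:])


def flood_minutes(inbound_log, factor=10.0):
    """Minutes whose request count exceeds `factor` x the median minute.

    The median is used as the baseline so that a few flood minutes do not
    drag the reference value up the way a mean would.
    """
    counts = {}
    for line in inbound_log.strip().splitlines():
        minute, kv = parse_kv(line)
        counts[minute] = int(kv["inbound_requests"])
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return sorted(m for m, c in counts.items() if c > factor * median)


def exfil_during_flood(egress_log, floods, factor=10.0):
    """Hosts whose outbound bytes during flood minutes exceed `factor` x
    their own median outbound bytes in non-flood minutes.

    A host seen only during the flood has no quiet baseline; it is reported
    with ratio None rather than silently dropped, because "never seen before
    and suddenly talking out" is itself worth a look.
    """
    floods = set(floods)
    quiet = defaultdict(list)
    busy = []
    for line in egress_log.strip().splitlines():
        minute, kv = parse_kv(line)
        host, nbytes = kv["host"], int(kv["out_bytes"])
        if minute in floods:
            busy.append((minute, host, nbytes))
        else:
            quiet[host].append(nbytes)

    alerts = []
    for minute, host, nbytes in busy:
        samples = sorted(quiet.get(host, []))
        if not samples:
            alerts.append({"minute": minute, "host": host,
                           "out_bytes": nbytes, "ratio": None})
            continue
        baseline = samples[len(samples) // 2]
        if baseline > 0 and nbytes > factor * baseline:
            alerts.append({"minute": minute, "host": host,
                           "out_bytes": nbytes,
                           "ratio": round(nbytes / baseline, 1)})
    return alerts


if __name__ == "__main__":
    window = flood_minutes(INBOUND_LOG)
    print("flood window:", window)
    for a in exfil_during_flood(EGRESS_LOG, window):
        print("egress anomaly during flood:", a)
```

On the constructed data the flood window is 09:02 to 09:04, and only hr-pc-7 is flagged (45x, 70x and 55x its quiet-time baseline); the file server's steady 50 KB per minute is ignored. In a real environment the same correlation would run against NetFlow or proxy logs, and the point is organisational as much as technical: the team handling the outage should not be the only team watching the network while it lasts.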
Even cyber-espionage is not just the usual spy-vs-spy intelligence gathering – it’s also about planting disinformation to influence political decisions or outcomes. The most famous example at the moment is last year’s hacking of the US Democratic National Committee’s email servers, which several intelligence agencies believe was the work of Russian agents attempting to influence the outcome of the 2016 Presidential election in favor of Donald Trump. Part of that operation allegedly involved releasing fake emails and documents in order to confuse government officials and the general public alike as to what was real and what was “fake news”.
One key issue is that people still tend to think of cyber security as a matter of buying tools and technology and do not understand the people and process aspects of it.
For example, who is responsible for cyber security in an organization? Often it is the CEO or CIO, but cyber security should be at the board level, Pereira said. It is about leadership and governance.
Cyber security is not just about the cyber security team. Similar to how each department now has its own fire marshal, companies need cyber security champions. Cyber security is not a department, Pereira said – “It should be an attitude, part of the company’s DNA.”