Cyber Foot Soldiers
Rather than viewing
as liabilities, training
them to spot cyber
attacks is a best
By Graham Buck
One year on from WannaCry and NotPetya, senior executives and employees alike have spent time reviewing their companies’ cybersecurity defenses and their response plans in the event of attack. They’re likely not pleased by a recently published academic survey highlighting how lucrative cybercrime has become. The annual, tax-free
income of the highest earners is up to $2 million, while mid-level criminals can
expect up to $900,000 and even beginner hackers average $42,000 — enough for
the weekly grocery bill.
The findings will hopefully assist, rather than undermine, the progress
achieved over the past 12 months in raising employees’ awareness of cybersecurity
and their role in being alert to potential scams such as phishing emails. Although
WannaCry and NotPetya wrought the most havoc in the shipping and
manufacturing industries, they proved large-scale attacks are feasible and that
targets can be random rather than selected.
“Financial institutions have always been ahead of the game on cybersecurity,
partly due to the regulator,” said Marcin Weryk, senior underwriter, XL Catlin. “The
transportation sector — ranging from airlines to cargo carriers — is a close second.
“Manufacturing is also starting to come around, having realized that its systems
weren’t designed with security primarily in mind. They have certainly improved
but still have a long way to go.”
Meanwhile cyber criminals are becoming increasingly sophisticated, said
Andrew Beckett, MD and EMEA leader for Kroll’s cybersecurity and investigations
practice. He noted that back in 2012, Sir Iain Lobban, then the head of the UK’s
Government Communications Headquarters, estimated organized crime was four
years behind state entities in the sophistication of its cyberattacks.
“Since then you’ve had the emergence of the Shadow Brokers, who’ve hacked and
released details of the National Security Agency’s own hacking methods. The gap has
closed as organized crime catches up with state-backed entities,” Beckett said.
There is growing acceptance that while companies should take all reasonable
steps to bolster their resilience, full protection against cyberattacks is unattainable.
“Companies can be regarded as always two steps behind the intelligent
criminal or hacker who can spot and exploit any vulnerability,” said Shannan Fort,
cyber product development leader, Aon’s global broking center.
“For companies, it’s a fine balance in deciding at which point they decide to transfer
the risk. There’s a threshold at which more money and resources can be spent on
the system without any commensurate improvement in security. It’s then an issue of
spotting a breach at the earliest possible opportunity and minimizing the impact.”
Beckett agreed. “The emphasis has changed, and the focus is less on keeping
the attackers out and more on spotting them early and having an effective
response plan in place.”
EMPLOYEE RISK MANAGEMENT
When it comes to the issue of cybersecurity, the question everyone should ask
is, “Where are the company jewels and how do we protect them?” said Karen
Kukoda, senior director, strategic partnerships, FireEye.
Companies aiming to make employees more cybersecurity-savvy should be able to
count on them sharing this aim, added Gareth Wharton, CEO, cyber, Hiscox.
“Employee screening is vital, as is having good management processes in place for
when an employee departs. This includes ensuring they can’t log into the system
after departure and limiting access to only those systems relevant to their job —
for example,
• Companies are focusing more on spotting cyber attacks early and creating effective response plans.
• Employees must be trained how to spot suspicious activity and take
• Cyber insurance continues to mature but is not well-understood.
“Insurers need to include a major focus on education and also to be very clear on
exactly what they’re offering.”
— Gareth Wharton, CEO, cyber, Hiscox
Employees untrained on cyber security threats are a company’s weakest links.