We are at war in cyberspace and every corporate director is on the firing line. Looking at the reams of data and reports on breaches, attacks, and perpetrators, it is clear there are no absolute methods for detecting and preventing a devastating cyber-attack. As FBI Director James Comey eloquently put it, “There are two kinds of big companies in the United States. There are those who’ve been hacked… and those who don’t know they’ve been hacked.”
Most companies, and thus most boards of directors, are oblivious to cybercrime attacks. Breaches are most often discovered only because a third party notified them (94% of victims according to Mandiant and 92% according to Verizon). Once a cybercriminal gains access to a corporate network, the median time to detect the intrusion is 416 days, which means cybercriminals often spend well over a year feasting on treasured corporate information.
In further sobering numbers: 97 percent of the IT systems of companies surveyed globally have been breached, according to FireEye. Security firm McAfee’s surveys suggest “only three in ten organizations report all data breaches/losses suffered, while one in ten organizations will only report breaches/losses that they are legally obliged to, and no more. Six in ten organizations currently ‘pick and choose’ the breaches/losses they report, depending on how they feel about them.” Though in 2011 the SEC promulgated guidance on disclosure of cybercrime incidents, few companies appear to have reported, perhaps reflecting the thought process of the 40% of respondents to a recent PricewaterhouseCoopers survey of 3,877 respondents from organizations in 78 countries: the top concern regarding cybercrime is reputational damage.
While the reluctance of corporate officers to publicly disclose cybercrime incidents is understandable, failure to report hinders general awareness of the cybercrime problem. Many corporate executives, and therefore directors, are not aware of their level of exposure to cybercrime until they become victims. Lack of awareness, lack of reporting, and finally lack of effective response compound the underlying risks.
Our collective corporate position is untenable and it is up to the members of all boards of directors to develop an approach to dealing with these monumental and intractable issues. There are many resources available to help boards of directors and top executives charged with protecting the company and its stakeholders prepare specific business continuity plans and incident response protocols.
There is so much material, however, on such complex topics that our eyes and even our ears glaze over, which is exactly what our enemies are counting on. We as directors face the difficult task of helping our enterprises turn reams of data into useful information, while also conserving corporate resources, so we do not all drown in the futile effort to defend ourselves when our ramparts have likely already been breached.
If you remember nothing else on this difficult subject, remember this: the most important goal is to be constantly reducing the time it takes to detect a breach and the time it takes to resolve each breach. Our approaches need to move away from the losing war of attrition called defense against attacks and recognize that attacks will happen and our resources need to focus on a more offensive approach: find it, remove it, and FAST. More on how to do this later, but first, what is creating the opportunity for a breach?
According to a paper from Trusteer®, a leading provider of advanced malware and fraud protection solutions, now part of IBM, the most prevalent approach to penetrating cyber-defenses involves the following steps:
- Compromise an employee device.
- Steal the employee’s access credentials.
- Use the employee’s access privileges to identify and steal valuable information or directly initiate fraudulent financial transactions.
- Infect the endpoint (their laptops and desktops) with malware.
- From there, infect the underlying system by attacking vulnerabilities.
Vulnerabilities are weaknesses in software code, due to design flaws or coding errors, that allow an attacker to compromise the underlying system. Software vulnerabilities allow a cybercriminal to bypass security controls built into the operating system or provided by third-party security applications that would otherwise prevent unauthorized file installation.
Exploits are pieces of code designed to take advantage of software vulnerabilities to deliver a payload (malware) that otherwise would be prevented by system restrictions. To combat this threat, software providers seek to patch the vulnerabilities. Availability of a patch, however, does not mean it is installed on the end user’s device. Inconsistent patch adoption leaves approximately 2.7% of Microsoft programs and 6.5% of third-party programs unpatched at any given time. Multiplied by millions of users, these figures reveal a large population that is regularly exposed to cybercriminal exploits.
These patching statistics do not reflect the true underlying lifecycle of vulnerabilities and exploits. Especially dangerous are exploits that take advantage of undisclosed vulnerabilities. Cybercriminals are able to exploit unknown system vulnerabilities to successfully infect endpoints for an average of 10 months before any protections are put in place. Research shows that immediately after vulnerabilities are disclosed publicly, cybercriminals increase the number of exploits by 2 to 100,000 times to infect as many machines as possible before the vulnerability is patched.
Disturbingly, criminals don’t have to rely solely on developing exploits for newly discovered vulnerabilities. Because users consistently do a poor job of installing security updates that patch critical vulnerabilities, many exploits continue to be effective months or years after a vulnerability patch has been released. For example, 39% of computers had failed to install a Microsoft Word update one year after its release, and 70% of computers had not installed an Adobe Flash Player update within a month of its release. This lag allows cybercriminals to continue to use existing attack methods against vulnerabilities for which a patch already exists, for months or sometimes years.
As a veteran corporate director, I am appalled and mesmerized by the above examples of why and how our enterprises are vulnerable. As a Bryn Mawr-educated writer, I am cringing at the many statistics and surveys I have cited above without providing footnotes. The message is so urgent that I elected not to clutter up the text, however. Instead, I direct those seeking further context and useful information to the websites listed below, maintained by pioneers in the rapidly evolving world of effective detection and response to breaches.
Whether we realize and acknowledge it or not, we — business and technology leaders — are in the middle of a cyber-war. Every day, cybercriminals are preying on industry’s lack of awareness and are actively engaged in covert corporate espionage activities that may never be uncovered. While business leaders will continue to wonder how a new entrant developed a competitive product so quickly, why another provider always seems to offer slightly better pricing, or how sensitive corporate information was leaked to the press, Rome is burning. We need to get out there and fight, by learning what we can and directing our corporate resources intelligently to focus relentlessly on rapidly detecting and eliminating the enemy.
Additional information can be found in The Rising Threat of Corporate Cybercrime: Cybercriminal Motives and Methods.