The-Accountant-Sep-Oct-2017-Final
Information Technology
requiring its attention. The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organizations. These account for 451 incidents to date. The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, an official in the NCSC stated there were five common themes or lessons to be learned.
Firstly: There is still a need for organizations to get the basics right - software security patching, antivirus updating, and putting in basic protections and controls for system administrators, who are typically prime targets for attackers seeking to steal their credentials.
Secondly: Organizations fail to get the balance right between usability and security - victim organizations had leaned too far in the direction of convenience and usability, leading to things like logging being turned off to optimize performance. Decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters.
Thirdly: Organizations continue to use legacy systems and equipment - these present opportunities to attackers. When incidents are investigated, the NCSC finds that it is in the legacy systems that the compromise has begun.
Fourthly: Outsourcing - in early 2017, the NCSC reported on a major compromise of managed service providers (MSPs). Compromised MSPs enable attackers to obtain security credentials in one country, traverse across the provider's network, compromise a company or series of companies in another country, and exfiltrate (take out) the data through a third country. The NCSC has published a list of security questions organizations should ask their MSPs: organizations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved.
Fifthly: Mergers and acquisitions - in mergers and acquisitions, cyber security is often overlooked in the due diligence process; as a result, the cyber risk is not understood and not addressed effectively.
WannaCry was a novel piece of malware whose speed and impact were hard to anticipate. Organizations should build flexibility, speed, and adaptability into their event-response capabilities. Those plans should be tested across the organization on various event scenarios; specialized resources and expertise should be identified and adapted in response.
Risk modelling must be kept up to date. The potential scenarios that could affect the organization's operations should be rethought, and the potential operational and financial impacts should be established. Second- and third-order consequences, like supply chain disruptions and associated financial costs, should be evaluated, and the risks that demand the most focus should be determined.
And finally, the organization's cyber insurance programme should be reviewed and updated. Networks will continue to become more connected and businesses more dependent on data-sharing. Every business that uses technology should take a fresh look at its cyber insurance programme: policies should be updated as needed to provide coverage for business interruption and cyber extortion, and programme limits in the face of catastrophic scenarios should be re-evaluated.
September - October 2017, page 31