On average it takes about 205 days between a company being hacked and it detecting the compromise, a recent Mandiant report found.
The volume of security threats is enormous, and protecting an organisation from them has shifted from an issue dealt with in the IT department to one that is regularly handled in the board room.
Just last week corporate watchdog ASIC and the AFP revealed they had detected a surge in scammers from Russia hacking into share trading accounts at both Morgan Stanley and Commsec in Australia in an attempt to clear them out.
Sony Corp’s movie studio was also hacked in 2014, a breach which is estimated to cost the company tens of millions of dollars in costs from lost productivity, IT fixes and the exposure of trade secrets. The massive security breach exposed sensitive data, forced the company to temporarily shut its networks and crippled Sony’s reputation for a perceived failure to safeguard information.
Last year Apple’s iCloud was also criticised when hackers gained access to the accounts of celebrities like Jennifer Lawrence and Kate Upton. Hundreds of naked photographs leaked online after hackers bypassed Apple’s security question system.
These are just a few examples from the past 18 months which show how security breaches can torpedo a company’s trading position, share price and consumer confidence.
“It has a huge impact on people’s acceptance of electronic methods for conducting business. In terms of our continued adoption of technology, it’s really important that what they’re doing is safe and in a trusted environment,” PwC cyber services director Dave Owen told Business Insider ahead of speaking at the CACS information security conference in Sydney.
“If it continues to get worse you’ll see a reluctance of people using computers to do transactions and to run their business.”
In both the Sony and Apple cases, the organisations were compromised for a sustained period before they became aware of an issue.
Separately, about 69% of organisations are notified by an external party, like a journalist or a security agency, that they’ve been compromised, Owen explained, adding that covert attacks are increasing.
“One of the challenges is someone attacking an organisation will spend time slowly progressing an attack; they’ll get an initial hold and then slowly get more of an entrenchment in an organisation and then start to get to the sources of interest,” he said.
“There’s a lot more emphasis on covert attacks. Five or 10 years ago there were a lot more defacement attacks. Now there’s a greater emphasis on trying to covertly compromise an organisation.
“We’ve seen a much greater recognition of the value of people’s information,” he said, adding that extortion-type attacks using ransomware such as Cryptolocker, which won’t release data until its owner pays, are also on the rise.
Some Australians have reportedly paid thousands of dollars to international hackers to get rid of the unbreakable Cryptolocker virus, which infiltrates computers through credible-looking emails before taking files hostage.
A number of organisations have admitted it is sometimes cheaper to pay the ransom than to have IT staff spend weeks attempting to decrypt the files. According to an ABC report, the Australian Competition and Consumer Commission has received 2,500 complaints this year and estimates about $400,000 has been paid to hackers.
PwC noted a 48% increase in security incidents in 2014, compared to the previous year. The average compound rate over the past five years is 66%.
While the security conversation varies by sector or industry, Owen said large institutions have been looking at this for a long time. But increasingly health care, retail and telcos are starting to show more interest, asking basic questions about who might attack them and what strategies should be adopted.
One of the biggest challenges is figuring out where valuable information, like corporate or customer data, is being kept.
“A lot of organisations have allowed themselves to become very complex and that complexity is proving to be quite a challenge where they’ve got hundreds and hundreds of systems and a large group of suppliers. It becomes very hard to retrofit security to that complexity,” he said.
The issue of complexity in organisations tends to rear its head when the company diversifies or expands into several business activities, Owen said.
“We’re seeing people recognise they have to simplify their business as part of making it easy to secure their information,” he said.
Moving data and services onto the cloud is one thing many organisations are starting to do. The downside, in the case of some cloud services, is that it’s not always clear where the data is being hosted.
“We’ve seen some organisations where hundreds of different cloud services are being used by a business… a lot of that is outside formal procurement of an organisation,” Owen said.
Insider threats are also a growing concern, as disenfranchised employees with access to sensitive information can be a security risk.
“It’s quite common for people to trust their employees so we see some organisations where the internal access control is not strong and people can access lots and lots of information,” he said.
“Trying to tie that down can be very hard.”
In line with the growing threats, PwC has noted companies are increasing expenditure to thwart cyberattacks. Gartner research from 2013 indicated the insurance industry spends about $684 a year per employee on information security while banking spends $553 and retail just $169.
Tracking down hackers can be a near-impossible task, Owen explained. One attack can involve multiple groups working on various elements, from the hacking itself to trading the stolen information.
“The question of blame can be hard to track who did it and the concept of blame may actually be attributed to four different types of group in the same incident,” he said. “Sometimes it can be possible to trace some types of hacks because you can actually see behaviour patterns and correlate it… but it’s not an exact science trying to work out who’s behind it.”
Owen explained that bolstering a company against cyber threats will take more than just the IT department. Top-level management need to be engaged in the process, and employees need to think about the risks when designing workflows and culture.
“This problem is no longer a binary issue of you’ve either got an attack or you haven’t got an attack. It’s shades of grey.
“On that basis there needs to be a much greater emphasis on detection capabilities to spot when there’s an issue emerging… to try and manage the impact.”