World class cybersecurity requires a 360 degree approach

The investigation of data theft will most probably remain in the domain of Cybersecurity experts, however to the larger CFE community it is critical that we remain abreast of the pertinent issues related to this topic.

Understanding the impact on business

Cybersecurity is one field where complexity can quickly overwhelm the role players and potentially cloud judgment. The speed of change associated with digital crimes and risks further exacerbate this. Explaining technical concepts like patch management is not difficult, but correlating these concepts to business value while highlighting the risks can be challenging at times. Failure to adequately communicate the key technical concepts in a meaningful and tangible manner is one of the key reasons why cybersecurity for a large segment of all businesses today remains misunderstood, with a sometimes dire consequence at various levels in organisations. At its core, cybersecurity is defined as the protection of IT-related systems, with the indirect goal of protecting associated data and services. Cybersecurity has evolved into a function far more complex and advanced than this very simplistic description.

The value of good cybersecurity should not just be considered for the protection of IT systems but also as a means to enable the provision of evidence. Cybersecurity controls should be configured to allow the successful conclusion of an incident response process and should also be able to preserve evidence for the purpose of compliance audits, forensic investigations and prosecutions.

Empowering our CFE community

To understand cybersecurity or “risk management with a cyber view” is not the responsibility of the cybersecurity teams but that of the business, the client and the forensic investigator. This by no means implies these role-players should be technical experts on cybersecurity technologies and platforms, but each has a responsibility and contribution to make in the fight against cybercrime, fraud and corruption.

At the heart of that responsibility is knowledge about the topic to allow world-class cybersecurity protocols to be applied at various levels.

CFE’s need to be aware of the following key areas:
1. What are the key elements of cyber attacks used by criminals?
2. What should a robust cybersecurity system be able to withstand?

Some insights to help answer these questions:

  1. Advanced attacks
    – More than 100 well-known threat actor/specialist groups were identified in 2019. Each one, a specialist by global region and/or industry.
    – The first death occurred in Germany in September 2020 as a direct result of a cyber attack on a hospital.
  2. Insiders
    – Inadequate IAM (Identify and Access Management) and PAM (Privileged Account Management) controls and monitoring, which sees current dwell time (length of time a cyber attacker has free reign in an environment from the time they get in until they are eradicated) of 284 days.
    – Social engineering practices are been applied to naïve or untrained employees,
    – BEC (Business Email Compromise)
    – 3rd party contractors
    – Managed services providers
    – Shortage of skilled cybersecurity employees which may cause misconfiguration and vulnerabilities. (Globally 1.8 million cybersecurity positions available).
  3. New Innovation
    – Currently there are over 20.8 billion devices connected to the internet. The speed and volume of new technology brings unknown risks and threats.
  4. Compliance
    – POPI and GDPR non-compliance now has very real implications with fines to the total of €158,135,806 having been issued since May 2018.

Factors that either mitigate or aggravate the cost of a data breach

The South African Information Regulator reported during August 2020 that they have seen a spike in data breaches during the preceding four months, recording 25 breaches of which 19 were self-reported. South African organisations are most certainly on the radar of local and international cyber criminals.

Very seldom do we find the cost of a data breach reported by the victim organisation. Accounting formulas and methods do however exist to calculate the average cost of a single lost record. Input costs such as direct expenses (forensic experts, hotlines, etc.) and indirect expenses (in-house-investigations, the value of customer loss, reduced new business, etc.) incurred by the victim organisation are calculated as part of the formula.

An international study in 17 countries published by Ponemon Institute and IBM in their Cost of a Data Breach Report 2020, reported that the South African average cost of a single lost or stolen record was US$ 2,14 (R36,48) on the date of reporting. European countries reported almost double the average cost and four times the cost in the USA.

The table below depicts some of the statistics relevant to the South African context:

Criteria
Type of records stolen (International) 80% of single stolen records contained customer personally-identifiable information
Industries with the highest average cost per record (International) Healthcare
Energy
Financial
Root cause with the highest impact (RSA) Malicious attack – 48%
System glitch – 26%
Human error – 26%
Root causes by threat vector (International) Compromised credentials – 19%
Cloud misconfiguration – 19%
Vulnerability in third-party software – 16%
Cost mitigating factors (International) Incident response testing
Business continuity
Formation of the IR team
Cost amplifying factors (International) Complex security systems
Cloud migration
Security skill shortage
Average security deployment (RSA) Fully deployed – 16%
Partially deployed – 40%
Not deployed – 44%
Average time to identify and contain a data breach (RSA) Days to identify – 177
Days to contain – 51

 

Malicious attacks on South African organisations are by far the biggest cyber risk, albeit that the country ranked third best in this category of the study. In contrast, South Africa ranks the third worst in data breaches due to human error. As CFE’s we have a pro-active role to play in raising awareness of the risks associated with skill-based and decision-based human errors leading to security breaches and loss of data. If such a huge amount (44%) of South African organisations do not consider secure networks a priority we will remain a prime target to international cybercriminals.

Probably the most important contribution we as CFE’s can make, is to become part of the process of informing our employers or clients to invest in sustainable and secure corporate networks. We need to help drive awareness of the critical importance of having a 360 degree approach to implementing cybersecurity systems across the entire breadth and depth of a business.

Sources:
Euoropol: Internet Organized Crime Threat Assessment 2020
Report to the Nations: 2020 Global Study on occupational fraud and abuse
IBM: X-Force Threat Intelligence Index 2020

By:
Leon Towsen, COO, CFE
Pieter van Rheede van Oudtshoorn, CISSP, CFE