Businesses and governments need to completely change their thinking in terms of cybersecurity and start planning their controls around the paradigm of guaranteed failure against attacks.
So says Michiel Jonker, director: IT Advisory at Grant Thornton, who adds: “A change in thinking will enable companies to focus sufficient attention on the efficacy of detective and corrective controls, and thereby recover much faster, following cyber-attacks.
“Too many organisations still place an over-reliance on preventive controls when it comes to cybersecurity, in other words: trying to prevent attacks from happening. We have been conditioned to plan for success in the war against cybercrime, but we have not been able to prevent all attacks” he says.
He believes this is outdated thinking which is not appropriate for the modern interconnected world in which we are operating.
“Companies are often caught on the back foot when they do get targeted by a cyberattack. It will take them longer to recover and restore integrity to their systems, as their detective and corrective controls – those used to find and solve the problem – will be weaker than the controls relied upon to prevent attacks from happening,” explains Jonker.
The crippling effects of a cyberattack are well known, and these have been highlighted again in the past few days as new hacking and ransomware attacks shook the world, particularly the UK, USA and Europe. New examples include the ransomware attack of the UK company and global advertising giant WPP, the hacking of parliamentarians’ email systems in the United Kingdom, as well as the most recent ransomware attack that targeted the Ukrainian government and some of the biggest companies in Europe. According to cyber experts, this week’s attacks are “more sophisticated than the WannaCry worm.”
Jonker urges organisations to shift their focus to improving their detective and corrective controls.
“This is not an approach that will sit well with many risk managers as nobody likes to plan for failure, but it is unfortunately the new reality.”
In addition to bolstering these controls, he suggests organisations take an unconventional approach to protecting the integrity of critical systems.
“We have believed for some time that strategic infrastructure assets – such as nuclear power stations, dams and hospitals – are increasingly at risk of attack, which would have a devastating impact on potentially millions around the world. And today, we have learnt that the monitoring system of the Chernobyl nuclear plant was one of the targets in the Petya ransomware global attack which occurred earlier this month,” he says. (Petya is an alternative encrypting malware ransomware system.)
Jonker believes that the nature and frequency of attacks on strategic assets will increase in severity, and that governments need to plan appropriately.
“They need to consider disengaging certain elements or systems of critical infrastructure from the grid and operating these ‘offline’, which should go a long way to securing the integrity of important assets.”
He acknowledges, however, that this complete disengagement (avoidance) is not always realistically possible for many other organisations, as there is often a need for access to some form of online system.
“There has been some global research into creating closed cyber eco-environments for very sensitive assets or infrastructure in organisations – for those who don’t want to totally disengage from the grid, for many reasons. These stealth mode systems allow companies to disengage from the grid to a certain extent, by allowing them to operate – including via email, voice and instant messaging, with a much higher level of security.”
It would still be theoretically possible to compromise such a system, but it is much more difficult to infiltrate this type of network. Grant Thornton is in the process of developing such a system with a local partner in South Africa to secure the most sensitive parts of its operations.
Jonker believes the increasing complexity of cyberspace calls for a drastic change in risk management.
“It is unrealistic to expect employees to ‘think like a hacker’, as cybercriminals and their tools have become much more sophisticated over the years. Normal users cannot outsmart criminals. Companies and governments are infinitely more complex than they were in the past, yet our thinking around protecting the integrity of the crucial systems have not evolved to the same degree.”
He explains: “The complexity of today’s cyberspace lies in the relationship and interaction of multiple components. There are currently more than three billion people on the internet, and their actions are highly unpredictable.”
This is just the beginning. The worst is still to come. The sooner organisations realise this and plan appropriately, the better prepared they will be against inevitable future cyberattacks, Jonker concludes.