Cybercrime soars and company losses amounts to billions. It is time for boards to engage and ensure that cyber defense is on the top of management’s agenda.
It is still challenging to receive proper focus on cyber security despite increasing awareness during the last decade”, says Philip Törner, who leads the consulting firm Venor in Stockholm. “It has become clear that attacks not only causes monetary losses, but also harm to our society’s infrastructure. That was evident in the ransomware attack against Coop”, he says. Coop is a retail chain in Sweden, who in 2021 had their 800 outlet cashier systems blocked for days.
The list of companies attacked in the Nordics alone is long. According to a recent report on Swedish Television (SVT) one company paid 300 million SEK to unlock their systems. Maersk, Norsk Hydro, Vitrolife, Gunnebo, Danish Vestas and Coop are examples of companies that have appeared in the news, but it is believed that many companies chose to keep attacks secret and pay ransom.
The example of Coop may have made the magnitude of potential losses clear to other retailers, but attention on cybercrime seems still to be sparse on top management level. The threat exists all over the business spectrum and losses do not only count in money but also in reputation and trust among customers and partners. Boards need to ask questions and keep top management alert. Audit committees should make a dive into security systems and scrutinize policies.
The role of the board
The board is ultimately responsible for the well-being and integrity of the company. Cybercrime may threaten its very existence.
What must the board do? In practical terms the board should ensure that cyber security is on the top of the agenda for the CEO and management. When the board repeatedly brings up cyber security, the CEO and his team are obliged to make it a priority.
Questioning will fill a potential knowledge gap for the board members and might reveal weak points in the organization. What is the position of the CISO, the top security officer? Does the CISO have strict budget limitations?
The boards should identify the “digital crown jewels” and ask how they are protected. What does the digital landscape look like? The board should ask about policies and guidelines for the employees. Does the company have systems for following up on compliance?
How do security rules coordinate with the overall culture, like flexibility and flattening of the organization and trust? Is delegation of decisions matched by access to information and what specific security protocols apply? Has the company listed persons who might be selected for cyberattacks?
To tap into the pulse of the company the board should ask about security projects, planned or underway. They should question the reasons for delays and demand reports when they are finished.
“Remember that management are very good at presenting ‘smoking mirrors’” says chair Tom Johnstone in our recent article about digital transformation. General information about firewalls and authentication systems will not reveal the true security status. The best way to check security is to ask for penetrations tests and have the results reported back to the board.
Board members themselves may become a security threat. Board material is normally sent digitally in encrypted format. But as one of the suppliers said: “We transmit in safe mode, but we do not know how it is received and handled”. Board members normally use their personal email addresses, with exception of the chair, who is often seen using the company’s email system. Some companies have board material on tablets, which are transported to each member before meetings. At the end of the meeting, they are collected and stored in the company.
Mobile phones are a listening device and should be left outside the boardroom.
Prepare for a ransom attack
The board and management should not look at an attack as an unlikely scenario but rather as a real threat and prepare themselves. The board should demand a map of the value of potential losses, extending from loss of sales and customers to long term damage. The board should have an overview of sensible information and what damage would occur to customers, partners, and the public at large, if data is exposed. Reputation and credibility are at stake. At the extreme the company may cease to operate.
No company small or large is safe from ransom attacks. If a company has published a profit statement of, for example, nine million SEK (around one million US dollars) an attacker knows that there is that amount and a little more to collect. Even a small municipality, like Kalix in northern Sweden reported a ransom attack on December 16th.
Is paying a ransom an option? It is believed that many companies do so and keep the whole thing silent. It was not an option for the Scottish Environmental Protection Agency, who could not use public money for ransom. Hackers publish data they had stolen. Systems were restored only after hard work and at a substantial cost.
Is your company prepared for an attack? The attack in Scotland was discovered in the morning of Christmas Eve. Does your company have a team ready to counter an attacker, limit the damage, get the intruder out and restore systems? Has the company procured outside expertise that can be deployed with short notice?
The Danish wind turbine producer Vestas announced on November 19th that they were exposed to a cyberattack and had to call for external help. The press release said: “To contain the issue, IT systems are shut down across multiple business units and locations.” It was said that there were no indications that third party operations were affected, but “data has been compromised”. Vestas confirms that it has been leaked and potentially offered to third parties.
The containment of the attack is a task of management but is up to the board to weigh the consequences of alternative options. Vestas does not confirm that it was a ransom attack, but if that was the case the board would have to consider what harm published data could cause individuals, other companies and ultimately to Vestas itself.
Another example is the Swedish security company Bulten, mentioned earlier, hacked in 2020, is still having detailed plans of bank vaults all over the world laying open on Darknet.
The board should create a plan for how to handle information if an attack happens. It is good to know that there are regulations that state how you report loss of personal data and when you must inform about it – in the EU, GDPR rules states that you need to report it within 72 hours from the time of realizing personal data breach. “That gives you some time to figure out what has happened, or at least get an indication of scope depending on the size of the incident”, Philip Törner says.
“Transparency is the best way to handle a security incident. Don’t be ashamed of what’s happened or try to cover up – communicate to build trust. These incidents are going to become so common globally that notcommunicating will raise suspicion”, Philip Törner adds.
The audit committee
It is not enough to list cybercrime among other risk areas in the annual report. The audit committee should go to some detail and probe the security systems just like they follow up on financial data.
Has a security plan been set up for the CEO, management team and key personnel? Have they received advice, even rules, for the handling of company mail and about their presence on social media?
The audit committee should follow up on cyber security policies. What is the compliance among employees? Are security incidents monitored and reported back to individuals? How often do they happen? What are the qualities of passwords? You should ask if the company has implemented multi-factor authentication (MFA)? Over the years MFA has become easier to onboard and use. Large providers like Microsoft and Google offer them.
Intruders’ attempts to bypass security capabilities and penetrate the organization is a continuous activity. What record does the organization have about the time from an initial penetration to the point that it finds out the attacker is there? It can vary from minutes to months or more. It is called the “dwell time” and is an indicator of the quality of defense capabilities and training.
Intruders try to eliminate traces. The audit committee should ask for the existence and type of security logs that store events in a separate log platform. In the case of an attack, procedures and tools used by hackers can by analyzed. A cost benefit analyzes should be made.
Now, let’s leave the boardroom to get the full picture what is happening out there.
Who are they – the attackers and defenders?
“They are called the blue and red team”, says Philip Törner. “Blue stands for preventing, detecting and defending against intrusions, either from the company itself or from firms offering help and advice from outside”. A blue company like Venor may work alongside staff to protect, detect, and respond to ongoing attacks or give an outsider’s view on security capabilities within organizations.
Red teams try to penetrate defense systems. They are often called “hackers”. They are the bad guys but may also be defenders. Companies engage them to test their systems. Either you pay them by time, or you pay a larger reward when they find something, which is called a bounty. You can find some of the most skillful hackers here.
Those who we are concerned with are the reds who cause harm. It is a diverse group. You will find lone hackers or groups of hackers working together in Eastern Europe, Russia or anywhere in the world. Then you have the big guys, the system providers. They construct the tools that the hackers and even governments use. They charge a kind of license fee for the use of malware often paid in crypto currency. “The system providers can have a facade of an established computer company in basically any country and may attract very skillful data scientists to carry out their mission ”, says Philip Törner. On the blue side you have specialized data companies equally staffed with the best of kind.
The purpose of the attacks can be espionage directed to companies in defense or high-tech businesses or heavy transport sector. The motive can also be to disturb or block vital systems for political extortion or making full scale attacks from one country to another. Nuclear or hydroelectric power plants, energy transfer, dams, or steel productions can become targets.
The attacks we hear off most about are based on extortion, in other words pressurizing companies to pay ransom fees. When hackers have gained access to company systems data is encrypted and rendered inaccessible, so that the company can no longer function. If a ransom is paid, a key may be provided to unlock the systems. Another way to extort companies is to steal sensitive or secret data and threaten to publish unless a payment is made.
Blue against the red is like an arm wrestle with brain power. A Russian group called Conti has been attacking hospitals and emergency medical services. They have a double extorsion strategy – encryption of data as a first step and publishing seized data as a second. If an attacked company can restore data through a back-up extortion becomes less effective. So, Conti is attacking and trying to erase back-up systems, in this case systems provided by a company called Veeam. (WSJ, Lisa Vaas Sept 19, 2021)
Defense strategies are equally sophisticated. An example is to use deception techniques that alert defense. They are called canary files and are highly monitored. It could be files with lucrative names like “company passwords.xls”, “financial report 2022.doc” etc. When the attacker opens the file, an alarm is sent to a security monitoring team who can start an investigation.
Company defense strategy
Start defining how your company may appear in the eyes of an intruder. Can you be a target for espionage? Does your company possess cutting edge or military technology? Can an attack cause harm for the function of the society, banking, traffic- and energy systems, hospitals etc. It lifts the issue to the level of national security and puts data security in par with military defense. There is a line from the threat of critical systems for society to the very existence of a company and to theft and publication of data. The bigger the harm done the more powerful an extortion will be.
A company must organize its defenses starting from the top. The responsibility in the organization lies with the Chief Information Security Officer, CISO. For companies in the financial sector the CISO must report directly to the CEO. The cyber security standard ISO 20017 has the same ruling, and many companies are demanding suppliers to adhere to the standard. The position of the CISO relative Chief Information Officer, whose task is development, should be investigated by the board.
Ongoing digital transformation is expanding the data landscape. The companies are handling a much larger amount of data which makes surveillance and security measures increasingly complex. Questions arise regarding where to store data. Servers can be held in house or shared or dedicated elsewhere for you and may have high physical protection. New directives limit the geographical location for the storage of personal or government data. Cloud storage is sometimes looked upon as a haven, but the cloud does not automatically provide safety. It must be built with tools that are available in the cloud. “Security experts are today integrated in development teams and mechanisms for detection and protection are built in right from the start”, says Philip Törner.
The board should have a map of the company’s data landscape and corresponding safety measures. Every company should have defined what their most valuable data are – often called the “digital crown jewels” and chose where such data is stored and build sophisticated systems to keep intruders out.
To create a defense strategy, one widely used tool is abbreviated “C I A”. “C” stands for Confidentiality – who in the company has access to data. “I” for Integrity – information is correct and not manipulated. “A” for Availability – access to data. To visualize the C I A it is sometimes mapped on the edges of a triangle and given a position indicative to their relative importance.
For a bank correct information will have highest priority, while access to the system can be ranked a little lower. Users will come back if the system is down temporality. For an online vendor or gaming company availability will probably get a very high rank. Trip Advisor’s revealed that their data 2020 contained 3,6% false evaluations, certainly a blow to their credibility.
How you define “C I A” should mirror the culture of the company. Organizations like banks will limit access to classified data to a limited number of persons. A company with an outspoken delegation of decisions must give access to important data to a larger number of individuals. It should be combined with internal surveillance and policies about handling of passwords, access points and location.
Being prepared and still hacked
It is believed that the number of attacks and ransom paid by far exceeds what is reported. Cyber extortion has become a lucrative business. A small company or organization is an attractive bait because their resources for defense are limited. Large companies like Vestas (turn over around 15 billion Euros) are a good prey as the very scale of harm inflicted could strengthen the extortion.
Not even the systems we use in our daily work are fool proof. Apple and Microsoft are regularly sending out updates to their programs referring to security. We hear in the news that someone is informing Apple that they have discovered a security “hole”. One of the biggest incidents so far in the latest years happened December 9 in 2021 when a flawed Java (Log4j) opened doors to hackers and summoned blue teams in defense worldwide. The use of the cloud feels as a relief because somebody else takes care of upgrades. But attention must not slacken for all remaining on premise software that still needs upgrades and patches.
Companies are not isolated digital islands. Supply chains interconnect companies all over the world. Digital services based on cloud are offered and managed by other companies. An attack on a supplier may have your company as the ultimate target. That was the case of the attack on the Swedish retail chain Coop. The initial attack was on the American software company Kaseya, whose services were used by Visma Esscomto manage cash registers for the retailer. The attack was geared to cause maximum damage to build pressure on the victim.
Data systems also require physical protection. Once inside a building an intruder can plug in a computer in the internal network or use sensors as a connection point. It applies not only to office buildings but also the location of servers. Distance work requires safety. The pandemic opened the doors to hackers when personnel with short notice started to work from home and inhouse systems lacked protection when exposed to the Internet .
Data is used everywhere in society. For companies it has become a strategic and valuable asset. Data is used to monitor consumer behavior, to overview equipment, steer industrial processes and to drive cars. In principle every entry point, every sensor or device connected to the internet can be a venue for an attack. In one case a coffee machine connected to the internet became the gateway to take over a company.
Artificial intelligence (AI) requires huge amounts of data. It must be collected by the company and/or, exchanged, or traded with other companies. In all this integrity must be checked and protection ensured through protocols and procedures.
Nobody is one hundred percent secure. “We recommend a security assessment” says Philip Törner. “One example is to perform a penetration test, where a contracted outsider (hacker) is engaged to try to breach the company’s defense. The organization will monitor intrusion that the test generates. This will not only give the organization a good start with a list of things to mitigate, but also provide an insight into the organization’s capacity to detect an intruder, should it occur.
The human factor
All cyber security ultimately boils downs to its weakest points – and that is rarely a system but human beings.
One of the weakest links in the company’s defense are weak and reused passwords. People and their handling of passwords is one of the biggest risk factors. Hackers use special programs that scan large amounts of combinations until there is a hit. In a recent report Swedish Television engaged hackers to test defenses of a midsized real estate company. They came back with a list of 120 passwords they had unlocked. “As soon as a hacker gets hold of a personal password, he/she will test if the same combination provides access to sensible information, for example your company’s login and your social media. Hence it is important to use multi-factor authentication wherever possible.”, says Philip Törner.
Every company should have guidelines on how to use passwords and multifactor authentication. This should be part of the IT security policies and guidelines.
Another threat are seemingly authentic emails, called phishing, where you are asked to click on an attached link that contains malware. One employee at the aluminum smelter Norsk Hydro clicked on a vicious link and the company lost control of all their data. The company managed to restore data from a back-up with an initial estimated cost up to 41 million dollars.
When hackers have identified a company, they set up a team. Conti, mentioned earlier, start an attack with a group that selects and traces individuals across social media to learn as much as possible about them. The targeted individuals get an email that seems legitimate. It may look like it came from his/her golf club or from a schoolmate long not seen. When the receiver clicks on a link the attacker gets access to the system and other people at Conti take over and start to explore from the inside.
Every company should make a list of employees who are likely to become potential targets. The list should contain not only top management but also persons who clear invoices, financial managers, and security officers among others.
Conclusions
The drive behind of cybercrime is financial gains or to get access to strategic and/or secret information. Cybercrime is a lucrative business and companies must be prepared.
Perpetrators range from individuals or groups to large companies or governmental agencies on both sides of the political landscape. The threat to national security and vital functions in the society is real.
The cybercrime problem will not diminish, on the contrary. Companies are under constant attacks. The question is how far penetration goes and what damage it causes. Company management must secure early detection and limit the impact.
The board is ultimately responsible. It must assure that cyber security is a priority for management and the whole organization.
Appendix. Personal advice to board members
Passwords should be long and hard to guess. You must probably remember many passwords for different purposes. To make it easier you could form funny phrases and make them hard to guess using words in different languages. Better still, use a password manager and construct a master password that is long and complicated, which unlocks a vault where you have all other passwords kept safe. The password manager helps you to sign-in to different websites with automatic filling.
But even long and complex passwords are not sufficient since websites are hacked and stolen. Multi-factor authentication (MFA) adds a layer of protection. They provide additional proof of identity for example with a finger-print or a challenge (code or approval), which is received over the cell-phone. Make sure that MFA exists and if so use them whenever possible.
If you have an exposed position being a chair, top management, security officers and even as a board member, avoid social media, think of what you publish. All information can be used against you. Image collection and search is so effective that it can be used to gather data about you.
Leave your mobile phones outside board rooms. Espionage is not only about weapon systems or advanced technology but also used to tap business secrets, for example a forthcoming bid on a company.
Scrutinize e-mails. Phishing attempts can use well-known e-mails with a character exchanged, for example an “l” for “i”, which is hard to detect.
Be cautious if something is said to be so urgent that it requires immediate action. Be suspicious if you get a flattery invitation to give a speech or be invited to an event. I can be a scam.
Do not use open public networks in shopping centers and airports. They will log on automatically if you do not delete them. Use your own cell phone to connect to the net.