To stay competitive in our networked world, organisations race to keep up with digital developments and embrace innovation.
However, this also makes corporations vulnerable and a target for digital attacks – as Stefan Rojacher found at first hand when his company, Kaspersky Lab, was hacked by Duqu 2, a highly sophisticated platform for cyberespionage. We invited Stefan and cyber security experts Jaya Baloo and Roel Van Rijsewijk to share insights into the fight against cybercrime.
The following are experts of interviews that were conducted separately. Image: Thinkstock
What are the most common fears your clients have about security?
Jaya Baloo: The fears tend to be things that rarely happen but are so commonly publicised in the press that our clients tend to worry about them. People are worried about advanced persistent threats, hacking by state agencies or their competitors, and they’re afraid that it’s happening on a very large scale. When in fact what they should be worried about is very basic things that they can deal with themselves, vulnerabilities that they simply don’t know about. They don’t always have a very good idea about where their weak spots are, what to do about them, or very simple network system hygiene that’s required like making sure your patches are up to date and your password policy is in good order. Those are the kind of things that tend to go wrong.
Roel Van Rijsewijk: I talked our executive clients all over the globe and one of the conclusions was that, although maybe 10 years ago there was an awareness challenge, currently it’s all on their agenda. Every CEO understands that they are completely dependent on technology and that this will only increase. Technology is getting more open and connected, the CEO is becoming more vulnerable, and he’s looking at the papers and TV and sees that threats are increasing. So they understand there is a problem.
And how do you advise your clients to defend against threats?
Jaya Baloo: It really depends on the customer and what they have to protect and who they have to protect it from. If they actually have intellectual property to protect from competitive intelligence gathering by competitors intent on stealing that IP, then we won’t say to them that it’s nonsense and to stop worrying about it. No, it really is important to understand that company’s business in order to advise them accurately in terms of security. That being said, the generic thing we see happening is these companies want to have novelty detection, advanced techniques in place when they haven’t even done the simple stuff first. So what I’d like to make sure is that we’re not jumping on the fear-uncertainty-doubt bandwagon that’s used by a lot of security vendors and that we’re actually taking a moment to consider the nature of the threat and the ability to cover all the basics.
Roel Van Rijsewijk: The problem is that 100 per cent security is just impossible. It would be too costly and it’s an asymmetric fight. As a defender you need to plug all the holes in an ever-changing IT landscape and the attackers only need one tiny gap to get in. And you don’t know what they’ll come up with tomorrow - all these technological developments that we use to improve our lives or services can be used to attack in new ways. What organisations all over the globe are doing now to create value is exactly the same thing which also creates cyber risk. Continuous innovation – not only technological but also new business models, global expansions, M&As– all these innovations are designed to share information, not to protect it.
Stefan Rojacher: I would say from a communication point of view our strategy after being attacked was a good one, earning a lot of credit from people in the industry. (In retrospect), there have been a few changes. For example more audits on our networks, more training – all our staff is highly educated on cyber security of course but now there is more training and more education so that everyone is aware of where the threats are and how they can protect their company from such an attack.
Ready for action: the Anti-Virus Lab at Kaspersky
Do your clients accept that 100% security is impossible?
Jaya Baloo: I always say that there is no protect, there is no prevent. You really need to focus on when it happened and how quickly can I find out that it’s happening in order to be able to mobilise all of the necessary actors into action. That being said, it’s not OK to just react ad hoc to every incident. We do a lot in terms of crisis management training, exercising our defence strategy, how quick we are to mobilise when we see something happening, whether we take the right action for the right people.
Roel Van Rijsewijk: What you need is not security but resilience. I can’t prevent the danger from getting in, but I’m confident that I have the ability to detect it timely and respond adequately. So you don’t want to eliminate cyber risk, you want to manage it. And that is perfectly possible. One of the most important building blocks of trust is vulnerability and vulnerability actually is a strength.
But you try convincing an executive board that.
Roel Van Rijsewijk: That’s the challenge I have daily. As a security consultant it’s very tempting to stick to a story of fear, to explain to the executive board that hackers are very sophisticated, very determined and are getting better every day. We try to avoid that. Because that leads to a compliance-based strategy around cyber security. Basically, “I will tick all the boxes and comply with all the industry standards so when the shit hits the fan I’m not accountable”. The smart business out there recognise that the very things that the business is doing to grow and create value are the very things that create cyber risk - continuous innovation, trust in your people, and getting more value out of data.
Are companies trapped by looking at information security from a defensive perspective?
Jaya Baloo: I think it was Sun Tzu who talked about having a healthy respect for your opponent. And this is no different. In order to be able to understand what you need to do, you need to be able to understand the mentality, the motivation, the modus operandi of your opponent. So whether those attackers are opportunistic hackers just seeing where they can break in, or targeted attackers like hacktivists, or cyber criminals or state-sponsored actors, they’re all going to share some commonalties in modus operandi whenever they do reconnaissance or they go through the kill chain in order to get what they came to get from your company. It’s really a requirement that we understand all of those things - who they are, what fires them and how do they work - in order to create an effective response on the other end.
Stefan Rojacher: When we found out there we were under attack, no one knew about it so it was just the two parties, ourselves and the hacker. So we had time to think about our strategy. Of course, maybe a public company would never have made an announcement about the attack, but we are a privately-held company with transparency guidelines and principles, and they say we publish every incident we find. So for us the decision was clear: to analyse this attack and then publish our findings.
What can communicators faced with a hack say to stakeholders?
Jaya Baloo: A certain degree of honesty is always best practice. And although you always have an amount of uncertainty, what you need to covey is that you are still in control, that you are assessing the situation, that you are doing everything possible. Part of any good crisis management plan is communication. In fact, we’ve embedded communication into every part of our incident response plan, and I think that’s the starting point. If you already have communications enabled, it means that these people are trained, they’ve done the same exercises as the incident response team and already anticipate what they’re going to say when a minor incident, an intermediary incident or a major incident happen. They know already how to respond, they’ll know what they can give away and what they can’t give away.
Stefan Rojacher: Analyse what kind of crisis can happen and try to prepare for it in advance. And try to get people in a team to develop a strategy - but make sure the team is really experienced. This is what we learned. Our team was a global team, from different cultures and all of them were very experienced people. In this kind of crisis it is really helpful to have experienced other crises in your career, maybe not such big ones but you know how to get along in such a situation.
Roel Van Rijsewijk: The other role is not only about technology but about raising awareness of employees about, for example, fishing emails that you shouldn’t click on, or how to handle data. Because you are giving people very powerful technologies for sharing data, lots of the responsibility is now distributed to your people. To handle that responsibility they need to understand, for example, privacy laws, what is sensitive data and what’s not, what can I share or what I shouldn’t. So there’s a communications challenge there. And the other role that is lacking is proactive communications about expectations. Let’s say that 100 per cent security isn’t feasible, but managing this risk to an acceptable level is something that you also proactively can communicate. You can try to explain that after the crisis has occurred but maybe there is also a role for communications to manage expectation with a wider audience, with clients, with regulators.