According to the 20th Global Information Security Survey, 95 per cent of companies stated that their cybersecurity function does not fully meet their organisation’s needs. An outrageous number, especially when looking at critical infrastructure such as the energy or oil and gas industry, a field where disruption caused by hacker attacks can cost more than just money. In this article, Yuval Porat, co-founder and CEO of KAZUAR, assesses the threat and explains how businesses can protect their assets from cyber crime.
We hear every day about the cyber security threat, and in a more digitized world it is now more important than ever to understand the true threat to industries that have strict rules and regulations in place. This is because the fallout of an attack goes way beyond earning the organisation a fine for not being compliant or minor financial loss. A new wave of cyber criminals, using new types of cyber attacks, with new motivations for carrying them out, can at best cause operational disruption and at worst lead to fatalities. And between those outcomes, there is a range of other business implications, such as damage to brand reputation, exposure of critical and private data and significant financial loss.
To understand more, it is first important to provide a bit of background. Today’s cyber criminals are highly skilled, well-funded and extremely innovative, unencumbered as they are by legislation and regulation. They include ex-members of leading global intelligence agencies who have worked for nation states, developing new ways to hack and disrupt systems. And, while they’re not regulated, these criminals are as organised and professional as leading experts in nation-state organizations. As a result, cyberattacks have reached new levels of sophistication: they bring a wide and deep research base, greater technological innovation, exploitation of unprotected layers, better operational capabilities, long-term planning and the ability to orchestrate multi-dimensional attacks that target software and hardware, both on the endpoint and the server-side.
To show the true extent of the modern-day threat, let’s take the energy industry as an example. A heavily regulated sector that is rich in resources to invest in cyber security, its traditionally ‘linked-up’, large-scale approach meant that once an issue was discovered, it could be isolated and resolved before it spread to the wider network. However, with the new trend towards digitalized, decentralized service provisions providing alternative energy, the energy sector is open to new opportunists: there is an almost unlimited number of targets for them and it is now much harder to protect every separate plant to a high level. The move towards a “smart grid” also turns the digital “oil field” into a network of data. This data is a highly attractive asset, which can be used by attackers to threaten both security and privacy. In short, there are more targets, so more data to be accessed, giving criminals more motivation to exploit those targets, leading to an increased threat to security and privacy.
Furthermore, criminals are still also targeting employees and third-party partners as a way to access networks. No organisation can assume all its employees have the same level of understanding regarding the sophistication of the attacks that could target them as a way into the network – and they certainly can’t be sure third-party partners and contractors have the same level of security applied to their systems. A recent survey by BAE Systems, for example, found that 71% of organisations had been affected by phishing scams enabled by employees and 65% had been targeted by viruses and malware that was opened by mistake.
This issue is compounded further if a security system is too complicated or clunky to use. With busy days and deadlines to meet, if the cyber security system is not user-friendly, workers will bypass the protocol in place to expedite their tasks and finish their workload.
Unfortunately, all current security systems are failing by design. They don’t take into account the changing nature and sophistication of attacks because they were created based on a different threat assessment – before the profitability of stealing data and causing disruption existed. And, maybe most importantly, different solutions do not work together. Currently, the foundation for cybersecurity is based on the integration of separate products, largely software, with each designed to protect a specific part of the system against a specific type of known threat. So while this application-specific security software may be getting better, it does not cater for weaknesses outside of the threat it tackles.
The cyber security industry needs to develop a comprehensive, holistic solution, from keyboard to cloud, that keeps sensitive data safe without disrupting the usability of data. It will require expertise from regulators, legislators and organisations to create a universally recognised standard of protection. The industry is not quite there yet, but hopefully by explaining how cyber criminals are thinking and how security could be approached differently, organisations will start to plan for the new era of cyber threats that require a new approach to stopping them in their tracks.
Biography: Yuval Porat, Co-founder & CEO KAZUAR
Yuval Porat is co-founder and CEO of KAZUAR, an Israeli cyber security start-up created by former senior executives from the Israeli intelligence community. The team includes the former CTO and deputy director of Mossad, the former CTO of the Israeli Security Agency, the former deputy director of 8200, the former director of the CIA and Prof. Adi Shamir, a world-renowned expert in cryptography and winner of the Turing Award.
KAZUAR is developing a holistic cyber security platform, including hardware and software, which provides businesses with intelligence-grade security in order to address the new level of cyber threats. KAZUAR was created as a result of Yuval’s experience dealing with state-level cybersecurity threats and his forecast that these sophisticated attacks will proliferate to the private sector and expose businesses to a new level of threats. As well as his expertise in the strengths and weaknesses of modern cybersecurity protection, Yuval also has 20 years of experience in strategy design, execution and crisis management and is highly connected with decision makers in both the private and government sectors worldwide.