DU White Paper – Securing Company Assets for Better Business

A Leadership Perspectives
White Paper
Securing Company Assets for Better Business
Recommended next steps for business leaders
Number 3 in a series
Executive Summary
Information security needs are changing fast. Businesses are facing a large-scale and well-resourced criminal network intent on defrauding them and their customers. On top of this,
there is a growing threat of cyber attacks and cyber espionage, and business faces the need
to meet ever more stringent customer data protection, privacy and compliance obligations.
At the same time, organisations are becoming inherently more vulnerable through greater use
of automated collaborative processes, increased online customer self-service, and more
flexible, remote and mobile working.
The adoption of so-called cloud IT and business services is another emerging aspect of this
new organisational model.
All of this calls for a new approach to data security: one that is based on protecting company
assets, rather than trying to defend the organisation’s increasingly virtual perimeter.
Produced by du enterprise marketing in association with Ovum, a preferred knowledge partner
Business case overview
Among the many changes in the business environment,
compliance, the protection of intellectual property, cost
reduction, and defence against online fraud and cyber
espionage have been identified as the most pressing
needs.
Although the ‘big bang’ of compliance initiatives that
followed scandals such as Enron are now in place,
businesses are facing refinement and extension of their
governance frameworks. These have to be in line with
global information compliance obligations like PCI in
retail, Basel II in banking, and Solvency II regulations in
the insurance sector, as well as prevailing data-protection
legislation and local UAE initiatives such as healthcare
insurance reforms with Thiqa, or screening programmes
like Weqaya.
Online fraud is an arms race against an adversary with
increasing capability and determination. Fraud-detection technologies are advancing and are
provisioned both within the data centre and with the end
user customer. Banks, for example, are using various
privacy, identity and authorisation products to improve
the online security of their customers. Many are
distributing hardware to provide two-factor authentication
when users log in to the online account, or are providing
free anti-malware and anti-spyware products, and
software products to enable the user to check that they
are really conversing with the bank’s site rather than a
hacker site masquerading as the legitimate site.
Once distributed, these software products are not limited
to protecting the banks, but can be used by the customer
to secure other online transactions.
On another front, cyber espionage, whether committed by
business competitors, states, or criminals, is now being
recognised as a major problem. Some computer security
specialists have speculated that malware such as the
headline-making Stuxnet worm was devised specifically to
target particular industrial control systems, such as those
forming part of the Iranian nuclear infrastructure.
There are no complete solutions to any of these
problems, but technology is providing products and
service offerings to mitigate the threats and to allow
business to function within an acceptable risk envelope.
These will increasingly call on online services that collect
threat intelligence on a global scale, with enterprise
information security often delivered as a managed
service.
Quantifying the business risk of
inadequate security
Information security risk is an unknown quantity because
no organisation can predict the timing or the nature of a
future data security threat or breach incident. It might be
when spyware is planted on a server by cyber-thieves
which can be used to siphon off sales accounts data. It
might be the result of a lost and unencrypted disk which is
holding confidential customer records data. Or it might be
the downtime that results from a computing device that
has become infected by a virus and needs to be treated
by IT.
The cost and consequential business loss is hard to
measure.
It is one thing to lose productivity temporarily after being
hit by a virus or other malware-induced outage. A
business that suffers a data security mishap by failing to
protect sensitive customer information, or to safeguard the
privacy of the virtual workspace, is left with a lasting,
tarnished reputation, and with the potential loss of
customers, productivity downtime and loss of revenue
that follows.
The cost of a data breach can destabilise organisations of
any size. The Ponemon Institute, a specialist in the area
of business impact measures of security threats,
evaluated the cost of published data breaches in the US,
UK, France, Germany and Australia. It found that the
most expensive incident in the US was estimated as
costing $31 million. The Ponemon Institute calculated the
direct costs of notifying victims and remediating the
incident, along with the costs resulting from abnormal
customer retention, replacement, and churn. It did not
include intangibles such as damage to corporate
reputation, although it accepts that such damage results
in customer churn. In fact, a large part of the costs
recorded by Ponemon were due to the abnormal customer
churn experienced after such events. It could be argued
that the figures underestimate the total damage, even
though the numbers are extremely large.

The business benefit of a security technology will
generally be much greater if the measures are
preventative and offer protection, rather than simply
reduce the consequence of a successful attack, incident
or breach through detection and recovery mechanisms.
The ‘internal threat’ – which usually refers to incidents
and losses due to both deliberate and accidental causes
by employees, contractors, and some business partners
– is a major concern. Contrary to what many
commentators say, it is less of a threat than the external
one. A Verizon Business study, which focused on larger
incidents, found that two-thirds of internal breaches were
deliberate, but this was not borne out across the wider
field of surveys.
Verizon Business found that 74% of attacks were
external to the organisation, compared with 20% coming
from malicious insiders. Business partners were
implicated in 32% of attacks, down from 39% in the
previous year. In contrast, Deloitte’s cyber-crime survey
attributed the greatest level of concern (26%) to hackers,
compared with just 19% to current employees. Organised
crime was the leading concern among 6% of
respondents.
Metrics to support the business case for security
expenditure are far less sophisticated than those that
have been developed for investment appraisals in
corporate functions such as finance, human resources,
or logistics. Perhaps the most useful measures are those
which show how much a security problem would cost a
business in terms of liabilities, lost business, or
reputational damage. Rather than examining return-on-investment, experts in the field have introduced a
concept known as return-on-prevention.
Experts recommend using more than one
countermeasure against expected threats: a security
engineering principle known as defence-in-depth. One
cost-effective way of achieving this is the use of fixed-price
managed services which provide multiple protection
mechanisms such as firewalls, two-factor (double-strength)
authentication, virtual private networking, anti-virus
software and encryption. By reducing and containing
threats they deliver real business benefit and drive a
positive return-on-prevention.

According to independent experts at the Internet Security
Alliance (ISA), the most common risk measurement
technique among information security professionals is to
multiply the probability of a loss event by the expected
size of the loss, and to sum those products across the
threats faced to obtain the annual loss expectancy.

The ISA has suggested that the field has since matured,
and that both the notion of expected loss and the
techniques for measuring it have improved. In its
exhaustive report The Financial Impact of Cyber Risk: 50
Questions Every CFO Should Ask, the Financial Cyber Risk
working group convened by ISA and ANSI presented the
recommended formula shown below, which organisations
can use to quantify the net financial risk of enterprise
cyber threats.

Stopping a virus attack, blocking spam traffic or plugging
a data leakage hole is the best way of countering the risk
of a threat, incident or breach.

Figure: the ISA/ANSI net financial risk formula (reconstructed from the original diagram)

  THREAT                  frequency of risk event: probable number of events in a year
  x VULNERABILITY         likelihood, or % of damage, for an individual event
  x CONSEQUENCE           severity of risk event: probable loss from an individual event
  = GROSS FINANCIAL RISK  annualised expected loss
  - RISK TRANSFERRED      given the risk mitigation actions taken
  = NET FINANCIAL RISK
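The formula above carried through in code, as an added example that is not from the white paper or the ISA/ANSI report: it computes gross and net financial risk for a constructed portfolio of the three incident types the paper names (spyware on a server, a lost unencrypted disk, a malware outage) and ranks candidate countermeasures by return-on-prevention. Two things are assumptions of this example rather than statements from the page: risk transferred is modelled as cyber insurance with a per-event deductible and limit, and return-on-prevention is defined as annualised loss avoided, net of the control's annual cost, divided by that cost. All the figures are illustrative.

```python
"""Worked example of the net financial risk formula.

gross financial risk (annualised expected loss)
    = THREAT frequency (events/year)
      x VULNERABILITY (likelihood, 0..1, that an event causes loss)
      x CONSEQUENCE (probable loss per successful event)
net financial risk = gross financial risk - risk transferred

Assumptions of this example (not stated in the white paper): risk transferred
is cyber insurance with a per-event deductible and per-event limit, and
return-on-prevention = (annualised loss avoided - annual control cost)
                        / annual control cost.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    frequency: float      # probable number of attempted events per year
    vulnerability: float  # likelihood (0..1) that an attempt causes loss
    consequence: float    # probable loss from one successful event (currency units)

    def gross_risk(self) -> float:
        """Annualised expected loss from this threat alone."""
        return self.frequency * self.vulnerability * self.consequence


@dataclass
class Control:
    """A countermeasure; a factor below 1.0 scales the named threat's term down."""
    name: str
    annual_cost: float
    frequency_factor: dict = field(default_factory=dict)
    vulnerability_factor: dict = field(default_factory=dict)
    consequence_factor: dict = field(default_factory=dict)

    def apply(self, t: Threat) -> Threat:
        return Threat(
            t.name,
            t.frequency * self.frequency_factor.get(t.name, 1.0),
            t.vulnerability * self.vulnerability_factor.get(t.name, 1.0),
            t.consequence * self.consequence_factor.get(t.name, 1.0),
        )


def gross_financial_risk(threats) -> float:
    """Sum of per-threat annualised expected losses (the ALE summation)."""
    return sum(t.gross_risk() for t in threats)


def risk_transferred(threats, deductible: float, limit: float) -> float:
    """Annualised loss borne by the insurer: per event, the loss above the
    deductible, capped at the policy limit, weighted by how often events occur."""
    total = 0.0
    for t in threats:
        insured_per_event = min(max(t.consequence - deductible, 0.0), limit)
        total += t.frequency * t.vulnerability * insured_per_event
    return total


def net_financial_risk(threats, deductible: float = 0.0, limit: float = 0.0) -> float:
    return gross_financial_risk(threats) - risk_transferred(threats, deductible, limit)


def return_on_prevention(threats, control: Control) -> float:
    before = gross_financial_risk(threats)
    after = gross_financial_risk([control.apply(t) for t in threats])
    return (before - after - control.annual_cost) / control.annual_cost


def rank_controls(threats, controls):
    """(name, return-on-prevention) pairs, best first."""
    scored = [(c.name, return_on_prevention(threats, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed portfolio matching the incident types named in the white paper.
# The numbers are illustrative assumptions, not survey data.
PORTFOLIO = [
    Threat("phishing credential theft", frequency=12, vulnerability=0.25, consequence=20_000),
    Threat("malware outage", frequency=4, vulnerability=0.5, consequence=15_000),
    Threat("lost unencrypted disk", frequency=1, vulnerability=0.8, consequence=250_000),
]

CONTROLS = [
    Control("managed email security and web filtering", annual_cost=40_000,
            frequency_factor={"phishing credential theft": 0.3},
            vulnerability_factor={"malware outage": 0.5}),
    Control("full-disk encryption on laptops", annual_cost=10_000,
            vulnerability_factor={"lost unencrypted disk": 0.05}),
]

if __name__ == "__main__":
    print(f"gross financial risk: {gross_financial_risk(PORTFOLIO):,.0f}")
    print("net financial risk (deductible 50,000, limit 500,000): "
          f"{net_financial_risk(PORTFOLIO, 50_000, 500_000):,.0f}")
    for name, rop in rank_controls(PORTFOLIO, CONTROLS):
        print(f"{name}: return-on-prevention {rop:.2f}")
```

The point the ranking makes is the one the paper makes in words: a cheap preventative control that removes most of the largest consequence (encryption of the disk) returns far more per unit of spend than a broader but costlier service, and insurance reduces the net figure without touching the gross one.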
Plotting the best course of defence
There are several recommended steps that will help executives steer their organisations along the best course of
action against the current trends in the information security threat landscape.
1. Monitor the business environment.
2. Scrutinise the technology portfolio.
3. Select solutions and services.
4. Manage deployment and outcomes.
The table below outlines the various trends to watch in the context of enterprise level security.
Monitor the business environment
1. The bulk of security threats emanate from the criminal fraternity, much of which operates on an international scale. Fraudsters are
opportunists who make money where they can. They are not wedded to one particular form of crime, and will adjust their activities to
the conditions in the (black) market. While past activity has focused on stealing banking and credit card credentials, the market for
these appears to have become saturated and prices are falling. Consequently fraudsters are turning to industrial secrets and IP theft,
and offering more bespoke ‘steal to order’ services.
2. Compliance demands are increasing both because of new regulations and because current regulations are being strengthened or
more vigorously enforced.
3. The extension of the enterprise to include external partners requires an extension in the reach of security policies and implementation.
Business needs to monitor security in partner organisations and understand how this impacts on the internal risk posture.
Scrutinise the technology portfolio
1. The extension of the enterprise IT environment beyond its physical boundaries requires security to be applied to assets and services
wherever they are located. It emphasises the importance of an integrated identity-management and access-control system across the
infrastructure. It also requires some degree of integration of security event information management and reporting across the
environment.
2. The defence against criminal activity of all types is moving into internet services. Defenders have to be able to see a global picture to
correlate malicious activity across the criminal networks. Malware is morphing so quickly that the traditional signature-based detection
methods have been overwhelmed, and it has become impossible to create and download signature-update files quickly enough.
Fraud networks can be disrupted if the network is understood, but individual victims can no longer defend themselves. Businesses
need the support of a service provider partner with a global reach and strong local presence, to be able to accurately and constantly
monitor the threat landscape and provide preventative protection.
3. People doing business on the internet, including banking transactions, face considerable risk from spoof websites, infected legitimate
websites, and man-in-the-middle data interception attacks. Technology is providing tools to authenticate the web site the user has
connected to, and once connected can protect against the infected parts of a genuine site. Strong authentication tools are also
reducing the risk of a thief impersonating a legitimate user.
Select solutions and services
1. Security technology has to be selected to deliver the compliance requirements the organisation has to satisfy. In particular, managed
security service providers must be open about submitting their security policies to compliance auditors, a requirement that most fail to
meet. They must be able to satisfy requirements for data-protection legislation, including meeting any geographical limitations on
where data is held or copied to. du has gained the ISO/IEC 27001:2005 certificate of approval for its Technology Security and Risk
Management division.
2. There are wide differences in the approach of anti-malware vendors and fraud-detection service providers. The scale and distribution
of their intelligence operations, and their industry focus, should be considered in the selection process. Because they ‘own’ the
network, telcos are particularly well placed to act as managed security service providers. MSSPs like du provide a line of defence
against security attacks before they reach a customer’s premises, and can address the full spread of potential vulnerabilities:
prevention from the cloud itself (e.g. email security services), remote services (e.g. security event and incident management),
monitoring and managing the customer’s on-premise environment, recovering lost data, or providing an overall security governance
model (including data loss prevention practices).
3. Ease of management and an integrated approach to security deployment are important features in choosing a security infrastructure
that will support a business-centric risk-management strategy. An MSSP provides a systematic approach for managing an
organisation’s security needs. With the increased sophistication of threats, MSSPs also provide specialist proficiencies at a lower cost
of ownership.
Manage deployment and outcomes
1. Security is a wide and disparate discipline; even the information security function is kept separate from building access controls and
other aspects of business risk.
2. Some security tasks are more aligned to business process management and systems management (such as configuration control)
than they are to other security disciplines.
3. This level of synergy is leading to the major IT vendors playing an ever-increasing role in security provision. This trend can be seen in
the accelerating consolidation in the industry, such as the acquisition of software security supplier McAfee by chip-maker Intel.
The shifting UAE threat landscape
Security experts in the Middle East have warned that
the growth in the region of on-line banking could create
a breeding ground for new forms of computer malware.
Egypt and Saudi Arabia are among the top three
countries hit by a banking Trojan known as Zeus or
Zbot. These Trojans could prove among the most
challenging yet, as the malware often goes undetected
by the popular desktop anti-virus packages. The code
infects PCs, waits for the user to log on to one of a list
of targeted banks and financial institutions, and then
steals their credentials, which are sent to a remote
server in real time. It can also modify, in the user’s
browser, the genuine web pages served by a bank’s
web servers so that they ask for additional personal
information such as a payment card number, PIN or
one-time password.
The UAE Telecommunications Regulator (TRA) has
flagged phishing e-mail attacks as the most pervasive
type of cyber threat currently undermining consumer
confidence about online e-security. TRA’s e-security
arm known as aeCERT acts as a local cyber security
coordination centre and will block access to high risk
websites, working in association with du and the global
Anti-Phishing Working Group (APWG).
There is a clear need for these sorts of initiative, with
reports that in Abu Dhabi alone, 235 cyber-crimes were
registered in 2010 compared with just three such cases
reported three years earlier. It is estimated that a
staggering 80 million spam messages are now targeted
at UAE businesses and consumers every day.
Specialists suggest the best way to prevent infection is
simply to be cautious about opening dangerous file
attachments in email, and to enable browser
protection. Web filtering is one powerful technique,
also available to enterprises as a managed security
service, which limits the effectiveness of such attacks
by preventing them from spreading.
No security technologies are specific to particular
verticals, but some are tied to business processes
such as payment transactions. The financial services,
healthcare, and government sectors have traditionally
been the leading adopters of security technologies, and
their needs have driven innovation, but expenditure is
now rising generally among other companies with
high-value information assets.
Laying down a depth of defence
These companies understand security can only be
achieved if attempted attacks are blocked along as
many channels as possible. No single type of defence
is much use in isolation. It is not possible to achieve
security just by inserting some magic defensive
components in the infrastructure.

Figure: layers of defence, from the innermost outwards
  Data Defenses
  Application Defenses
  Host Defenses
  Network Defenses
  Perimeter Defenses
  Physical Security
  Policies, Procedures, and Awareness
A depth of defence is called for, which can be
supplemented by a service partner capable of gathering
and acting upon the extensive threat intelligence. The
service provider can offer protection against risks
including interception of corporate data, unauthorised
access to corporate networks, spyware, misuse of data,
spam through various channels, and fraud.
Organisations are facing increasing pressures from
regulators, shareholders, business associates,
customers and employees to improve their information
security at the same time as the range of threats grows
and budgets are constrained.
The increasing level of competition in the security
market is causing vendors to deliver their technology in
a more flexible way. There are ways to replace capital
expenditure with operating expenditure. In addition to
more flexible licensing options, the traditional methods
of buying either a software product or an appliance preloaded with the security product are now widely
supplemented with managed security services and
cloud-based services on the Internet.
Security, authentication, and compliance management
are expensive and specialised tasks that some
organisations prefer to outsource to experts. There are
some real business benefits to be had in using external
specialist service providers for security management.
The service provider can be relied on to configure and
maintain security infrastructure, monitor assets and
security threats, generate alerts based on its and the
client organisation’s policy (and compliance
requirements), and offer 24x7 remediation services
through a group of security specialists.
Managing the spread of security threats
A managed security service provider like du can take a
global view across the Internet to monitor threats and
identify malware and the activity of cyber-criminal
networks. This intelligence is key to developing the
services that mean defences put in place for customer
organisations can react quickly enough to prevent and
block potential attacks.
It is often easier to track unusual traffic patterns than to
identify malicious content. The flows may consist of
malware coming from an attack centre, or data going to a
criminal collection centre. Most attacks involve a
combination of attack vectors and are referred to as
‘blended attacks’. For example, a spam email campaign
might direct readers to a web site URL from which the
real malware is downloaded onto the user’s computer.
This malware may turn the user’s computer into a
remotely controlled end-point which can then be used in
a future malware campaign. Most malware is now
distributed from websites, and a high proportion of these
sources are legitimate websites that have been corrupted
by hackers.
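As an added example (not code from du, Ovum or the white paper) of tracking traffic patterns rather than content: the script below runs over a constructed proxy log and flags client/host pairs that connect at near-regular intervals and upload more than they download, the shape of a remotely controlled end-point checking in with its controller or pushing data to a collection centre. The log format, the thresholds (five or more connections, coefficient of variation of the gaps below 0.15) and the sample addresses are assumptions of the example.

```python
"""Beacon detection over a web-proxy log: find client/host pairs whose
connection timing is unusually regular and whose traffic is upload-heavy.
Regular timing is the tell-tale of a scheduled check-in; a high upload ratio
suggests data leaving for a collection point rather than content being fetched."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, not captured from any real network.
# Fields: timestamp client_ip method host bytes_sent bytes_received
# 203.0.113.7 is a documentation (TEST-NET) address standing in for a C2 host.
SAMPLE_LOG = """\
2011-03-01T09:00:03 10.0.0.12 GET www.example-news.com 412 53210
2011-03-01T09:00:07 10.0.0.12 GET cdn.example-news.com 380 120044
2011-03-01T09:01:00 10.0.0.45 POST 203.0.113.7 2048 96
2011-03-01T09:03:00 10.0.0.45 POST 203.0.113.7 2048 96
2011-03-01T09:02:11 10.0.0.12 GET www.example-bank.ae 510 8802
2011-03-01T09:05:01 10.0.0.45 POST 203.0.113.7 2050 96
2011-03-01T09:06:58 10.0.0.45 POST 203.0.113.7 2048 96
2011-03-01T09:09:00 10.0.0.45 POST 203.0.113.7 2049 96
2011-03-01T09:14:40 10.0.0.12 GET www.example-news.com 401 51033
2011-03-01T09:11:00 10.0.0.45 POST 203.0.113.7 2048 96
2011-03-01T09:31:02 10.0.0.12 GET www.example-bank.ae 498 8790
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes_sent, bytes_received); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _method, host, sent, recv = parts
        try:
            yield datetime.fromisoformat(ts), client, host, int(sent), int(recv)
        except ValueError:
            continue


def detect_beacons(text, min_events=5, max_cv=0.15):
    """Return client/host pairs with at least min_events connections whose
    inter-connection gaps have a coefficient of variation below max_cv
    (near-periodic), together with their upload ratio. Lowest cv first."""
    flows = defaultdict(list)
    for ts, client, host, sent, recv in parse_log(text):
        flows[(client, host)].append((ts, sent, recv))

    findings = []
    for (client, host), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda e: e[0])  # log lines are not guaranteed to be in order
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:  # duplicate timestamps only: no period to measure
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv > max_cv:
            continue
        sent_total = sum(e[1] for e in events)
        recv_total = sum(e[2] for e in events)
        findings.append({
            "client": client,
            "host": host,
            "events": len(events),
            "mean_interval_s": mean_gap,
            "interval_cv": cv,
            "upload_ratio": sent_total / max(recv_total, 1),
        })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['events']} connections every "
              f"{f['mean_interval_s']:.0f}s (cv {f['interval_cv']:.3f}), "
              f"upload ratio {f['upload_ratio']:.1f}")
```

Ordinary browsing (the news and bank visits from 10.0.0.12) never reaches the event threshold and its timing is irregular, so it is not flagged; the host on 10.0.0.45 is flagged on timing alone, before anyone has looked at what the POST bodies contain. In production the same logic runs over a day's log rather than eleven lines, and real beacons add jitter, which is why the check is a tolerance on the coefficient of variation rather than a test for identical gaps.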
Social networking technologies are also increasingly being
used by criminals, and social-engineering attacks remain
popular on all channels. Research has shown that
people are much less guarded when entering information
into a machine, such as through a phone keypad, than
when talking to people.
All the technological and procedural solutions available
are needed in order to protect against the varied and
growing security vulnerabilities found in today’s business
environment. Most organisations look to strong
authentication as one way to secure user access. Others
look to newer technologies to secure other business
assets, with software that remotely renders a lost or
stolen device inoperable and protects the information
stored on it.
Conclusions: A mandate for secure
business
Organisations can help themselves and their customers by adopting good security practices and maintaining an
adequate security budget. If they fall victim to an attack, the cost of a single incident can range from a few
thousand dollars for an individual to millions for a large corporation.
Agenda item 1 – The industry concurs that the total volume of security threats is increasing at up to 50% per
annum, and that criminal gangs looking for fraudulent financial gain mostly drive the threat. Conduct a
comprehensive security audit at least once a year.
Agenda item 2 – The gangs behind cyberthreats are resourceful and flexible in the strategies they are adopting.
In particular, they have recently harnessed social networking services and the tactic of delivering ‘scareware’– that
is, false anti-virus products. HR must issue a clearly worded Internet usage policy to employees about what is and
what is not ‘good behaviour’.
Agenda item 3 – For the most part hackers still use tactics based on malware. They often target high-value
victims, customising their tools and messages and conducting pre-attack espionage to find the attack avenue with
the greatest chance of success. Make sure customers and business partners have the best security tools in place.
This is the third in a regular series of Leadership Perspectives White Papers, produced by du enterprise marketing in association with
Ovum, a preferred knowledge partner
For more information, please email [email protected] or visit www.du.ae