The High Cost of Laxity in Cybersecurity
Updated: Aug 30, 2019
On October 2018, Cathay Pacific revealed that the company suffered a data breach that affected 9.4 million customers. It is unfortunate that small and large companies continue treating cybersecurity as an immense and “unnecessary” expenditure within their budgets. This attitude impedes a company’s ability to address security incidents – issues that need to be handled with urgency.
According to the Hong Kong Privacy Commissioner for Personal Data Stephen Kai-Yi Wong, two groups targeted the airline. The first dropped a keylogger on a reporting system. Cathay Pacific said it is uncertain how the group was able to enter the system. Given the sophistication of the hackers with their tools and expertise, the security response team will need to deploy modern solutions to identify these types of risks and enhance policies and procedures to eliminate gaps and reduce potential threats.
The second group exploited a known vulnerability on an internet-facing server allowing them to bypass authentication and access administration tools on the server. In this case, Cathay claimed it was unable to update the server because the update was incompatible with an Airbus fleet manual application. It is not an uncommon practice for legacy systems to be kept in operation for several years. There are cost-effective solutions, such as network micro-segmentation or VLAN, that will partition these legacy systems to minimize vulnerabilities and threats.
Wong concluded that “Cathay adopted a lax attitude towards data governance, which fell short of the expectation of its affected passengers and the regulator.”
Whether it is the “lax attitude,” the sophistication of the hackers, or a lack of cybersecurity expertise, etc. the lowest cost for businesses to reduce these threats and risks is to increase cybersecurity awareness throughout the organization. When that is accomplished, the next step would be to build the “Lego Castle,” or block-by-block, beginning with a Baseline Assessment to Know the Unknowns.
Unfortunately, for many successful businesses, cybersecurity is not a part of their overall business strategy. This allows opportunities for hacker communities around the world to be more aggressive. This is especially true for Hong Kong, one of the world’s top finance centers, and hackers know this. The Hong Kong business hub is an easy prey with large financial rewards, especially with Small-Medium businesses that prefer to pay ransomware in lieu of spending a fraction of the cost for preventive measures. A cybersecurity strategy is clearly not a priority to many organizations in Hong Kong – including Cathay Pacific – otherwise, they would be performing (recommended) a weekly or (at a minimum) a monthly vulnerability scanning as standard practice as a foundation to their landscape of cybersecurity
According to another report, Hong Kong saw a record number of user data breaches in 2018, totaling 129. Privacy Commissioner Wong said key issues were “hackers and lapses in protection.”
A study commissioned by Microsoft in the Asia-Pacific region showed potential economic losses in Hong Kong caused by cybersecurity attacks could reach US$32 billion (HK$249.6 billion) annually or approximately 10 percent of the city’s gross domestic product within the next few years.
Austrade Hong Kong Senior Business Development Manager, Wilson Tang, explained that being Asia’s leading financial hub makes Hong Kong “highly vulnerable to malicious cyberattacks.”
Why have business executives been lax with cybersecurity?
For most business leaders, “cybersecurity” is just another I.T. issue. For many I.T. professionals think having an antivirus for the desktop and a firewall for the network is all they will ever need.
Cybersecurity is not a temporary fix to a problem. Cybersecurity is beyond a anti-virus software and a firewall. It must be an ecosystem within the company and consists of the triad of Technology, People, and Process. These three elements must work together continuously and consistently to identify, remediate, and prevent to achieve a long-term reduction in risks and threats.
So, where to start… business leaders of companies need to know FIVE fatal risk-assessment cybersecurity mistakes which may cause a business to fail:
1. Failure to understand the relationship between investments and risk
Cybersecurity is an investment. And this investment has a direct impact on attacker behavior. If business leaders remain willing to pay ransom in the event of an attack, threat actors are only encouraged and are newly funded to continue investing in making their ransomware more dangerous to victims and a more expensive ransom for the next attack. The threat actors are more likely to target those more vulnerable organizations where only one or two layers of defense are used, like antivirus & firewall.
2. Not taking intangibles into account
There are costs to any size business, with the relative costs being higher for a small to mid-size business.
Reputation: Cyber-attacks always result in a certain amount of damage to an organization’s brand and reputation. It is difficult to calculate the monetary costs of loss of trust and loss of potential business. It can often take years for a company to win back lost customer trust; and according to an article in the Denver Post “60 percent of small companies go out of business within six months of a cyberattack.
Lost Time: Even if the ransom is paid, the productivity of the company and its ability to continue business is adversely impacted. The average number of days a ransomware incident takes 7.3 days to recover.
More reference for SMB: https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html
3. Thinking that an “honor among thieves” mentality still prevails among attackers
Not all organizations that paid ransom to cybercriminals were able to get their data back. Some of these criminals never intended to give the data back and others did not have the skills to fulfill their promise of decrypting the files that they held hostage. More importantly, the hackers already have access to the organization, and it will be much easier to target another device at the same organization after they received their pay from the first attack.
4. Trying to predict the costs of a ransomware attack
Most of the attackers today demand payment in Bitcoin or other cryptocurrencies. Since the value of these cryptocurrencies varies daily, it is difficult to estimate the exact amount that an attacker may demand.
5. Believing that your business can survive an attack
Simply put, no one is safe from a cyberattack. Many I.T. professionals believe their data are backed up effectively and they are too busy to test them until it is too late. “Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.”
It is time to get to know the unknown and take steps to build your castle block-by-block.
Are you still uncertain about how effective your current cybersecurity strategy is?
Do you know how to lower your risks?
Can your business get back to doing its business quickly?
We recommend performing a vulnerability assessment scan with a third-party vendor to know what you don’t already know. The cost of this Baseline Assessment can be as low as USD1 per device.
Without this Baseline result, the organization is operating blindly and throwing resources in random without KPI. Please contact us to learn our 3 Steps to C.A.R.E. program to bring you the peace of mind you deserved or, please visit our website, https://www.netswitch.net