2014 Global Cyber Executive Briefing. A Deloitte Global Report
Advanced Persistent Threats have become a reality for all organizations that depend on digital technology
Businesses will experience cyber-attacks: Deloitte report outlines top threats for seven industries and provides tips to understand greatest risk
Moscow, 8 July 2014 - Today’s C-suite must deploy a cyber-defense that is secure, vigilant, and resilient, according to a report released by Deloitte Touche Tohmatsu Limited (Deloitte Global). The report, Global Cyber Executive Briefing, finds that virtually all organizations will be attacked, so C-level executives need to better understand their biggest threats and which assets, typically those at the heart of their business’s mission, are at the greatest risk.
This report examines threats and vulnerabilities across seven key sectors: high technology, online media, telecommunications, e-commerce, insurance, manufacturing, and retail. It outlines the potential for attacks, the reasons behind them, possible scenarios, and the potential impact on business.
“People think cyber-attacks are confined to specific sectors. In reality though, any organization that has valuable data is at risk,” said Ted DeZabala, Cyber Risk Services Leader, Deloitte Global. “Not a single sector is immune to this. Knowing the value of your data, the value of that data over time, knowing the potential attacker, their resources and motivation, are some of the first steps in making business decisions about adequate protection.”
According to the report, being secure starts with tackling weaknesses in applications and reinforcing the digital infrastructure. Organizations that are vigilant should subsequently be alert and identify any attacks as early as possible. Being resilient involves early-stage identification of the direction of a threat, the reason for such a threat, and how it will manifest itself. Rapidly detecting an attack can spur an organization into action so that it isolates and removes the threat.
“Whereas in the past malefactors needed direct physical contact with their intended victims in order to gain benefit, nowadays everything is much easier for them. With technology developing very quickly, information has become of paramount importance,” says Sergei Bukhanov, Director of Enterprise Risk Services at Deloitte CIS. “Indeed, the latest statistics show that the vast majority of profitable crimes are committed remotely: cash lifted from hundreds of customer accounts on popular POS networks; credit card details stolen en masse from the hundreds of thousands of online customers of one of the world’s largest transport companies. As a result, banks have been forced to limit or completely block card functions for thousands of their clients. On top of this, we are hearing more and more often of bank employees abusing their authority by transferring funds from clients’ accounts to their own, or issuing unauthorised bank guarantees via the SWIFT system. With all of that in mind, we are seeing increasing awareness among the executives of major companies across the world regarding the significance of emerging threats to information security, and an increase in measures to clamp down on these threats when using information technologies.
“It is also important to note that over the last few years Russia has been working to optimise its legislation in the areas of IT security and personal data protection. The Bank of Russia recently issued new standards for banks’ information security systems, and there are ongoing discussions on means to increase criminal liability in the banking sector for cases of embezzlement with the use of technology.”
Highlights of the report, including threats by sector, include:
- High Tech: Consistently a target for attacks, with the biggest threats being loss of intellectual property (IP) and hacktivism. Threats are also used as a stepping stone to attack and infect others.
- Online Media: Has the greatest exposure to cyber-threats, with those that cause reputational damage topping the list. Threats are also used as a stepping stone to attack and infect others.
- Telecommunications: Facing increased, sophisticated attacks, including by government agencies using Advanced Persistent Threats (APT) to establish covert surveillance for long periods of time. Another critical threat unique to the telecommunications sector is the attack on leased infrastructure equipment, such as home routers from Internet Service Providers (ISPs).
- eCommerce: Database breaches (i.e. loss of customer data, including names, physical addresses, phone) and online payment systems are vulnerable areas that are often attacked. Denial-of-service attacks also top the list, particularly by hacktivists who want to disrupt an organization in a highly visible way.
- Insurance: The sector typically has a lot of sensitive data to protect. Cyber-attacks are growing exponentially as insurance companies migrate toward digital channels, with sophisticated attacks combining advanced malware with other techniques such as social engineering. While current attacks appear short-term, the report predicts the number of long-term attacks may be silently growing.
- Manufacturing: Seeing an increasing number of attacks by hackers and cyber-criminals, as well as through corporate espionage. Types of cyber-attacks in manufacturing vary widely, from phishing to advanced malware, targeting not only IT but also connected Industrial Control Systems.
- Retail: Credit card data is the new currency for hackers and criminals. Insider threats in retail are increasing, giving rise to a new breed of criminals that focus on stealing information, especially the valuable cardholder data that flows between consumers and retailers.