It’s difficult to put a number on cyber security. Which threat actors are interested in which business areas? How would targeted attackers gain access to targeted files? How much is ransomware a threat to the company? As it is, these questions can be difficult to answer, and assigning a measurable value to these risks can be even more challenging.
However, this quantitative assessment is important when thinking about budget allocation, in order to enable security teams to implement appropriate solutions. By identifying the different drivers of why someone might target your organization, and correlating these with their associated financial impacts, we can begin to draw a more measurable picture of the cyber risks that your business faces.
In the following sections we examine some of the key motivations for attacks that we see on a daily basis, what the financial impacts are likely to be on an organization and reference some examples we’ve seen over the last few years;
Motivation for attack: Financial transactions
Financial impacts on the business:
– Value of money stolen
– Potential reputational damage
– Backlash on share prices
Example:
– In the last year alone there have been many cases in which a system breach resulted in financial theft. Two examples include the $72m theft from Bitfinex Exchange, and the SWIFT hacks.
– A social engineering attack at the beginning of last year further demonstrates the potential impact of cyber-fraud. In January 2016, Austria’s FACC admitted it was defrauded out of €50m, leading to its share price plummeting by 35% over the following days. The fraudster impersonated the CEO and requested a money transfer from the finance department – the finance employee, her boss (CFO) and the CEO have since been sacked over the event.
Motivation for attack: Ransomware
Financial impacts on the business:
– Disruption in business operations
– Remediation costs
– Potential long-term damage if encrypted data is not recovered
– Amount of ransom paid
Example:
With huge surges in both ransomware variants and attacks, this is one of the fastest-growing modern threats. Further to this, certain nation-states are now utilizing ransomware to support their own campaigns. A recent survey showed that ransomware is one of the biggest concerns for the financial industry, whilst attacks hitting the legal and healthcare industries continue to spread from the US to the UK.
Motivation for attack: Mass theft of docs or personal info
Financial impacts on the business:
– Client confidentiality breach (with repercussions including fines, lawsuits, reputational impact, and share price backlash)
– Stolen data may be used to extort a ransom
Example:
These attacks are often the most publicized because it affects the general public. With TalkTalk in 2016 being a prime example of the difficulties involved in public incident response, Yahoo promptly followed suit and may see its takeover value (by Verizon) fall as a result.
Another example in September 2016 includes the theft of internal documents from WestPark Capital. The hacker gradually published files online (including NDAs, internal presentations, reports, contracts, and more) and demanded payment in order to stop.
Motivation for attack: Info on markets and M&A
– Insight can be used for insider trading purposes
– Information on negotiation stances can be used by opposing parties to gain an advantage in business dealings
Financial impacts on the business:
– Client confidentiality breach (with repercussions including fines, lawsuits, reputational impact, and share price backlash)
– Opposing side in takeover deal doesn’t have to over-bid; this could potentially cost firms tens of millions in terms of value
Example:
The famous case last year came out in March, whereby hackers broke into computer networks at some of the largest law firms in the US and were suspected of trying to access insider information on M&A deals.
Alongside this criminal threat, there are certain nation-states which conduct cyber espionage in this area. One example includes an Australian company which held talks within the last year on a deal with foreign investors. It was reported that several hundred efforts were made to break into the company’s IT systems, in order to access data relevant to those negotiations.
Motivation for attack: Intellectual property/R&D
Financial impacts on the business:
Difficult to quantify as there is almost no immediate impact on finances. However, potential damage can be felt on long-term competitiveness, through the release of rival products into the market at a lower price (competitors can price more competitively since less money has been spent on activities such as research and testing).
Example:
The threat has shifted across a range of industries over the last few years, the key ones being:
– Defense and aerospace
– Pharmaceuticals and biotechnology
– Renewable energy (including nuclear)
– Computer technology (such as nanotechnology, semiconductors, robotics)
– Research institutions
Reported as recently as October 2016, it was discovered that a research center at the University of Toyama was breached. Infiltrators stole the lab’s tritium research, along with the personal details of 1,493 researchers (potentially setting up for more targeted attacks in the near future).
Motivation for attack: National intelligence gathering
– Information and communications (such as government operations, lawsuits, comms intel)
– Network infrastructure, especially industrial systems, in preparation for a future attack, disablement, or degradation
Financial impacts on the business:
Client confidentiality breach (with repercussions including fines, lawsuits, reputational impact, and share price backlash)
Example:
The following example is another that was blamed on national threat actors and demonstrates the connection between geopolitical landscapes and cyber espionage drivers. Following the ruling against China regarding the South China Sea, F-Secure released a report on “NanHaiShi” – a malicious program targeting entities involved in disputes relating to the South China Sea territorial claims. This includes the Philippines DoJ, the organizers of the APEC Summit, and a major international law firm representing one of the parties involved.
Another example of relevance is Operation Cleaver, a campaign run by an Iranian hacking group. They exfiltrated sensitive data from 50 critical infrastructure companies around the world; this data could enable them to target and potentially damage the companies’ systems in the future (particularly ICS and SCADA).
Motivation for attack: Disruption/Destruction of systems
Financial impacts on the business:
– Inability to conduct business operations (higher impact areas may include industrial environments and financial/trading firms, as well as those where fee earners bill by the hour)
– Inability to deal with client demands (financial and reputational impact)
– Remediation costs
Example:
Given the impact of these attacks, they are largely well-publicized. There are several examples conducted by both criminal and nation state groups. The following list touches on a few, with the likely threat actor responsible shown in brackets:
– Stuxnet, 2007-2010 (USA/Israel)
– Shamoon, 2012 (Iran)
– Dark Seoul, Mar 2013 (North Korea)
– Sony, Nov 2014 (North Korea)
– TV5Monde, April 2015 (Russia)
– BlackEnergy, 2015-2016 (Russia)
While these are all examples of state-sponsored attacks, hacktivists also frequently conduct disruption/cyber-vandalism campaigns.
To conclude
This set of motivations and impacts represents the foundations for organizations to assess their cyber risk, in order to approach security in a more comprehensive and definitive manner. It is by no means one size fits all – the risks here may affect organizations at varying degrees of severity, sometimes more or less than the examples given. However, only by establishing a common understanding of these impacts across senior leadership, will the threat be met with the appropriate level of security controls.
Categories