Over the past few years the business world has started to wake up to the notion that it is not just governments that are the victims of cyber attacks. There have been a number of attacks recently that have demonstrated the potential risks faced by businesses that handle large volumes of sensitive information -- in particular, the past few weeks have seen both traditional and new media institutions such as the New York Times, Wall Street Journal and Twitter suffering targeted cyber intrusions.
The reality of course is that most companies store sensitive and high-value data, but media outlets, with their access to confidential and delicate information, are a particularly prominent target as their business often involves making this private information public.
The cyber attacks on the New York Times and Wall Street Journal had the hallmarks of what we would class as a tactical intrusion -- an attack triggered by an event on which intelligence agents have an interest in collecting information.
As the New York Times itself admitted, traditional security technology such as firewalls and anti-virus were unable to stop these events. This is because such technology has not been designed to counter the type of bespoke, targeted attacks mounted by adversaries with a strategic interest in accessing an organization's networks.
We have investigated intrusions from similar origins against media organizations -- attacks devised to steal sensitive information such as correspondence around a specific topic of interest between journalists and their sources. These attacks aim to view the content of conversations, who the sources are, or what the next story angle might be. This type of activity is obviously an acute worry for any news organization.
So how can organizations prevent such targeted cyber attacks? Following these four steps to cyber health is a good start.
1. Make sure it is clear who is accountable for dealing with an attack, and what governance and processes support them;
2. Understand the size and shape of the risk to your organization;
3. Make an active decision on how to prioritize your resources to best manage those risks -- don't aim for complete protection of everything;
4. Plan for active resilience -- monitor and be ready to respond to inevitable attacks rather than mounting a fixed defense.
It's this final point of constant vigilance and monitoring that is worthy of further thought. The NYT and WSJ attacks showed that current defenses failed and it was only the additional detective work on their networks that identified the type and scale of the attack. We would encourage all organizations that are concerned about their information to consider proactive monitoring, looking for the things that their existing security tools aren't telling them. Technologies have improved and this can be done efficiently and effectively.
There is no quick fix to preventing what are complex and asymmetrical threats; only through consistent diligence and preparedness can businesses put themselves in the strongest position possible to combat cyber attacks.