U.S. companies and government entities are facing external security threats from advanced persistent threat (APT) cyber attacks with increasing frequency.
However, only 49 percent of some 1,700 private and public sector organizations polled in an Ernst & Young survey said their information security functions were meeting the needs of the organization. How to solve this apparent lack of confidence in business information security was the focus of a media roundtable Tuesday at Ernst & Young's offices in New York.
Jose Granado, principal and Americas Practice Leader for information security services at Ernst & Young, said "organized attacks from nation-states" are becoming more common against American companies, though he declined to specify which nation-states he was referring to. Granado referenced the "Operation Aurora" attacks against Google in early 2010 as an example of the new type of cyber attacks organizations must deal with. That attack originated in China and resulted in theft of intellectual property.
"Malware now changes dynamically, by the second," said Granado. "Companies should be looking every day for behavior that doesn't look right." He added that attacks now target specific people -- usually executives -- within companies. "The human being is now the perimeter, not the systems," he said.
Granado said the level of sophistication of APT attacks against American companies rivals the likes of what he helped combat during his time in the U.S. Air Force as an information warfare specialist.
While many cyber attacks are designed to steal intellectual property, most attacks against banks and financial institutions are, not surprisingly, aimed at stealing money, noted Chip Tsantes, principal in the financial services office of Ernst & Young. Tsantes added that data breaches against FIs happen far more frequently than reported in the media.
"Everybody has data leakage; it's just a matter of when you find it," he said.
To help combat these attacks, Granado said companies can't rely on "signature-based antivirus programs," which can be ineffective since they require constant updates to the known virus signature directory, and because newer viruses mutate constantly.
Instead, Granado advised companies' IT teams to take a behavioral approach by looking for unusual activity, such as a system that is running much slower or faster than usual on a particular day.
Banks face a bit of a different challenge, said Tsantes, as cyber attacks against them are often targeted at vendors or other third-party partners who might have weaker security, as a way to gain a bridge into the bank's systems. "You have to get the vendors involved," he said. Banks also face a challenge as much of their resources are shifted towards compliance with new regulations, such as Dodd-Frank, he said.
Organizations also face a threat as employees increasingly bring their own technology to work, a trend commonly known as "the consumerization of IT." Tsantes said companies, especially banks, should have firm policies in place for employees who use tablet computers or other mobile devices with work information on them, and they should be educated on using the proper security precautions.
"If you can educate someone to be the CISO at home, they will be that at the office," he said.
Overall, both Tsantes and Granado said that in the past, CEOs and executive board members often did not concern themselves with cyber security, leaving it to the IT team. However, as attacks grow more sophisticated, a CEO should be heavily involved in the information security process at his or her company.
"An executive should know their CISO well and be in constant contact," said Granado.