The stakes around cyber are as severe as they’ve ever been. According to PwC's CEO Survey 2020, Australian CEOs rank cyber as the number one threat to their organisation’s business growth.
Part of this heightened concern is because organisations are finally catching up with the true nature of cyber risk. For the vast majority of companies, a cyber attack is not a question of ‘if’, but ‘when’.
To help audit and risk committee members better understand – and therefore prepare for – the inevitable, here’s a brief overview of how a typical cyber attack plays out.
Hackers spend lots of time trawling publicly available data to identify targets that hold something they consider to be of value. It may be personally identifiable information (one person’s complete health insurance data can be worth up to US$1,250), company intellectual property, or commercially sensitive details about a current deal.
At the same time, hackers look for vulnerabilities and potential entry points, such as the contact details of employees collected from company websites, LinkedIn or social media. They then use a variety of methods – such as fake ‘phishing’ emails with executable malware or links to hacker-controlled websites – to gain access to the company’s network.
Once inside the network, hackers spend a fair amount of time ‘poking around’. They go from system to system and database to database, working out what information is there, what security systems are in place and how they can obtain deeper or simpler access. This stage lasts on average 200+ days but may go on for years undetected.
Increasingly, hackers are finding vulnerabilities and pathways through third-party businesses or other systems that are part of a target company’s information ecosystem. For example, some cyber attacks have taken place via operational networks, such as air conditioning or maintenance systems.
This stage starts when the hackers push the ‘go’ button and launch the attack. It may involve taking data out of your system, also known as ‘exfiltration’, or it may be the activation of ransomware.
While a company will certainly know if it’s being held to ransom, it might not necessarily be aware when data has been stolen. It’s not uncommon for companies to learn about an attack via their customers, suppliers, or even the media. Some may never find out as hackers can go to great lengths to cover their tracks.
How a company responds to a cyber attack is critical. And this may mean acting in the face of uncertain information. For example, when Sony was hacked in 2014, it issued an alert to employees nine days after the attack saying it was still ‘not yet sure of the full scope of information that the attackers have or might release’.
One of the key considerations for Boards is knowing when to escalate the incident and trigger their crisis management plan. But to be effective, the plan must apply to a cyber incident and both senior management and the Board need to be comfortable in implementing it. In other words, they need to have practised their response and be familiar with the process.
Here are some questions to put to management to make sure the organisation is ready to respond to the next cyber attack.
To find out more about what business leaders think about cyber and other risks to growth, explore the findings of PwC's CEO Survey 2020.
© 2017 - 2020 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.