Anatomy of a cyber attack

Boards know they need to stay on top of evolving cyber threats, but many are still unclear about how attacks actually ‘work’.

The stakes around cyber are as severe as they’ve ever been. According to PwC's CEO Survey 2020, Australian CEOs rank cyber as the number one threat to their organisation’s business growth.

Part of this heightened concern is because organisations are finally catching up with the true nature of cyber risk. For the vast majority of companies, a cyber attack is not a question of ‘if’, but ‘when’.

To help audit and risk committee members better understand – and therefore prepare for – the inevitable, here’s a brief overview of how a typical cyber attack plays out.

Stage 1: Reconnaissance

Hackers spend lots of time trawling publicly available data to identify targets that hold something they consider to be of value. It may be personally identifiable information (one person’s complete health insurance data can be worth up to US$1,250), company intellectual property, or commercially sensitive details about a current deal.

At the same time, hackers look for vulnerabilities and potential entry points, such as the contact details of employees collected from company websites, LinkedIn or social media. They then use a variety of methods – such as fake ‘phishing’ emails with executable malware or links to hacker-controlled websites – to gain access to the company’s network.

Stage 2: Compromise

Once inside the network, hackers spend a fair amount of time ‘poking around’. They go from system to system and database to database, working out what information is there, what security systems are in place and how they can obtain deeper or simpler access. This stage lasts on average 200+ days but may go on for years undetected.

Increasingly, hackers are finding vulnerabilities and pathways through third-party businesses or other systems that are part of a target company’s information ecosystem. For example, some cyber attacks have taken place via operational networks, such as air conditioning or maintenance systems.

Stage 3: Attack

This stage starts when the hackers push the ‘go’ button and launch the attack. It may involve taking data out of your system, also known as ‘exfiltration’, or it may be the activation of ransomware.

While a company will certainly know if it’s being held to ransom, it might not necessarily be aware when data has been stolen. It’s not uncommon for companies to learn about an attack via their customers, suppliers, or even the media. Some may never find out as hackers can go to great lengths to cover their tracks.

Stage 4: Response

How a company responds to a cyber attack is critical. And this may mean acting in the face of uncertain information. For example, when Sony was hacked in 2014, it issued an alert to employees nine days after the attack saying it was still ‘not yet sure of the full scope of information that the attackers have or might release’.

One of the key considerations for Boards is knowing when to escalate the incident and trigger their crisis management plan. But to be effective, the plan must apply to a cyber incident and both senior management and the Board need to be comfortable in implementing it. In other words, they need to have practised their response and be familiar with the process.

Be prepared

Here are some questions to put to management to make sure the organisation is ready to respond to the next cyber attack.

  • Can you ‘bring to life’ for us the cyber risks faced by the business and how these are being mitigated and managed (for example, through a case study or simulation)?
  • What are the information assets that we have, where are they stored, who has access, and who do we share them with?
  • How are we protecting those assets? What commercial decisions have we made about balancing the level of security with cost effectiveness?
  • What are we doing to ensure good cybersecurity ‘hygiene’ practices among employees – including senior management and the Board?
  • Are we ready to apply our crisis plan? Have we rehearsed it as a governance team?

To find out more about what business leaders think about cyber and other risks to growth, explore the findings of PwC's CEO Survey 2020.

 

Contact us

Peter Malan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 413 745 343
