February 21, 2017 Toomas Viira

What cyber incidents should organisations prepare for?

Not a week goes by without reports of yet another cyber attack in the media. We often hear about attackers sending fake e-mails, spreading malware, organising DDOS attacks, stealing user names and passwords (or password hashes) from service providers, defacing websites, etc. Attacks like these can disrupt or completely shut down the services of the organisations under attack. Attackers can also disrupt or shut down production. In addition, if websites are defaced or if attackers manage to steal certain data, this can put organisations’ reputations on the line. Thus, cyber attacks can chip away at organisations’ trustworthiness, drive away customers, and decrease profits. Recovering from cyber attacks can often take several weeks, sometimes even months. In some cases, attacked organisations have seen significant drops in value, resulting in organisation CEOs or several units’ managers being forced to step down.
To what extent should CEOs, risk managers, and business managers be concerned about cyber security issues? How prepared should organisations be for cyber incidents, if at all? Is there any need for concern or precautions if there have been no prior incidents? Or if information systems have all been functional, users have had no problems working with them, and there have been no customer complaints either?
Even though cyber attacks are discussed more and more, it often feels as though the issue isn’t taken seriously by organisations that haven’t faced any serious cyber security incidents. Many organisations still have a low cyber security level. Even the minimum required security measures often go unimplemented. Such measures are rarely resource intensive but could still prevent a significant number of cyber incidents. Putting the minimum required security measures in place goes a long way towards security.
However, this alone is not enough. Attackers are constantly employing new methods. Their skills are always growing. New vulnerabilities are discovered every day. It is an endless process, where one side is constantly on the defensive and the other on the offensive. Unfortunately, defending against cyber attacks is much more difficult, especially considering the current situation and trends in cyberspace.
Information system disruptions may not always be caused by cyber attacks. Cyber incidents can also occur due to disruptions in the services offered by external service providers, for example. Cyber incidents caused by intra-organisational factors can be the result of someone’s personal errors. Sometimes cyber incidents happen because of technological malfunctions as well. This can come down to malfunctioning servers or storage devices, network equipment, cooling equipment, fire-extinguishing systems, etc.
Every organisation should assess the risks that pose a potential threat to their business activities. Assessing cyber risks should be a part of general risk assessment. One way to assess cyber risks is by using a scenario-based approach. This involves describing possible scenarios and assessing their probability as well as preparedness for such situations.

Below are 10 possible cyber incident scenarios which organisations may be faced with:
1. DDOS or distributed denial-of-service attack – the attack floods the servers of a customer-facing service, which denies customers access to that service. Targets can be e-service websites or simply organisations’ websites.
2. Data theft – someone outside the organisation breaks into the organisation’s intranet, gains access to internal data and makes their own copies. Information about the attack may be made public, as may the stolen data. On the other hand, information about a successful attack or leaked data may never become public. Sometimes, even the organisation from which the data were stolen might not discover the attack.
3. Data theft using an insider – similar to the previous scenario, with the only difference being that the data leaks are facilitated by one of the organisation’s own employees. This may be a disgruntled or affronted employee, for example.
4. Data integrity attack – a cyber attack that involves changing certain data. The motives and purposes of such attacks can vary widely depending on the attacker. What happens or can happen when we can no longer trust our data? What happens when we trust data that have been altered? What are the potential consequences of such alterations?
5. Ransomware attack – this involves encrypting an organisation’s data by using malware. The data are only promised to be decrypted when a ransom is paid. If there are no backups of the data, the organisation is faced with the choice of whether or not to pay the ransom. Paying the ransom might allow the data to be recovered, or it might not.
6. Laptop theft – in this case, a laptop is stolen. The place of theft might be one of the organisation’s offices, a hotel room, a seminar room, etc. The goal of the theft might be material gain, meaning the attacker simply sells the laptop without concerning themselves with the data contained on the computer. In other cases, the attacker might also start investigating the data on the computer. Therefore, depending on how well the laptop is secured, the data may become available to the thief. Similar situations can arise when a laptop is simply forgotten somewhere and found by a dishonest person.
7. Fire or flood in server room – this can cause damage to devices in the server room and lead to destruction of stored data. If your organisation stores all of its data in a single server room and there are no backups, you will lose the data.
8. Website defacement – malicious alteration of website content for a specific purpose. These kinds of attacks may involve writing political statements on an organisation’s website, defacing the site, or replacing the existing website with a completely different one.
9. Disruption in service provider’s service – for organisations, this can mean, for example, power cuts or loss of internet connection, of access to data stored in the cloud, of e-mail services, or of other external IT services. Service disruptions can last anywhere from a few minutes to several hours or even several days.
10. Attack against industrial control systems – this attack involves hacking into industrial control system networks and devices connected to these networks. Attackers can obstruct system operation, shut it down, or manipulate technical system readings. Industrial control systems are used, for example, by organisations offering electricity production, water supply, or district heating services.
11. Internet of Things attack – this consists of attacking smart devices connected to the internet, which may include building ventilation control systems, heating control systems, elevator control systems, smart home appliances, telemedicine devices, physical security systems, etc. Attackers can monitor device operation, make alterations, obstruct device operation, or shut devices down completely.

The scenarios above are some examples of possible cyber incidents. These can be used for organisational risk assessment. However, this shouldn’t be treated as a complete list, and every organisation should assess such risks based on their specific peculiarities and environment.
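As an added example (not from the article), here is a small scenario-based risk register in Python that scores each of the scenarios above on likelihood, impact and preparedness, ranks them by residual risk, and flags the serious ones with little preparation in place. The scoring scales and the sample scores are constructed for illustration; an organisation's own assessment supplies the real values.

```python
from collections import namedtuple

# Scales assumed by this constructed example (the article names none): likelihood and
# impact 1 (low)..5 (high); preparedness 0 (nothing in place)..4 (backups, redundancy, rehearsed plan).
Scenario = namedtuple("Scenario", "name likelihood impact preparedness")

def validate(s: Scenario) -> None:
    """Reject out-of-range scores; a stray value would silently skew the ranking."""
    if not (1 <= s.likelihood <= 5 and 1 <= s.impact <= 5):
        raise ValueError(f"{s.name}: likelihood and impact must be 1..5")
    if not 0 <= s.preparedness <= 4:
        raise ValueError(f"{s.name}: preparedness must be 0..4")

def inherent_risk(s: Scenario) -> int:
    """Likelihood x impact before any preparation is considered (1..25)."""
    validate(s)
    return s.likelihood * s.impact

def residual_risk(s: Scenario) -> float:
    """Each preparedness step removes 20% of the impact; it never lowers the likelihood."""
    return round(inherent_risk(s) * (1 - 0.2 * s.preparedness), 1)

def prioritise(scenarios, threshold: float = 8.0):
    """(name, inherent, residual) rows, worst residual first, keeping those at or above threshold."""
    rows = [(s.name, inherent_risk(s), residual_risk(s)) for s in scenarios]
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return [r for r in rows if r[2] >= threshold]

def preparedness_gaps(scenarios, min_inherent: int = 10, max_prep: int = 1):
    """Names of serious scenarios (inherent >= min_inherent) with little or no preparation."""
    gaps = [s for s in scenarios if inherent_risk(s) >= min_inherent and s.preparedness <= max_prep]
    return [s.name for s in sorted(gaps, key=lambda s: (-inherent_risk(s), s.name))]

# Constructed sample scores for the article's eleven scenarios; real values come from your own assessment.
SAMPLE = [
    Scenario("DDoS attack", 3, 3, 3),
    Scenario("Data theft", 3, 5, 1),
    Scenario("Data theft using an insider", 2, 4, 0),
    Scenario("Data integrity attack", 2, 5, 0),
    Scenario("Ransomware attack", 4, 5, 1),
    Scenario("Laptop theft", 4, 3, 4),
    Scenario("Fire or flood in server room", 1, 5, 2),
    Scenario("Website defacement", 3, 2, 2),
    Scenario("Disruption in service provider's service", 4, 3, 1),
    Scenario("Attack against industrial control systems", 1, 5, 0),
    Scenario("Internet of Things attack", 2, 2, 0),
]
```

With the sample scores, `prioritise(SAMPLE)` places ransomware first and `preparedness_gaps(SAMPLE)` lists the four serious scenarios that have no backups, redundancy or rehearsed plan behind them, which is where a risk assessment should direct the next investment.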