The rise of state-sponsored cyber attacks: what companies need to know
Chris Gould, cyber leader at EY in the UK & Ireland, on why state-sponsored attacks are becoming more common, the form they take and what firms can do to protect themselves
In what may come as a troubling realisation to many companies and their chief information officers (CIOs), there are very few (if any) firms in the world today whose data is not at risk of being stolen through a cyber attack.
The value of information and the ever-increasing resources and patience of hackers mean that companies need to be completely confident that their security mechanisms are robust enough to monitor and repel any attempt to infiltrate a system or steal data.
It is true that any organisation, whether it operates in the public or private sector, will hold information that could potentially be of interest to a third party.
Whether it's in a bid for competitive advantage through the acquisition of intellectual property, allowing a reduction in the time and money spent on bringing a new product to the market, or through causing disruption for political gain, many companies store a wealth of data that someone else would be more than happy to possess.
The "traditional" image of a hacker has been somewhat altered in recent years due to the rise of state-sponsored cyber attacks. Increasingly prevalent, this new form of attack cannot be thought of as the responsibility of an individual, but of an organisation itself.
"Traditional" cyber crime groups tend to be orchestrated and disparate, made up of small numbers of people who target entire organisations and who are looking for a "quick win". They often don't have the time or resources for a lengthy campaign or to target specific individuals, so they make their economic gain and move on.
Conversely, the organisations behind state-sponsored attacks are often run more like corporations. They are larger in scale, able to invest huge amounts of time in researching and targeting specific executives within companies and run their campaigns over a longer timescale.
They are also in a better position to develop new methods and techniques, which can make their attacks more difficult for companies to prepare for.
Furthermore, the prevalence and impact of "leapfrogging", where one organisation is used to gain access to another and an entire supply chain is infiltrated, should also not be underestimated. The private sector can sometimes be used as a route into the public sector, and vice versa.
The effectiveness and profitability of attacks for the perpetrators are among the main reasons why they are becoming more frequent. Successful attacks can provide access to organisations, individuals and data.
Also, with the organisations behind state-sponsored attacks often acting like "real" companies, we're seeing hackers whose "day job" is to target companies and infiltrate their systems, meaning there are many more attacks now than before.
However, as most state-sponsored attacks go undetected for such long periods of time, the statistics available often don't provide a fully accurate, real-time representation of the true extent of the problem.
It's extremely difficult to gain any information over and above what's been made publicly available, given the pervasiveness and very nature of state-sponsored attacks. This means that firms can often struggle to search for (or monitor) a possible state-sponsored attack as they do not always know what they're looking for.
The biggest challenge organisations face is that many have only a relatively small group of people who are responsible for their IT security, compared to what can be an industrial-sized, very patient and very skilled cyber crime organisation that is only focused on acquiring a specific set of information.
Another challenge is the amount of time these organisations have to create new tactics with which to hack the systems of their targets or to follow specific individuals. This is an ever-changing landscape and it's often the case that companies may not have solved one type of attack before receiving another, completely dissimilar one.
It goes without saying that organisations need to have a modern, robust and secure system protecting their network, but in truth more effort should be spent on planning for when a hacker does make it in and how best to minimise the damage they will cause.
Firms need to be quicker in detecting a breach and ensuring that as little data is lost as possible.
Moreover, staff need to be educated to keep an eye out for scams: any emails or links that look suspicious need to be reported as quickly as possible so that the rest of the company can be warned swiftly.
Chris Gould is cyber leader at EY, UK & Ireland