UNDERSTANDING CYBER SECURITY RISKS IN ASIA
A FUTURE WATCH REPORT PREPARED FOR BUSINESS FINLAND BY CONTROL RISKS
TABLE OF CONTENTS
About Control Risks
Introduction
Who are the threat actors in Asia?
What kind of attacks should firms be aware of in the region?
Regulatory & threat spotlight on China & Singapore
Moving forward and managing cyber security risks

The information contained herein does not constitute a guarantee or warranty by Control Risks Group Holdings Limited, its subsidiaries, branches and/or affiliates (“Control Risks”) of future performance nor an assurance against risk. This document is based on information provided by the client and other information available at the time of writing. It has been prepared following consultation with and on the basis of instructions received from the client and reflects the priorities and knowledge of the client as communicated to Control Risks. Accordingly, the issues covered by this document and the emphasis placed on them may not necessarily address all the issues of concern in relation to its subject matter. No obligation is undertaken by Control Risks to provide the client with further information, to update this information or any other information for events or changes of circumstances which take place after the date hereof or to correct any information contained herein or any omission therefrom. Control Risks’ work and findings shall not in any way constitute recommendations or advice regarding the client’s ultimate commercial decision, which shall, in all respects, remain the client’s own.
This document is for the benefit of the client only (including its directors, officers and employees) and may not be disclosed to any third parties without the prior written consent of Control Risks.
Copyright © Control Risks. All rights reserved. This document cannot be reproduced without the express written permission of Control Risks. Any reproduction without authorisation shall be considered an infringement of Control Risks’ copyright.
Team Finland Future Watch Report, January 2018
ABOUT CONTROL RISKS
Control Risks is a specialist risk consultancy. We are committed to helping our
clients build organisations that are secure, compliant and resilient in an age of
ever-changing risk and connectivity.
Risk and opportunity
We believe that responsible risk taking is at the core of our clients’ success.
We have unparalleled experience in helping clients solve the challenges and
crises that arise in any ambitious organisation seeking to convert risk into
opportunity globally. The insight and depth of experience we have gained over
more than forty years proves invaluable in giving our clients the intelligence
they need to grasp opportunities with greater certainty.
Who we work for
Confidentiality is important to many of the organisations we work for, so we
don’t identify clients as a matter of course. They include national and
multinational businesses in all sectors, law firms, government departments
from many parts of the world and an increasing number of non-governmental
organisations.
We support small and medium-sized national and international companies on
their journey to greater security, compliance and resilience.
Our people
Control Risks is the sum of diverse expertise - bringing multiple perspectives
and deep experience to bear on our clients’ behalf. Our expertise reflects our
backgrounds as technologists, lawyers, aid workers, investigators, cyber
experts, political scientists, soldiers, strategy consultants, intelligence officers
and a host of other professions. It is this combination, based in multiple offices
on all continents, that makes Control Risks relevant and distinctive.
INTRODUCTION
Cyber threat landscape 2018-2020

Data nationalism: Nation states increasingly see data as a critical element of national security and are framing laws that restrict the location of data to within their borders and control access to it. Examples include China’s new Cyber Security Law and the EU’s GDPR.

Cyber attacks using next-generation technologies: The use of advanced technologies such as artificial intelligence (AI) for cyber attacks will lead to more powerful hacking techniques. With the ability to process large amounts of data quickly, AI can make attacks on companies faster and easier to accomplish.

Victimising small and medium businesses: In recent years, large enterprises globally have been increasing their spending on cyber security. As large enterprises mature their cyber security capabilities, the focus of cyber attacks will shift to SMEs, which may not be ready for advanced attacks.

Political and economic threats: Political and social uncertainties and policy disagreements across Asia Pacific, and the use of cyber as an instrument of power, will raise the threat profile of many organisations.

Digital enablement threats: With 50 billion devices expected to be connected to the internet by 2020, new opportunities will be created for information to be compromised. The security of most IoT devices is not yet mature, so many organisations will need to grapple with new cyber security challenges.

Enhanced regulatory requirements: New regulatory requirements, such as Singapore’s upcoming mandatory breach notification and its draft cyber security bill, will challenge traditional technical approaches to cyber security and require organisations to improve their capabilities.

Commoditisation of cybercrime: The ability to launch a cyber attack is becoming commoditised by the day, with readily available ‘Ransomware as a Service’ and ‘Botnet as a Service’ kits. The capability to carry out cyber attacks will become accessible to less technically capable actors.

Cyber-physical attacks: Cyber attacks used to be intended mainly for financial gain or general disruption, but are now becoming life-threatening. Attacks on critical infrastructure have the potential to damage physical assets, such as utilities and industrial infrastructure, that are essential to modern life.
Regulation and technology maturity in the region

More mature countries have a mix of regulation:
- Data breach notification requirements, almost all related to personal information, are a growing trend in the region.
- Clear and comprehensive consent processes for personal information.

But developing countries face challenges:
- It is difficult to find IT expertise with enterprise-level experience and capability.
- Lack of attention to basic cyber security creates easy targets for attackers.
- Mobile-first societies mean that vulnerabilities and security weaknesses may bleed into companies via mobile and IoT devices.

China’s size and political dynamics make it different:
- Beijing’s goal of ‘internet sovereignty’ has created a highly regulated technology space.
- Sophisticated criminal operators are very capable and creative in who they target and for what assets.
WHO ARE THE THREAT ACTORS IN ASIA
Asia: nation state threat actors targeting countries and companies
ABOUT NATION STATE CYBER THREAT ACTORS
Cyber activity by nation states, also known as computer network operations (CNO), is divided into two main categories. Computer network exploitation (CNE), or cyber espionage, refers to the theft of data from targeted networks or systems, while computer network attack (CNA) covers efforts to disrupt, degrade or destroy systems or information. CNA operations represent a small but increasingly significant portion of CNO activity. These disruptive operations are generally conducted to achieve political or security objectives and to project political power over rival states, and are often undertaken under the guise of cyber activist groups to achieve plausible deniability.
Intent: High to very high. Nation states’ general focus is on gathering intelligence. For strategic industries, countries of special interest and regions of heightened concern, intent is high to very high.

Capability: Medium to very high. Nation states typically have more resources and patience than cybercriminals to execute complex cyber operations. Capability varies in the region, with China the strongest practitioner.
Sectors targeted: A range of government agencies, think tanks, transport and shipping companies and maritime organisations. A total of 92% of these targets were based in China.

How they were attacked: The operation began with strategic web compromises (also known as watering hole attacks) and later shifted to spear-phishing emails. The weaponised attachments purported to offer news on terrorist attacks in the Chinese province of Xinjiang, and information on wage changes for Chinese civil servants.

Assessment: The Ocean Lotus group, also dubbed APT32, reportedly conducted cyber espionage campaigns against multinational companies across various sectors operating in China and the Philippines. The campaign was attributed to the Vietnamese government, with an interest in the South China Sea. The group reportedly used spear-phishing emails carrying malicious attachments. Once opened, these attachments execute malware that creates a backdoor into the victim’s network, allowing the threat actors to exfiltrate information.

Relevance for Business Finland: Finnish firms active in the transport and shipping sector should be aware that they may be targeted not because of “who” they are, but because they may hold information about another party.
Indonesia: cybercriminals defrauding e-commerce customers
ABOUT CYBERCRIMINAL THREAT ACTORS
The primary motivation for cybercriminal groups is to be able to monetise
crimes committed in the cyber domain. The normal way of achieving this
objective is some form of fraud or extortion, to which the cyber attack,
whichever form it takes, can be seen as preparatory work or a means to an
end. However, there are forms of monetisation available to cybercriminals
that do not directly involve the use of fraud or extortion, such as the ability to
sell data, information or access – most likely on dark and deep web
marketplaces – also known as the “crime as a service” model.
Intent: High to very high. The opportunity for financial gain in a region with a varied mix of technological maturity, cyber security awareness and regulation presents an inviting target to regional and international cybercriminals.

Capability: Medium to high. There are very few exceptionally skilled cybercriminals, but there is a proliferation of tools and technology available to criminals.
Sectors targeted: Customers of country and regional consumer e-commerce platforms that sell their own goods as well as providing a sales platform for members.

How they were attacked: The attackers registered a series of domain names that contained prominent e-commerce firm names prefaced by a word such as “sale” or “Mubarak” (referencing a Muslim holiday). They then cloned the content of a section of the e-commerce provider’s web site, replacing the payment accounts with their own. The fake website was hosted in a neighbouring country. They then sent out messages over social media and through blogs promoting sales of mobile handsets at heavily discounted prices.

Assessment: With the expansion of payment systems and steep growth in online shopping in the region, there are numerous opportunities to target emerging e-commerce companies and their customers. Executing an attack requires little money and relatively low-level technical skills. Attacks are easy to execute and, with limited jurisprudence and investigative capability around cyber attacks, present little risk to the attackers. That attack domains can be hosted outside the country creates further ambiguity for law enforcement and lessens the likelihood of effective action. No specific organised group has been highlighted, as this is common throughout the region.

Relevance for Business Finland: Finnish firms should be aware of the potential reputational impact of fraudulent e-commerce sales. The risk may extend to Finnish products sold online in the region. This form of attack may also be used as a channel to sell counterfeit goods, including pharmaceuticals.
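The fraud pattern above rests on lookalike domains: the brand name wrapped with a word such as “sale” or “Mubarak”, or a one-character typosquat of the kind the Patchwork group is noted for later in this report. The following is an added example, not code from the report or from any e-commerce operator, of how a brand owner can triage a feed of newly observed domains for both patterns. The brand names, the affix list, the short suffix list and the candidate domains are all constructed for illustration; a real deployment would feed it from certificate-transparency logs, passive DNS or a new-domain registration feed.

```python
"""Lookalike-domain triage for brand-impersonation fraud (added example)."""
import re

# Constructed: the brands an e-commerce operator wants to protect.
BRANDS = ["examplemart", "shopnusa"]

# Words commonly bolted onto fraud domains. "sale" and "mubarak" follow the
# Indonesian case; the rest are assumed typical additions, not from the report.
AFFIXES = {"sale", "promo", "diskon", "mubarak", "lebaran", "official", "store"}

# Constructed short suffix list; a real deployment would use the public suffix list.
SUFFIXES = (".co.id", ".com", ".net", ".org", ".id", ".my", ".sg", ".shop")


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, lower-cased (e.g. 'sale-examplemart')."""
    d = domain.lower().rstrip(".")
    for s in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith(s):
            d = d[: -len(s)]
            break
    return d.rsplit(".", 1)[-1]  # drop any further subdomain levels


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=BRANDS):
    """Return (brand, reason) if the domain impersonates a brand, else None.

    Two patterns are checked: the brand embedded in the label with extra words
    (the 'sale'/'Mubarak' pattern) and a label within edit distance 1 of the
    brand (typosquatting). The brand's own exact label is never flagged.
    """
    label = registrable_label(domain)
    if label in brands:
        return None
    for brand in brands:
        if brand in label:
            extra = [p for p in re.split(r"[-_]|" + re.escape(brand), label) if p]
            reason = "brand embedded with " + (", ".join(extra) if extra else "extra characters")
            if any(p in AFFIXES for p in extra):
                reason += " (known fraud affix)"
            return brand, reason
        if levenshtein(label, brand) == 1:
            return brand, "edit distance 1 from brand (typosquat)"
    return None


def scan(domains, brands=BRANDS):
    """Return {domain: (brand, reason)} for every flagged domain in the feed."""
    hits = {}
    for d in domains:
        hit = classify(d, brands)
        if hit:
            hits[d] = hit
    return hits


# Constructed sample feed of newly observed domains.
SAMPLE_DOMAINS = [
    "examplemart.co.id",        # the brand's own domain: must not be flagged
    "sale-examplemart.com",     # 'sale' + brand, as in the Indonesian case
    "examplemartmubarak.net",   # holiday greeting + brand
    "examp1emart.com",          # digit-for-letter typosquat
    "examplemart-promo.shop",
    "news.example.org",         # unrelated, shares only a substring
    "shopnusa.sg",              # second brand's own domain
    "shopnuza.my",              # one-letter substitution
]

if __name__ == "__main__":
    for dom, (brand, why) in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:28} -> {brand}: {why}")
```

The split of the label into its non-brand parts is what turns a bare “contains the brand” match into an actionable reason; a hit whose extra word is on the affix list can go straight to a takedown queue, while the other hits are worth a manual look. Edit distance 1 deliberately excludes transpositions (Levenshtein counts them as 2), so a Damerau variant would widen coverage at the cost of more false positives on short brand names.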
Malaysia: Indonesian hacktivists disrupting web operations
ABOUT HACKTIVIST THREAT ACTORS
Cyber activists are the most ideologically driven of the three broad categories
of threat actors considered in this assessment. Their targeting patterns tend
to be repetitive, meaning sectors or organisations subject to past campaigns
are often targeted again by the same group. The intent to carry out an attack
is often dictated by external events, such as negative press coverage of a
company or sector, the impact of new national legislation, or simply decisions
that run counter to the ideological narrative of these groups.
Intent: High to very high. With a mix of cultures, countries, religions and politics in the region, there is always the chance that an individual or group will take offence and react. The rapid spread of the internet in the region gives them the means to draw attention to their grievances and causes.

Capability: Low to medium. There are isolated, highly capable individual actors and groups. However, most hacktivists in the region rely on scripted tools to compromise or disable poorly protected internet-facing systems.
Sectors targeted: Indiscriminate. Attacks are generally opportunistic and target high-profile firms and organisations associated with a country or issue the hacktivists oppose.

How they were attacked: The attackers, in response to a misprint of the Indonesian flag in the 2017 Southeast Asian Games programme, found vulnerabilities in Malaysian web servers and exploited them to replace the landing page content with a protest message.

Assessment: Activist campaigns primarily focus on damaging the reputation of target organisations and achieving notoriety for the perpetrator. In this case websites were defaced, but another common attack is making the target’s website unavailable via DDoS attacks. In rarer instances hacktivists have been known to publish data stolen from databases via SQL injection. Events may trigger a tit-for-tat series of escalating attacks between hacktivist groups in contending countries (this often happens between China and Vietnam). Companies have been caught in the middle with no recourse other than to invest in further mitigation tools or, in some cases, have been forced offline.

Relevance for Business Finland: Finnish firms operating in countries or sectors targeted by such campaigns may become targets for web defacements and/or denial of service attacks. While the firm itself may have nothing to do with the issue, it could be a convenient target for attracting more attention to the issue.
WHAT KIND OF ATTACKS SHOULD FIRMS BE AWARE OF IN THE REGION?
Ransomware that locks access to computers and information

Countries affected: Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam.

Sectors targeted: Healthcare; organisations from other industries were also affected.

Assessment: The WCry 2.0 campaign, also known as WanaCrypt0r or WannaCry, infected several companies in South-East Asia during the second wave of the ransomware. The ransomware spread itself within organisations by exploiting a known critical vulnerability in the SMBv1 service of Microsoft Windows, for which Microsoft had released a patch (MS17-010) two months earlier. A security researcher was able to activate a so-called ‘kill switch’ that slowed the infection. However, later WCry samples were seen without this kill switch, suggesting an evolution of the ransomware.

Relevance for Business Finland: WCry proved the destructive capabilities of ransomware. The Petya campaign (later called NotPetya) that hit organisations around the world soon after WCry reused code from the Petya ransomware first distributed by the ransomware-as-a-service (RaaS) group Janus. The global impact of WCry and Petya has inspired other unsophisticated threat actors to undertake copycat campaigns. Similarly, it has encouraged further development of the RaaS market, with developers looking to replicate the success of Petya and of the earlier WCry campaign.

WHAT IS IT?
Malware designed to intimidate or force victims to pay a ransom, typically by encrypting victims’ files. It can be introduced into a PC via a website, email, USB device, attachment, etc. Once it has infected a computer, most ransomware looks to propagate further to other computers on the same network.
Industrial control systems can be particularly at risk as they often use older operating systems with much slower update cycles. They may be rife with vulnerabilities that ransomware exploits to infect computers.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?
Ransomware, as a form of extortion, has an immediate, tangible financial benefit, which makes it very attractive for criminal groups.
The rise of Ransomware as a Service has armed cybercriminal groups that would otherwise lack the capability to launch their own campaigns.
A 2017 survey suggested that one in three small-to-medium enterprises in Singapore had been the victim of a ransomware attack over the past year. The survey also suggested that 15% of affected organisations faced 25 or more hours of downtime as a result of such an attack, and that 30% were unable to identify how they had been infected.
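The propagation behaviour described above (one infected machine reaching out over SMB to every other host it can find) is visible in ordinary connection logs well before the encryption notes appear. The following is an added example, not code from the report or from any product, of a sliding-window check that flags a source opening SMB (port 445) connections to an unusually large number of distinct peers in a short time. The log lines and their “epoch src dst dport” format are constructed for illustration, and the window and threshold are assumptions to tune against the environment’s normal fan-out (file servers and vulnerability scanners will need an allow-list). Patching MS17-010 and blocking port 445 between network segments remain the controls; this is the early-warning signal.

```python
"""Flag worm-like SMB fan-out from connection logs (added example)."""
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60             # assumption: sliding window length
DISTINCT_PEERS_THRESHOLD = 10   # assumption: distinct SMB peers per window that is abnormal


def parse_line(line: str):
    """Parse a constructed 'epoch src dst dport' record."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_smb_spreaders(lines, window=WINDOW_SECONDS, threshold=DISTINCT_PEERS_THRESHOLD):
    """Return {src: (alert_ts, distinct_peers)} for sources that cross the threshold.

    Per source we keep the (timestamp, destination) events that fall inside the
    last `window` seconds and count distinct destinations. A source is reported
    once, at the first moment it reaches `threshold` distinct SMB peers.
    """
    events = defaultdict(deque)   # src -> deque of (ts, dst) within the window
    alerts = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, dst, dport = parse_line(line)
        if dport != SMB_PORT or src in alerts:
            continue
        q = events[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold:
            alerts[src] = (ts, len(peers))
    return alerts


def constructed_log():
    """Constructed sample traffic: two benign hosts and one host sweeping a /24 on 445."""
    lines = []
    # Benign: a workstation talking to its file server every five seconds.
    lines += [f"{1000 + i * 5} 10.0.1.5 10.0.0.10 445" for i in range(20)]
    # Benign: an admin host touching five peers over ten minutes (below threshold).
    lines += [f"{1000 + i * 120} 10.0.1.9 10.0.2.{i + 1} 445" for i in range(5)]
    # Worm-like: an infected host hitting twelve neighbours on 445 within twelve seconds.
    lines += [f"{1050 + i} 10.0.1.77 10.0.1.{i + 1} 445" for i in range(12)]
    # Non-SMB noise from the same infected host (DNS), which must be ignored.
    lines += [f"{1050 + i} 10.0.1.77 10.0.0.53 53" for i in range(12)]
    return lines


if __name__ == "__main__":
    for src, (ts, n) in find_smb_spreaders(constructed_log()).items():
        print(f"ALERT {src}: {n} distinct SMB peers within {WINDOW_SECONDS}s (at t={ts})")
```

Counting distinct destinations rather than raw connection volume is what separates a sweep from a busy but legitimate client: the workstation in the sample makes twenty SMB connections in the window but to a single peer, so it never trips the rule.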
Distributed denial of service (DDoS) attacks disrupt websites (and hide other attacks)

WHAT IS IT?
DDoS attacks aim to stop websites and network systems from operating normally and prevent legitimate users from accessing them.
DDoS actors use a collection of co-operating ‘zombie’ computers (a ‘botnet’) to flood target websites or network systems with data requests.
A newer form of DDoS attack, the ‘pulse wave’ attack, seeks to stress networks and security systems by sending short, very high-volume bursts of traffic in quick succession rather than a single sustained flood.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?
DDoS attacks are common in the region, and retail and e-commerce firms are often targeted.
Some criminal groups use DDoS attacks to distract from and hide an information theft or unauthorised transaction while the target’s IT team’s attention is focused on the DDoS attack.
With millions of IoT devices forming a botnet, cyber criminals can launch DDoS attacks that generate crippling volumes of requests which existing defences cannot handle.
With the rise of botnet as a service, even less sophisticated criminal groups have the ability to launch a very damaging DDoS attack.

Countries affected: Malaysia.

Sectors targeted: Financial services.

Assessment: A DDoS attack attributed to the extortion group Armada Collective (a Russia-based extortion team) or to copycat attackers using its name hit financial firms in Malaysia. The DDoS attacks were carried out in two phases and targeted several online brokerages and banks. The attackers demanded a ransom of 10 Bitcoins (worth RM110,500 at the time) and threatened to attack again if it was not paid. Separately, there has been an increase in the use of DDoS attacks to distract and confuse cyber security teams while a damaging intrusion is carried out against the organisation.

Relevance for Business Finland: Attacks of this nature are increasingly likely to be directed at companies whose business models depend on the accessibility of their online presence, particularly those in the media, online banking, online entertainment and retail sectors. The simplicity of the DDoS approach, the increasing availability of online DDoS attack tools, and the group’s apparent success in extracting ransoms from its victims all suggest that other groups replicating these tactics will emerge.
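The pulse wave pattern matters operationally because a detector that averages request rate over a few minutes can miss it: the quiet gaps pull the average down while each burst still saturates the link or the mitigation appliance. The following is an added example, not code from the report or from any DDoS product, of a detector that works on per-second request counts, finds bursts against a baseline taken from the quiet part of the series, and distinguishes a pulse wave (several short bursts separated by gaps) from a single sustained flood. The request-count series are constructed, and the multiplier, burst length and gap parameters are assumptions to tune per site.

```python
"""Pulse-wave versus sustained-flood classification on per-second request counts (added example)."""


def find_bursts(counts, baseline_factor=8.0, min_len=1):
    """Return [(start, end)] index ranges where the rate exceeds baseline_factor x baseline.

    The baseline is the lower decile of the series rather than the median or
    mean, so that a sustained flood occupying most of the window does not
    drag the baseline up and hide itself (assumption: the window always
    contains at least 10% of quiet seconds).
    """
    if not counts:
        return []
    baseline = max(sorted(counts)[len(counts) // 10], 1.0)
    thr = baseline * baseline_factor
    bursts, start = [], None
    for i, c in enumerate(list(counts) + [0]):      # sentinel closes a trailing burst
        if c > thr and start is None:
            start = i
        elif c <= thr and start is not None:
            if i - start >= min_len:
                bursts.append((start, i - 1))
            start = None
    return bursts


def is_pulse_wave(counts, min_bursts=3, max_burst_len=30, min_gap=10, **kw):
    """True if the series holds >= min_bursts short bursts separated by quiet gaps.

    A single sustained flood produces one long burst and returns False;
    steady traffic produces no bursts and returns False.
    """
    bursts = find_bursts(counts, **kw)
    short = [b for b in bursts if b[1] - b[0] + 1 <= max_burst_len]
    if len(short) < min_bursts:
        return False
    gaps = [short[i + 1][0] - short[i][1] - 1 for i in range(len(short) - 1)]
    return all(g >= min_gap for g in gaps)


def constructed_series(kind, seconds=300):
    """Constructed per-second request counts.

    'normal': ~100 rps with slight jitter.
    'pulse' : normal plus 5-second bursts of 10,000 rps every 40 seconds.
    'flood' : normal plus one sustained 10,000 rps flood from second 60 onwards.
    """
    base = [100 + (i % 7) for i in range(seconds)]
    if kind == "pulse":
        for i in range(seconds):
            if i % 40 < 5:
                base[i] += 10_000
    elif kind == "flood":
        for i in range(60, seconds):
            base[i] += 10_000
    return base


if __name__ == "__main__":
    for kind in ("normal", "pulse", "flood"):
        s = constructed_series(kind)
        print(f"{kind:6}: bursts={find_bursts(s)} pulse_wave={is_pulse_wave(s)}")
```

The classification is what should drive the response: a confirmed pulse wave argues for keeping traffic routed through scrubbing for the whole episode rather than letting an appliance switch back to normal mode during every gap, and, per the distraction point above, for a parallel check of authentication and transaction logs during the same window.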
Supply chain attacks that spread through third & fourth party vendors

Countries affected: South Asia, South East Asia.

Sectors targeted: Manufacturing, energy, healthcare, information technology, utilities.

Assessment: A backdoor was identified in a legitimate software update for a NetSarang product. NetSarang is a US and South Korean company that provides server management software for large organisations. The backdoor, called ShadowPad, was downloadable from NetSarang’s website for about a month until a clean version was released on 5 August 2017. The malicious payload was hidden under multiple layers of encryption, suggesting the threat actors went to significant lengths to ensure the malicious activity would go unnoticed.

Relevance for Business Finland: The compromise of legitimate software updates to deliver malware is an effective infection method, because of the challenges companies face in mitigating compromises of their supply chains. This delivery method closely resembles that used by the NotPetya infection, indicating the growing threat posed by such compromises. The two campaigns do not appear to be linked, which reinforces our assessment that compromising legitimate software updates will likely become a more widespread infection vector.

WHAT IS IT?
A type of cyber attack that targets the less secure elements of an organisation’s supply network, such as vendors and the vendors of those vendors, in order to penetrate the organisation through them. Traditionally, suppliers have been targeted to exploit the trusted connections and credentials between the initial victim and the intended target.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?
Compromises of software vendors, infecting their products with malicious code and spreading it through software updates, have been on the rise. Examples of recent attacks include NotPetya, CCleaner and ShadowPad.
The challenges companies face in mitigating compromises of their supply chains make this an effective infection method.
We expect growing use of malicious software updates as a means to conduct targeted network intrusions.
These attacks easily serve as the launching pad for more advanced persistent attacks.
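A trojanised update that comes from the vendor’s own site and carries the vendor’s own signature passes every check the vendor controls, so the receiving organisation needs a check of its own. The following is an added example, not code from the report or from NetSarang, of two such checks: pinning the SHA-256 of a build after it has been vetted, so that any later swap of the file is caught before deployment, and, when the digest does not match, a windowed entropy scan that points at embedded encrypted regions of the kind described above. The entropy scan is a triage hint only, since compressed or packed sections are also high-entropy. The build bytes, the manifest and the update file name are all constructed.

```python
"""Pinned-digest verification of a vendor update, with entropy triage on mismatch (added example)."""
import hashlib
import hmac
import math
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(data: bytes, manifest: dict, name: str) -> bool:
    """True only if `name` is in the vetted manifest and its pinned digest matches `data`."""
    expected = manifest.get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, approaching 8.0 for uniformly random bytes."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return [(offset, entropy)] for each `window`-byte slice whose entropy exceeds `threshold`.

    7.0 bits/byte is an assumed triage threshold: native code and text sit well
    below it, while encrypted or compressed blobs approach 8.0.
    """
    regions = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            regions.append((off, round(h, 2)))
    return regions


def triage(data: bytes, manifest: dict, name: str) -> dict:
    """Verify the digest first; scan for hidden payload regions only if verification fails."""
    if verify_update(data, manifest, name):
        return {"verified": True, "suspect_regions": []}
    return {"verified": False, "suspect_regions": high_entropy_regions(data)}


# Constructed sample: a low-entropy 'clean' build and a trojanised copy of it.
CLEAN_BUILD = (b"MZ" + b"\x90" * 30
               + b"legitimate server management tool; print('hello'); ") * 40
UPDATE_NAME = "server-tool-update.bin"                    # constructed file name
MANIFEST = {UPDATE_NAME: sha256_hex(CLEAN_BUILD)}          # pinned when the build was vetted


def trojanised_copy(clean: bytes, payload_len: int = 2048, seed: int = 1234) -> bytes:
    """Splice a stand-in 'encrypted' payload (seeded pseudo-random bytes) into the middle of the build."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
    mid = len(clean) // 2
    return clean[:mid] + payload + clean[mid:]


if __name__ == "__main__":
    print("clean     :", triage(CLEAN_BUILD, MANIFEST, UPDATE_NAME))
    print("trojanised:", triage(trojanised_copy(CLEAN_BUILD), MANIFEST, UPDATE_NAME))
```

The manifest has to be populated from a copy obtained and vetted out of band (for example a build that was sandboxed and then hashed), not from a digest published on the same download page as the update, or a compromised vendor site would simply publish a matching digest. The entropy pass gives the analyst a byte offset to start from when the digest check fails, which is more useful than a bare “mismatch” when deciding whether to block a roll-out.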
Advanced persistent threats (APT) targeting multiple companies in an industry sector

Countries affected: China, South Asia, South East Asia.

Sectors targeted: Telecom, information technology, energy, insurance, retail, pharmaceutical.

Assessment: The Patchwork group, an India-based espionage group and advanced persistent threat (APT) also known as Dropping Elephant, targeted a range of companies in 2017. Most of the victims have been in China and South Asia. The group used spear-phishing emails containing malicious attachments, typosquatting, website phishing and drive-by downloads from a fake Youku Tudou site (China’s equivalent of YouTube) to gain entry to the targeted organisations. Having previously used only open-source malware, the group was seen in this campaign using proprietary backdoors and information-stealing programs, indicating that its capability had been substantially enhanced.

Relevance for Business Finland: Having previously focused on political targets, as well as the aviation, broadcasting, energy, pharmaceutical, publishing and software sectors, the Patchwork group has expanded its targeting to include Chinese and South Asian companies in the retail, telecommunications, media and financial sectors. Although the infection vectors it uses are common, the diversification of its methods and the refinement of its capabilities make the group a viable threat.

WHAT IS IT?
A sophisticated threat actor, usually with a political or business motivation, able to gain access to a network and stay there undetected for a long period of time. APT usually refers to a group, such as a nation state, that has both the capability and the intent to persistently and effectively target a specific entity.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?
Sophisticated nation state cyber threat actors have been known to go beyond political intelligence gathering to target industries and specific companies.
Some of these attacks are focused on private sector firms to gather information on their products, services and business activities.
REGULATORY & THREAT SPOTLIGHT ON CHINA & SINGAPORE
Key China regulation: the 2017 Cyber Security Law (CSL)

China’s goals: Driven by President Xi Jinping, the evolving regulatory environment of China’s cyberspace is rooted in “national security” and “social stability” concerns, both of which are frequently cited and legally weaponised in order to assert control over cyberspace. This has led to a growing number of laws, administrative regulations and standards revolving around content filtering, user monitoring, identity and transaction control, security measures, IT localisation, etc.

The Cyber Security Law (CSL): The Cybersecurity Law, implemented on June 1, 2017, is the capstone of this effort, with a plethora of supporting policies, regulations and standards across various ministries and localities.

Enforcement: The Cyberspace Administration of China (CAC), the agency charged with this effort, seeks to minimise key risks associated with foreign state exploitation of systems and data, and with domestic cybercrime, terrorism and dissent. For all sectors, enforcement priorities will likely be personal information collection and use, cyber security processes and systems, the use of “secure and controllable” technology, and data localisation.
The impact of the CSL for Finnish businesses in China

Data localisation: Critical infrastructure operators’ customer data must stay in China.

Data export reviews: Some data will need review before transfer outside of China. Personal data and some “important data” will be subject to review before leaving China.

Security programs: Demonstrated security people, process and tools. The CSL calls for cyber security best practices to be in place for all organisations.

Tighter technology controls: Tighter controls over how the internet is used. More internet services (VPNs, on-premise web servers) will require licensing or will be blocked.

Important data: Industries will have further requirements for data management. Industry regulators will establish what information is sensitive and requires further security controls.

Security of Chinese citizens’ data for the State is a fundamental goal.

RAPID REGULATORY CHANGES DIFFICULT TO KEEP UP WITH
The pace of regulatory output, across a range of issues and sectors, is intense. Several agencies are pushing out rules that are simultaneously vague and specific, leading to a high risk of non-compliance as businesses try to keep up with the dizzying array of requirements.

CHALLENGES WITH OVERLAPPING ENFORCEMENT
The Cyberspace Administration of China (CAC) has issued strong warnings and penalties to companies regarding content.
Local Public Security Bureaus (PSB, the local, tactical policing entities of the Ministry of Public Security) have issued several warnings and carried out arrests and convictions of domestic companies for cyber security non-compliance.
The Ministry of Industry and Information Technology (MIIT) has issued “Critical Information Infrastructure” (CII) questionnaires to foreign companies and plans to send out teams to review industrial control systems.
China cyber security risks

Cyber security & compliance
Companies will need to demonstrate:
- A suite of policies for cyber security (in Chinese)
- Incident management planning
- A mature consent programme for user information
Cyber breaches will now involve the police (PSB):
- Mandatory reporting of data breaches (but the threshold is unknown)
- 6 months of logs must be kept (they will be reviewed in investigations)
- Whistleblower provisions expose companies to malicious reports and mandated investigations

Key ongoing cyber security threats
- Nation state threat actors remain active
- Cybercriminals are capable and ubiquitous: online fraud of one kind or another is very common; sophisticated cybercriminal groups steal intellectual property on behalf of competitors; ransomware has plagued Chinese companies big and small, foreign and domestic
- Hacktivists within China: very little hacking by activists, but considerable social media activity (controlled somewhat by the government)
- Insiders: while there is no general category of “insider” threat actors, they remain the biggest cyber security challenge

Counterfeiting is now digital, with fake web sites, payment scams, etc. The convergence of social media and payment in China is an opportunity for innovative frauds. Restrictions on content and external connections are likely to increase. Personal information theft is rampant in China.
Singapore overview

Key regulatory concerns
Personal Data Protection Act (PDPA):
- Regularly enforced with fines that may go up to SG$1 million (typically fines are around $10,000, with the highest known fine $50,000)
- Upcoming amendments will require 72-hour breach notification to the Personal Data Protection Commission; breaches of more than 500 personal information records must be reported
- A mature consent programme is necessary for user information
- Do Not Call requirements
Singapore Cyber Security Bill (presented in Parliament in January 2018):
- Covers a small number of critical infrastructure operators in 11 sectors
- Third parties providing services to these operators are likely to have to meet cyber security requirements
- Investigators under the bill will have wide latitude to investigate cyber security incidents, including mandating remediation, requiring audits and removing systems for further analysis

Key cyber security threats
- As a regional financial hub, Singapore and Singaporeans are often targeted
- High incidence of ransomware, particularly for smaller firms; 1 in 3 SMEs were victims of ransomware
- By mid-2017, reported CEO fraud and vendor email compromise had already stolen SG$21 million, with the average CEO fraud email victim losing SG$136,000; actual totals for attacks and money are likely much higher
- Ongoing activity by regional advanced persistent threat groups targeting Singapore government agencies and high-profile firms
MOVING FORWARD AND MANAGING CYBER SECURITY RISKS
Best practices for mitigating cyber security risk

People: Align cyber security with business operations
- Establish clear roles and responsibilities for cyber security activities.
- Deliver security awareness training for non-executive directors to help them ask the right cyber security questions.
- Establish dedicated cyber security liaisons within each business unit.

Technology: Follow cyber security best practices
- Implement a defence-in-depth architecture to minimise reliance on single security solutions.
- Subscribe to cyber security threat intelligence to understand current attack trends.
- Implement strong detection and monitoring controls to recognise and effectively respond to attacks.
- Contract for a forensics capability to analyse cyber attacks and develop lessons learned from them.

Process: Establish clear operational responsibilities for cyber security
- Practise a well-defined risk management process.
- Develop a practical and tested incident response and crisis management plan.
- Ensure that the business continuity plan is tested regularly.
- Implement segregation of duties for critical business activities.
- Ensure that all company assets, including data, have been accounted for and have an ‘owner’ who is responsible for their security.

Governance: Ensure executive understanding and oversight
- Establish a cyber security function aligned to business needs.
- Ensure cyber security has visibility at the senior business management and board level.
- Define clear metrics for measuring cyber security activities.
- Establish accountability for security metrics for all business units.
- Ensure that cyber security compliance requirements, regulatory standards and expectations have been defined and are well understood by all business units.
Control Risks Pacific Limited
2501-02, The Centrium
60 Wyndham Street
Central, Hong Kong
China
+852 6963 0040