On September 11th and 12th, INTERPOL and Palo Alto Networks co-hosted roundtable events at the INTERPOL Global Complex for Innovation (IGCI) in Singapore, a cutting-edge research and development facility for the identification of crimes and criminals, innovative training, operational support and partnerships. Noboru Nakatani, Executive Director of the IGCI, joined Palo Alto Networks’ Sean Duca and Egon Zehnder’s Jiat-Hui Wu and Elaine Wen Suen as moderators for a discussion about the security business risks that today’s enterprises face, as well as the best ways to engage with INTERPOL. The audience was made up of board members, CEOs, CIOs, and other senior executives from major global corporations.
With innovation to drive digital competitive advantage and applications and data becoming more distributed, additional avenues for compromise spring up. As criminals continue to take advantage of new technology, it’s more important than ever for law enforcement to innovate the ways in which they share and communicate threat information. Building a relationship with local law enforcement is a crucial part of setting up a truly cyber-resilient organization. These were the themes upon which the roundtable was based.
INTERPOL’s Nakatani began the discussion by noting that, while the web is offering a more connected world, the connections must be handled carefully, because “criminals are taking advantage of any misstep.” Policing in cyber space, he said, is very challenging—“it’s paradigm shift, in which we’ve moved from footprint and fingerprint forensics to digital forensics.”
Interpol has its own cloud, Nakatani explained, into which member countries feed their data, and it’s up to each country to decide what data they want to include in their database. “Interpol is in a pilot phase to allow private industry to also participate in the data share. If private companies participate, it benefits the greater good.”
Nakatani offered this advice about what private companies should think about sharing: “Share information with law enforcement that will protect your customers, your employees, and your company’s assets. Law enforcement is shifting from the old idea of ‘need to know,’ to the new idea of ‘need to share.’”
Share and share alike?
While the sharing of information was a topic of interest among attendees, there was not a lot of consensus about what that means. Said Palo Alto Networks’ Duca: “CTA is our Cyber Threat Alliance, which was founded by us together with our competitors because we need to come together as a community for the greater good. As our CEO, Mark McLaughlin, once said, ‘companies shouldn’t compete on what they know but what they do with what they know.’ But what we see is that many want to consume but few want to produce. So, I ask you: Why are companies opposed to sharing?”
One attendee was quick to respond: “They don’t want to say they were attacked or share their chain of supply or they are afraid of the damage of disclosure.”
According to another attendee: “We must rethink our strategy because, over time, everything will be known about everyone. We’re entering a completely new game. The question is, how do we defend ourselves once you know everything about everyone?”
One executive put it this way: “There are two kinds of sharing. One, we will share if there are some threats; I’ll tell the regulatory figures, but, two, if we are compromised, we will not disclose that.”
Cybersecurity culture, Nakatani noted, can be as simple changing passwords—but real awareness comes from the top. Changes in people, process, and technology are what’s needed to prevent, for instance, Business Email Compromise in which scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals. Said Nakatani: “Don’t be fooled, Cyber crime is industrialized, and that BEC numbers are skyrocketing—$5.3M in BEC, which has grown 23 times since 2016—is proof.”
Palo Alto Networks’ Sean Duca told the audience, in the end, that “this isn’t about scaring you. It’s about waking up to the issues and growing awareness.”
To know or not to know
One of the main topics of discussion among the attendees was the they don’t really know what they need to know. Said one executive: “We don’t always know what’s going on–that’s the truth. We think we know, but we don’t. What I do know is that we can’t win this by being defensive—attack and respond, attack and respond. That just keeps repeating, and the people who are caught are at the low end and not the people at the top. So, it will never end. I’d like to know about a more offensive approach: How do we move from being on the defense all the time, to a more offensive stance towards cyber attacks? How do we get ahead of the curve? How do we predict the unpredictable and be prepared for it?”
Another attendee said: “What is the unknown is the unknown. I need to know what I don’t know.
Someone might be moving inside the organization already. So, I am here to know what we don’t know.
Maybe it’s not foolproof, but we need to try.”
“Security comes from the top, and awareness is important,” said Palo Alto Network’s Sean Duca. “People continue to be the weakest link. Despite running plenty of in-house ‘cyber education,’ the click-through rates on phishing email, for example, is still 30% to 40%. How do you get that down to zero? Well, zero is close to impossible, because all it takes is one employee to click.”
At this point, there was some give and take about the current dangers in the news. Said one CIO, “With wannacry petya, do we think we’ve learned those lessons?” To which INTEROL responded, “Who is we? Some people don’t care. But we should be concerned with critical infrastructures. In any case, our goal is to make it more expensive to succeed in an attack.”
One other attendee suggested that “We need to look at many layers of defense—there’s no silver bullet. What other risk management controls do you have? In the end, human beings are always the weakest link—it’s not the systems.”
“Continuing education and raising awareness is important, but the whole chain of people-process-technology needs to be robust to contain damages post-breach. Incident response post-breach cannot be neglected.”
No wonder one CIO in attendance summed up his plight this way: “Companies get robbed every single day. It’s surprisingly easy—and it’s absolutely real.”