The real business impact of a cyber attack must be discussed at board level if companies want to effectively protect themselves from cyber criminals, says BAE Systems Detica chief

Understanding the true financial impacts of a cyber attack is the first step towards protection from cyber criminals, according to BAE Systems Detica chief technical officer for cyber security, David Bailey. 

Speaking to StrategicRISK, Bailey said: “You need to quantify the impact and then use that to drive security spend. When you make a decision on where to spend your security budget, you want to be able to spend it effectively with the greatest risk mitigation by protecting the greatest exposures the business faces.”

He added: “If you can drive the business impact of cyber attacks out at a top-level board discussion, then you can use that to prioritise the security spend within the organisation where you get the most benefit.”

Research by BAE Systems Detica found one of the world’s most sophisticated cyber threats, Shylock malware, is being distributed through compromised legitimate websites and has cost the banking industry millions of euros over the past two years.

Bailey conceded that although Shylock currently appears to be targeting UK banks, the malware is likely to spread through methods such as ‘watering hole’ attacks, which he likens to a crocodile in the water – hidden but deadly.

Detica’s Shylock report, published earlier this week, suggests the criminals behind the malware are an organised group working five days a week, and it highlights the advanced techniques Shylock’s creators have used to remain undetected by traditional security defences.

The analysis of the malware also reveals that its modular framework gives it serious “future upgrade” potential, so it is likely to return in different guises.

In light of the organised nature of new cyber threats, Bailey said organisations should expect cyber attacks, but should also be looking to hone their security with detailed analysis of their specific exposures.

He said: “You can’t rely on the defences you’ve built – there has to be an acceptance by businesses that they will be attacked and that some of those attacks will succeed.

“The challenge then is to ensure that you are monitoring your network and making best use of the intelligence you can get from your own organisation, from partners and have that network of sharing and that means being the best protected you can be on an ongoing basis.”

He added: “I think an important step is sharing experiences between boards at executive levels with companies that have and haven’t been attacked.”