From Strategy to Security: Navigating the Cyber Threat Landscape in a Data-Driven World

27 November 2025

With the aid of AI, hackers today can easily gain access to a company’s CEO account, crafting messages that convincingly mimic the CEO’s tone and voice. These messages could deceive employees into authorizing financial transactions or other critical transfers, resulting in significant losses. At Sasin Research Seminar, Kenneth Knight (Sasin Executive MBA 2015), Senior Director of the Global Insider Threat Program at TransUnion, shared how organizations can effectively navigate cyber threats in a data-driven world. Kenneth said that the information security industry is currently valued at $212 billion USD and is expected to continue its upward trajectory as AI technology advances and security concerns intensify.
Cybersecurity in a Data-Driven World
According to Microsoft, cybersecurity is “a set of processes, best practices, and technology solutions that help protect and defend critical systems, data, and networks from digital attacks.” Kenneth shared the top five cyber risks with the highest potential for financial loss. First, ransomware attacks, which can result in losses of up to $2.5 billion. Second, data breaches, which lead to significant regulatory fines and reputational damage. Third, Business Email Compromise (BEC), where attackers impersonate executives to deceive employees into transferring funds. Fourth, criminal fraud involving unauthorized wire transfers. And fifth, supply chain attacks, such as the SolarWinds hack, which targeted the software of U.S. government agencies and other organizations. Kenneth emphasized the growing threat posed by these risks and the need for organizations to adopt robust cybersecurity measures.  
Cyber Threat Actors
Kenneth also identified five primary types of threat actors that organizations should be aware of:
  1. Nation-State Actors: These are cyber attackers sponsored by governments. They are highly funded and sophisticated, often acting to further their nation’s political or strategic interests. A notable example is the 2014 cyberattack on Sony Pictures, which was allegedly carried out by North Korea in retaliation for the movie The Interview, which mocked its leader.
  2. Cyber Criminals: These individuals or groups are motivated by financial gain. They are typically well-organized, though not as well-funded as nation-states. Their main goal is to exploit vulnerabilities for monetary profit.
  3. Hacktivists: These are individuals or groups with specific political or social agendas. Hacktivists target organizations or systems they believe are furthering practices or policies they oppose. For example, environmental groups may target petroleum companies to advance their cause.
  4. Script Kiddies: These are novice hackers who use pre-written scripts to carry out cyberattacks. While they often lack technical expertise, they can still cause damage by deploying known attack techniques, sometimes for personal excitement or to gain experience.
  5. Insider Threats: Insider threats come from individuals within an organization who have legitimate access to systems but may misuse that access, either intentionally or unintentionally, to cause harm. This could involve data loss, data destruction, or sabotage of IT systems. Insiders might include employees, contractors, or security service providers.
Mitigating Cybersecurity Risks
To address these threats, organizations must take proactive steps to secure their data and systems. Companies may start by assessing their own insider risk, by answering these questions:
  • What is your organization’s “Must Protect” data?
  • Does your organization meet the PDPA requirement for sufficient protections?
  • If an employee sent an email with the company’s salary data to their Gmail account, would it be detected?
  • Are data labels in place to keep departing sales team members from taking customer lists?
  • Is your company more or less vulnerable due to Gen AI?
  • How much money will your competitors save if they use your marketing data?
Kenneth outlined several key strategies for mitigating risks, particularly those related to insider threats:
1. Identify Regulated and Valuable Data – Organizations must first identify the data they must protect, including the following:
  • Personal Data (as defined by regulations like PDPA)
  • Credit Card and Payment Data (PCI)
  • Proprietary Information
  • Credentials (logins and passwords)
  • Crypto Keys
  • Human Resource Data, Executive Communications, and more.
2. Determine Signatures and Regular Expressions for “Must Protect” Data – Organizations can use Regular Expressions (REGEX) to create patterns for sensitive data, such as credit card numbers or social security numbers, to ensure they are not inadvertently exposed or accessed.
3. Reduce Access to the Minimum Required – Implement Role-Based Access Controls (RBAC) and Discretionary Access Control (DAC) to ensure that employees only have access to the data they need to perform their job functions.
4. Enforce a Two-Person Rule for Sensitive Access Expansions – Ensure that any request for expanded access to sensitive data must be approved by two individuals, adding an extra layer of security.
5. Identify Insider Vulnerabilities – Insider threats can often exploit various systems or processes, including:
  • Email
  • Data Storage
  • Web Uploads
  • Endpoints (e.g., USB drives)
6. Mitigate Known Vulnerabilities
  • Email: Restrict outbound email use, apply automatic warning labels for emails sent to external recipients, and deploy Data Loss Prevention (DLP) tools.
  • Data Storage: Implement deletion restrictions and enforce shared storage for critical data (no work allowed on personal devices).
  • Web Uploads: Use DLP tools and a Cloud Access Security Broker to monitor uploads and block access to personal cloud storage.
  • Endpoints: Disable USB storage devices and apply logging and DLP controls.
7. Reduce Insider Threats
  • Limit access for contractors and departing employees by reducing their access to sensitive information and authorized protocols (e.g., no external email).
  • Monitor all workers for potential threat activity, particularly high-risk individuals, through User and Entity Behavioral Analytics (UEBA).
8. Hunt for Unknown Vulnerabilities – Regularly test and improve your security measures by identifying and mitigating vulnerabilities that may not yet be known.
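
One way to combine strategy 2 with the email control in strategy 6, as an added example that is not from the seminar or from any DLP product: regular expressions for card and social security numbers, a Luhn checksum to cut false positives, and a check that the message is actually leaving the organization. The domain example.com, the function names and the sample messages are assumptions made for illustration.

```python
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Candidate card numbers: 13-19 digits, optional single space/hyphen separators.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US SSN in 3-2-4 hyphenated form, excluding ranges that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs such as order numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return (label, masked value) pairs so the alert itself never stores the raw data."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits

def review_outbound(recipients, body):
    """Flag a message only when sensitive data is addressed outside the organization."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = find_sensitive(body)
    return {"external": external, "hits": hits, "flag": bool(external and hits)}

# Constructed sample messages using publicly known sample values, not real data.
SAMPLES = [
    (["someone@gmail.com"], "Customer card 4111 1111 1111 1111, exp 12/30"),
    (["finance@example.com"], "Customer card 4111 1111 1111 1111, exp 12/30"),
    (["someone@gmail.com"], "Order 1234567890123456 shipped, SSN 078-05-1120"),
]

if __name__ == "__main__":
    for rcpts, body in SAMPLES:
        print(rcpts, review_outbound(rcpts, body))
```

The third sample shows why the checksum matters: the 16-digit order number matches the card pattern but fails Luhn, so only the social security number is reported.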
