Are there any particular attacks or vectors in A/NZ that are more common? Do we have any unique threat characteristics as a market?
The attacks are now ubiquitous. The attacks occur across every vector. 80 percent of malware is only used once. Its tightly focused on an objective. They're smarter, they're better funded, the tools are more available, you can go online to websites and buy malware. Standardised, commoditised malware -- when they're targeting an enterprise, its one and done, then they're onto the next thing.
They are run like startup businesses. Malware-as-a-Service. They are really well funded. They have CFOs, they are well oiled machines. They guarantee their malware, for example, so if it doesn't breach the company, you get your money back.
The vectors have been standardised. Its now more about how they customise the attack, to go after an individual in an organisation, to go after some specific piece of information is what is so startling.
The patience and professionalism is astounding. One of our clients was talking about a German automobile manufacturer, that was targeted over time with the aim of capturing plans on a new automobile. It really compromised the launch of that automobile outside of their home country. Because all the IP, all of the designs, everything, had been exfiltrated over a period of 10 years.
The retrospective angle is interesting -- do you work with any Big Data or business analytics partners? Looking back at old data patterns and finding threats or fraud?
My organisation is about developing alternative partnering routes to market. For example, the opportunity we announced with Visa is really interesting. What's at stake for them and their 100,000s of merchants. Obviously they're in the business of providing financial merchant services, but for them, security is paramount. It's not the business they're in, but as an adjunct, if they can secure those transactions in a different way, or a more comprehensive way for their merchants, then that creates a competitive advantage for them in their space.
I imagine for a company like Visa its as much intangible, reputational damage as it is financial, nevermind what a big hack would do to things like their insurance premiums...
Great example. We've actually been developing a new program with the world's largest cyber defence insurance company, both the underwriters and brokers. Imagine if you now had to rewrite the policy for Target, as an example, or indeed any company? How do you even assess the risk? And how do you create a policy and what kind of a premium do you charge?
We've just announced some very specific cyber insurance companies who now want to create a more comprehensive risk profile for their customers, so they can do a better job.
Sign up for CIO Asia eNewsletters.