8 June 2016
More than two decades in the financial and cybersecurity industry and law enforcement have made British-born Paul Jackson one of Hong Kong’s foremost digital forensics and cybercrime investigation experts. The Managing Director of Stroz Friedberg, a US-headquartered global firm specialising in risk management, was a moderator at the high-level Cyber Security Summit 2016, held in Hong Kong in May.
Tell us about Stroz Friedberg.
Stroz Friedberg opened a Hong Kong office in 2012, via acquisition, to serve our Asian markets. Centralising everything in the Hong Kong office allows for more effective quality control. It means as a hub, we have all our expertise in one place, and of course, we’re in a location where we can travel anywhere within Asia very quickly, so it makes a lot of sense.
The core of Stroz Friedberg is built on technology – forensics, incident response, cybersecurity, among others. We are regarded as one of the elite companies in terms of the depth of our expertise in this field. Our clients are Fortune 500 companies – big financial institutions, the IT industry, retail, healthcare, hospitality and major manufacturers. We’re built for purpose, we solve problems that are often too difficult for, say, more generalist companies. In Hong Kong, we have 26 staff; globally just over 550.
What’s your assessment of the current state of cyber risk?
It is clear that organised crime groups engaged in cybercrime activities are becoming increasingly sophisticated. The criminal underground is becoming more structured and organised with org-charts similar to those of legitimate organisations. Those with hacking skills are being brought together with those with analytic skills, big data skills, trading skills and corporate espionage skills. What this means is that it is no longer just financial data being targeted, but a diverse array of disparate information, which can have value when collated and analysed. Hence, companies and organisations may not realise the value of data that they hold, and accordingly, may not have commensurate protections in place.
What types of data are at risk?
We’re talking about confidential information that may move markets – relating to M&A activities, drug trials and new technologies, as well as data that may hold value as competitive intelligence.
Last year’s hacking of the business newswires in the United States gave a glimpse of where organised crime was heading. There, the hackers were reportedly “for hire,” and it was rogue traders who sought access to advanced information relating to corporate media announcements in order to profit from trading ahead.
It is no longer the case that businesses that don’t hold financial data or process credit cards are less likely to be targeted. Companies now need to be cognisant of the fact that data they hold, in combination perhaps with other data, may be used to draw inferences, to predict market movements, or to gain other competitive advantage in the business world.
Also, the cybercrime underground economy is becoming smarter in terms of monetising in other ways; you can clearly see the trends in ransomware, for instance. Business Email Compromise (BEC), sometimes referred to as CEO fraud, is causing losses exceeding US$2.3 billion, according to the US FBI. Attacks on mobile devices are perhaps the most insidious, as we carry these devices everywhere. If phones are compromised, they can not only record your location, but can also record from the mic and even take photos from the camera. In combination with other cyberattacks, they can be very effective for criminals.
As a leading financial centre, is Hong Kong especially vulnerable to such attacks?
Naturally, Hong Kong can be viewed as a very attractive target for criminal organisations, but the city is not unique in that regard. Hong Kong businesses need to keep abreast of the prevalent threats, and most importantly, prepare for the worst – most large organisations do some kind of crisis scenario and resiliency planning and this must incorporate cyber incident and data-breach exercises.
Many businesses suffer more from poorly planned response than the actual breach. Additionally, the hours after a data breach are the most critical. Many businesses or organisations waste precious time trying to identify who can provide expert assistance, or even worse, instruct untrained internal IT staff to try and investigate. The latter often results in the destruction of digital evidence that provides clues about how the breach occurred. A simple step that can be taken is to identify a qualified incident-response vendor and ensure that they are on a retainer, such that they are able to respond immediately in the event of a breach.
And yet, does Hong Kong offer companies a degree of protection?
Yes. Hong Kong is fortunate to have a world-class police force, which is well resourced and well trained; certainly a leader in the APAC region. The city has specialist companies on hand to respond if the worst happens. Stroz Friedberg, for instance, has experience with working with some of the world’s biggest data breaches globally. We are able to bring this experience to Hong Kong companies to help them to be proactive in terms of preparing for incidents and assessing current security posture as well as reactively in effective response to any threat.
What was achieved at the Cyber Security Summit in May?
The conference was significant in that it was the first time the police and IT industry held an event of this scale, supported by the regulators. It was a huge step in the right direction, and the event was a sell-out.
The overriding sentiment to emerge was that where we are failing is with the human element. It includes hiring the right people to begin with, and ensuring mistakes and social engineering don’t happen, through good training and education, but perhaps most importantly, paying more attention to those on the inside who may present a risk to the organisation.
In an age where almost every aspect of our lives is documented online via social media, crime groups are increasingly conducting sophisticated online research and subsequently leveraging employee vulnerabilities to gain access to information that allows for bypassing of an organisation’s cybersecurity. Stroz Friedberg has long advocated that organisations should have a commensurate understanding of their employees, especially those with access to critical data, in order to proactively identify at-risk employees.
The extent to which employees should be analysed for risk behaviours was a hotly debated subject at the conference. Organisations, though, are increasingly coming to the realisation that greater understanding of employees is not only critical to ensuring information security, but when done in the right way, can greatly enhance the overall health of the organisation.