02 December 2014

Expert column of Group DF CIO Alexey Yankovski ‘Cyber Security: What Will the Global Companies Spend $76.5 billion on?’



Today no one doubts that information protection deserves close attention. According to PwC's research, large companies lose on average $5 million to cyber attacks. Consequently, data security has become a top-priority task, and businesses invest more and more in it. According to Gartner's forecasts, companies' spending on IT security will grow by 7.9% to $71.1 billion in 2014, and by a further 8.2% in 2015, to $76.9 billion.

Virtual war affects not only corporate but also national interests. In 2014, cyber attacks have been widely used against Ukraine during the conflict in the east of the country. This year Ukraine has faced unauthorized phone tapping and leaks of intercepted conversations, attacks on the websites of government institutions, mobile spam during the elections, jamming of TV signals and interception of radio communications.

In Ukraine, influential media, financial and government institutions suffer most from cyber attacks. At the same time, both the number of attacks on information infrastructure and their complexity are increasing. Malefactors use different types of attacks: physical (attacks on television relay towers, which stopped TV and radio broadcasting in the zone of the anti-terrorist operation), DDoS attacks (on the websites of the Central Election Commission, the Verkhovna Rada and key media), hacking of information resources (the CEC's website and the email inboxes of politicians and journalists), and attacks on mobile networks (interception of conversations, spreading viruses via SMS, SMS messages sent to protesters on Hrushevskoho Street during Maidan).

Large companies and financial institutions of our country are willing to invest heavily in data protection. At the national level, several bills have been drafted to change the approach to Ukraine's information security. What we still have to do is build a new system that can identify information security risks in good time and respond appropriately. Which problems should be solved first?

5 key problems in information security:

  • Absence of a unified government agency that coordinates information security and IT issues on a national scale. What does this lead to? First, there is no unified development strategy for information security. Without one, an effective information protection system cannot be built, and the development of IT management and e-government is hindered. As a result, the draft bills and programmes of different government agencies are usually not synchronized. Secondly, money can be spent inefficiently. Thirdly, we have no answers to fundamental questions. For example, why is there no unified concept for the use of digital signatures? Which digital signature standards will Ukraine use: domestic or international?
  • The system of national information protection standards is already out of date. It is detached from business practice and does not guarantee financially reasonable and reliable protection measures. In Ukraine, technical information protection uses the so-called “Integrated Information Protection System”: the system is built once, specialized organizations then check it and issue a security certificate, and after that the system is expected to remain unchanged. In practice, that does not work. Other countries have specialized sector standards of information security for protecting businesses, including energy companies, financial institutions and media. Manuals for keeping media broadcasting running during an emergency are standard practice worldwide. Ukraine has no such standards; the only exception is the banking sector, where the National Bank of Ukraine has distributed its security ideology. The USA, Canada, Great Britain and other countries have developed manuals for small business that define how a business owner should build up the cyber security of the business.
  • Lack of information sharing about cyber attacks on government organizations and private business. In Ukraine almost no one shares information about attacks. No one says: we were attacked from this server, let's see what is happening there and let's blacklist it. Information is exchanged only among international payment systems: from which server Internet banking was attacked, from where the DDoS attacks came. Recently a Computer Emergency Response Team (CERT) was created on the basis of the State Service of Special Communication and Information Protection of Ukraine, and a Coordination Centre was established to prevent information security incidents, but this is not enough. We need sector-specific centres that respond to cyber attacks on the media, the energy sector, the telecommunications industry, etc. We need a CERT for the army and for the Ministry of Internal Affairs of Ukraine.
  • Use of counterfeit software, and the large number of virus-infected and misconfigured networks that are used in DDoS attacks. According to experts, thousands of virus-infected and misconfigured systems are involved in attacks on other companies.
  • Lack of effective public discussion of government initiatives in information security among experts. This is a problem because specialists in government bodies do not always have enough competence and knowledge to take the measures needed to provide cyber security.

An efficient national information security management system cannot be developed in a day, a week or a month. Nevertheless, we have to begin somewhere. I would like to point out 4 main tasks.

First, we should establish a unified coordinating body for information security and IT. Secondly, we should set up a regulatory framework that meets the requirements of international standards. We can achieve immediate results using documents that are already available in Ukrainian and can be implemented: in particular, the information security standards ISO 27001/ISO 27002 as translated by the National Bank of Ukraine, and COBIT, the IT management framework developed by the Information Systems Audit and Control Association (ISACA).

Thirdly, sector-specific centres for responding to IT security threats have to be founded. These response centres should share details of attacks on corporate and government resources and blacklist the servers from which attacks are launched.

Lastly, we have to organize the education and training of specialists in IT management and information security, who are in short supply in Ukraine.

New approaches will help business and the government respond to today's new challenges. In the long term, improving information and IT security will make the country stronger in the geopolitical confrontation.