This article originally appeared in BRINK on January 14, 2020. It was co-authored by Paul Mee, partner of Digital and Financial Services at Oliver Wyman, and Greg Rattray, senior advisor for Oliver Wyman.
The four nation-states considered most active and most threatening regarding targeted cyberattacks are China, Russia, North Korea and Iran. Each is motivated to undertake cyber-offensive moves with varying ambitions. Iran may not immediately deploy “high-end” cyber-offensive capabilities — retaining them for when the conflict situation escalates. Such an approach to escalation may mean that mid-sized firms could be attractive targets for Iran to test its cyberattack efficacy while sending a strong signal that it has the capability to potentially inflict greater harm.
Historically, Iran has launched cyberattacks against U.S. dams, financial systems and government networks. It is widely assumed that the regime attacked a major U.S. resort company in a so-called wiper attack, which took out three-quarters of the company’s Vegas-based servers (estimated at a cost of more than $40 million). Wiper attacks often enter a company through common tactics like spear phishing, password spraying and credential stuffing.
Importantly, Iran has sustained ambitions to disrupt and impair U.S. financial services. For a long time, the regime has agitated for a move from the U.S. dollar as the international currency of the world to an alternative. While this ambition is unlikely to be met, the nation’s leaders could be motivated to impact confidence in the U.S. currency and the U.S. financial services system more broadly.
So What Actions Should Companies Take?
Below, we share 12 practical steps that every organization can take.
- Exercise and test incident-response capabilities for a potential nation-state attack, with special emphasis on “crown jewels”-compromise scenarios (recognizing that what you consider crown jewels could be different from the assets a nation-state hacker is after).
- Verify that cyber response playbooks and associated execution mechanisms are up to date and correct. For example, named personnel are accurate and available, alert levels are understood and the basis for declaring an alert level is clear and consistent with the risk appetite of the enterprise. Also, be sure your organization is prepared to deal with situations where the sector is under attack even if your institution has not been specifically attacked yet. For example, prepare for counterparty vulnerabilities and utility outages.
- Confirm that an executive incident response team can be ready at short notice and that those on the team know their responsibilities. Ensure that advance preparations are in place, such as deciding what corporate communications may be needed. What will you tell customers if you suffer from a cyberattack? What will you tell regulators? Conduct a targeted attack assessment to determine whether the firm’s controls and response arrangements are appropriate for more advanced nation-state cyber threats.
- Remind employees of the potential of phishing attacks, ensuring they are extra vigilant regarding suspicious emails, and be prepared to test their acuity in this regard.
- Initiate resetting passwords for executives, executive assistants, systems administrators and those with privileged access.
- Analyze third-party relationships for security vulnerabilities — especially large scale and critical data processing and payment services.
- Confirm with third-party vendors their level of preparedness for cyber events, especially where they are a critical service provider that would play a role in your organization’s response to a cyber event.
- Review outstanding security vulnerabilities to ensure that all critical patching has been conducted and is up to date.
- Re-examine recent service outages or glitches that may have been attributed to a technical fault but upon re-examination could be tests by an external hacker regarding your defenses (as the London Stock Exchange has recently done).
- Energize and reaffirm strategic relationships with government and law enforcement agencies and with sector bodies like the Financial Services Information Sharing and Analysis Center and the Financial Systemic Analysis and Resilience Center, ensuring your organization is kept current on the latest threat intelligence. If you have a direct connection to, or are a member of, InfraGard or an Electronic Crimes Task Force, make a call and ask for a perspective from an FBI or Secret Service agent you know.
- Heighten physical security of locations outside the United States.
No one can predict whether, when or where Iran may attempt an attack. But rising geopolitical tensions translate into elevated cyber risks, and companies need to prepare themselves now.