Long gone are the days when a cyber-intrusion evoked images of pimple-faced teenagers hacking away in their parents’ basements. These days, cybercrime is global and gravely sinister.
We face state-sponsored espionage, powerful organised crime syndicates, and highly trained uber-hackers armed with black-ops level technology. Each passing day brings more attacks carried out with increasing precision and sophistication. As quickly as organisations develop new security mechanisms, cybercriminals cultivate techniques to sidestep them. As massive scale data breaches make headlines and the resulting damages mount, cyber risk is becoming a central concern for every type of business around the world.
Over the past two years alone, organisations ranging from major US brands (Target, Home Depot, JPMorgan, Sony, Michael’s, etc.) to insurance and healthcare companies (Anthem, Premera, etc.) to government agencies (OPM and many more) and even cyber security firms (LastPass, Hacking Team) have fallen victim to sophisticated cyber-attacks. These attacks, motivated by financial gain, extortion, disruption, or some combination thereof, have led to the exposure of millions of records containing personal data, healthcare records, passwords, sensitive emails and internal records.
By the time most intrusions are detected, enough time has passed for significant damage to be done—millions of records collected and sold to the highest bidder, government and trade secrets exposed, or passwords stockpiled to be leveraged in future attacks. Breached companies are liable for significant restitution to customers and suppliers, face closer scrutiny and higher fines from regulators, and often struggle with a sudden drop in sales or loss of business.
Many enterprises are acquiring cyber insurance to hedge against these losses, but some damage is harder to quantify and protect against. The harm done to brand reputation, for example, can be long lasting and hard to control. Repeated attacks or unpredictable fallout from a breach can significantly unravel public goodwill that took decades to build. The trust dynamic that exists amongst suppliers, customers and partners is an appealing and high-profile target for cybercriminals and hacktivists. The Sony breach, which exposed toxic executive emails, institutionalised pay inequities, and industry infighting (not to mention the movie premiere held hostage), is a fascinating example of the myriad ways a breach can turn nasty for the most beloved of brands.
Driving successful executive engagement
Managing information risk effectively has never been more critical. It must be elevated to a board-level issue and given the same level of attention afforded to other established risk management practices. Organisations face a daunting array of challenges, many of which are interconnected. In addition to cyber security, executives must address the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies.
In many organisations, cyber opportunities and risks have already become a board-level issue, with the cyber security head working to engage everyone up to and including the board of directors. Information strategy and risk should sit comfortably alongside other types of risks that the board already oversees. In order to balance risks vs. rewards, cyber security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy, and vice-versa. To manage risk, IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organisation’s business objectives.
Creating enterprise cyber resilience
Every organisation must assume they will incur severe impacts from future cyber threats that cannot be predicted or prevented. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient to deal with the potential impacts from unforeseen activities in cyberspace. It’s important to learn from the cautionary tales of past breaches, not only to build better defences, but also better responses. Business, government, and personal security are now so interconnected, resilience is important to withstanding not only direct attacks but also the ripple effects that pass through interdependent systems such as supply chains, social and healthcare services, and customer cohorts.
To achieve greater resilience, I strongly recommend that your organisation establish a crisis management plan that includes the formation of a cyber resilience team. This team, made up of experienced security professionals (employees, investors, customers and others), should become the driving force behind your cyber security initiatives. The cyber resilience team will be charged with ensuring that all relevant players communicate effectively, and that all facts are determined for each incident; this is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.
Today’s most successful and cyber-resilient organisations are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligation to establish meaningful cyber resilience programs that closely protect the organisation’s assets and preserve shareholder value. The new legal aspects of doing business in cyberspace bring even more urgency to these efforts. For example, an enterprise that is unable to prove compliance with HIPAA regulations could incur significant damages even in the absence of a breach, or face more severe penalties in the event of a successful attack.
Cyber insurance anyone?
Data breach liabilities are spreading swiftly. As a result, I’m seeing more organisations respond by purchasing cyber insurance, which has become a viable option for a growing range of organisations and industry sectors.
For many, privacy exposure is the key motivator for acquiring cyber insurance. Other organisations are more concerned about growing regulatory exposure. These concerns are no longer confined to the traditional sectors like financial institutions, retail, healthcare and higher education. These groups have been buying insurance for a long time; cyber insurance is particularly common in the healthcare industry given the enormous volumes of highly sensitive customer data it handles. I am now seeing players in a number of new industries, such as manufacturing and supply chain, purchasing cyber insurance due to regulatory concerns.
Allow me to offer an important caveat: cyber insurance is no replacement for sound cyber security and cyber resilience practices. Indeed, well-resourced practices that are compliant with industry standards can often reduce cyber insurance premiums. Moreover, look very carefully at the fine print—many policies do not cover state-sponsored attacks and may not provide you with the full financial cover that you seek. With each class action lawsuit prompted by data breach damages, case law precedents change and insurance companies adjust policies accordingly—see recent developments in the Home Depot, Sony, and Schnucks Markets cases.
Securing the supply chain
When I look for key areas where information security may be lacking, I always come back to the supply chain. Supply chains are the backbone of today’s global economy. Businesses are increasingly concerned about managing major supply chain disruptions, and rightfully so. In fact, a recent World Economic Forum report (in cooperation with Accenture) entitled Building Resilience in Supply Chains, indicates that significant supply chain disruptions reduce the share price of affected companies by as much as seven percent on average.
Security chiefs everywhere are concerned about how vulnerable their supply chains are to various risk factors. Businesses must focus on the weakest spots in their supply chains now. Unfortunately, in today’s complex global marketplace, not every security compromise can be prevented beforehand. Being proactive now means that you—and your suppliers—will be better able to react quickly and intelligently when something does happen. In extreme but entirely possible scenarios, this readiness and resiliency may dictate competitiveness, financial health, share price, or even business survival.
How can the ISF help your organisation?
Business leaders recognise the enormous benefits of cyberspace—innovation, collaboration, productivity, competitiveness and engagement with customers. Yet they have difficulty assessing the risks versus the rewards. That’s why the Information Security Forum (ISF) has designed its new tools to be as straightforward as possible. These ISF tools offer organisations of all sizes an ‘out of the box’ approach to address a wide range of challenges: strategic, compliance-driven, or process-related.
For example, the ISF’s Standard of Good Practice for Information Security (the standard) is the most comprehensive and current source of information security controls available. It enables organisations to adopt good practices in response to evolving threats and changing business requirements. The standard is used by many organisations as their primary reference for information security. The standard is updated annually to reflect the latest findings from the ISF’s research program, input from our global member organisations, and trends from the ISF benchmark, along with major external developments including new legislation.
Don’t find yourself left in financial and reputational ruin
Organisations of all sizes need to make sure they are fully prepared to deal with attacks on their valuable data and reputations. The faster you can respond to these problems, the better your outcomes will be.
Here is a quick recap of the next steps that businesses should implement to better prepare themselves:
- Re-assess the risks to your organisation and its information from the inside out
Change your thinking about threats
- ‘It couldn’t happen here’ is not a great backup plan
Revise cyber security arrangements
- Implement a cyber-resilience team
- Put a recovery plan in place
Focus on the basics
- People and technology
Prepare for the future
- Be ready to provide proactive support to business initiatives in order to protect your reputation and minimise brand damage
As the world’s businesses, governments, and economies grow more interdependent, knowing how to build resilient organisations and nimble incident response will be vital to more than cyber security. We no longer hide behind impenetrable walls, but operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.
This article is brought to you by Enex TestLab, content directors for CSO Australia
About the author: Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.