Cyberspace is constantly evolving and presenting organizations with new opportunities. The desire of businesses to adopt new technologies quickly, such as using the Internet to open new channels or moving to cloud services, offers vast potential. But it also brings unanticipated risks and inadvertent consequences that can have a negative impact.
Hardly a day goes by without news of a new cyber threat or major data breach arising from “malspace” — the online environment inhabited by hacker groups, criminal organizations and espionage units. Regularly we’re reminded that these international groups have access to powerful, evolving capabilities, which they use to identify, target and, inevitably, attack.
The recent revelation that a Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, simply reinforces the fact that cybercrime has the potential to affect all of us, from the individual to the largest corporation.
With Opportunities Come Serious Risks
Cyberspace has become an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. In this day and age, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events.
McAfee recently reported that cybercrime is a growth industry where the returns are great and the risks are low. In fact, McAfee estimates that the likely annual cost to the global economy from cybercrime is more than $400 billion, a number that is more than the national income of most countries. Unfortunately, governments and businesses tend to underestimate how much risk they face from cybercrime and how quickly this risk can develop.
Cybercrime, the rise of online activism (hacktivism), the growing cost of compliance with an expanding set of regulatory requirements and relentless advances in technology, all against a backdrop of under-investment in security departments, can combine to create a perfect storm. With cyberspace so critical to everything business related, from supply chain management (SCM) to customer engagement, holding back adoption or disconnecting from cyberspace completely is not realistic. But the commercial, reputational and financial risks that come with a presence in cyberspace are real and growing every day.
If senior executives don’t understand cyberspace, they will either take on more risk than they would knowingly accept or miss opportunities to further strategic business objectives such as increasing customer engagement or market leadership. Such organizations are more likely to suffer embarrassing incidents, and when they do, the impact will be greater and longer lasting.
Understanding cyber risks and rewards is also fundamental to trust. If organizations can’t maintain a trusted environment in which to communicate and interact with their customers, their business could suffer or even collapse.
Cybersecurity Is Not Enough
So all businesses need to do now is establish cybersecurity within their organization, right? Wrong!
Establishing cybersecurity alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of activity in cyberspace.
As I alluded to earlier, cybercrime often involves sophisticated, targeted attacks against an organization. Additional security measures are required to respond to specific cybercrime-related attacks, and cyber resilience programs that anticipate uncertainty must be put in place.
Cyber resilience anticipates a degree of uncertainty: it is difficult to undertake completely comprehensive risk assessments about participation in cyberspace. It also recognizes the challenge of keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. And it encompasses the need for a prepared and comprehensive rapid-response capability, because organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves.
Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
Re-Examine Existing Cyber Resilience Assumptions
The first action businesses must take is to re-examine the assumptions the organization has made about the Internet and adapt their cyber resilience to this new paradigm. For example, one of the threats identified is that a key component of Internet security, encryption, may fail to hold up. This points to the need to take action immediately; waiting for the ball to drop is not advisable.
Secondly, resilience to the ongoing threats of operating in cyberspace must be reassessed regularly, because:
Cybercriminals are still well ahead of information security professionals. The bad guys are getting better at what they do faster than ever before, while the good guys often struggle merely to respond. The situation is made worse because cybercriminals have no budget restrictions and need not conform to legislation or comply with regulations, an increasing burden for organizations.
The cost of investigating, managing and containing incidents will rise as they grow more complex and regulators’ demands increase.
The insider threat will continue to challenge organizations, because people will remain the weakest link in information security. Whether it is through deliberate or inadvertent actions, organizations will still face threats from within.
Finally, although governments have a role in securing cyberspace, it is highly unlikely that they will clean up the mess they have made within the next two to three years. Regulation and law enforcement cannot keep up with the speed of technology, so organizations need to give immediate consideration to the additional actions they may wish to take to counter possible impacts from the recent disclosures.
Frankly, no one can better protect an organization’s information than the organization itself.
Creating a Cyber Resilience Team
Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from future cyber threats that cannot be predicted or prevented. Traditional risk management is insufficient to deal with the potential impacts from unforeseen activities in cyberspace. That’s why enterprise risk management must be extended to include organizational risk and cyber resilience — just ask Target, Neiman Marcus, Michaels and so many others.
To achieve this goal, I strongly recommend that your organization establish a crisis management plan that includes the formation of a formal Cyber Resilience Team. This team, made up of experienced security professionals together with representatives of key stakeholders such as employees, investors and customers, will become the driving force behind your cybersecurity initiatives. The Cyber Resilience Team will be charged with ensuring that the necessary communication takes place between all relevant players, and with establishing the facts of each incident so that a comprehensive and collaborative recovery plan can be put in place.
Today’s most successful and cyber-resilient organizations are appointing a coordinator, such as a Director of Cybersecurity or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating there. This coordinator also highlights the board’s obligation to establish cyber resilience programs that protect the organization’s assets and preserve shareholder value. Such efforts are especially important given the many legal facets of doing business in cyberspace.
Do I Need Cyber Insurance?
Privacy exposure has been a key motivator for some organizations to purchase cyber insurance; others are motivated by growing regulatory exposure. It is no longer just the organizations we have traditionally focused on, such as financial institutions, retail, healthcare and higher education; those sectors have been buying insurance for a long time. Healthcare organizations have been particularly large buyers of cyber insurance, because of the enormous volumes of customer data they handle. I am also seeing organizations in a number of new industries, such as manufacturing and supply chain, purchasing cyber insurance because of regulatory concerns.
But remember: cyber insurance is no replacement for sound cybersecurity and cyber resilience practices. On the contrary, well-resourced practices that comply with industry standards can often reduce the associated premiums. Secondly, read the small print very carefully: many policies exclude state-sponsored attacks and may not provide the full financial cover you would wish for.
Data breaches have become a regular feature of modern life. This will continue as long as efficiency and ease of data access trump security, a state of affairs that makes economic sense for many organizations, that is, until they suffer a breach of their own. Once a breach happens, the value of security as a business enabler becomes clearer. Prevention and detection will evolve, but will continue to rely on technical and intelligence-based solutions. This will involve a small number of stakeholders and departments who implement the basics and thereby manage the majority of information risk.
The real difficulty lies in acknowledging that breaches are inevitable, and that resources invested in advance can pay dividends when a crisis occurs. It takes maturity for an organization to recognize it cannot control the narrative after a data breach goes public, and that leadership involves being honest and transparent with customers to maintain credibility in difficult circumstances. A robust breach response begins before things go wrong, including the development of a plan, regular scenario planning, taking decisive action and managing the message. These actions will involve a wide range of internal stakeholders, and may involve the services of external crisis management and media experts.
In a world where data breaches are becoming all too common, organizations that produce an imaginative and credible response will have a comparative advantage over those that are slow and confused, and this will translate to tangible business value. By instituting a Cyber Resilience Team, and adopting a realistic, broad-based, collaborative approach to cybersecurity and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of today’s increasing cyber threats and respond appropriately.
Remember: Don’t think cybersecurity. Think cyber resilience…in everything that you do.
Steve Durbin is Global Vice President of the Information Security Forum.