FORUM: Information technology and cyber security risk
April 2014 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
Larry Clinton at the Internet Security Alliance moderates a discussion on information technology and cyber security risk between Michael Bruemmer at Experian Data Breach Resolution, Emilian Papadopoulos at Good Harbor Security Risk Management, LLC, and Simon Calderbank at HCC International.
Clinton: In your opinion, what are the major information technology and cyber security risks facing firms today? Can you highlight any recent events that illustrate the threat?
Bruemmer: There are a number of security risks organisations are facing, and one of those risks centres on the mobility and storage of data. This includes susceptibility associated with the increased use of mobile devices and BYOD programs, along with cloud storage. The latest news headlines show data breaches are happening with frequency and across industries, causing many companies to recognise it’s not if, but when a security incident may happen. It is more important than ever for companies to invest in setting up a data breach preparedness and response plan. Being properly prepared can help significantly reduce the impact of a breach – both for a company’s reputation and its bottom line.
Papadopoulos: The most important thing to know here is that every company has unique risks, based on things like its business operations, geography and public profile. Often, those risks are not obvious: they may be supply chain risks, risks around sensitive transactional data that is only important for a short time, or risks around business processes or communications that are not the company’s ‘secret sauce’ but are essential to its operations. While every company is unique, three risk factors are particularly important to almost every company: companies are often at higher risk if they have not taken the time to identify their most sensitive information and processes, if their defences are overly focused on perimeter defence, and if they have not developed and exercised a breach response plan.
Calderbank: For me, the major information technology risks involve overreliance, inadequate backups and the volumes of data we are creating. Companies are focusing more and more on what they can automate through IT and how they can use the internet, but what happens if these systems fail? How are these systems and the data that they store being secured? The expansion of cloud computing and electronic storage provides potential efficiencies to clients, but this comes with risk. Where is their data? Who is controlling it? Who has access to it? If it is lost, what happens? Who is accepting responsibility for this? Recent figures suggest that 90 percent of the world’s data was generated over the last two years; this is a risk that is set to continue to grow.
Clinton: Have any major legal and regulatory issues in this space emerged over the last 12-18 months? How are these developments affecting the ways companies manage data and address cyber security?
Papadopoulos: The big, recent development is the roll-out of the NIST Cybersecurity Framework, which resulted from the President’s February 2013 Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The NIST Framework is interesting and useful for companies in a number of ways. It uses a maturity model approach, including letting a company set a target maturity profile. It allows a company to self-assess or to be assessed by an independent third party. It also incorporates compliance requirements, but it is not a compliance audit. The NIST Framework received significant business input during development and has the support of many C-suite executives from across industries. It has also been adopted by several states. We have already seen companies using the NIST Framework to manage their cyber security risk, and it could evolve into a standard of care for public and private companies.
Calderbank: The government has supported an industry-led organisational standard for cyber security. One of the major problems that companies have is that they are aware of the risks, but they don’t know what is actually considered good practice or not. This work should be completed by the end of March so that companies can begin to assess themselves and set a target which they wish to achieve over the coming year. In addition to this there is the continued discussion around when the law will change regarding notification of loss and data security.
Bruemmer: Based on what I am hearing, cross-border data breaches are causing new legal and regulatory challenges for companies. As cloud storage continues to become a popular resource for companies, online data is being stored in various states in the US as well as other countries. This creates increased risks and vulnerabilities for companies as they now need to comply with each state and country’s laws and regulations based on where the data was created. The current landscape makes it difficult for companies to properly and legally notify their affected parties. They need help in navigating this patchwork of laws, and companies might need multiple versions of notifications to cover people in different locations. Privacy attorneys who work in foreign jurisdictions are best suited to help companies understand the global notification responsibilities after a breach.
Clinton: Many IT products and business processes such as cloud computing, BYOD (Bring Your Own Device), international supply chains and outsourcing services can dramatically cut business costs but can increase cyber vulnerability. How do you balance this risk against the cost benefit of using less secure business methods?
Calderbank: This is a very difficult question to provide a definitive answer to. All companies will have a different risk appetite and use their computers and systems for different reasons. Some companies’ systems and data are more critical than others, so it’s vital to consider what you are trying to protect and the implications of that protection failing. Once the consequences have been assessed, the value of any spend can be considered in the decision-making process. The security for one company won’t work for another and vice versa, so the balance is different for all.
Bruemmer: There is no way to avoid cyber vulnerability with the technological ways business is conducted today. Even the most modest organisation is storing data and that data needs to be protected. Simply, to balance the risk a company must be diligent about its security practices whether it involves its use of the cloud, business associates who have access to data, or employees. While there are costs associated with enhancement and maintenance of a strong security posture, it is worth the investment as the impact of a breach can be far more costly, especially if a company is unprepared to manage the breach response properly.
Papadopoulos: Companies have to go through a methodical process of evaluating risk, evaluating benefits, and weighing them against each other to determine what risks to accept and where to invest risk management resources for optimal effect. This process must be led by a senior management officer. At the same time, it is also important to remember that certain business processes, such as cloud computing and outsourcing, can be higher risk but do not necessarily have to be – for example, cloud computing and outsourcing can be useful ways for small and medium businesses in particular to benefit from economies of scale before they can build their own cyber security team and secure their own infrastructure. The devil is in the details, so companies must take a close look at each decision in context to determine what is best for that company.
Clinton: Even if you do all you should to protect your internal corporate cyber systems, you may still be vulnerable due to the interconnections your network has with others. What advice do you have about how to manage cyber risk brought on by interconnection with partners, vendors or customers?
Bruemmer: Outsourcing can create vulnerabilities for companies. In fact, the Ponemon Institute report ‘Securing Outsourced Customer Data’ found that 65 percent of companies which outsourced work to a vendor have had a data breach involving consumer data and 64 percent say it has happened more than once. As a best practice, companies should look to hold any third parties or business associates to the same level of security they leverage internally. When outsourcing consumer data to vendors, guidelines companies should follow to safeguard the information include: ensuring the vendor has appropriate security and controls procedures in place to monitor potential threats; auditing the vendor’s security and privacy practices and ensuring that a contract with them outlines that the vendor is legally obligated to fix data problems should a breach occur, including notifying consumers; and requiring background checks for vendor employees who have access to confidential information.
Papadopoulos: The good news is that several of the mechanisms to manage third party risk are free, for example, inserting contract language that requires third parties to notify you if your information is breached, or reviewing a vendor’s security plan. Companies should decide on their minimum requirements and implement them in every vendor contract they have. The second thing about vendor risk management is that it reinforces that we need to move beyond perimeter defence to protecting information on the network. Even if you have a strong perimeter, an attacker could get in through the supply chain; but, once they do, the same policies and technologies that protect the network from a remote attacker will protect the network from a supply chain attacker.
Calderbank: The first thing is that the risk is recognised. For too long IT departments have advised the board that IT security is not an issue, probably because it’s felt that acknowledging that the security is not 100 percent secure could be seen as a failing on their behalf. However, recognising vulnerabilities and tackling them is what is needed. Knowing your partners and customers is the first step. Do you ask what security they have in place? One of the biggest risks that companies face around security is the interaction with those outside the company. One thing I’m beginning to see is contracts insisting that cyber policies and cyber insurance are in place in the same way as public liability and professional indemnity. Potentially, insurance can give some comfort that if something does go wrong at least the impact can be reduced.
Clinton: Employees are a company’s biggest asset and its greatest vulnerability. What processes should companies adopt to reduce the threat of staff members compromising the company’s data, either intentionally or unintentionally?
Papadopoulos: Even with the best training and most well-intentioned employees, mistakes or even malicious acts will happen. People will click the wrong link, leave a password set to default, or send sensitive information outside the network. So, screening, training and awareness only reduce your risk so far. While these steps are all valuable, the starting point for a more complete solution has to be a ‘fault tolerant’ cyber security strategy that lets an employee make a mistake or even attempt an intentional cyber attack without creating a damaging incident. Key parts of the solution are identity and access management to control who can access what, insider threat solutions to detect anomalous behaviour – whether intentional or not – network and endpoint protection to protect against malware, and data loss prevention to keep information within the network.
Calderbank: The first thing would be to know your employees when hiring. What are their backgrounds, socially, in work and financially? Are they at risk of being ‘turned’ by a brown envelope of cash for some data? Are they likely to have one too many drinks and leave the company laptop on the train home? All very difficult to evaluate, so you also need to protect the company once employees are in place. Once in the company, only give employees access to the data that they need to do their job. Use software which tracks who enters which systems. If someone tries to gain entry to a system they don’t need to, then it should be flagged up and challenged. Employees are most likely to attempt to jeopardise a company when they leave, either through redundancy or choice. If it’s redundancy, be aware that some will want a passing swipe at the company – what better way than to wipe its data? If the employee is leaving through choice, they will probably have taken all the data that they want before they resign, so monitor what employees are downloading and copying, where possible. Once someone has resigned or is going to be made redundant, stop their access to any sensitive data immediately.
Bruemmer: Employees can often be the source of a security incident. According to a 2013 Ponemon ‘Cost of a Data Breach Report’, two-thirds of all data breaches are the result of human error. This includes mishandling sensitive information, failing to protect devices that contain or can access sensitive information and neglecting to follow a company’s cyber security plan. Companies can reduce the threat of employees leaving data vulnerable by implementing formal data protection and security programs to detect cyber security risks; conducting risk assessments and frequent monitoring to identify data breach risks; establishing security objectives and setting actionable metrics to measure that your company is meeting security goals; ensuring that employees’ mobile devices are properly protected with anti-virus and anti-malware protections and encryption technologies; and educating workers through training and awareness programs on the importance of following proper security procedures.
Clinton: No matter what precautions are taken, no company is immune to cyber risk. How should firms respond if they fall victim to cyber-crime? What steps should be taken in the immediate period following such an occurrence?
Calderbank: Before an event happens there should be a written procedure which outlines what to do, and this should be tested. Speed is essential. Nobody is 100 percent secure, and ideally there should be an insurance policy in place. If you have a policy then you should make sure that it also provides a ‘service’ as well as indemnity. If so, a call to the insurer should start the process rolling of getting forensic investigations completed, securing the rest of the data, and creating a PR message to go out to clients. If you don’t have insurance, speak to specialists, but don’t expect them to be cheap. I’d suggest that this isn’t something to be trying to solve in-house.
Bruemmer: It is important to act quickly and efficiently following a data breach. One of the first things to remember is to collect, document and record as much information as possible about the data breach, including conversations with law enforcement and legal counsel. A complimentary response guide is available to help companies within the first 24 hours of experiencing a breach. The recommendations include alerting and activating everyone on the response team, including external resources, to begin executing your preparedness plan; securing the premises around the area where the data breach occurred to help preserve evidence; stopping additional data loss by taking affected machines offline but not turning them off or starting to probe into them until a forensics team arrives; interviewing those involved in discovering the breach; reviewing protocols regarding disseminating information about the breach to stakeholders; and bringing in a forensics firm to begin an in-depth investigation.
Papadopoulos: The answer to this question has to be in place before an incident happens. Trying to figure out, after a breach, what sensitive information you had that may have been compromised or whom you need to contact is not a good place to be. The most important steps you will have to take after a breach are to figure out what happened. What data may have been compromised, and ideally how? Decide who you have to contact, who else you may want to contact, and what you want to communicate to investors, regulators, law enforcement, customers, employees and other third parties. Also make sure the damage is not ongoing.
Clinton: What strategies have you found to be the most effective to get senior executives, or board members, more interested in funding enhanced cyber security?
Bruemmer: Reputation is one of an organisation’s most important and valuable assets. The reputational damage caused by a breach is difficult for the C-suite or board members to ignore. In fact, a Ponemon Institute study titled ‘Reputation Impact of a Data Breach’ revealed the average value of brand and reputation for the study’s participating organisations was approximately $1.5bn. Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184m to more than $330m. It is certainly becoming an easier case for risk managers to demonstrate the need for a company to prepare for a data breach in the same way they would a natural disaster or other major business risk.
Papadopoulos: External events, especially successful attacks against well-known companies, seem to have the most impact in galvanising action. That said, there are a few things CISOs and others can do. One is to find ways that cyber solutions can enhance efficiency, rather than being purely an added cost. An example is identity and access management, which improves security but also might help an organisation manage its information management, onboarding and other HR processes more efficiently. The most important thing one can do to support enhanced cyber security, though, is to follow a methodical risk management approach rather than jumping right to a solution. Instead, start by understanding the threat and the risks to the company, then agree what risk is acceptable and what risk needs to be mitigated, and finally decide on a strategy and solutions to achieve that risk mitigation.
Calderbank: Nobody wants to spend money on something that they can’t see, and so this can be a difficult sell. However, two questions tend to get people thinking. If your systems are down due to a security incident, how much profit will you lose a day? If your systems are down, how easy is it for your customers to move to a competitor of yours? You can’t look at the question of security by assessing just the cost today. You also have to consider the impact of not spending. Ask yourself, if I had a choice of one supplier that has had an issue and one that hasn’t, who would I go with?
Clinton: What insurance options are available to firms in connection with cyber security and data breaches? How are insurance providers adjusting or enhancing their insurance solutions to meet evolving market demands?
Papadopoulos: Many insurance companies offer cyber insurance, especially to cover costs related to personally identifiable information breaches – notifying people and providing fraud protection – and business disruption, for example if a website goes down and business transactions cannot happen. Often, those policies come with many exemptions or caps, so buyers need to review policies carefully. The area that insurance companies have stayed away from so far is cyber attacks involving intellectual property and industrial espionage, primarily because the damages and likelihood of an incident are harder to identify and quantify. Insurance companies are trying to figure out how to address this need, and those efforts will probably accelerate when demand grows.
Calderbank: There are a number of options available, but what they cover varies wildly, from small extensions to PI or liability policies through to standalone policies. The superior policies now include indemnity and also a ‘service’ element which provides forensic and PR services to clients. Most clients won’t have been through a cyber-incident before, so I’d suggest that it’s vital to have the assistance of experts to help through what can be a very uncomfortable time.
Bruemmer: There has been a large increase in adoption of cyber insurance over the last year. What we see in the industry is that cyber insurance can be customised for a business’s needs, just like other types of insurance. In general, cyber insurance policies cover the replacement of lost or damaged equipment, forensic and investigative costs, along with legal expenses and crisis management. The plans also typically cover breach response costs, such as notifying the breached victims and providing them with credit monitoring. With data breaches becoming more commonplace, it’s important for businesses to consider purchasing cyber insurance as it is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage and cyber extortion. A cyber insurance policy can be one way to protect the company against future losses.
Clinton: Cyber attacks are becoming increasingly sophisticated, including attacks possibly sponsored by nation states against commercial entities. What assistance do you think government should be providing to assist commercial entities in combating sophisticated cyber attacks?
Calderbank: It’s very difficult for any one government to do anything. The international reach of the internet means that setting up a big brother state to monitor the actions of all is currently impossible due to differing laws and public rights. Apart from education on the risks and allowing business to come up with solutions, there is very little that can be done. It’s down to the individual to protect themselves accordingly. Changes in the law would focus people’s attention to consider the exposures further but it won’t actually help to protect them.
Bruemmer: I’ve noticed more communication between attorneys general and companies and it is likely that in the absence of a federal law, we’ll continue to see many attorneys general devote attention to help organisations better manage breaches. This could include expanded enforcement action, but also opportunities to share best practices in helping prevent incidents and protect consumers. For companies and organisations that suffer an incident, communicating early and often with the appropriate regulatory offices can be beneficial in the long term. Regardless of the legislative outlook, data breaches present a significant business risk and companies must take steps to prepare for how they will respond if it happens to them. Creating a security response plan and identifying the proper outside counsel, forensics experts and data breach resolution specialists ahead of an incident can help save time and money during an incident.
Papadopoulos: The government can provide assistance in a number of ways, for example to protect critical infrastructure, to share threat information, and to use post-breach forensics to identify attackers and try to hold them accountable. One area where the government could do more, especially around the nation state threat, is to advocate for international norms around cyber, for example to make certain activities off limits or to improve coordination against cyber crime. Governments should engage with the private sector to find out what norms would be most valuable and should advocate for those in the international arena.
Clinton: What are your predictions for the cyber security landscape over the next 12-18 months? Do you expect any further regulatory or legislative changes, and how will this impact the way companies manage and protect their data?
Bruemmer: In looking at what is coming ahead for the industry, signs point to a continued rise in security incidents, making it critical for companies to understand their vulnerabilities and prepare to handle a breach. Based on our experience, we anticipate that the cloud and big data will create a new layer to manage. Attorneys general are going to continue to ramp up engagement efforts with companies on data breach responses. As breach notifications become more frequent, consumers may begin to suffer from ‘data breach fatigue’. We are also likely to see a surge in cyber insurance adoption.
Papadopoulos: Widespread adoption of the NIST Framework will bring some transparency to the market and how we understand a company’s cyber security maturity. What would be truly interesting to see, from a company that is not itself a security company or a sophisticated defence company or bank, is a company that says to its customers and investors, “Choose us, because we do a better job of protecting your information and your investment in us”.
Calderbank: I expect to see the number of incidents continue to rise along with the financial implication of those incidents. The focus of attack will change to smaller companies due to the weaker security they tend to have, and these smaller companies will be used as a doorway into the larger companies that they supply. From a regulatory standpoint, I don’t see anything changing in the short term.
Larry Clinton is the CEO of ISA, a multi-sector international trade association focused exclusively on cyber security. He has authored and edited numerous articles on a wide range of corporate cyber issues including Enterprise Risk Management, information sharing, best practices for senior executives, supply chain management, combating insider threats and secure use of mobile systems.
Michael Bruemmer is a vice president in Experian’s Data Breach Resolution group. With more than 25 years in the industry, Mr Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call centre and identity protection services.
Emilian Papadopoulos is Good Harbor’s chief of staff, managing the firm’s business operations, and also serves as a director with the firm’s cyber security team. Mr Papadopoulos advises corporate executives, investment professionals and government leaders on managing cyber risk. His most recent client companies have been in financial services, the legal sector, and critical infrastructure. He has previously advised government and commercial clients in the Middle East and North America.
Simon Calderbank is a Dip CII qualified professional with over 10 years’ experience working in London and regional insurance markets. Prior to his role at HCC, he worked as senior technology and cyber underwriter at QBE. A frequent speaker at industry and client-sponsored events, Mr Calderbank’s breadth of knowledge and underwriting ability ranges from the very small to the multinational risks seen in the London Market.
© Financier Worldwide