Mitigating the risk of cyber crime - advice for companies
April 2012 | TALKINGPOINT | RISK MANAGEMENT
FW moderates an online discussion focusing on the risks associated with cyber crime between Mark Camillo at Chartis, Kelly Frey Sr. at Dickinson Wright PLLC and Grady Summers at Mandiant.
FW: How serious is the threat of cyber crime to today’s businesses? What types of cyber crime seem to be prevalent?
Camillo: The opportunity for large gains is fuelling the criminal underground, while ‘hacktivists’ looking to advance their political agendas see penetrating networks as a great way to draw attention to their cause with the added upside of humiliating their targets. The bad guys use numerous tactics to get information: hacking, stealing, paying for insider information, social engineering and malicious software – it’s an extensive list. All businesses are at risk as a typical organisation has at least one type of targeted data such as credit card numbers, bank account information, social security numbers, medical information, and so on. This information has value on the street where it can be sold on the black market, and this demand for sensitive information has created an expensive problem for businesses when factoring in the bad PR, loss of business and direct costs, such as notifying individuals affected by a breach when cyber criminals strike.
Frey: Cyber crime has become an integral operating issue for all businesses. At the most sophisticated level, we have begun to see both government-sponsored and organised crime attempts at cyber-espionage, focused on obtaining proprietary information ranging from top secret intellectual property to a company’s strategic direction information that can be used for economic market manipulation. The same level of attacks have also been used to obtain less strategic digital information assets, but assets that could be used to embarrass or otherwise interfere with normal operations – for example, email system attacks that result in extortion threats. However, cyber crime is not always sophisticated, nor is it always focused on large companies or strategically critical information. In the US a number of relatively unsophisticated attacks have been directed at retail merchants’ point of sale (POS) systems – with cybercriminals actually replacing physical card-swipe devices in order to skim credit and debit card information from consumers.
Summers: To say that cyber crime is an epidemic would not be accurate, because this would imply that smart organisations could avoid being compromised through good information security hygiene or responsible investment. The scope of compromise we see daily would surprise most observers, and the amount of data stolen on a daily basis is truly alarming. Victim companies, in some cases, have lost all intellectual property related to the design of certain high-tech components and others have had tens of millions of dollars stolen from their accounts in a matter of days. The public won’t read the details of these cases because disclosure is not required, but it is a serious problem. We see intellectual property theft most commonly now, even exceeding the rate of financially motivated theft.
FW: Can you outline any recent, high profile events that demonstrate the risks in this area?
Frey: Recent attacks by the hacktivist groups Anonymous and Lulzsec against government and corporate sites have received widespread attention. However, these attacks seem to be motivated as much by national pride and displays of technological expertise as any profit or malfeasance motive. The FBI is currently anticipating countermeasures focused on terrorists, organised crime rings, and state-sponsored cyber-espionage. The recent use of the Stuxnet worm attack on Iran’s nuclear capabilities illustrates the offensive nature of such attacks – as well as the unintended consequence of such focused attacks spreading beyond their intended targets to industrial and country-wide infrastructure machinery. On a more rudimentary level, an Eastern European cyber-criminal was recently able to gain access to personally identifiable information and consumer financial transactions originating in the US when a software company that services several hospitality companies simply forgot to change the default password in the software the company used to diagnose and patch their systems. The result was that the hacker needed to obtain only one password in order to access all of the merchants using the software maintenance services of the company.
Summers: One event that comes to mind was a recent case of economic espionage that we investigated. The company was relatively small – which is becoming increasingly common as these attackers move downmarket – and they made a unique electric component that goes into a type of green energy product. The attackers had maintained a close to year-long presence in that company and had literally stolen every engineering diagram, every piece of test data, even the marketing materials for this product. Years of investment in proprietary research was negated, and a foreign competitor now has all the information they need to create the same product. This case is especially interesting because this is not the type of company we historically saw as targets for intellectual property theft. They were a relatively small company and they only make a component of a larger, very hot technology. Not coincidentally, the company that makes the other component for that technology was similarly compromised two weeks later.
Camillo: High profile events such as Sony, RSA and Citibank make the national news, but smaller breaches across a wide range of industries occur daily with severe financial implications. Lawsuits arising from a breach are costly to defend, even if groundless, and class action suits are on the rise. Within days of the Sony breach, class action suits were filed and there are now over 50 class actions on that breach alone. In addition to lawsuits, businesses face the potential for actions brought by federal and state regulators, including the Federal Trade Commission and state attorneys general. Defence expenses and legal liability are difficult to predict, but the costs to deal with a breach can add up quickly and include computer forensic investigations, legal consultation, public relation expenses, notification costs, credit monitoring services, call centre services and victim reimbursement insurance. The sum of these costs can impose a significant financial burden on even a well capitalised company.
FW: In your opinion, are companies and their boards paying enough attention to the threat of cyber crime and the importance of data security?
Summers: Many company directors are starting to pay attention to these issues, and the level of interest they have and the questions they are asking are fantastic. It can be popular for cyber security professionals to complain “we need more high-level support to effect change.” This can grow tiresome. Dozens of directors I’ve talked with are completely willing to support more focus on cyber security, but they’re not always getting the full picture from management. It’s unfortunate, but understandable—cyber risk has traditionally not required disclosure like other forms of risk; and as such is not always raised as a top item by management. Since many board members are not conversant in information security, they don’t necessarily know how to ask the right questions. Thus, there is a chasm that exists. We have to start closing it before companies have an adequate understanding of cyber risk. The good news is that this is starting to change.
Camillo: Cyber security risk is starting to shift from an IT issue to a boardroom priority. The SEC recently issued disclosure guidance on cybersecurity risks outlining example risk factors the board should report publicly. These included a summary of the company’s operations which may result in material cyber-security risks, and the potential costs and consequences including damages from cyber incidents that may remain undetected. The guidance also recommended reporting a description of the company’s outsourcing functions and associated material cyber-security risks, and how the company addresses those risks, along with a description of relevant insurance coverage. Despite the SEC guidance, 58 percent of respondents in a recent Carnegie Mellon survey said their boards are not reviewing their companies' insurance coverage for cyber-related risks. This shows there is still a long way to go, and boards need to be more involved in protecting their organisation’s balance sheet from cyber incidents.
Frey: Data security and privacy has become a top priority in the US. Recent initiatives to transition healthcare records to digital format have resulted in a number of legislative mandates that have set a minimal level of care required of digital healthcare systems. The financial services industry has also initiated a series of corrective measures to assure the integrity of systems they use for processing transactions. The current gap, however, appears to be in the more mundane aspects of corporate IT – for example, email. Reliance by corporate America upon routine email access has created a point of attack not only for gathering information, but for disruption of corporate operations by cybercriminals. Malware embedded as links within emails, downloads from sites that cannot assure the safety of digital files, and the simple process of relaying jokes, YouTube videos and other ‘people-centric’ content all lend themselves to an environment where corporations can create excellent policies and procedures, implemented with the most current technology, only to be overwhelmed by the basic human trait of sharing digital content.
FW: How should companies handle the process of identifying and prioritising technology risks across their organisation?
Camillo: Companies need to make sure that their risk assessment framework is broad and appropriately identifies all technology risks. If a framework such as ISO 27799 is used, it’s also important to realise that about half of the questions are IT related, but the other half – vendor management, human resource hiring practices, decisions on what information to retain, and so on, fall outside of IT and all stakeholders must be in the room, not just IT representatives and risk managers. Additionally, it’s important to evaluate external events as the media is full of current examples of IT related vulnerabilities being exploited by cyber criminals.
Frey: Identifying threats requires not only continuous upgrades in software designed for cyber-vigilance, but also routine monitoring of both inbound and outbound traffic on corporate networks. Most threats seem to be detected on the inbound side, by systems such as virus protection software. Outbound detection is more network-unique, and requires the type of ‘exception processing’ and ‘fraud detection’ attitude adopted by financial services companies with respect to unusual activity on credit cards – that is, monitoring a network and setting a baseline of normative activity and then automatically implementing reduced service or shutdown procedures when network traffic or transactions occur outside of this norm. Prioritising responses to digital risks involves a risk/cost benefit analysis. Risks that affect operations or brand identity will almost always need to take top priority.
Summers: First, it starts at the board level. Boards need to reach across the chasm by asking the right questions, and expect that management will meet them halfway by having thoughtful processes for assessing cyber risk. To do this, boards must either add the necessary talent to the board, or consult with outside advisors that can help. No board would try to exercise oversight over audit without a director who understands audit, and they must approach cyber risk in the same way. Second, looking at management, cyber risk assessment must be a part of your enterprise risk assessment process. Given the prevalence of cyber intrusions that we talked about earlier, I’d question any enterprise risk assessment that didn’t have cyber risk as part of the discussion alongside more traditional credit, portfolio, emerging market risks, and so on.
FW: What practical steps can companies take to mitigate and combat potential cyber crime? Is it sometimes difficult for companies to even identify that a data breach has occurred?
Frey: Practical steps are perhaps the most effective and least expensive parts of protecting a company from cyber crime. For example, encryption of all portable devices is a simple process that can reduce both data leakage and ‘returns’ to a potential criminal – based upon the amount of effort required to break the encryption versus the return from such effort. NASA recently had a potential breach from failing to take such a simple step, resulting in the loss of the security codes of the International Space Station. From a corporate perspective, one of the most effective means of preventing a cyber-attack is to control/reduce access to corporate devices and the corporate network. One example would be assuring that mobile devices such as smart phones that can store corporate data or access corporate networks be embargoed from transport within regions known for cyber crimes. Similarly, automatically disabling Bluetooth capability on mobile devices in such regions can practically reduce the incidence of attacks.
Summers: It is often difficult to detect that a breach has occurred. In fact, in 94 percent of the incidents we respond to, the company discovered it through notification by a third party. It’s hard to believe, but understandable. Our industry has focused on preventive controls – which inevitably will fail – and not nearly enough on detective controls. We need to shift that. So practically speaking, here are three starting points. First, shift focus toward detective controls and incident response capability instead of solely on preventive security controls. Second, firms should find out whether they are compromised today. Third, IT organisations must go back to the basics. So many companies are spending millions on next-generation firewalls when their last-gen firewalls were never set up right. We’re buying expensive database security products, yet we have not bothered to change the passwords for the database in years. Focusing on the basics of security is cheap and effective – it’s just not sexy.
Camillo: Practical steps include identifying where sensitive data is stored and how it is used; adopting policies that formally communicate how your organisation stores, works with, transmits and destroys sensitive data; making employees an active part of the information security program; and allocating time for reviewing log files. Be in a position to discover breaches when they’re small – before they become big. Many companies, particularly retailers, do not realise there has been a breach until notified by Visa or Mastercard that a spike in fraudulent activity on credit cards has occurred. This becomes an expensive lesson for the retailer to learn with forensic costs, card reissuance and fraudulent usage on the cards often assessed.
FW: One area of cyber crime risk is connected to employees who leave on bad terms. What processes should companies adopt to reduce the threat of a disgruntled staff member compromising the company’s data?
Summers: For insider threats, a primary process to focus on is what most organisations call ‘identity and access management’. This means making sure that, when terminated, workers lose access to applications immediately. Note the term ‘workers’ rather than ‘employees’. Contract workers can be a significant risk here, since their identities are often not managed with the same rigor as employee identities. Secondly, organisations should consider data loss prevention (DLP) technology. While these tools won’t deter targeted cyber crime, they can be very effective in stopping what you might call ‘casual theft’ – when a worker decides to copy company data to a USB drive on their last day in the office, or attempts to email sensitive files to their personal mail account.
Camillo: An employee’s access to the system should be cut before they walk out the door for the last time. The organisation needs to ensure that there are processes in place to notify the appropriate individuals when someone’s access needs to be terminated and that positive confirmation when the access has been cut is delivered back to the requestor. Beyond access, make sure to get all devices and information back from the employee. Does the employee have a laptop? A Smartphone? Do they have keys, alarm codes, access to offsite facilities? Make sure to get it all back. Notify third party providers, vendors and customers where appropriate.
Frey: Digital threats require constant vigilance, not episodic remedies. Most US corporations have implemented policies of routinely monitoring digital employee access and communication throughout the course of employment. When such monitoring detects abnormal traffic, regardless of the status of the employee concerned, remedial action is required. Termination procedures should also be planned to account for digital disclosures. Corporations should assure as part of the exit process the return of all digital devices and the deletion of network pass-codes at the time of exit. Anticipated terminations might also require keystroke monitoring, not only for the evidentiary value in subsequently proving inappropriate employee actions but also in anticipating and preventing the damage such inappropriate actions could have.
FW: What type of insurance is available to cover cyber crime/data breaches?
Camillo: Network security insurance was introduced in 1999 and, over the years, has evolved to provide robust protection from the myriad costs of a data breach. It’s typically offered on a module basis so organisations can elect the right amount of coverage including security and privacy liability covering legal liability damages and defence costs as well as the defence of regulatory actions, fines and penalties (as permissible by law), and PCI-DSS assessments. Network security insurance can cover event/crisis management, providing funds to handle notification and other related costs, and also to restore the insured’s information on their network after a breach. It can also cover network interruption, which addresses the loss of revenue stemming from a security failure, and cyber extortion, which is akin to kidnap and ransom coverage; however, the hostage is a network or information. Be sure to work with an experienced insurer with the infrastructure, expertise and commitment to effectively protect your assets and reputation.
Frey: Insurance is merely a process of risk sharing, not absolute risk reduction. From an actuarial perspective most underwriters anticipate the probability of the most likely threats within an industry and the resultant economic impact from such an attack, then fashion a product where such absolute economic damage can be spread across an industry via a policy at a price point that is marketable. So, insurance serves a societal function by risk-sharing across industry participants, but insurance can also assist individual companies in assessment, during the underwriting process in order to obtain coverage and disclose gaps, and continuous monitoring by the insurance companies, alerting their insureds to the most recent attacks or requiring best practices as a pre-condition to insurability.
Summers: I am not an expert in this area, but it seems that insurance for cyber risk is really challenging – the root cause is the lack of mandatory disclosure. Without disclosure, it’s hard to calculate loss across a population, and underwriting such a policy is risky. The cyber insurance policies can be unattractive with high premiums, deductibles that mean you are only covered for major events, and coverage limits that don’t seem to address the once-in-a-decade event – which is exactly what you need to protect against. Compare this to life or auto insurance, where there are decades of actuarial data upon which to draw. While nobody likes paying for insurance, most of us would agree that it adequately addresses the risk in our lives for a fair premium, and I don’t think cyber insurance is able to get there yet, given the lack of reliable breach data.
FW: What trends do you expect to see in cyber crime over the months and years ahead? Do companies need to act now to ensure their survival in a business world that continues to rely so heavily on digital information?
Frey: Historically, we have looked for cybercriminals acting as ‘prides of lions’ – sophisticated predators acting in concert with a clearly defined and easily observable goal to capture prey sufficiently large to account for the effort expended. In the future we will need to look for ‘colonies of insects’ – persistent, almost imperceptible attacks from unexpected sources that gradually insinuate themselves into network activity and opportunistically exploit the weakest point of defence, then overwhelm their prey.
Summers: The bad news is that if you’re not acting now, you are probably already a victim and don’t know it. The good news is that it’s not too late to improve, and we’re only in the early innings of a very long game. We expect to see a few trends over the next few years: first, an increase of persistence in financial attacks. These used to be ‘smash and grab’ attacks where an intruder came in one time and took what they wanted. We’re seeing signs that attackers want to remain on networks of financial companies for months or years at a time. Second, I think we’ll see financial organizations targeted increasingly for transaction and deal data, not just payment card data or customer personal data.
Camillo: We expect to see incidents continue to evolve as criminals use multi-prong attacks to gain access to systems. The increase in ‘hacktivism’ coupled with state-sponsored activity creates a dangerous environment for businesses reliant on computer networks. To ensure that their organisations are protected, boards of directors need to evaluate what the governance role of the board is in overseeing the company’s information security program; how specifically the board is addressing the SEC Cyber Disclosure guidance; and whether there is cyber coverage in place. The last thing a company wants is to have a data breach and then potential suits alleging that the board were not paying attention to cyber issues despite relentless coverage of cyber issues in the press. Taking action now can help keep a company secure and out of the headlines.
Mark Camillo is vice president in the Professional Liability Division of Chartis. Mr Camillo joined Chartis in 2001 and has held positions of increasing management responsibility in various parts of the organisation including eBusiness Risk Solutions, Affinity Group, A&H, Professional Liability and the Fidelity team. Before Chartis, he worked in sales, marketing and product development for Dun & Bradstreet (D&B) and SITEL Corporation. Mr Camillo can be contacted on +1 (212) 458 1355 or by email: Mark.Camillo@chartisinsurance.com.
Kelly Frey Sr. is a member in the Nashville office of Dickinson Wright PLLC. His practice focuses on the areas of corporate transactions, information technology and corporate compliance. Mr Frey is one of less than 10 attorneys in private practice to have been chosen as a Fellow of the World Technology Network and is listed in Best Lawyers in America for Information Technology and Technology Law. He can be contacted on +1 (615) 620 1730 or by email: firstname.lastname@example.org.
Grady Summers is vice president of Customer Success at Mandiant. He has over a decade of experience solving complex information security problems both as a CISO and consultant to many Fortune 500 companies. Prior to joining Mandiant, he was a partner at Ernst & Young, leading the firm's information security program management practice. Mr Summers holds a master of business administration degree from Columbia University and a bachelor of science in computer systems and political science degree from Grove City College in Pennsylvania. He can be contacted on +1 (703) 683 3141 or by email: email@example.com.
© Financier Worldwide