Q&A: Improving cyber security – advice for companies
August 2014 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
FW moderates a discussion on improving cyber security between Mike Gillespie at Advent IM, Marcus Klische at BlackBerry, Elliot Lewis at Dell, Ron Raether at Faruki Ireland & Cox, Alex Krutov at Navigation Advisors, and David Prince at Schillings.
FW: How would you summarise today’s cyber crime environment? What new risks have emerged in the past 12-18 months?
Gillespie: In many ways it is hard to characterise something that constantly evolves but I would say that we still make things a bit too easy for cyber criminals. The attack surface is growing every day but the control measures to keep the threats and associated risks in check are not keeping pace with this growth. Poor security hygiene and practice and little or no training by businesses make them low hanging fruit for many casual attacks. Humans continue to be the weakness in most security incidents and the area with the least spend. The tendency to consider IT security as the primary protective measure in information or cybersecurity, is another way we have made ourselves easy prey. New technology is frequently rolled out with little or no security consideration. Consistent failures, however, are notable in this area: patching, password management, anti-malware and poor configuration and change control are always in the top 10 failures, and these are IT areas. So a combination of these factors with human error, determined criminals and hacker groups using increasingly sophisticated yet easy to use and available tools, create what looks like a perfect storm.
Klische: More and more, cyber crime is becoming a high-tech crime. There are two different groups of cyber crime attacks. One is creating an IT-mirror of a traditional crime, such as mafia, drugs and money laundering. This group tries to get its hands on as much money as possible by infecting consumers’ equipment with malicious code to steal credit card information, bank account details, digital IDs, and so on. The other group comprises government based or supported organisations. They have huge budgets, excellent infrastructure and a lot of experts. The criminal organisations do not need as much high-tech on their own – they need a couple of programmers and money to buy zero-day-attacks and unpublished exploits. In recent years, attackers have also used smartphones to conduct their attacks. The closed ecosystem, the ‘always-online’ culture and the weakness of secure open source hardware present many open doors for targeted attacks.
Lewis: As opposed to years past, cyber crime has become far more pervasive in its nature due to new exploitation opportunities. This, in part, is due to new paradigms in how software development has evolved in recent years, which now has ISVs concentrating on small, quickly produced ‘apps’ vs. large, generational ‘applications’. With accelerated development timelines, hackers have more opportunities to take advantage of hacking mobile apps, unmanaged personal devices, mobile OSes, and subsequently unprecedented access to data and the apps and environments handling that data.
Raether: The battle is invisible to most, and the basic components remain the same. The threats continue to cycle through, although constantly evolving as the bad guys seek to take advantage of the latest technology and trends. We see this in the context of ‘consumerisation of information technology’ and the ‘internet of things’. Consumerisation, the absence of the line between work and personal time, results in policies like ‘Bring Your Own Device’. As mobile devices and mobile applications explode in number and ease of access, employees present a threat to their company networks, often unwittingly. In sum, the area to defend is expanded, stretching resources and requiring users to be more responsible for security. This development permits cyber criminals to exploit these new technologies using old tactics. In some cases, these technologies can be subject to unique ‘zero day’ attacks, where no defence currently exists, at least not one in wide release. One consequence is the need to involve all employees in the solution, increasing visibility into the importance of sound cyber security.
Krutov: The cyber crime environment has been very challenging and is expected to become even more difficult in the near future. The battlefield of today doesn’t look like the battlefield of yesterday. Growing interconnectedness and reliance on ICT systems have led to an increase in vulnerabilities and in significantly more severe consequences of a potential breach. New automated hacking tools are quite sophisticated and yet allow even novice hackers to perpetrate dangerous attacks. It has become very easy to obtain these tools. The insider threat remains a critical cyber risk component with no simple solutions. Advanced Persistent Threats (APTs) are here to stay. The growth of the mobile world is increasingly attracting cyber criminals. And, as always, there are many opportunistic attacks of various kinds.
Prince: In recent months we have continued to witness numerous high level international security breaches that have impacted several industries, including financial, retail, national infrastructure and Internet Service Providers (ISPs). The cyber crime environment continues to grow in resource, skill and capability, which is demonstrated by recent high-profile and targeted cyber breaches. The number of cyber breaches that result in cyber criminals subsequently demanding money in return for stolen intellectual property and other private information is also on the increase. Organisations have long acknowledged the threat posed by cyber criminals. However, over the last 12-18 months we have seen an increase in organisations beginning to significantly invest in information security in order to better mitigate the risk of data loss within the business. Whilst we have seen a substantial growth in technological safeguards, we have also witnessed substantial investment in organisations looking to ‘secure people’, through ever inventive and creative awareness training campaigns.
FW: What trends are you seeing in terms of security breaches within specific sectors? Are there any particularly vulnerable high-target industries?
Klische: Trends in security breaches depend on the attacked target. Critical infrastructure components, the ‘internet of things’, are more or less unprotected. Nobody expected that an M2M communication would be a valuable target. However, from the political view of governments, such attacks could have a large impact for other countries. In addition, the ‘internet of things’ can be used as a bridge to get other systems infected. Criminal groups may have an interest in using the ‘internet of things’ to extract money from consumers or steal actual or cyber goods and money. In one example, the container harbour system was attacked and the attackers marked all containers with illegal content as ‘customs cleared’. Another example is the ATM attack that uses a USB stick to change the ATM software to pay out all money, without any logging data.
Lewis: One of the goals of cyber crime practitioners is to get access to financial gains via indirect obfuscated methods so that they can make money while maintaining anonymity. For instance, a ‘first tier’ hacker will steal identity and credit card information, but not to utilise that information themselves, Instead, they will sell it to ‘second tier’ exploiters of that information. What does this mean in terms of high-target industries? A shift of focus has occurred – anywhere that en masse individualised money transactions are taking place is an excellent target. We have seen financial services, retail, restaurant chains and public services take centre stage for cyber crime rather than hackers targeting enterprise intellectual property and data. The ‘app’ vs. ‘application’ movement has affected hacking. For instance, the easiest way for a hacker to get to interesting, protected data is to compromise privileged identities rather than directly hack the system. One of the quickest avenues to compromise identity is to target unsecured personal endpoint devices.
Raether: The ‘mother lode’ targets are still very much in vogue. By mother lode targets, I mean companies that house the information for several, if not hundreds, of clients or those that have high value information such as payment card data. Indeed, professional cyber criminals and sponsors of international espionage are seeking a one-stop shop for their effort, especially as they expect their method of attack to be quickly remedied by information security efforts. Of course, there will still be crimes of opportunity, such as stolen laptops and employees that abscond with data. Likewise, we will see an increase in theft of company trade secrets. In the end, all companies are potential targets emphasising the importance of cyber security for all organisations.
Krutov: There are a number of industries seen by cyber criminals as high-value targets even though they tend to be ahead of others in cybersecurity. There is a growing segmentation, with specific industries or companies being targets of particular types of cyber criminals. Companies likely to have valuable intellectual property, including defence contractors, are a natural target of organised cyber criminals backed by foreign governments and competitors. Right now they appear to be intensifying their attacks. Some government agencies are also a natural target of hackers backed or directly employed by foreign governments. Companies likely to have large volumes of financial information on their customers are a natural target of the financially motivated cyber criminals that may act individually or in small groups. In this category, retailers such as Target Corp. and even more so banks are examples of the industries being targeted.
Prince: Any business, irrespective of size or sector, will at some point be the subject of a data breach. The cyber criminal ecosystem is fast-moving and focuses on the value of information and the damage that could be caused if private information became public or otherwise misused. There are a number of motives driving the cyber criminal ecosystem, ranging from monetary return, to political and sociological hacktivism. A primary target for a cyber criminal will always be an organisation or individual who holds highly sought after information, but who doesn’t have adequate safeguards in place to protect their data. Based on experience, those in the firing line at present include utilities providers and wealth management firms.
Gillespie: It goes without saying that anyone can become a target of an attacker and sometimes breach does not come from an outright attack but from poor security culture leading to loss of data rather than outright theft. The other factor to bear in mind is that sometimes a supply chain might be the weak point. A supplier to a much larger partner may be the point of security failure either by action or omission of action. They may also represent a much easier route in, if an attacker is seeking to target a larger organisation. The Target breach is a good example. Login credentials were stolen from a third party supplier to Target – an HVAC contractor. Assurance is clearly required throughout the supply chain. Of course, not all data breaches come from malicious activity. Sometimes it is carelessness or lack of governance. An example of this might be a recent data breach involving radiology patients’ data. The patients are clearly NHS patients but the breach came from an NHS supplier, not from the NHS itself. In this case there was evidence of sloppy security practices, such as password sharing and patient data being stored on unencrypted devices.
FW: In your opinion, can expensive technical solutions guarantee cyber security protection? How can effective risk assessments and an understanding of how to counter threats reduce costs?
Lewis: In recent events we have seen that non-correlated security solutions can lead to a false sense of security, which hackers will exploit. Technology solutions need to be implemented within a well-defined framework for the business/tech model in question, thus deriving the proper intelligence from the security solutions and then allowing the company to act on that intelligence. Companies should implement a security framework to move past the ‘reactive mode’ of producing extraordinary amounts of raw, unverified, uncorrelated information. Companies cannot act upon that information with speed or without context and understanding. A successful security framework will protect from the inside out and outside in, along all lines of the perimeter, taking the feeds of security solutions and cross correlate them to produce verified, actionable intelligence. This leads to faster reaction time, cleaner solution management and proactive protection.
Raether: Expensive technical solutions can be one effective layer of an overall ‘security in depth’ approach. However, good old fashioned, and less expensive, administrative safeguards can go a long way, too. We need only look at the recent attack on Target to make the point. The reality is that there is no silver bullet for comprehensive information security and companies must seek to implement layered security solutions, or ‘security in depth’. To be sure, there are technical solutions that, properly implemented and managed, can do amazing things to safeguard information. However, in the end, they are only as good as the people implementing and managing them. This is where the importance of other layers in the security solution come into play, specifically the administrative safeguards of risk management, policies, procedures, contracting and auditing, to name a few. It seems over simplistic, but companies cannot possibly protect against emerging risks unless they are constantly assessing the risk. Likewise, unless they know what data they have in use – which changes as companies grow – and where that data is in use, how can they possibly implement safeguards for that information? The process never stops.
Krutov: The goal is not to completely eliminate cyber risk – as that is unrealistic – but to reduce it to acceptable levels. There is always a tradeoff between the cost of cybersecurity measures and the benefits of risk reduction they bring. It goes without saying that these cybersecurity measures should not be limited to technical solutions. The tradeoff sometimes extends to making decisions on whether to pursue business initiatives and projects that may be attractive but at the same time increase the overall risk levels. Risk assessment can identify threats. Understanding the threats allows enterprises to better identify potential ways to counter them. Finally, having a good analytical framework permits making the best choices of the cyber risk management measures to implement. This analysis could permit proper prioritisation and lead to more intelligent spending. Often, it enables greater risk reduction at a lower cost.
Prince: The term ‘guarantee’ is rarely afforded when managing cyber risk. All organisations, at some point, will suffer data loss, whether it stems from a sophisticated cyber attack or a bad leaver stealing private information. Technology, whilst a critical component to any cybersecurity initiative, can only be effective if it falls within a proper set of business processes and policies aimed at protecting information. Often overlooked is the fact that human weaknesses can be a greater cause of vulnerability than the IT system itself. That is why any successful security initiative must include a strong people defence. Risk management is a key cornerstone to an effective cybersecurity program, as it provides ongoing risk assessments that business leaders can use to measure, communicate and manage information risk. By presenting these findings in a way that they can be understood by the business as a whole, as opposed to just the IT team, organisations that take a risk-based approach to security will be better positioned when it comes to deciding how best to allocate budget and resource to preventing a cyber attack.
Gillespie: Nothing is going to guarantee cyber security protection and relying on a technical solution in isolation is folly. Technical solutions offer part of an overarching approach to security. No system is 100 percent secure 100 percent of the time. Understanding risk means that you have gone through a consistent and reproducible process of assessing the value of your information assets in terms of confidentiality, integrity and availability, the latter two often getting forgotten. But let’s not forget that not every cyber attack involves theft of data, some, like ransomware, affect availability and others may well corrupt or modify information affecting its integrity, including understanding the potential impact if either of these properties is compromised. Then we need to understand where the threat is coming from, who are the potential threat sources – those individuals or groups who will ultimately seek to benefit from the compromise – and what is the likely MO of those threat sources – do they typically attack C, I or A? Finally, we need to determine our risk appetite levels so we know how much or how little risk we are prepared to accept based on a clear understanding of the potential for reward.
Klische: Budgets are always helpful to counter attacks, but more important is the design and development of systems, modules and communication protocols. IT security starts with simple things. One ATM attack was made possible because the PC in the ATM was allowed to boot from the USB port – simply disabling that feature in the BIOS would prevent such an attack. One problem here is the cost for the software user. Does anybody want to pay millions for container logistics control software, for example, when the software development is more expensive than the secure architecture? And who has the authority to certify such infrastructure software as critical, protected and safe?
FW: What steps can companies take to reduce or mitigate data breaches and cyber intrusion?
Raether: Companies have placed too much emphasis on perimeter security, ignoring other elements of sound data security. Breaches occur in several steps; intrusion is just the first. Attention needs to be given to intrusion detection as well as egression controls. Proper data segmentation is also important. Thus, when an attack hits one part of the network, the vector can proceed throughout the entire network, because there are no segments, or walls, to keep the threat to one part of the network. Therefore, all data is at risk and the damage can be exceptional. By segmenting networks, similar to the way user access controls are likewise limited based on role and purpose, companies can minimise resulting harm from a breach when it comes.
Krutov: First of all, it is important to take a step back and to analyse where the real risk is. This involves proper identification of the vulnerabilities and careful analysis of the assets that need to be protected most. Priorities established this way then lead to specific decisions on the best ways to manage the risk. The shift from exclusive focus on perimeter protection to limiting any damage by a potential intruder should continue. Finally, training may be the easiest way to achieve quick improvements in preventing and mitigating data breaches and cyber intrusions. Proper risk governance and forward-looking technical approaches are essential, as part of a comprehensive cyber risk management program.
Prince: First and foremost, organisations need to realise that they will be a target and that cyber attacks can happen at any time and are never convenient. Instead of front-loading business investment on protecting the network, organisations should give serious consideration to starting their response to a breach before it actually happens. Regular health checks are a great way to regularly assess the threats facing your business and thus mitigate the risk. This type of exercise is not annual, but rather an assessment that is frequently performed to test the adequacy of your controls and your ability to respond to vulnerabilities that expose the business to cyber attack. When it comes to technology, it is important that these platforms are coupled with business processes that can alert you to identified risks in a manner that you and the business can understand and manage. Quite often, technology is implemented without the underpinning processes which can lead to inefficiencies that, quite conversely, increase the likelihood of cyber attacks and data loss events going unnoticed.
Gillespie: A sensible, layered, holistic approach is required. It is vital to provide appropriate and targeted education and awareness training for anyone who has access to organisational information assets. Use that education to drive personal responsibility. Bring all the security disciplines in ‘out of the cold’ and get them harmonised. Put information and the need to exploit and share information at the heart of the security strategy. Using a clear understanding of threat and risk to drive that strategy and influence the adoption and implementation of both technical and non-technical protective security controls. Use well established best practice and integrate standards such as Cyber Essentials and ISO27001 fully into the culture of the organisation, not simply using them as a tick-box exercise or as a veneer of credibility. A comprehensive understanding of the practical application of the Data Protection Act to ensure that information is obtained, used, retained and ultimately disposed of in a safe, secure and compliant manner. Use well thought through, properly documented and thoroughly tested Incident Response Plans which are realistic and usable and not simply designed to be created and then left on a shelf.
Klische: Awareness is key. Development requires an understanding of secure architecture and communication. Management need to support training and costs to develop secure products and solutions. Customers need to understand security needs as a mandatory requirement for productivity. Open communication also helps, as we learn from others. If a company is attacked, it is useful to share the information with other companies to prevent the same attacks on other targets. Further, many executives understand the need for security when it comes to products, development, machines and employees. However, when it comes to their personal business habits, they do not want to accept this. Many security officers understand that password restrictions and other security mechanisms, or the selection of mobile devices, are valid for anybody – except the executives themselves. They do not want long passwords or specific devices. But executives are valuable targets. Their mobile devices, laptops and user accounts guarantee access to the most valuable data of the company or government. Executives should be the model of security.
Lewis: Understand your business from a hacker’s point of view. Understand what hackers consider to be profitable targets, and how hackers will make money from your data when committing cyber intrusion. Establish an intelligence framework that will focus on protecting these primary targets and assets. The framework should focus on four facets: What are the potential targets that a hacker will want to go after? What mitigations do I have to protect those targets? How effective are these mitigations over time as my technology base evolves to grow the business? How can I reduce the probability of intrusion as close to zero as possible while allowing the business to operate and grow? Then, allow the framework to answer these questions: How does a given mitigation make the security framework more effective? Is it providing me better actionable, verified intelligence that is cross-correlating the current solutions I have in place? Is this mitigation reducing analysis time, reducing attack surface models and reducing probability of attack on my assets? Or is it just producing more raw and unverified data that can be a distraction?
FW: The average company faces thousands of security alerts daily, although the vast majority are not linked to a cyber attack. How challenging is it for IT departments to identify and respond to actual or potential threats?
Krutov: In the case of Target Corp.’s data breach, the warning signs were reportedly there, and FireEye and possibly other cybersecurity software detected the malware prior to the exfiltration of data. However, no action had been taken until the law enforcement authorities informed Target of the breach. Regardless of whether Target’s IT personnel were at fault and the state of risk governance at the company, the events as reported are a sign of how challenging it is to recognise the real signals among the many false positives. In addressing this challenge, key steps would include: knowing your biggest risks and being able to properly prioritise them; better training in the use of cybersecurity tools, and improved communication about cyber risks; monitoring the evolving threats and vulnerabilities and making sure proper cybersecurity measures are in place to address them; and making very clear how important this particular function is, along with closely monitoring performance.
Prince: To respond effectively to a legitimate security event, organisations need to understand their most critical assets in relation to value, operations, reputation and regulation. Once this inventory of critical assets has been validated by the business, the security operations team can put in place dedicated monitoring systems which will allow for easy visibility of security related events relating to business critical assets. Once this process has matured, organisations can then begin to grow the number of assets they wish to monitor. However organisations cannot protect everything in the same way, which is why it is critical they identify what actually matters to the organisation. This is a process that must be reviewed regularly to ensure complete coverage of business critical assets. Furthermore, organisations must also become better at understanding how business critical applications are being used. For example, when it comes to protecting an organisation from cyber attack, technical controls need to be reinforced by a strong people defence. That is why security awareness training and associated policies are imperative.
Gillespie: It is increasingly challenging for IT departments to manage this absolutely vital threat mitigation area. Largely because the development of a proportionate, appropriate and cost effective protective monitoring strategy is left to the IT department. Instead, protective monitoring should be granular and risk driven. In reality, what this would look like is appropriate monitoring in place depending upon the value of the information asset and the type of threat it would be under. There may be varying types of information with a variety of threats all on the same network, so placing protective monitoring in a ‘one size fits all’ position is simply not going to work. Also, the actual reporting needs to be appropriate to the threat: constant alerts about very low level threats are inappropriate and unhelpful and will become irritating and therefore easy to ignore or potentially even disable. On the other hand, real-time alerting might be entirely appropriate, depending on the risk, so it is vital that the staff resource is available to police these alerts, report what happens and action them in line with the strategy. It is also absolutely critical that the strategy drives the technical procurement so that we end up with a tool that is fit for purpose and that can be appropriately maintained. Ideally this technology should be capable of adapting and evolving to meet future strategic directions.
Klische: Knowledge about a cyber attack and the correct identification and classification of the threat is important. But most companies do not have this expertise, and no standards are available. Governments can help by classifying threats and attacks, and putting forward guidelines on the correct process to avoid further attacks.
Lewis: Many of today’s security solutions do not offer cross correlation to produce verified, actionable intelligence. Many only produce raw, uncorrelated, unverified data, leaving the company with the heavy burden of figuring out what is relevant and what is not. Even more problematic, security intelligence is not usually cross-correlated with business intelligence, thus leaving the company to interpret relevance of the security events to their business operations. This leaves the IT department with two in-house choices. First, take on that heavy burden of cross-correlation and derivation of actionable intelligence –something that very few IT departments have the time and resources for. Second, figure it out later, which leaves the company in a reactive security posture. To get to a proactive security posture today, they have two choices: either purchase an intelligence derivation engine and self-engineer all of the disparate security solutions into that engine, or outsource the monitoring and analysis to a third-party security monitoring service that can derive intelligence for them and help them operate in a proactive state.
Raether: It is extremely challenging even for the best prepared IT department. Resources are limited regardless of the company’s size. But this challenge can be reduced by creating a baseline for information management practice by completing an enterprise-wide audit of its information use, to include data mapping and classification. By properly isolating sensitive data, limited resources can be focused on those alerts and anomalies that affect those parts of the system with the most valuable data.
FW: The failure of employees to follow security procedures can expose organisations to significant and costly risks. What steps can companies take to change the organisation’s risk culture, so that employees understand the role they play in keeping system’s safe?
Prince: In many cases, those responsible for day-to-day management of information security find it difficult to articulate the need for safe information handling across the broader business. In an organisation where there are many personalities, this bottom-up approach can be difficult to adopt. Based on experience, organisations most prepared to deal with cybersecurity often have a strong people defence that stems from prior and significant business investment. To positively change the risk culture within an organisation, a creative approach to information security is the only way to effectively engage with employees. In short, a letter from the CEO every quarter reminding them of their responsibilities won’t cut it. Instead, build an understanding of the people who work in your organisation and compile a series of supporting tailored documents that will engage them on their level. Be creative and steer clear of the fear factor relating to a cyber attack or data loss and don’t focus on the doom and gloom of information security.
Gillespie: Employees can and do offer a significant amount of risk to any organisation. It is difficult to accept that your colleagues may pose a security threat but we are not talking insider theft of information here, which is a common misconception. What we are saying is that occasionally there may well be a determined thief, who could be a disaffected member of staff, with an agenda, but actually most security breaches come from poor or no security awareness and simple human error. This is, however, the biggest threat that most organisations face and often the least well recognised and mitigated one. Whether it is an employee losing a mobile device which has data stored on it, or whether an employee clicks on a link in a phishing email, it is still the employee that has enabled the breach, not the technology. We cannot firewall people though, sadly.
Klische: Humans always see security as a roadblock. Unlocking doors, using complex passwords, locking a screen, and so on. Every security process seems to have another security process behind it. Product developers need to minimise the impact of security on the user. If usability is hampered by security, the employee will not support it, and may even bypass security policies. The consumerisation of the IT environment is another challenge for administrators. The more an employee uses her business equipment for personal use, the greater the risk to the company.
Lewis: It is not enough for mitigations to solve a problem for users. The mitigations need to educate the users as they operate in their daily lives. Case in point: if a user goes to a website that they think is ‘OK’, and the mitigation simply blocks that website and doesn’t tell the user why, the user will just find another way to get to the website. Now, if the mitigation actively educated the user on why they should not go there, the user will normally try to do the right thing and not go there anymore. Mitigation without education causes users to repeat ‘bad’ behaviour without understanding they are acting ‘badly’. Active education is one of the best ways to reinforce good behaviour. This should be a primary feature set of any security solution sets being deployed.
Raether: As with any enterprise-wide initiative or cultural effort, a priority for the importance of information security must begin at the top. If a company leadership, and I am talking at the C‑suite level, does not make information security a priority and demand accountability for employees and business units, employees will likely never buy in. Secondly, administrative safeguards must serve to fulfil leadership’s vision, to include clear policies and procedures that explain to employees their information security responsibilities. If a leader’s vision is not reduced to writing, how can she expect others to implement that vision? Next, an effective training and awareness program must bring these policies and procedures to life. Training and awareness programs are so often overlooked, leaving policies and procedures to collect dust. Beyond initial or annual training, a year-round awareness program helps to keep not only the existing policy requirements on the employee’s dashboard, but helps to provide updates on new and emerging threats. Lastly, if possible, information security metrics should be part of management and employee performance evaluations. Gamification of training and security compliance – creating a point system and rewards for supporting sound security – and discipline for failure to achieve metrics, can go a long way to changing company culture as to information security. Information security is everyone’s job. Thus, there is no reason not to include it as part of an employee’s daily performance.
Krutov: The first part of the solution is establishing, from top to bottom throughout the organisation, clear cyber risk governance policies and controls. The attention of the top management and even the board is essential here. The second part is training, which should be continuous, and making sure that the policies are followed and the controls are effective. It is important to follow up on the security procedure violations that a large company may have many times every day. These essential organisational measures should also have a clear focus on protecting the most valuable data and other assets.
FW: How do most companies evaluate their cyber risk exposure? How do they make decisions on what cyber security measures to implement and whether to buy cyber insurance coverage? What can be done better?
Lewis: Unfortunately, most companies evaluate their risk exposure in a ‘snapshot in time’ method rather than a ‘live picture’ basis. Then, based on that ‘snapshot in time’, they make financial and resource decisions on what cyber security measures to deploy as well as what insurance coverages to obtain. The problem with the ‘snapshot’ method is that businesses are not static in their operations – businesses grow and expand over time. Businesses evolve to meet the market demand and to meet the competition in those markets. As businesses evolve, hackers will actively try to find ways to exploit that evolution. There are static areas of the IT operations as well as elastic operations. Elastic operations are a primary reason why companies are looking to go to the cloud. Companies would be better off adopting a modified methodology – use the ‘snapshot’ as a baseline – and then evaluate mitigation efficacy and daily operations in a ‘live picture’ mode. This will allow companies to understand how effective their mitigation and resource investments are being live and over time, as well as provide realistic frameworks for insurance coverage investments where needed.
Raether: Many companies rely heavily on their internal IT resources, some of which may not have formal security training or certifications and are already burdened with the ongoing basic operations for IT, such as user management, network and data administration and user support. This is not to suggest these resources do not perform an admirable job, but companies do need to consider hiring information security professionals who are not responsible for daily IT operations. It is also important to balance the business needs with sound data security controls. It is easy for business leaders to defer security controls and related costs with the hope that any breach will not occur on their watch. Such decisions need to be balanced with the long term interests of the company. Without these controls, conflicts of interest abound. Cyber insurance should be considered as a way to mitigate the harms from a data breach, but not a substitute for a sound cybersecurity program.
Krutov: Risk evaluation is one of the weakest points. Some companies are spending resources addressing minor deficiencies while the big risks remain unnoticed. In many cases, it is possible to form a probabilistic picture of risk that accounts for potential consequences of cyber breaches and other incidents. Such an analysis allows the risk to be expressed in quantitative terms, such as in dollars, which enables better-informed risk management choices. When done properly, risk modelling permits explicit analysis of the tradeoffs between the risk reduction resulting from various cyber risk management measures and the cost of implementing them. It also lends itself to explicit and logical analysis of whether a cyber insurance policy offered is worth paying the quoted price and whether it covers financial consequences of the relevant cyber risks. As long as the danger of overreliance on such quantitative analysis is fully recognised, this approach can add significant value.
Prince: Many organisations perform information security audits, usually once a year or after a significant business change, to evaluate the level of exposure to cyber threats. Independent third parties typically undertake these, helping to ensure the review is carried out in line with industry best practice, while minimising internal conflicts. After a number of weeks a report is then delivered that provides detailed information on identified vulnerabilities that risk exposing the organisation to a cyber attack. These assessments usually cover associated severity, the potential business impact, likelihood and risk mitigating recommendations. At this point, nominated individuals within the business will review the findings and then devise some guiding costs for remediation. Typically, cyber insurance is implemented to protect the organisation against cyber risk not mitigated by other safeguards. Key to this is the independent audit. However, we believe that regular health checks are just as important as an independent audit. Cyber threats are fast-moving and so in many cases it isn’t appropriate to wait for an annual audit, which can become quite cumbersome. By performing regular health checks, organisations gain much stronger visibility of cyber risks throughout the course of a year, allowing them to better prepare and ultimately placing them in a much stronger position to prevent data loss, compared to independent audits alone.
Gillespie: Not all organisations evaluate their cyber risk and in fact only 38 percent of organisations have their information security policy aligned to their organisational risk appetite, according to the EY GISS 2012. That leaves us with 62 percent of organisations that are basically making it up as they go along. This leaves you with the impression that they may be going into the purchase of a cyber insurance policy unarmed with the facts required to buy the correct cover. If they have decided that cyber security is an issue for IT, as around 63 percent of organisations from the same EY report stated, then you have completely removed security from this transaction. IT is responsible for IT security, not information security – this is a much larger and more complex landscape requiring expert risk assessment. So doing things better would look like taking security out of IT, giving it a presence in the boardroom and aligning it with your organisational risk appetite. Gaining compliance or certification to a standard like ISO27001 can be a useful tool. Choosing to go down this route is a commitment and should never be treated as a tick-box exercise. Having a flexible and fully integrated information security management system can be a boon to a business: an enabler and an opportunity for growth by allowing commercial engagement with businesses that require this standard from supply chain partners as a mark of how serious and capable they are in managing and protecting information of all descriptions.
FW: Organisations are now looking to insurers to mitigate the damage caused by cyber-crime and data breaches. How are organisations doing this? And in what ways do you see the appetite for insurance changing over the next 12-24 months?
Lewis: Many insurance carriers derive their coverage packages on worst case scenarios. It can be argued that the insurance premiums may be better spent on proactive security modelling, streamlining and integrating mitigation solutions, and ‘live picture’ intelligence controls. As these newly enhanced security solutions lead to proactive and predictive security intelligence operations, the appetite for insurance coverage that covers the former reactive security postures will lessen. Insurance coverage will remain an attractive option while the IT security solutions keep companies in reactive mode, and the appetite and need for insurance will hopefully drop as the industry shifts to proactive and predictive solutions.
Raether: Cyber insurance has been around for almost 20 years. Interest in the market has increased with high profile events and then waned as denial sets back in. Through that time mature companies have recognised the need for and purchased cyber insurance. Most companies have not, thinking they will not be the victim of an event. As an event will hit every business, often it is with regret that companies realise they should have purchased cyber insurance. Cyber insurance not only provides relief for breach related costs, but also provides access to professionals with breach response experience. Cyber insurance policies today provide a variety of levels of coverage, to include value-add services which include professional services, such as legal support, PR management, and consumer relations and management. When you consider the time and effort a data breach can take, in addition to the normal day-to-day business operations, purchasing such a policy makes good economic sense.
Krutov: The main reasons for the growing interest in and demand for cyber insurance are the increase in the overall level of cyber risk to which enterprises are exposed, the rise in the potential consequences of cyber breaches, and the growing recognition of the true level of cyber risk exposure. In this environment the demand for cyber insurance protection at reasonable prices will continue to grow rapidly. The insurance option is becoming better recognised as one of the ways to manage financial consequences of cyber risk. While never a substitute for improving system resilience and security, purchasing cyber risk insurance is an important risk management tool that should always be considered. The use of improved analytics instead of simplistic cyber risk scores should help insurance companies gain greater confidence in their pricing and help address the growing demand for cyber-risk insurance.
Prince: With the rapid growth trajectory of cyber insurance, organisations are allocating more time to reviewing their ability to transfer risk to an insurance provider. Already, cyber insurance is a multi-billion dollar business and is continuing to rise. Across Europe the adoption of cyber insurance isn’t as mature as in the US, but that is not to say that it will not take off in the coming months and years. Typically, organisations will transfer ‘residual risk’ to an insurance provider. That is, risk that is still present after safeguards have been implemented. As a result, organisations are going to require robust risk management frameworks to identify, measure and manage risk before applying risk mitigating controls. Yet whilst cyber insurance provides a level of business protection and the ability for an organisation to move forward, both financially and operationally, following a cyber attack, alone it isn’t enough to manage the fallout stemming from a breach. In the UK, for example, the Data Protection Act 1998 makes it clear that all organisations must take appropriate technical and organisational measures to protect and secure personal data, which includes having appropriate procedures in place in case of a data security incident. Therefore, when it comes to reputation, unless you as an organisation can show that you’ve taken all necessary steps to protect your systems, not only will you be breaching your legal obligations, but clearly your reputation will also be at risk.
Gillespie: Cyber insurance, business continuity and business interruption insurance is definitely a growth area. However, this does not seem to be a particularly mature market. Cyber insurance policies vary hugely and many exceptions appear, but these exceptions, as well as the language used, vary and are inconsistent across insurers, so overall it is difficult to compare, contrast and then purchase. Purchasing insurance seems to be driven by a vague understanding of the potential risks it might mitigate and not as part of a centralised risk management response mechanism. Some of the greatest damage done in a major breach or attack can be to reputation, and while this may well be covered in many policies, it seems to be a rather slippery thing to calculate or define.
Klische: There is nothing in the world that cannot be covered by insurance – the only question is the cost. Of course, it is easy for a company to cover the risk of cyber attacks with insurance, but what effect does it have? First of all, the insurance company needs to check and approve the security processes, tasks and techniques within the company to classify the risk. Cyber attackers, however, may not necessarily leave a mark on a company’s digital data. Also, insurance does not protect against attacks that go undiscovered. There is a future for insurance coverage in this area, but it is complicated to see the compelling need or value for a company.
FW: Going forward, major cyber threats are only likely to increase. Do you believe cyber risk management will continue to climb the boardroom agenda?
Raether: As a breach can have a material effect, cyber risk management will continue to climb the boardroom agenda. Indeed, many are questioning whether board members need to have a cybersecurity background or at least a technical background. While not all board members need this knowledge, there needs to be individuals with cyber security expertise with a voice in board decisions. Any business dealing with information in large quantities needs leaders with the knowledge necessary to comprehend large data systems, as well as the costs and risks associated with them. Data breaches are being dealt with at the highest levels of an organisation these days. Indeed, CEOs are losing jobs over the issue. It is in everyone’s best interest to have more technical and security expertise around the boardroom table. Further, having executives conversant in technology and information security benefits a company significantly in the fallout following a data breach. Messaging after a breach is critical, and failing to handle it well can add salt to the wound. With more media outlets serving the information security industry – many of the biggest breaches recently have been broken by information security bloggers – and reporters being more technically savvy themselves, it is critical that those talking to the media understand the area better and provide better responses to shepherd their companies through the fallout.
Krutov: Cyber risk will not go away and can be properly addressed only if there are clear cyber risk policies and procedures, adopted at the very top, and if the top management and the board are an integral part of the cyber risk management process. With few exceptions, we are very far from this point, but the movement in this direction is unmistakable. In the case of the data breach at Target Corp., two highly respected proxy advisers to institutional investors called for the ouster of board members. Preceded by the departure of the CEO of Target, this was a wake-up call to the boards and top management at many companies. Boards have the ultimate responsibility for managing cyber risk.
Prince: Cyber risk management will continue to grow because consumers care more about their privacy and data now than they ever did before. This increase in awareness, coupled with upcoming regulatory drivers and business leaders better attuned to the reputational damage that can follow a data loss, means that those at the top table are beginning to dedicate more time to addressing the issue.
Gillespie: In the boardrooms where cyber security is already on the agenda, the issue will very likely climb. However, not all boardrooms have fully embraced a relationship with security yet. What needs to happen is an increase in those organisations that have security represented at C-suite level. According to data from the Ponemon Institute, half of organisations never discuss information security at the top of their tree. This makes it is very hard for a secure culture to cascade through an organisation, as security will be constantly trying to manage upward. It seems odd given the requirements of good governance that such a key area of a business may not be discussed at this level. It would be inconceivable to most businesses to have a board meeting where HR or Finance had no voice or representation, yet security – this vital business function – is spectacularly underrepresented in our boardrooms. If there were any greater incentive for boards to get to grips with cyber risk, then we can revert to the Target example. That particular breach cost the jobs of the CIO and the CEO. It is not an area in which any board of an organisation, large or small, can afford to be complacent, or anything less than fully briefed on.
Klische: Cyber risk management should increase by nature, but will be more likely in two cases. The first is when a company has already been attacked and lost information, data or money, where the total threat is more expensive than the cost of cyber attack prevention. For instance, a bank will not invest $1bn in an anti-criminal solution when the damage it has suffered to date amounts to $250m. The second case is when a country creates a law to force companies to invest in anti-cyber crime solutions.
Lewis: Security technology has clearly evolved to be at the forefront of today’s boardroom agenda. Today, security technology is a primary driver and enabler to allow a company to compete and operate in the world of cloud, mobility and the ‘internet of things’. Without security technology, none of these new business paradigms can be considered or achieved. Security has become a primary enabler of the business – and in order for a business to grow and expand it needs a security framework to allow it to adopt the new business paradigms.
Mike Gillespie is the Managing Director of Advent IM Ltd. He is also Director of Cyber Strategy and Research for The Security Institute. Mr Gillespie is a security professional and CLAS (the CESG Listed Advisor Scheme – CESG is the technical arm of GCHQ) consultant of many years’ standing.
Marcus Klische works at BlackBerry within their Security Group in an advisory role, where he interfaces with security agencies, governmental bodies and strategic enterprise customers. His primary focus is to help them to understand the various BlackBerry security countermeasures and the true extensible nature of the solution. Mr Klische has more than 20 years of experience in the IT industry, and a broad range of IT security, product management and government solutions experience.
Elliot Lewis is the Chief Security Architect of Dell Software Group, has over 23 years of executive management, architecture and development of security networking strategies at Dell, Microsoft, Cisco Systems, Merrill Lynch and other various technology firms. Mr Lewis helps lead the strategy for pan-Dell security products, service and operational strategy and integrated architecture across all divisions of Dell.
Ron Raether is a partner at Faruki Ireland & Cox P.L.L. Mr Raether not only works as a data breach coach and defending companies in class actions and before regulators, but also advises companies in proactively developing data security practices and policies.
Alex Krutov is President of Navigation Advisors. He has significant expertise in modelling complex risks and catastrophic events with a key focus on cybersecurity breaches and other cyber-related failures, in particular in the context of pricing cyber-risk insurance. He is the author of a book on the analysis of insurance risk and its securitisation. He chairs an industry task force on cyber risk.
David Prince is a highly technical, business-focused cybersecurity expert. Specialising in information security governance, risk and compliance, Mr Prince supports clients in enhancing the confidentiality, integrity and availability of their organisational information and improving business efficiency. Highly regarded by his peers as one of the best in his field, Mr Prince is recognised for designing and implementing innovative security programs that promote awareness and mitigate the threats posed by external cyber breaches and internal data losses.
© Financier Worldwide