The Achilles Heel: What the Board must know about Cyber Risk

Cyber Risk and the boardroom | what business leaders must know!Companies of all sizes have recognised the tremendous opportunity the Internet presents for conducting business. But great reward also comes with great risk.

Cyber Risk has now emerged as a high-profile problem; so much so, it has been escalated to third position on the corporate boards risk register.

In the 21st century everyone needs to take cyber risk seriously.

Given the large volume of transactions and data available online, it is no surprise that valuable information is the target for increasingly sophisticated cyber attacks. Originating from organised crime, hacktivist groups and, increasingly, nation states, the objectives of these attackers are to make financial gain, carry out espionage, or to cause disruption.
Most companies are unaware that they have already fallen victim to an attack, as they have no means to detect them, and many major high-risk corporations are being breached on a daily basis.
Despite these deep threats and seemingly clear warnings, many companies still believe that their existing measures have this risk covered. Unfortunately, as major recent breaches of large companies and government departments show, this is not the case. Companies tend to regard Cyber Risk as an “IT problem” and miss the wider business strategy, legal and cultural implications that protection from cyber attack requires.
Modern Business Strategies Are Increasing Risk
As companies exploit the internet for competitive advantage, new risks have emerged. Strategies that make use of “Big Data,” mobile, e-Commerce, social media and digital marketing increase the opportunities for hackers to steal information. The consequences include reputation damage, regulatory fines and legal action.
The Board and the risks around cyber dataThe use of internet-based Supervisory, Control and Data Acquisition (SCADA) technology for controlling machinery, opens opportunities for hackers to take control of hardware, with potentially disastrous consequences for infrastructure such as factories, power stations, and transport networks. The well-known STUXNET worm was used to target Siemens-made nuclear centrifuges at an Iranian facility. Worryingly, this highly sophisticated code is now in public circulation and can be modified and re-used by hackers to target other infrastructure.
Widespread use of the Internet for service provision, including banking and e-commerce, exposes a company to the risk of a denial of service attack, where the website is bombarded with traffic to prevent it providing a service to customers -- with consequent loss of business and costs of disruption and clean-up.
The cost of such breaches in 2012 has been between $1.4M to $46M for 56 benchmarked companies per annum, however, some companies have lost intellectual property worth much, much more and the trend is upward.
Cyber Risk is a Corporate Issue
Companies are often ill equipped to deal with cyber risk, as it is a relatively new threat. By evolution, it has been managed by IT – with corporate leaders making the argument that it is the computer systems that are the conduit for the attack. What is rarely recognized, though, is that it is people, not technology, who can be the originators of substantial day-to-day cyber risk. Despite the widespread claims, technology alone does not have the answer to the threat of cyber attack.. IT is one of several disciplines needed to develop a cyber security strategy and programme to provide a robust defence. To illustrate this, Edward Snowden for example had posted several anti-US messages on social media sites before being hired. Human Resources departments should have a process to properly vet future employees, including contractors and, perhaps, should even own the risk of insider threat.
Regulations for loss of Personally Identifiable Information (PII) are becoming more severe, with the EU proposing mandatory breach reporting within 72 hours and fines of 5% of global turnover. Companies will, therefore, need to be able to demonstrate a high level of cyber attack awareness and readiness.
Boards on the Defence: Steps to Take
As cyber risk encroaches on all departments, prevention needs to start from the top. Boards should now consider cyber risk a major threat to their business and proactively manage it with an appropriately funded, dynamic, pan-enterprise, and multi-disciplined program. Board members need to lead by example and consider their own cyber risk profile based on their own behaviours beyond the safety net of the company network, such as with social media.
Appointing a “Chief Information Risk Officer,” who will report to the board with enterprise responsibility for Cyber Risk is a smart place to start. This business leader will need to bring a broad understanding of the business strategy and operations, and act as an agent for change. Centrally, they will need to manage a dedicated team made up of a diverse range of functions, including Risk, Human Resources, Business, Legal and Technology Security. While some of these skills will be sourced from inside the organisation, there will inevitably be a requirement for new skills and outsourced capabilities. It will be critical that they understand the steps, time and resources involved. For example, some activities are best done by an independent provider, such as analysis, review and audit. Other skills like security architecture are not required full time, while others are commodity services, such as penetration testing.
Business Strategy and Cyber Risk Evaluation
Boards need to consider their company’s cyber risk profile based on market sector, business strategy, the information assets they own, and interactions with partners, suppliers and customers. The likely source of threat combined with the objectives of attacker should be analysed using case studies within their industry. Cyber risk must be considered an important part of strategy, for example:
Marketing Strategy
Big Data – How secure is our customer data? Are we working within the privacy regulations?
Social Media – What processes and controls are in place over information that is shared publicly?
Procurement Strategy
Supply Chain - Can secure collaboration act as an enabler and protect vital information assets?
Outsourcing, e.g., to the Cloud - What level of information is safe? Is encryption mandated? Do we have the right contract that protects our interests and apportions liability?
Staying on top of identifying, understanding and risk assessing the ever-changing range of cyber adversaries and their evolving tools and techniques is no small task. This is near impossible without the rigour of threat intelligence data feeds, frameworks and methodologies, which until recently were not widely available or understood.
Effective Threat Intelligence programmes within organisations will collect and consume information about potential adversaries, process it through threat assessment frameworks, and disseminate the resulting risk-rated advisories to both tactical operational security teams, including the board, for longer-term business strategy management.
Ultimately, threat intelligence programmes can change the dynamics of cyber risk management and remediation within an organisation, transforming it from the repetitive and costly “respond, contain and clean up” to “anticipate, detect and prevent.”
Cyber Security Health Check
A health check should be carried out to test the maturity of security policies, processes, awareness, threat / network monitoring and incident response processes. A gap analysis considering the threat profile can then inform a prioritised list of actions, and a plan.
Establish Enterprise-Wide Security Programme With Board Level Sponsorship
Once a board-approved, enterprise-wide security programme is created, a security programme can be established and capabilities (in-house vs. outsourced) can be assessed. This programme may touch many aspects of the “people, process and technology” of the organisation.
All employees need to be trained to recognise and respond to cyber attacks. Regular awareness briefings will reduce incidents and save money. Staff must be trained to treat and handle the information assets appropriately – and systems and processes should be designed to help. The best-trained staff can stop 95% of malicious emails themselves.
Instilling a security culture in the organisation is vital, where the Cold War “need to know” policy should rule supreme over today’s social media “tell everyone everything” approach. Companies need to identify and segregate 1.) “secret” information that they don’t want to share, from 2.) “confidential” information that they need to share to run their business, and 3.) “public” data that can be published on the Internet.
Core business processes may need to change to improve security, particularly those that involve third parties. A change programme will need to be instigated, and may be an opportunity for process improvements and rationalisation. New processes are required to monitor cyber threat and manage cyber breaches.
Business Opportunities from Improved Security
Improved security is not only a cost / risk consideration. Showing that the company handles customer information responsibly could be a good marketing. Boasting good security hygiene frees up staff from fire fighting to focus on strategic objectives.
A strategic view on security will allow a business to adopt new working paradigms such as different geographies, business and operational models. For example, classifying information and managing it appropriately may enable M&A, offshoring lower level information processing.
Defence prime contractors have learned the hard way about protecting themselves, but now their supply chains represent considerable risk. Secure Collaboration becomes a necessity for organisations with big supply chains, and / or many partners, but can also be a key enabler. New opportunities to use demand forecasting, inventory management and asset visibility can reduce costs while collaborative design with partners can shorten the development lifecycle and improve quality.
Boards are long overdue in acting on the emerging issue of Cyber Risk. Those that are successful will jump ahead of the competition by sponsoring a proactive, enterprise-wide cyber security programme. This is now a necessity for businesses of all sizes to protect intellectual property, customer data and levels of service, and could also act as an enabler for business growth.
Alvarez & Marsal