A successful cyber-attack can impact shareholder value, tarnish the brand and reputation, expose the company to litigation, result in loss of competitive advantage, reveal regulatory or legal non-compliance, and result in steep financial consequences in billions of dollars.
Businesses across sectors and geographies are dependent on an ever-increasing array of IT systems and technologies that enable them. Added to that is the need to be interconnected with suppliers, vendors, customers and business partners. The proliferation of and dependency on technology, combined with the interconnected nature of business, has resulted in increased potential for cybersecurity risks.
In the current business scenario, cyber-attacks represent a business risk and not just an IT problem. The cyber threats are increasing in frequency, sophistication and severity; they have evolved from unsophisticated attackers looking for technical vulnerabilities “for fun” to state-sponsored attacks that are targeting specific industries, sectors, companies and individuals (e.g., executives) because of who they are, what they do, or the value of their intellectual property.
Cybersecurity threats typically evolve with unparalleled speed, complexity and impact with new, more complex cyber risks emerging every day.
Evolution of cybersecurity threats
The media often focuses on cyber-attacks relating to the theft of credit card data or the theft of personally identifiable information (PII). The executives of companies that do not process or maintain customer credit card data or PII do not fully understand the severity of cybersecurity threats to their intellectual property and proprietary information.
Intellectual property includes – product designs, source code, pending patents, formulations, manufacturing process instructions and procedures, research and development results and analysis, exploration data, scientific papers.
Proprietary information includes – customer lists, pricing, cost and sales information, pre-released financial results, merger and acquisition information, third-party contracts, strategy and product roadmaps, bid plans.
Cyber-attacks – Everyone is Vulnerable
Given the mission critical nature of data in nearly every aspect of modern enterprise — and the astonishing growth in the cyber criminals who seek to undermine it — organizations across all sectors are facing not just an escalating risk, but the near-certainty that they will suffer an information security breach.
Journey of cybersecurity maturity – Activate, Adapt, Anticipate
EY’s 17th Global Information Security Survey results are concerning. Companies lack the agility, budget and skills to mitigate known vulnerabilities and successfully prepare for and address cybersecurity. Around 42% do not have a Security Operations Center (SOC) and 25% do not have vulnerability identification capability.
Every organization needs a robust foundation of cybersecurity. Organizations will only develop a risk strategy of the future if they understand how to anticipate cybercrime. They must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries.
Foundational activities – Organizations to “Activate”:
- Security assessment and roadmap – Conduct a current state maturity assessment, target state definition, gap analysis and design of implementation roadmap.
- Review and update security policies, procedures and supporting standards – Implement an information security management system.
- SOC – Develop monitoring of known cases and incident response procedures. It is imperative to know how the SOC stays up to date with the latest threats and how long the SOC would take to initiate an investigation on a discovered or alerted incident.
- Design and implement cybersecurity controls – Assess the effectiveness of data loss prevention processes and Identity Access Management. Harden the security of IT assets, such as servers and firewalls, network components and databases.
- Test business continuity plans and incident response procedures – Instigate regular penetration testing of the network perimeter, ingress points and software applications; and identify exploitable weaknesses.
Dynamic approach – Organizations to “Adapt”:
- Improve SOC – SOCs are overly focused on technology. Although the features of technology are important (what can be measured and monitored), the starting point should be the business (what needs to be measured and monitored).
- Develop security incident management – Develop a security incident management framework focusing on processes related to identifying and reacting to incidents and forming incident response teams, including leadership.
- Establish accountability – Embed the desired behaviours into employee contracts (as well as those of contractors) – especially for those with access to critical information – and include them in their performance evaluations. Breaches of information security protocols (even if there were no significant consequences) should be taken seriously.
- Build a community – Build a community and assess the impact of a cyber-attack on business partners, suppliers and vendors. This can help reveal the leading practices.
Proactive approach – Organizations to “Anticipate”:
- Take a cyber economic approach – Understand the organization’s most vital cyber assets and their value to cyber criminals, then re-evaluate plans to invest in security. Threats are now rising in the application landscape. Traditionally organizations protected the network and the exposed systems. Organizations now need to protect all systems – at application level – throughout the whole network, including the content used in the application.
- Design and implement a cybersecurity countermeasure framework – Establish a strong governance program to continuously drive and sustain improvements.
- Use forensic data analytics and cyber threat intelligence – Use the latest technical tools to analyse where the likely threats are coming from and when, increasing your ability to combat them. Based on cyber threat intelligence, identify potential hacks and take measures before any damage is done.
- Conduct cyber incident exercises – Once a breach is detected, having thorough knowledge of your critical assets and associated ramifications will allow the organization to set in motion the appropriate handling mechanisms. At least once a year, the organization should rehearse its crisis response mechanisms through complex cyber-attack scenarios.
Areas of focus for cybersecurity
Process – Asset management, awareness, business continuity management, data protection, privacy, software security, third party management
Technology – Architecture, host security, identity and access management, incident management, network security, security monitoring, threat and vulnerability management
What are some of the leading practices?
- Progress from protecting the security perimeter to protecting their data with the understanding that some attackers will inevitably penetrate perimeter defences.
- Create dynamic capabilities to manage information security so that they can react quickly in a rapidly evolving environment.
- Actively involve senior business leaders across functions in making security trade-offs.
- Create information security strategies and processes based on a much higher degree of transparency into critical assets, attackers, security capabilities, business risks and options for defense.
Aligning security strategy to business performance
The key to being at the forefront of cyber security is to understand that the solution to the problem is 80% non-technical and can be managed with good governance. The cyber security efforts need to be championed by executives at the highest level of the organization. It is imperative to identify IT security risks in conjunction with the business objectives in terms of new markets, products etc. Companies need to take inventory of their intellectual property and understand what to protect the most. They need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions.
Identify the real risks
- Develop a security strategy focused on business drivers and protecting high value data.
- Define the organization’s overall risk appetite and how information risk fits.
- Identify the most important information and applications, where they reside and who has or needs access.
- Assess the threat landscape and develop predictive models highlighting your real exposures.
Protect what matters most
- Assume breaches will occur – improve processes that plan, protect, detect and respond.
- Balance fundamentals with emerging threat management.
- Establish and rationalize access control models for applications and information.
Optimize for business performance
- Make security everyone’s responsibility.
- Align all aspects of security (information, privacy, physical and business continuity) with the business.
- Spend wisely in controls and technology – invest more in people and processes.
- Consider selectively outsourcing operational security program areas.
Sustain an enterprise program
- Get governance right – make security a board level priority.
- Allow good security to drive compliance, and vice versa.
- Measure leading indicators to catch problems while they are still small.
- Accept manageable risks that improve performance.