When business leaders think about cybersecurity, the most common question they ask themselves is, “Are we prepared to prevent an attack?” Unfortunately, this kind of thinking plays directly into the hands of the attackers. Viewing total prevention as the goal and benchmark for success can lead to an erosion of standards and a potentially false sense of security.
Consider the Carbanak cyber bank heist that began in 2013. It took well over a year for roughly 100 financial institutions to learn, from a third party, that they were victims of a cybercrime estimated at up to $1 billion. During that time, many of the affected companies may have believed they had delivered on the "prevent cyber attack" metric. In reality, it was only a matter of time (a fair amount of it in this case) before they discovered they had been breached, and by then the money was already gone.
Organizations need to approach cybersecurity with the assumption that they will be attacked at some point. Attacks are on the rise and organizations of all types and sizes are at risk. “Are we prepared to prevent an attack” is no longer the right question to ask. Instead, organizations must play offense, asking a far more complicated set of questions: Will we know it when it happens? How quickly can we identify a breach? Do we have the right protocols in place to compel immediate action?
Cybersecurity is not a passive undertaking. It cannot be achieved with a single tool or technology resource. It requires diligent planning and constant vigilance. Organizations that are best positioned to protect themselves will play both offense and defense—beginning with a thorough assessment of the risks they face.
No One is Safe: Cybersecurity is an Urgent Priority for All Organizations
A 2015 Duke University/CFO Magazine Global Business Outlook Survey of CFOs found that more than 80 percent of U.S. companies have been successfully hacked. It is worth noting that these are the companies that are aware an attack has occurred; the actual numbers could be higher.
Cyber attacks are industry agnostic. While cybersecurity is often associated with large defense companies, financial services firms, healthcare providers and retailers, companies in other sectors are in the particularly vulnerable position of believing they are not at risk or the risk is not significant.
Public companies in heavily regulated industries (think financial services or biopharma) may be more attuned to the realities of cybersecurity risk, and regulatory requirements keep the issue front and center. This is not the case for other industries in the supply chain, which may very well hold data the criminals want. IndustryWeek, a manufacturing industry trade publication, warns that the manufacturing industry may not be taking the threat seriously enough. Meanwhile, high-profile attacks on power grids internationally have underscored the vulnerability of power and utilities companies in the United States.
Smaller companies may be at even greater risk than larger ones. The risk of cybercrime is often thought to be directly correlated to the size of the organization: the bigger the company, the bigger the risk, or so the myth goes. While it is true that large organizations have been the victims of the highest-profile attacks, hacktivists and criminal hackers increasingly view smaller businesses as prime targets because they are seen as easier prey than larger, more heavily resourced organizations.
In reality, the same Duke University/CFO Magazine survey found that 85 percent of smaller companies (those with fewer than 1,000 employees) reported having been hacked. Smaller companies also report being only half as likely as larger companies to implement common controls such as self-hacking (testing their own defenses), hiring information security talent, or investing in data security training.
The bottom line is that smaller companies hold special appeal because they are often suppliers to larger companies with access to sensitive information but without the controls their more heavily resourced customers might have in place.
Four Common and Controllable Factors That Increase Cyber Risk
There is little dispute that the situation is a critical one. It does, however, compel a close look at some of the common mistakes even the most sophisticated of companies are making.
- Playing defense is the norm: How are companies informed about what is happening within their virtual walls? The majority learn about breaches from law enforcement agencies or customers. Others learn from third-party sources that exist to publicize breaches. None of this is soon enough. For example, The Home Depot discovered the exposure of 56 million payment cards the same day an independent cybersecurity journalist reported it on his blog, even though the initial intrusion had occurred months earlier.
- The “set it and forget it” mentality is alive and well. There is a sense that cybersecurity comes with a sizable investment in software, hardware and infrastructure. It makes it easy for leaders to simply “check the box” and turn their attention to other parts of the business. However, these out-of-the-box solutions may not consider the unique needs and vulnerabilities that are associated with industry, region, regulatory environment or the specific context an organization is operating in. For example, companies often purchase advanced firewalls and intrusion detection software but fail to properly train their staff to analyze the logs or to put policies in place to require ongoing monitoring.
- Ineffective and missing security controls are an all-too-common problem. For instance, the lack of sophisticated malware monitoring tools and processes enabled the Carbanak gang mentioned earlier to evade detection over a long period of time.
- Too many organizations ignore the warning signs: Many organizations don't pay attention to important indicators of compromise. For example, anti-virus software will occasionally find and remove a piece of malware. In that case the software has done its job, but the company should still be asking how the malware got there in the first place and whether anything else came with it. Likely the most high-profile, and certainly the most costly, example of ignoring the signs is found in reports that retail giant Target's own security tools had flagged the massive late-2013 intrusion into its systems, but the alerts were not acted on. It was only after federal investigators alerted the company to the attack that action was taken.
Rethinking Cyber Risk: Cyber Attacks Are a Business Risk (Not an IT Risk)
Cybersecurity was once thought of as an IT risk. It was a problem to be budgeted for and addressed at a functional level, and budgets were allocated accordingly. Today the stakes are higher than ever, with the cost of cyber attacks at an all-time high according to the 2015 Cost of Data Breach Study: United States by the Ponemon Institute and IBM. In 2015, the average cost of a breached record was $217, an 8 percent increase over 2014, and the average total cost of a breach to an organization was $6.5 million.
Cyber attacks are associated with losses in terms of customers, profits, brand equity and stock price. Consequently, cybersecurity should be seen as a business risk that is prioritized at the C-level and board-level.1 The National Association of Corporate Directors appeared to take a similar point of view when it released its watershed 2014 publication on cyber-risk oversight.2
Should there be any lingering doubt that cybersecurity is now a business risk and board-level concern, one need only consider that it is the C-suite (and occasionally boardroom) seats that have been at risk during the breaches at Target, the USDA and Sony.
Eyes Wide Open: Assessing and Managing Risk to Play Both Offense and Defense
A reported 84 percent of midmarket companies plan to increase data and security spending, according to an American Express survey of mid-sized companies in the United States.3 Given the alarming risk data, this is not a surprise. It is imperative, however, that companies spend wisely.
The "set it and forget it" mentality is no longer adequate. A thorough and objective analysis allows companies to understand their unique areas of vulnerability. From there, an organization can develop an action plan within a realistic timeframe and budget. Like all sound business decisions, it is a matter of calculated risk and prioritization.
- Understand the business context: Industry-specific risks, the regulatory environment, governance protocols, internal resources, and where an organization fits within a supply chain and management hierarchy are just a few of the factors organizations need to consider when assessing risk.
- Catalog and classify information assets: The types of information an organization handles (e.g., customer and business partner data, intellectual property such as design details and business plans), where the information resides (cloud services, onsite, offsite, with contractors, etc.), and who controls the information must be documented in order to assess risk and areas of vulnerability. An additional step is to classify information based on its use, location and sensitivity.
- Identify risk factors, evaluate and analyze risk: Once this intelligence is gathered, cataloged and classified, risk factors must be identified through careful analysis and interviews with individuals ranging from asset and process owners to information and technology executives. From there, cybersecurity experts can determine the likelihood and impact of each risk factor in order to prioritize.
Mitigating Cyber Risk is Imperative
Today we see clear signs that companies are awakening to the need for a proactive approach to cyber risk. The Chief Information Security Officer (CISO) role has emerged in recent years in many organizations to oversee companies’ efforts to assess and manage cyber risk. While it was once common for a technical manager to take responsibility for information security, it is now the role of a more senior business person who is both technically adept and able to communicate cyber risk to board members and business executives. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) are often tapped to provide regular feedback to Audit Committees and Boards on business risks, including cybersecurity.
While the evolution in talent is a positive development, it is also important to remember that the data and confidential information of millions of people cannot be the responsibility of one person. The creative contributions of a company’s employees or the sensitive IP of business partners cannot be protected solely by a piece of software or hardware.
Now is the time to redefine the view of success. Rather than trying to prevent every possible attack, focus efforts on systems to detect and manage issues with laser-sharp accuracy and lightning-fast speed. Every organization is different and benchmarks for success will be unique to each organization. However, well-balanced organizations do have one thing in common: they excel on both offense and defense.
For more information on this topic, or to learn how Baker Tilly cybersecurity and IT risk specialists can help, contact our team.
- For more insights on what audit committees and boards need to know, see: http://bakertilly.com/insights/cyber-risk-what-audit-committees-and-boards-need-to-know-now