Business leaders, IT, and information security need to find ways to communicate and manage information risk, so that businesses can operate successfully, safely and securely in cyberspace, says Dr Adrian Davis, CISSP, managing director, EMEA, (ISC)².
The recent WannaCry and Petya cyber-attacks, affecting organisations around the world, have highlighted some very important facts about our dependence on the Internet and IT, and about organisations’ ability to deal with such incidents.
Essential services, including utilities and healthcare, were interrupted, alongside the operations of major organisations. The attacks were not the result of sophisticated targeting, but rather aimed at any organisation that could be penetrated.
Further, these were companies that had cyber security defences in place. Their preparations, however, did not stand up to the test of a real-world cyber-attack or reflect the impact that occurred. Many victims reported taking weeks to recover.
Overlooked by boards
To date, senior management and their boards have yet to appreciate the impact of cyber risk as it can be very hard to quantify from a financial perspective, and even when such quantification occurs, the impact is typically seen to be one or more orders of magnitude less than better known risks such as failed product launches, physical damage to assets and product recalls.
Part of the reason is that the information assets within systems are intangible and it is difficult to relate a value to them, as you would with a physical product. Another part is that we have not yet fully understood the damage that the loss or alteration of information can have over the longer-term to a business. As a result, information and cyber risk can be overlooked by businesses as being not of material significance or worthy of senior management attention.
Cyber security breaches continue to proliferate, however, because information and cyber risk remains poorly understood outside of the information security profession. The commitment and ability to robustly quantify the risks, therefore, remains limited. There is a misguided view that it is a technology problem to be managed by the information security and IT functions.
Cyber-attacks, however, cannot solely be the responsibility of the chief information security officer and their team. The organisation and its leaders too must work with their security resources to actively gauge their IT dependence, and the risks they face, within the context of their business requirements.
This goes beyond the resources of the information security professionals and the small pockets of deeply technical experts that can analyse the threats. Organisations need to apply their business acumen to the assessment and adopt a more holistic understanding of both the nature of the cyber risk that their organisation may face and the potential impact to guide the necessary treatments.
Securing the cyber world
On average, organisations suffer over 100 targeted cyber-attacks a year. One in three of these attacks – an average of 2-3 every month – is successful. The lesson being learned is that these attacks do not only affect IT systems; they also contribute to, and even increase the likelihood of, business or physical risk.
Breaches can lead to physical damage, loss of revenue, intellectual property (IP) and customer data, as well as reputational damage and loss of consumer trust. Recent high-profile examples include Tesco Bank customers who were defrauded of $3.38mn, Chrysler, which was forced to recall 1.4 million hackable cars, and a German steel manufacturer which sustained significant physical damage after a breach overloaded production systems and destroyed the blast furnace.
In all these cases, customer service, reputation and operations were severely disrupted, while the organisations have been subjected to regulatory and media scrutiny. Such broad and varied concerns call for a fundamental realignment in the way business risks are managed and prioritised.
The risks must be recognised as anything that contributes to undermining, interrupting or stopping a business’ operations. Unless we can engender a wider understanding of this type of risk, businesses will continue to build, buy or use their IT without adequate consideration for security, thereby setting themselves up for something to go wrong. As a non-profit professional association with over 125,000 certified cyber, information, software and infrastructure security professionals, we work tirelessly with our members to raise awareness of what occurs on the front-lines of cybersecurity practice and ensure a safer and more secure cyber world.
Knowing your cyber risk
(ISC)² has documented some of this experience within a whitepaper entitled ‘What Every Business Leader Should Know About Cyber Risk’, sharing its perspective and my own on five fundamental areas that will help businesses take back control of cyber risk and be better prepared for the unknown.
It offers a guide to motivate the conversations needed to ensure cyber risks can be better understood and managed, covering the need to: (i) accept cyber risk is a business risk; (ii) align cyber spend to your risk; (iii) create a culture that prevents vulnerability; (iv) get control of data; and (v) ensure security and privacy are ‘baked in’ to processes.
Embracing such a holistic understanding of cyber risk will lead to robust investment in recognising and preventing vulnerability, defending against the inevitable attacks and having the necessary redundancy to keep going when they occur.
It is time to acknowledge that all businesses, their customers and their employees rely on the information, systems and software that underpin the products, services and processes now driving our economy.
In the current landscape, we must anticipate interruption from cyber-attacks and develop the ability to keep the lights on, customers served and essential activities going. This is a business concern, not just the domain of the technical experts.