Whether you’re a middle market or multinational corporation with an entirely automated infrastructure, cyber security breaches have become an inevitable threat to businesses and individuals worldwide. Cyber security measures have become not an option, but a requirement, in an increasingly digitized corporate environment. “Over the last two or three years, companies in every industry segment and tier have confirmed they have suffered cyber attacks,” Jennifer Archie, a litigation partner of Latham & Watkins specializing in large-scale data breach response, says.
The risks vary from minor annoyance to sizable devastation. Cyber attacks may result in stolen information, loss of funds (the 2016 Verizon Data Breach Investigations Report (DBIR 2016) reported that 89 percent of 2015 data breaches had a financial or espionage motive), email compromise, malware infection and even widespread power outages, as we observed in the December 2015 BlackEnergy attack against a number of Ukrainian energy companies.
In our continuing evolution in the Information Age, we may have simplified administrative functions, increased internal efficiency, and maximized accessibility on a global scale; however, we have also opened the floodgates to a swarm of hackers, phishers, viruses and other mal-intended intruders. “It is ironic,” Robert Katz, Founder and Executive Director of the Innovation Intelligence Institute reflects. “If we look at all of the technology that creates freedom and independence, it actually creates technological dependence. We hyper-modernized and hyper-connected—we became all digital, all electric, all the time. While this hyper-convergence heightened convenience, it simultaneously heightened vulnerability.”
What happens when a corporation suffers a major breach? Well, that depends on the jurisdiction. “What is illegal in one country is not necessarily illegal in another,” Ira Winkler, President of Secure Mentem, explains. “Some of the data breach laws are requiring the reaction from the companies, mandating reaction by the companies, but they are not necessarily mandating security.”
What does that mean for corporate stakeholders? In the U.S., companies are required to report cyber breaches to their board and corporate shareholders, so in this country, if a corporate database holding our personal information is compromised, we’ll typically hear about it.
The World Law Group published a comprehensive list of mandated corporate response by country in “The Global Guide to Data Breach Notifications.” As the report shows, if you’re invested in an Australian, Greek, or Colombian entity and they suffer a cyber attack, they aren’t legally obligated to notify you or regulators. In China, however, the Consumer Rights Protection Law states that if a disclosure or loss is even suspected, businesses are required to adopt remedial measures.
The only formidable defense against these kinds of attacks, whether direct or indirect, requires a holistic approach. Effective cyber security must balance risk management, technological innovation, human capital and tactical governance.
A Game of Cat and Mouse
As the founder and executive director of the Innovation Intelligence Institute, Katz helps “infuse, both internally and externally, innovation into otherwise not innovative organizations.”
“Typically in organizations, they only collaborate internally or with pre-existing stakeholders,” he explains. “To be able to really solve any problems, we have to start looking at things differently and start to reach out to non-traditional stakeholders.” He often uses one key phrase when describing an effective cyber defense: hyper collaboration. “To solve the cyber problem, we tend to really look at it as a technology issue, but it is really much more than that,” he says. “It’s a complete societal issue.”
Increasingly, corporations are turning to third-party, off-site data centers to store and further encrypt sensitive information. (“The cloud” has become a persistent phrase in cyber security conversation at every level, from elementary schools to federal agencies; it is impossible to avoid mention of it.)
“The cloud can definitely be secure and in some cases, it can be more secure than some on-prem environments, but there are several factors that it can depend on,” David Cass, CISO of Cloud & SaaS Operational Services at IBM explains. “Hopefully you have good security practices already and you’re mapping the security practices over. The key to cloud is the concept of shared responsibility between the Cloud Service Provider (CSP) and the customer. Depending on whether you are doing IaaS, PaaS or SaaS, the delineation of who is responsible for what portions of security varies. This is an important conversation to have with your CSP.”
The three most commonly used cloud services fall under three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). An IaaS model, the most fundamental cloud service, houses basic computing infrastructure off-site; virtual machines allow users to access that off-site infrastructure as they would a physical machine. The PaaS model provides software developers with a computing platform whose capacity adjusts automatically to their hardware and software needs, eliminating the need to purchase and manage the underlying layers themselves. SaaS cloud services allow users to house and operate software off-site, saving both space and time dedicated to maintenance.
Housing infrastructure, platforms and software off-site blurs the line between privacy and security. While cloud-based services “make hardware and operational management of technology systems somebody else’s responsibility that specializes in them,” as Cass describes, any information or service stored in the cloud remains at risk unless proper data encryption and security practices are already in place.
On the same front, Katz believes artificial intelligence (AI) will provide more resilient protection from cyber threats. In the ongoing game of cat and mouse–while we rush to patch a broken window, hackers are already picking the next lock–we need to begin thinking like the enemy. “The adversaries have the advantage because they have massively parallel computing because they are massively collaborating. So must we,” Katz says. “So that is where AI comes in.”
AI may create a more reliable security system, but you can’t automate a human to set the alarm before leaving for work. In cyber terms, we can’t underestimate the importance of fostering preventive behaviors on an individual level. “We have to have users be more careful about how they use the technology,” Katz continues. “We have to have social scientists talk about how we are able to social engineer and trick people: behavioral scientists, human resource people and technologists as well. So it takes a village.”
Cass agrees: “At the end of the day, you can out-source anything really except for accountability.”
The Achilles Heel
An effective cyber security strategy is a “team effort,” says Guy Filipelli, founder and CEO of RedOwl, a cyber security/risk management company. “It is often a combination of information security, physical security, technology or IT, legal, and potentially risk or HR and then at one point, the leadership of the institution.”
Corporate leaders are responsible for strategizing a cyber security plan, from conceptualization to implementation. Yesteryear’s silos are busted open by the Information Age; because the modern corporation is entirely digitized, employees at every level need to collaborate to avoid becoming the weak link.
The list of human vulnerabilities is endless–insider sabotage, improper shutdown of company computers, common password choice (SplashData’s list of Top 25 Most Commonly Used Passwords for 2015 proves that we all learned nothing in 2014…“123456,” “password,” and “12345678” continue to top the list). The DBIR 2016 found that 13 percent of people tested clicked on a phishing attachment.
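As an added defensive illustration, not from the article, the following password-policy check rejects the SplashData entries named above together with their trivial variants (case changes, leetspeak, appended digits). The blocklist and the 12-character minimum are constructed assumptions, not anything the article specifies:

```python
"""Password-policy check against a common-password blocklist (added example)."""
import re

# Constructed sample blocklist; the article names the first three entries.
# A real deployment would load a full published list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "football", "baseball", "welcome", "abc123", "letmein",
}

# Assumed policy minimum; pick to suit the organisation.
MIN_LENGTH = 12

# Leetspeak substitutions that users apply and attackers routinely undo.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "$": "s", "!": "i"})


def candidates(password: str) -> set:
    """Derive the 'base words' a blocklist lookup should cover.

    Returns the lowercased password, the same with edge punctuation
    removed, the same with trailing digits removed, and the leetspeak
    un-substituted form of each, so 'P@ssw0rd1' is matched as 'password'.
    """
    low = password.lower()
    core = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", low)  # drop edge punctuation
    stems = {low, core, re.sub(r"\d+$", "", core)}      # drop trailing digits
    return {s for stem in stems for s in (stem, stem.translate(LEET)) if s}


def check_password(password: str) -> list:
    """Return a list of rejection reasons; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    hit = next((c for c in candidates(password) if c in COMMON_PASSWORDS), None)
    if hit is not None:
        reasons.append(f"matches common password '{hit}'")
    return reasons


def is_acceptable(password: str) -> bool:
    """Convenience wrapper for a policy gate."""
    return not check_password(password)


if __name__ == "__main__":
    for pw in ("123456", "password", "P@ssw0rd1", "Welcome2016!", "orange-kettle-drum-42"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```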
Educating the workforce is a good first step, but a learning curve also needs to be considered, says Dan Swanson, President of Dan Swanson & Associates and a 26-year internal audit veteran. “I think there has to be a continual learning strategy for your organization to be truly successful over the long-term,” he says.
That being said, the ongoing war against internal human error is only half of the battle; technological vulnerabilities still account for a significant portion of cyber security risks. On a software level, the Common Vulnerabilities and Exposures (CVE) system compiled by the U.S. Department of Homeland Security shows that the 10 products with the most vulnerabilities account for 85 percent of successfully exploited traffic. In order of most to least vulnerable, those products are Mac OS X, Linux Kernel, Firefox, Chrome, iPhone OS, Flash Player, Internet Explorer, Debian Linux, Windows XP and Windows Server 2008.
Manning the Barracks: Keeping Cyber Threats at Bay
The NSA hack earlier this year proved that even federal agencies are prone to cyber attacks; not even a government-level organization with security in the name has forged an impenetrable cyber defense.
To best protect a company’s digital infrastructure, an effective cyber management team requires a certain skill set. Barclay Blair, Founder & Executive Director of the Information Governance Initiative, compares the indispensable qualities of influential information leaders to those of emergency workers. “There is a dance of really understanding the long view while trying to fight the fires, which is obviously the same for people who work in traumatic and stressful situations. If they don’t, they don’t last,” he says, adding that they must distinguish between “the threats that are faced by the organization that must be triaged immediately, and separating those things from the things that have to be, and should only be addressed, as part of the longer term plan.”
The National Institute of Standards and Technology (NIST) cyber security framework provides guidelines for designing effective cyber defenses and response protocols. “Cyber Threat Intelligence also helps to determine the effectiveness of an ongoing effort, requiring standards and assessments to be compared with configurations, best practices and most importantly, common sense,” says Ariel Evans, an American-Israeli cyber security expert, formerly the CISO for a major telco company in the United States.
“I do believe that organizations have a right to defend,” Araceli Treu Gomes, a principal subject matter expert in cyber security and intelligence says, adding, “I’m not sure if taking an act of offense constitutes defense. Furthermore, I don’t think the business side of the industry or the risk-management side of the industry are competent enough to understand the collateral damage that can and will be caused by hacking back.”
Guarding the Fortress: Reinforcing Cyber Defenses
Now imagine a situation in which the enemy resides within your borders. Such is the case with Advanced Persistent Threats (APTs), in which a hacker embeds themselves within a digital infrastructure for extended periods of time to conduct long-term cyber espionage. Serrin Turner, partner of Latham & Watkins and a member of the firm’s Cybersecurity and Data Privacy practice group and formerly the lead cyber crime prosecutor from the U.S. Attorney’s Office in Manhattan, describes how APTs pose an evolving threat.
“Organized crime groups, which in the past have typically focused on theft of credit card data and personal identity information, are increasingly using APT tactics that are traditionally associated with nation-states—burrowing into corporate networks to steal trade secrets or other information that can be quietly monetized through insider trading or other means,” he explains.
Not all APTs are contained by a timeframe, however. “There have been cases where the people you would consider as APT get in and then get out really quickly,” Winkler says. He defines an APT as “a very motivated and skilled attacker who is willing to put relatively unlimited resources towards obtaining their goals. They are adaptive in that they see what protection mechanisms they [their targets] have and then they try to avoid those protections and keep trying until they get around it.”
Establishing a set of digital obstacles for potential APTs is hardly the first step in an effective cyber defense strategy, according to Swanson. “It starts with a team, with a set of policies and standards. Like any large corporate effort, regardless of the industry, you need a capital investment program, a large operating budget that is appropriate to the organization and the risks involved.”
Cyber insurance can potentially contribute to an effective cyber defense strategy. The Insurance Information Institute found that stand-alone cyber insurance policies typically feature crisis management; directors, officers and management liability; business interruption; cyber extortion; and loss/corruption of data.
Statistics show that more and more often, corporations are turning to insurance brokers to fortify their defenses. Major insurance broker Marsh estimates that U.S. cyber insurance was worth over $2 billion in gross written premiums in 2014, with some estimates predicting that figure could potentially triple by 2020.
Still, not all experts believe that cyber insurance is a cost-effective risk reduction strategy. Gomes believes insurance brings up “the darker underbelly of risk management.”
The question, she said, revolves around whether or not insurance companies should be in the business of mandating and dictating controls. “Are we going to start buying cyber insurance the way we do homeowners insurance or like rental car insurance? What is it going to look like?” she asks. “What is your risk management position as you go to acquire it?”
Placing the Defense on the Offense
As cyber criminals evolve to exploit in-place defensive measures, the response of C-suite executives and directors needs to shift from “a reactive to proactive approach,” according to Evans. “It is no longer adequate to speak solely in terms of technological vulnerabilities such as insufficient patching of servers and network specific devices,” Evans says. “Attention is shifting toward protecting the most critical business assets or processes rather than buying groovy cyber technology.”
Awareness programs at not only the individual level, but a governance level, are fundamental to the design of an all-inclusive security strategy, Winkler says. “An awareness program has to be comprehensive and multi-modal. You have to try to impact people by having a ubiquitous program that constantly reinforces good security practices.”
Designing a multi-tiered, full-coverage cyber security program has a set of basic requirements: human awareness at every corporate level, effective technological infrastructure, legal security in case of liability and the educated governance to organize and implement a strategy balancing those factors.
A New Approach
From a management standpoint, the adoption of top-down security approaches is the first step in waging a war on cyber criminals. Recognizing senior-level influence is a relatively new development in cyber security. “We have seen the creation of the Chief Privacy Officer in the last decade, where that previously didn’t exist,” Blair says. The most important and difficult part of innovation within a business, he continues, is “adjusting corporate governance practices around any new or evolving issue.”
The development of new technologies (AI, the cloud, intrusion detection systems, advanced firewalls, etc.), paired with a modern top-down talent approach, creates an effective combination with which to deter cyber criminals both proactively and reactively.
“We are trying to get ahead of the wave. We have been fighting this war for decades,” Winkler says. “The world is such an interconnected place that the issues emerge on a regular basis. There are emergencies today, but what is more important is the capability that you need to build over the next couple of years. Improving intelligence through continual learning is a key strategy.”
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.