A C-Suite Must: Cyber Expertise
By Chuck Brooks, Skytop Contributor / November 15th, 2022
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert on Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica “Who’s Who in Cybersecurity” – as one of the top Influencers for cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has also been a featured author in technology and cybersecurity blogs & events by IBM, AT&T, Microsoft, Cylance, Xerox, Malwarebytes, General Dynamics Mission Systems, and many others. He recently presented to the G20 on Energy Cybersecurity.
Chuck is on the Faculty of Georgetown University where he teaches in the Graduate Applied Intelligence and Cybersecurity Risk Programs. In government, Chuck was a “plank holder” at The Department of Homeland Security (DHS), serving as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues. He has an M.A. from the University of Chicago and a B.A. from DePauw University.
Companies Cannot Be Disconnected
In the past year, escalating cyber-attacks on corporations, infrastructure, and organizations have created an environment of uncertainty and, in some cases, panic over the implications of data breaches. In today’s changing digital ecosystem, companies can no longer afford to remain disconnected from the reality of breaches and cyber-threats. There is too much at stake in terms of business operation interruption, decline in productivity, impaired reputation, and there is also a major responsibility to ensure protection of client data and privacy.
The Cyber Threat Environment for Business
In 2021, cyber-attacks ticked up in both number and cost for companies. An Accenture report found that there were on average 270 attacks (unauthorized access of data, applications, services, networks, or devices) per company over the year, an increase of 31% compared with 2020 (State of Cybersecurity Report 2021 | 4th Annual Report | Accenture). The management consulting firm McKinsey estimates that at the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025, a 300% increase from 2015 levels. A new survey reveals that there is a $2 trillion market opportunity for cybersecurity technology and service providers (New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers | McKinsey).
Unprepared and Slow to Act
Despite the trends of greater frequency, sophistication, lethality, and liabilities associated with incursions, industry management has been mostly unprepared and slow to act at becoming more cyber secure. As companies are increasingly under cyber-attack, there is an urgency for the C-Suite to respond with greater focus on protecting assets as we approach the new year.
A succinct summation that explains the reasons for internet vulnerability and the cybersecurity challenges was provided by Joel Brenner, the former counsel to the National Security Agency:
“The Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as communications. Pervasive connectivity has brought dramatic gains in productivity and pleasure but has created equally dramatic vulnerabilities. Huge heists of personal information are common, and cyber-theft of intellectual property and infrastructure penetrations continue at a frightening pace.” (Nations everywhere are exploiting the lack of cybersecurity – The Washington Post)
Unprotected Hybrid Work Reality
Compounding the volatility of the cyber-threat environment in 2021 and 2022 was the reality that businesses were forced into remote or hybrid work because of COVID-19. That led to essentially millions of connected home offices. It is estimated that nearly half the U.S. labor force is still working from home. Home offices are not as protected as fortified office sites, which have more secure firewalls, routers, and access management run by their security teams. Remote work has created new opportunities for hackers to exploit vulnerable employee devices and networks.
Keeping Up with the Threat is a Challenge
The research firm ThoughtLab studied the security practices and performance of 1,200 companies in 13 industries and the public sector across 16 countries. For its report titled “Cybersecurity Solutions for a Riskier World”, ThoughtLab concluded that “As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Though companies have responded by upping their security budgets and adopting more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge.”
A Rise in Attacks
In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance, and unknown assets.
Keeping Up with Digital Transformation
Furthermore, according to ThoughtLab, 41% of the executives don’t think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern. And just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge (Cybersecurity Solutions for a Riskier World – ThoughtLab (thoughtlabgroup.com)).
Ransomware
The current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers, but also in the financial and reputational costs to businesses and organizations.
Currently, ransomware, mostly via phishing activities, is the top threat to both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments. In the recent case of Colonial Pipeline, a ransomware attack disrupted energy supplies across the east coast of the United States.
Ransomware is not a new threat (it has been around for at least 15 years), but it has become a trending one largely because criminal hackers can get paid in cryptocurrencies that are difficult to trace. Many also operate in countries whose governments tacitly approve of their hacking activities, which makes them harder to find and prosecute. According to the Treasury Department’s Financial Crimes Enforcement Network, in 2021, U.S. banks and financial institutions reported a record surge in ransomware payments, with almost 1,500 filings valued at a total of nearly $1.2 billion. The total represented a 188% increase from 2020 (US ransomware payments surge to $1.2B in 2021: Treasury | Cybersecurity Dive).
The inter-connectivity of digital commerce and expanding attack surfaces have enhanced the utility of ransomware as a cyber weapon of choice for bad actors. Like bank robbers, cybercriminals go where the money is accessible. And it is now easier for them to reap benefits from extortion.
The Internet of Things
The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. The growth of the Internet of Things has completely changed the dynamics and the size of the expanding cyber-attack surface. Because of a lack of cybersecurity on IoT devices, hackers have a multitude of options to breach cyber-defenses and exfiltrate data. “By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average, and that also amounts to trillions of sensors connecting and interacting on these devices.” (State of the IoT 2020: 12 billion IoT connections (iot-analytics.com))
IoT malware has increased by 77% year to date, exceeding 12 million detections between January and June 2022 (2022 Cyber Threat Report Details Growing Trends | TechRepublic).
Having visibility into, and being able to protect, the connected devices of IoT is quite a challenge for business. The United States Government Accountability Office issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following types of attack as primary threats to IoT: Denial of Service, Malware, Passive Wiretapping, Structured Query Language Injection, Wardriving, and Zero-day exploits (Internet of Things: Status and implications of an increasingly connected world | U.S. GAO).
Software Supply Chain
Cyber-attackers will always look for the weakest point of entry, and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated by nation-state adversaries, espionage operators, criminals, or hacktivists. Their goal is to breach contractors, systems, companies, and suppliers via the weakest links in the chain. This is often done by taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or exploiting insider threats within networks. According to a recent survey by Anchore, more than three in five companies were targeted by software supply chain attacks in 2021. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.
Ensuring that the supply chain is not breached, including its design, manufacturing, production, distribution, installation, operation, and maintenance elements, is a challenge for all companies.
Of special concern is third party risk. Conducting vulnerability assessments and filling operational gaps with cybersecurity tools are avenues being employed to ensure integrity.
Moving To The Cloud
Many companies are rapidly transitioning into a cloud and hybrid cloud world, and computing is certainly moving closer to the edge. It is important to work closely with your cloud provider, know what data you need to protect and encrypt, and have an incident response plan in case you get breached. Clouds are not inherently risky, but companies need to recognize that they have to evaluate provider policies and capabilities to protect their vital data. The use of the cloud and hybrid clouds enables implementation of dynamic policies and faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). When viewed from a security administrator’s perspective, optimized security in the cloud mitigates the risk of hackers gaining key access to data.
Emerging Technologies
The advent of emerging and fused technologies such as 5G and IoT (including Industrial IoT) will pose significant operational and regulatory challenges to industry. Companies and institutions will look to automation and orchestration technologies such as machine learning, deep learning, artificial intelligence, and other analytic tools to mitigate gaps on ubiquitous platforms.
Automation, combined with artificial and machine intelligence, is an emerging and future cybersecurity pathway. Artificial intelligence (AI) is really going to be a big catalyst for cybersecurity. It will enable real-time threat detection and real-time analysis. Companies will be able to monitor what is in their system, and who may be doing things that are anomalies.
While AI and ML can be important tools for cyber-defense, they can also be a double-edged sword. While they can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, they can also be used by threat actors. Adversarial nations and hackers are already using AI and ML as tools to find and exploit vulnerabilities in threat detection models. They do this through a variety of methods. Their preferred ways are often automated phishing attacks that mimic humans, and self-modifying malware that fools or even subverts cyber-defense systems and programs.
Cyber criminals are already using AI and ML tools to attack and explore victims’ networks. Small businesses, organizations, and especially healthcare institutions that cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable.
Geopolitical Threats
Another factor to consider is the geopolitical threat of state-sponsored cyber-attacks. The Russian invasion of Ukraine has put companies allied with Ukraine on edge over potential attacks.
A study by the cybersecurity firm Venafi of over 1,100 security decision makers (SDMs) globally found that 66% of organizations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while nearly two-thirds (64%) suspect their organization has been either directly targeted or impacted by a nation-state cyber attack (The (Nation) State of Cyber: 64% of Businesses Suspect They’ve Been Targeted or Impacted by Nation-state Attacks (yahoo.com)).
The Department of Homeland Security’s CISA organization issued a warning and established a campaign called Shields Up to increase awareness among corporations of the threat of state-sponsored cyber-attacks. “Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents.” (Shields Up | CISA)
Russia is not the only threat to industry as North Korea, Iran, and China are regularly involved in nefarious cyber-activities against the West. CISA offers excellent advice for companies on how to better protect against growing geopolitical threats:
Recommended actions include:
Reduce the likelihood of a damaging cyber intrusion
Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion
Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
Confirm that the organization’s entire network is protected by antivirus/anti-malware software and that signatures in these tools are updated.
If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs
Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
Assure availability of key personnel; identify means to provide surge support for responding to an incident.
Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident
Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. (Shields Up | CISA)
Needed New Corporate Mindset and Cybersecurity Expertise
Cybersecurity at the leadership level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and safety of networks.
A recent Gartner survey found that eighty-eight percent of Boards of Directors (BoDs) view cybersecurity as a business risk, as opposed to a technology risk, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.
“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, distinguished research vice president at Gartner. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.” (Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk)
Cybersecurity Subject Matter Experts
Keeping up with cybersecurity threats is often daunting and requires a special effort. Cybersecurity Subject Matter Experts (SMEs) can assist in vulnerability assessments and recommend best-in-breed cybersecurity technologies and vendors. In IT terms this may include operational components of encryption, biometrics, smarter analytics, automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for enterprise network, payload, and endpoint security. It is best if the plan is calibrated by outside SMEs for specific cybersecurity requirements.
Cybersecurity SMEs can also be utilized for compliance (for example, GDPR expertise) and a whole host of other issues related to policy and industry specializations. Whether it be bolstering the internal IT security team of a law firm or recommending potential technological solutions and protocols, SMEs can augment efforts. In addition, there are managed service providers (MSPs) who can also offer holistic cybersecurity services depending upon budgets and needs.
Simulation and Penetration Testing and Validation
One area that is critical for preparedness is simulation and penetration testing. Testing is a key starting point for everyone operating on the new digital landscape, and especially for businesses that are most at risk from increasingly sophisticated hackers. The testing and validation process is all about finding issues before they get to production and contaminate networks and devices. But it needs to be continual, as threats morph and new code is often added to platforms. While new code is a threat, many applications and programs may already be operating on legacy systems that include flaws and access points that can lead to breaches. Therefore, legacy code needs to be reviewed for patches along with any new code as part of vulnerability and validation testing.
In addition to penetration testing, companies should employ simulation as a key element of their cybersecurity preparedness. Unfortunately, penetration tests are often cost-prohibitive for small and medium sized businesses and can miss potential exploits. A process called breach and attack simulation (BAS) can effectively lower the barriers to testing and improve the capabilities of vulnerability scans and penetration tests.
By launching simulated attacks across the various security tools deployed by an organization, the effectiveness of web application firewalls, email filters, and endpoint security can be tested. Tests can also check whether security policies and controls are properly configured, since misconfiguration is a common way for hackers to breach.
According to Eyal Wachsman, CEO and cofounder of Cymulate, a leading company in simulation preparedness, “companies are increasing spend on security solutions that protect across the cyber kill chain. However, it’s important to test the set-up and effectiveness of these solutions frequently because things can quickly change in technology. It’s possible for gaps to appear in your defenses unexpectedly and it only takes one opening for hackers to get into your network. Continuous security validation leaves nothing to chance.” (https://www.nextbigfuture.com/2020/07/cymulate-looks-to-make-cybersecurity-testing-the-norm-for-organizations.html)
From Passivity To Preparedness
The bottom line is that the mindset of the C-Suite toward corporate cybersecurity needs to change from passivity to preparedness. In the past decade, the cybersecurity focus and activities of both government and industry have been predominantly reactive to whatever is the latest threat or breach. As a result, containing the threats was difficult because, at the outset, defenders were always at least one step behind. That mindset has been changing due to a major series of intrusions and denial of service attacks that exposed a flawed approach to defending data and operating with passive preparedness.
Being proactive is not just procuring technologies and people. It also means adopting a working industry and government framework that would include tactical measures, encryption, authentication, biometrics, analytics, and continuous diagnostics and mitigation, as they may apply to specific circumstances. Other priorities include information sharing, securing the Internet of Things (IoT), protection of critical infrastructures, and expanding workforce training to mitigate the cybersecurity skills shortage.
Cyber Resilience After an Intrusion
Cyber resilience after an intrusion is an area that must be further developed in response protocols, training of information security personnel, and deployment of redundant and automated technologies. Remediation is important to continuity, no matter what, because breaches will happen. The incorporation of best practices and the lessons learned from the many corporate breaches of the past few years is certainly valuable data for both industry and government in terms of prevention, recovery, and continuity.
A Successful Cyber Threat Consequences Strategy
In a core sense, a successful cyber threat consequences strategy is really about risk mitigation and incident response. A risk management strategy requires stepping up situational awareness, information sharing, and especially resilience planning. It is critical to be aware of the morphing threat landscape and to plan contingencies for all potential scenarios.
Security breaches can and will happen, but there are guiding pathways for cybersecurity: vulnerabilities can be lessened, and often mitigated. This can be done via gap analysis and comprehensive planning to better understand the how, why, and where of cyber vulnerabilities.
Plans that are successful most often start from the leadership at the top of companies and organizations, commonly referred to as the C-suite. To carry out plans and rectify potential cybersecurity damage waiting to happen, it is paramount for the C-suite to bring cybersecurity expertise to the Boards of Directors and Advisory Boards.
A successful C-suite cyber threat strategy requires stepping up activities to assess situational awareness, future risk, information sharing, and especially resilience planning. It is imperative for companies to create business continuity, disaster recovery, and incident response plans. It is also important that they create cultures of employee and stakeholder awareness so there is a basic understanding of cyber hygiene and the myriad digital threats.
Cybersecurity Expertise at a Board Level
Without C-Suite subject matter expertise on policies, best practices, regulations, liability, technologies, and the many other issues associated with cybersecurity, companies will remain largely unprepared. In view of the recent trends of cyber-attacks, the imperative of bringing the best and brightest cybersecurity expertise to board-level roles needs to become a higher priority. As the threats and cost of breaches continue to escalate in the corporate landscape, getting outside help to bolster the C-Suite’s cybersecurity preparedness is a sensible option.