
Cyber Risk: The Target That Never Stops Moving

How to Combat an Ever-Changing Threat with Finite Resources

by Jim DeLoach
June 28, 2019
in Featured, Risk

Protiviti’s Jim DeLoach explains that executive management and the board face the challenge of overseeing and investing finite cyber protection resources in the face of an ever-changing cyber threat landscape. Cyber risk is an ever-moving target.

Cybersecurity is likely to remain center stage as a top risk for a long time to come as companies continue to expand their reliance on digital technologies to transform customer experiences and execute global growth strategies. In a recent global survey[1], some 825 directors and C-level executives ranked cyber risk as a top-four risk overall and a “significant impact” risk for all six industry groupings we looked at (financial services; consumer products and services; manufacturing and distribution; technology, media and telecommunications; health care and life sciences; and energy and utilities). For both directors and CEOs, cyber was rated a “significant impact” risk.

Yesterday’s mantra was “it’s not a matter of if, but when an organization is breached.” Today, companies fall into two groups: those that know they have been breached and those that have been breached but don’t know about it. Tomorrow’s mantra is likely to be something along these lines: cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing and getting close to secure is elusive.

Accordingly, management and boards have to be smart in their approach to cybersecurity so that sufficient resources remain available to innovate and stay competitive. For example, finite protection resources should be targeted at the organization’s “crown jewels” and the availability of critical systems, the ever-changing threat landscape should be understood and preparations must be made for the inevitable incidents. This ground is relatively well-traveled in the literature. Below, we cover topics that underscore the moving target of cyber. These topics cannot be emphasized enough.

Winning Battles Does Not Necessarily Win the War

Unfortunately, state-sponsored attacks are targeting government institutions, industrial facilities, infrastructure and many business organizations in powerful and sophisticated ways. These so-called advanced persistent threats (APTs) require faster detection and more sophisticated response tactics to combat them effectively.

What makes them especially dangerous is that they adapt to the entity’s preventive countermeasures, frequently changing the paths by which they infiltrate a computer or network server to deliver malware payloads that may be altered over time. Stealth is the goal, as an APT may either seek to cover its tracks once its objectives are achieved or lie dormant for an indeterminate period for activation at a later appointed time or in a designated situation. Over the last few years, state-sponsored attacks have emerged from the shadows.

In terms of cybersecurity, most U.S. organizations are operating from a 20th-century playbook, while aggressor nation-states such as China appear to be using a playbook with a very long-term view. This distinction in terms of sophistication and time horizon is sobering, as nation-states have unlimited time and resources to devote to cyber attacks. At a minimum, in the race to keep pace (or, in most cases, catch up) with these threats, organizations need to commit themselves to tapping into the available government intelligence and use it to facilitate their preparedness.

For example, as attacker resources and sophistication have increased over time, regulators and various government agencies in the United States have formed an information sharing and analysis center (ISAC) for multiple industries. An ISAC is a nonprofit organization that provides a central resource for gathering and sharing information on cyber threats to critical infrastructure. With the abundance of information provided, companies should allocate adequate resources to monitor this resource over time and determine the action needed to address new and emerging threats.

Detection Capabilities Need Upgrading

Most companies lack systems that are mature enough to identify the most critical red flags. If management and the board believe that the entity is an APT target based on what it represents, what it does and/or the IP it owns, the organization’s cybersecurity countermeasures need to be upgraded beyond the controls, tools and response mechanisms traditionally used to contain sophisticated attackers and corporate insiders.

Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Accordingly, simulations of likely attack activity should be performed periodically to ensure defenses can detect a breach and respond promptly. Unfortunately, our experience with such simulations is that too often, organizations authorizing the testing fail to detect our test activity.

Contrary to what many executives think, outsourcing to a managed security service provider does not solve the problem, as we often see breakdowns in the processes and coordination between the company and service provider that result in attack activity occurring unnoticed. With these repeated failures of detective controls to identify breach activity in a timely manner, it’s game over when an advanced attacker enters the systems environment.

Directors Should Clarify Expectations with Management

Assertions such as “don’t worry, we’re taking care of that” tend to stifle the dialogue, leaving senior executives and directors nowhere to go. To keep that dialogue open, directors should:

  • Ask the right questions – It is important to ask the right questions on situational awareness, strategy and operations, insider threats, incident response and other related topics. An appendix included in the 2017 NACD publication on cyber risk oversight suggests relevant questions.[2]
  • Consider changing board composition – If the board could benefit from more IT and security expertise, there may be a need for a technology expert, whether a director on the board or an objective third party advising the board.
  • Establish a separate cybersecurity or technology committee of the board – This is always an option, depending on the severity of the threat landscape and the role of technology in executing the company’s business strategy.

Although directors have limited time to get into the details, they should set clear expectations of executive management with respect to cyber incidents that can affect the company’s reputation and standing with customers.

Cybersecurity Reporting and Metrics Warrant Improvement

The severity of the Equifax and other breaches raises the question as to whether boards and management are probing deeply enough to determine what it is they don’t know. Given that cyber reports often offer only high-level information, what reporting and metrics should the board and management request with regard to cybersecurity? Following are some suggestions, with commentary:

  • The number of system vulnerabilities – Management should identify high-risk system vulnerabilities and report changes over time. Is the board satisfied with how management identifies, quantifies and prioritizes vulnerabilities?
  • The length of time required to implement patches – For the elapsed time to patch identified high-risk system vulnerabilities, 60 to 90 days is not unusual, with 30 days typically being the “gold standard,” and even that is too long in some instances.
  • The length of time it takes to detect a breach – With respect to the elapsed time between the initiation of an attack and its ultimate discovery, the average length of time to detect is six months – a considerable amount of time given the risks.[3]
  • The length of time it takes to respond to a breach – Is the board satisfied with the elapsed time between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact?
  • The length of time it takes to remediate audit findings – With respect to third-party or in-house audit recommendations to improve cybersecurity, the board should monitor remediation of high-risk audit findings, including the time it takes to get it done.
  • Percentage of breaches perpetrated through third parties – On average, 50 percent of breaches occur at an organization’s vendors rather than the organization itself – a staggering statistic that warrants attention. And, as should be well understood, organizations may outsource the process, but they do not outsource the risk.
  • Number of violations of security protocols – Management should measure violations of security policies and procedures across the organization, particularly in the human perimeter, and report trends in violations over time to indicate whether progress is being made in improving cybersecurity.

While not exhaustive, the above metrics inform the board’s and senior management’s cyber risk oversight. Directors and executives get what they measure and monitor. It is not unusual for exceptions to decline when metrics get attention at the top with a focused dashboard. To that end, the 2017 NACD publication on cyber risk oversight includes examples of cyber risk reporting metrics and dashboards.[4]
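As an added example (not part of the article, and not Protiviti’s or the NACD’s material), the following Python script computes several of the metrics above from constructed sample records: it bands patch latency against the 30- and 90-day marks cited in the table, derives mean dwell time and response time from incident dates, reports the share of breaches that arrived through third parties, and gives the direction of the violation trend. The record layout, field names, dates and counts are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Thresholds from the article's patch-latency commentary: 30 days is the
# "gold standard", while 60 to 90 days is described as not unusual.
PATCH_GOLD_DAYS = 30
PATCH_TYPICAL_DAYS = 90

@dataclass
class Vulnerability:
    identified: date         # date the high-risk vulnerability was identified
    patched: Optional[date]  # None means still unpatched on the reporting date

@dataclass
class Incident:
    attack_started: date    # earliest evidence of attacker activity
    discovered: date        # date the breach was detected
    response_started: date  # date the response plan was initiated
    via_third_party: bool   # True if the breach came in through a vendor

def patch_latency_days(vulns, as_of):
    """Days from identification to patch; open items are aged to the report date."""
    return [((v.patched or as_of) - v.identified).days for v in vulns]

def patch_latency_buckets(vulns):
    """Band patched items by the 30/90-day marks; unpatched items are counted apart."""
    buckets = {"within_30": 0, "31_to_90": 0, "over_90": 0, "still_open": 0}
    for v in vulns:
        days = None if v.patched is None else (v.patched - v.identified).days
        band = ("still_open" if days is None else "within_30" if days <= PATCH_GOLD_DAYS
                else "31_to_90" if days <= PATCH_TYPICAL_DAYS else "over_90")
        buckets[band] += 1
    return buckets

def mean_dwell_days(incidents):
    """Average elapsed time between attack initiation and discovery (dwell time)."""
    return mean((i.discovered - i.attack_started).days for i in incidents)

def mean_response_days(incidents):
    """Average elapsed time between discovery and initiation of the response plan."""
    return mean((i.response_started - i.discovered).days for i in incidents)

def third_party_share(incidents):
    """Fraction of breaches that originated at a vendor rather than in-house."""
    return sum(1 for i in incidents if i.via_third_party) / len(incidents)

def violation_trend(quarterly_counts):
    """Direction of security-protocol violations across the last two quarters."""
    previous, latest = quarterly_counts[-2:]
    return "improving" if latest < previous else "worsening" if latest > previous else "flat"

# Constructed sample records for this example; every date and count is invented.
AS_OF = date(2019, 6, 28)
SAMPLE_VULNS = [
    Vulnerability(date(2019, 1, 7), date(2019, 1, 27)),   # 20 days
    Vulnerability(date(2019, 2, 1), date(2019, 3, 18)),   # 45 days
    Vulnerability(date(2019, 1, 10), date(2019, 4, 20)),  # 100 days
    Vulnerability(date(2019, 5, 1), date(2019, 5, 29)),   # 28 days
    Vulnerability(date(2019, 4, 1), None),                # still open, 88 days so far
]
SAMPLE_INCIDENTS = [
    Incident(date(2018, 6, 1), date(2018, 12, 1), date(2018, 12, 3), True),
    Incident(date(2019, 1, 15), date(2019, 2, 14), date(2019, 2, 14), False),
    Incident(date(2018, 9, 10), date(2019, 3, 10), date(2019, 3, 17), True),
    Incident(date(2019, 4, 1), date(2019, 4, 3), date(2019, 4, 4), False),
]
SAMPLE_VIOLATIONS = [42, 38, 35, 29]  # violations per quarter, oldest first

if __name__ == "__main__":
    print("patch latency (days):", patch_latency_days(SAMPLE_VULNS, AS_OF))
    print("patch bands:", patch_latency_buckets(SAMPLE_VULNS))
    print("mean dwell / response (days):", mean_dwell_days(SAMPLE_INCIDENTS),
          mean_response_days(SAMPLE_INCIDENTS))
    print("third-party share:", third_party_share(SAMPLE_INCIDENTS))
    print("violation trend:", violation_trend(SAMPLE_VIOLATIONS))
```

The open vulnerability is aged to the reporting date so that an item nobody has patched cannot hide from the latency figure, which is the kind of number a dashboard can otherwise quietly omit.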

All that said, dashboard reporting is not a panacea. Management and directors may need to dig below the numbers to determine what they don’t know. For example, if there is a metric around the volume of data the organization is managing and protecting, deeper questions could be addressed regarding whether that data is encrypted or unencrypted. To illustrate, a health insurance plan provider exposed unencrypted data because its data was only encrypted in transit rather than at rest – one reason it ended up having almost 80 million records accessed by unauthorized parties.

Independent Cybersecurity Assessments May Be Worthwhile

As innovative IT transformation initiatives constantly grow the organization’s digital footprint, they outpace the security protections companies have in place, producing a sobering reality: Security and privacy internal control structures that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future, perhaps even sooner than many realize.

Even more sobering, what management represented to the board as effective a year ago may be inadequate today. That is why organizations may want to consider obtaining an external view of their overall cybersecurity current state using an established framework[5] so they can identify and prioritize opportunities for improvement in pursuing their desired state. If such reviews identify areas of weakness requiring immediate remediation, the board should satisfy itself that management addresses those areas promptly.

Attention to “Blocking and Tackling” Issues Needed

“Blocking and tackling” issues warranting attention should not be ignored. Following are eight such matters:

  1. Build the organization to address cyber threats. Some organizations may need to consider rearchitecting themselves in terms of technology and security, meaning they need to change how they do things. The question executive management and the board need to ask is, “how quickly are we able to get an issue resolved?” Operating unit management assertions that a cybersecurity solution will disrupt existing operations and, thus, will take time to implement are a red flag.
  2. Deal with the resourcing question. It is well-established that organizations must target finite resources appropriately on the data and information systems assets that matter. But is the effort sufficiently resourced? Management often is not proactive enough in the cyber space if the organization has not had a serious breach or security issue. Many companies simply don’t know what they don’t know. In these instances, it is tough for management to make resources a priority when it comes to cybersecurity. Unfortunately, the resources get allocated when the severe breach occurs – often at the cost of reputation impairment.
  3. Cyber insurance can reduce risk. Cyber insurance coverage transfers the financial risk associated with a variety of cyber incidents, including data breaches, business interruption and network damage. It can be especially important to the board if the company’s D&O liability policy doesn’t cover these issues. If a company takes out a cybersecurity policy, the insurer may require it to follow certain guidelines and provide evidence through a cybersecurity assessment, as discussed earlier. If the company hasn’t benchmarked itself against an appropriate framework, directors should inquire as to why, as such assessments may reduce the cost of cyber insurance.
  4. Inquire about multifactor authentication. Every organization should have this computer access control in place.
  5. Raise phishing awareness. The key is not how many phishing emails the organization receives (a metric that may be presented in the dashboard report), but rather how many company personnel clicked on them and what the organization does about it. For example, an appropriate response might be that all people who click on a phishing email must go through training. Strengthening the human perimeter is an imperative.
  6. Implement security segmentation. Organizations should segment data so that bad actors who get into their system and/or network cannot access everything. Segmentation is vital to protecting critical data and crown jewels if access controls are compromised.
  7. Refresh incident response and recovery plans continuously. A shortcoming for many companies involves breach incidents and business continuity plans. Often, business continuity plans are out of date. The board and management should periodically focus on the adequacy of the incident response and business continuity plans and monitor the follow-up to such discussions.
  8. Elevate high-risk patches as a priority. The patch process may be a “silo” issue in some companies. Management needs to ensure the necessary steps are taken to address these matters more quickly and more aggressively, particularly on customer-facing websites.

Coupled with the matters raised previously, addressing the above matters will help directors and executives gain more confidence that cybersecurity is under control.

Questions for Senior Executives and Boards of Directors

Senior executives and their boards may want to consider the following questions in the context of the risks inherent in the entity’s operations:

  • Is the company a possible nation-state target based on what it represents, what it does or the value of its IP? If so:
    • Does the company have the advanced detection and response capabilities it needs?
    • Are simulations of likely attack activity (given the increasing sophistication of likely threat actors) performed periodically to ensure defenses can detect a breach and respond promptly?
    • Do we assess cybersecurity maturity against a suitable framework in view of the company’s threat environment and follow up on areas in need of improvement?
  • Does the board define its expectations for management in the cyber space and establish clear accountabilities for results? If the organization has a risk appetite statement, are the board’s expectations for cybersecurity incorporated therein? Does management in turn drive those expectations throughout the organization to key functions and units?
  • Are we satisfied with the reporting and metrics used to monitor cyber matters? Do the metrics used provide supporting key performance indicators as to how the top priority cyber risks are being managed? Do they address areas that inform the board’s oversight, including the example metrics and the “blocking and tackling” issues noted above?
  • Are we satisfied that there is an effective response and recovery plan to ensure that critical systems can be put back online with minimum impact to the business? Is the plan evaluated through tabletop exercises, tested periodically and adjusted as necessary?
  • Is sufficient budget available to support innovation? If not, is the spend on operational risk proportionate and focused on protecting what’s important (the “crown jewels”) and in line with the current cyber threat landscape and the kinds of attacks that are most likely to occur?

[1] Executive Perspectives on Top Risks for 2019, Protiviti and North Carolina State University’s ERM Initiative, December 2018, available at www.protiviti.com/toprisks.

[2] See Appendix A, NACD Director’s Handbook Series on Cyber-Risk Oversight, 2017, available for purchase at www.nacdonline.org/Store/ProductDetail.cfm?ItemNumber=10687.

[3] See “How Long Does It Take to Implement a Patch?” Issue 97 of Board Perspectives: Risk Oversight, Protiviti, November 2017, at https://www.protiviti.com/US-en/insights/bpro97.

[4] See Appendices E and F, NACD Director’s Handbook Series on Cyber-Risk Oversight.

[5] An example would be the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

