Protiviti’s Jim DeLoach explains that executive management and the board face the challenge of overseeing and investing finite cyber protection resources in the face of an ever-changing cyber threat landscape. Cyber risk is an ever-moving target.
Cybersecurity is likely to remain center stage as a top risk for a long time to come as companies continue to expand their reliance on digital technologies to transform customer experiences and execute global growth strategies. In a recent global survey[1], some 825 directors and C-level executives ranked cyber risk as the number four risk overall and a “significant impact” risk for all six industry groupings we looked at (financial services; consumer products and services; manufacturing and distribution; technology, media and telecommunications; health care and life sciences; and energy and utilities). For both directors and CEOs, cyber was rated a “significant impact” risk.
Yesterday’s mantra was “it’s not a matter of if, but when an organization is breached.” Today, companies fall into two groups: those that know they have been breached and those that have been breached but don’t know about it. Tomorrow, it’s likely to be something along the following lines: The realities of managing cyber risks are that they are impossible to eliminate, resources are finite, risk profiles are ever-changing and getting close to secure is elusive.
Accordingly, management and boards have to be smart in their approach to cybersecurity so that sufficient resources remain available to innovate and stay competitive. For example, finite protection measures should be targeted on the organization’s “crown jewels” and on the availability of critical systems, the ever-changing threat landscape should be understood, and preparations must be made for the inevitable incidents. This ground is relatively well-traveled in the literature. Below, we cover topics that underscore the moving target of cyber. These topics cannot be emphasized enough.
Winning Battles Does Not Necessarily Win the War
Unfortunately, state-sponsored attacks are targeting government institutions, industrial facilities, infrastructure and many business organizations in powerful and sophisticated ways. These so-called advanced persistent threats (APTs) require faster detection and more sophisticated response tactics to combat them effectively.
What makes them especially dangerous is that they adapt to the entity’s preventive countermeasures, frequently changing the paths by which they infiltrate a computer or network server to deliver malware payloads that may be altered over time. Stealth is the goal, as an APT may either seek to cover its tracks once its objectives are achieved or lie dormant for an indeterminate period for activation at a later appointed time or in a designated situation. Over the last few years, state-sponsored attacks have emerged from the shadows.
In terms of cybersecurity, most U.S. organizations are operating from a 20th-century playbook, while aggressor nation-states such as China appear to be using a playbook with a very long-term view. This distinction in sophistication and time horizon is sobering, as nation-states have virtually unlimited time and resources to devote to cyber attacks. At a minimum, in the race to keep pace with (or, in most cases, catch up to) these threats, organizations need to commit themselves to tapping into the available government intelligence and using it to improve their preparedness.
For example, as attacker resources and sophistication have increased over time, regulators and various government agencies in the United States have formed an information sharing and analysis center (ISAC) for multiple industries. An ISAC is a nonprofit organization that provides a central resource for gathering and sharing information on cyber threats to critical infrastructure. With the abundance of information provided, companies should allocate adequate resources to monitor this resource over time and determine the action needed to address new and emerging threats.
Detection Capabilities Need Upgrading
Most companies lack systems that are mature enough to identify the most critical red flags. If management and the board believe that the entity is an APT target based on what it represents, what it does and/or the IP it owns, the organization’s cybersecurity countermeasures need to be upgraded beyond the controls, tools and response mechanisms traditionally used to contain sophisticated attackers and corporate insiders.
Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Accordingly, simulations of likely attack activity should be performed periodically to ensure defenses can detect a breach and respond promptly. Unfortunately, our experience with such simulations is that too often, organizations authorizing the testing fail to detect our test activity.
Contrary to what many executives think, outsourcing to a managed security service provider does not solve the problem, as we often see breakdowns in the processes and coordination between the company and service provider that result in attack activity occurring unnoticed. With these repeated failures of detective controls to identify breach activity in a timely manner, it’s game over when an advanced attacker enters the systems environment.
Directors Should Clarify Expectations with Management
Assertions such as “don’t worry, we’re taking care of that” tend to stifle the dialogue, leaving senior executives and directors nowhere to go. To keep the dialogue open, directors should:
- Ask the right questions – It is important to ask the right questions on situational awareness, strategy and operations, insider threats, incident response and other related topics. An appendix included in the 2017 NACD publication on cyber risk oversight suggests relevant questions.[2]
- Consider changing board composition – If the board could benefit from more IT and security expertise, there may be a need for a technology expert, whether a director on the board or an objective third party advising the board.
- Establish a separate cybersecurity or technology committee of the board – This is always an option, depending on the severity of the threat landscape and the role of technology in executing the company’s business strategy.
Although directors have limited time to get into the details, they should set clear expectations of executive management with respect to cyber incidents that can affect the company’s reputation and standing with customers.
Cybersecurity Reporting and Metrics Warrant Improvement
The severity of the Equifax and other breaches raises the question as to whether boards and management are probing deeply enough to determine what it is they don’t know. Given that cyber reports often offer only high-level information, what reporting and metrics should the board and management request with regard to cybersecurity? Following are some suggestions, with commentary:
| METRIC | COMMENTARY |
| --- | --- |
| The number of system vulnerabilities | Management should identify high-risk system vulnerabilities and report changes over time. Is the board satisfied with how management identifies, quantifies and prioritizes vulnerabilities? |
| The length of time required to implement patches | Regarding the elapsed time for patching identified high-risk system vulnerabilities, 60 to 90 days is not unusual, with 30 days typically being the “gold standard,” and even that is too long in some instances. |
| The length of time it takes to detect a breach | With respect to the elapsed time between the initiation of an attack and its ultimate discovery, the average length of time to detect is six months – a considerable amount of time given the risks.[3] |
| The length of time it takes to respond to a breach | Is the board satisfied with the elapsed time between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact? |
| The length of time it takes to remediate audit findings | With respect to third-party or in-house audit recommendations to improve cybersecurity, the board should monitor remediation of high-risk audit findings, including the time it takes to get it done. |
| Percentage of breaches perpetrated through third parties | On average, 50 percent of breaches occur at an organization’s vendors rather than the organization itself – a staggering statistic that warrants attention. And, as should be well understood, organizations may outsource the process, but they do not outsource the risk. |
| Number of violations of security protocols | Management should measure violations of security policies and procedures across the organization, particularly in the human perimeter, and report trends in violations over time to indicate whether progress is being made in improving cybersecurity. |
While not exhaustive, the above metrics inform the board’s and senior management’s cyber risk oversight. Directors and executives get what they measure and monitor. It is not unusual for exceptions to decline when metrics get attention at the top with a focused dashboard. To that end, the 2017 NACD publication on cyber risk oversight includes examples of cyber risk reporting metrics and dashboards.[4]
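Metrics like those in the table only inform oversight if they are computed the same way every reporting period from the underlying tracking records, rather than assembled by hand. The Python script below is an added example, not code from the article or from Protiviti; it assumes hypothetical vulnerability and breach tracking records (constructed sample data, not real incidents) and computes the patch elapsed-time, time-to-detect, time-to-respond, third-party share and violation-trend figures the table describes, using the article’s 30-day patching “gold standard” as the threshold for high-risk vulnerabilities.

```python
"""Board-level cyber dashboard metrics computed from constructed sample records."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# The article cites 30 days as the "gold standard" for patching high-risk
# vulnerabilities; it is used here as the service-level threshold (assumption).
PATCH_STANDARD_DAYS = 30


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # hypothetical tracking id
    severity: str            # "high", "medium" or "low"
    identified: date
    patched: Optional[date]  # None while the fix is still outstanding


@dataclass(frozen=True)
class Breach:
    breach_id: str           # hypothetical tracking id
    started: date            # earliest evidence of attacker activity
    discovered: date
    response_started: date
    via_third_party: bool    # breach originated at a vendor, not in-house


def patch_metrics(vulns, today):
    """Elapsed patch time for high-risk items; open items keep aging until today."""
    ages, still_open = [], 0
    for v in vulns:
        if v.severity != "high":
            continue
        if v.patched is None:
            still_open += 1
            ages.append((today - v.identified).days)
        else:
            ages.append((v.patched - v.identified).days)
    return {
        "high_risk_total": len(ages),
        "within_standard": sum(1 for d in ages if d <= PATCH_STANDARD_DAYS),
        "over_standard": sum(1 for d in ages if d > PATCH_STANDARD_DAYS),
        "still_open": still_open,
        "max_days": max(ages) if ages else 0,
    }


def breach_metrics(breaches):
    """Dwell time, response lag and the share of breaches that entered via a third party."""
    dwell = [(b.discovered - b.started).days for b in breaches]
    lag = [(b.response_started - b.discovered).days for b in breaches]
    third = sum(1 for b in breaches if b.via_third_party)
    return {
        "mean_days_to_detect": mean(dwell) if dwell else 0,
        "mean_days_to_respond": mean(lag) if lag else 0,
        "pct_via_third_party": 100.0 * third / len(breaches) if breaches else 0.0,
    }


def violation_trend(monthly_counts):
    """Compare the later half of monthly policy-violation counts against the earlier half."""
    half = len(monthly_counts) // 2
    if half == 0:
        return "insufficient data"
    earlier, later = mean(monthly_counts[:half]), mean(monthly_counts[half:])
    if later < earlier:
        return "improving"
    if later > earlier:
        return "worsening"
    return "flat"


def dashboard(vulns, breaches, monthly_violations, today):
    """One dictionary a reporting pipeline could render as the board dashboard."""
    return {**patch_metrics(vulns, today), **breach_metrics(breaches),
            "violation_trend": violation_trend(monthly_violations)}


# Constructed sample records (not real data).
SAMPLE_VULNS = [
    Vulnerability("V-1", "high", date(2024, 1, 2), date(2024, 1, 20)),    # 18 days
    Vulnerability("V-2", "high", date(2024, 1, 10), date(2024, 3, 15)),   # 65 days
    Vulnerability("V-3", "medium", date(2024, 1, 12), date(2024, 2, 1)),  # not high-risk
    Vulnerability("V-4", "high", date(2024, 2, 1), None),                 # still open
]
SAMPLE_BREACHES = [
    Breach("B-1", date(2023, 9, 1), date(2024, 3, 1), date(2024, 3, 3), False),
    Breach("B-2", date(2024, 1, 15), date(2024, 2, 4), date(2024, 2, 4), True),
]
SAMPLE_VIOLATIONS = [12, 11, 13, 9, 8, 7]  # six months of policy-violation counts
AS_OF = date(2024, 4, 1)

if __name__ == "__main__":
    for key, value in dashboard(SAMPLE_VULNS, SAMPLE_BREACHES, SAMPLE_VIOLATIONS, AS_OF).items():
        print(f"{key:>22}: {value}")
```

Two design choices matter for a board audience: an unpatched high-risk vulnerability keeps accumulating elapsed days until it is fixed, so the “over standard” count cannot be improved by simply leaving items open, and the trend is a comparison between halves of the series rather than a single month-over-month delta, which smooths out the noise that a focused dashboard otherwise invites people to explain away.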
All that said, dashboard reporting is not a panacea. Management and directors may need to dig below the numbers to determine what they don’t know. For example, if there is a metric around the volume of data the organization is managing and protecting, deeper questions could be addressed regarding whether that data is encrypted or unencrypted. To illustrate, a health insurance plan provider exposed unencrypted data because its data was only encrypted in transit rather than at rest – one reason it ended up having almost 80 million records accessed by unauthorized parties.
Independent Cybersecurity Assessments May Be Worthwhile
As innovative IT transformation initiatives constantly grow the organization’s digital footprint, they outpace the security protections companies have in place, producing a sobering reality: Security and privacy internal control structures that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future, perhaps even sooner than many realize.
Even more sobering, what management represented to the board as effective a year ago may be inadequate today. That is why organizations may want to consider obtaining an external view of their overall cybersecurity current state using an established framework[5] so they can identify and prioritize opportunities for improvement in pursuing their desired state. If such reviews identify areas of weakness requiring immediate remediation, the board should satisfy itself that management addresses those areas promptly.
Attention to “Blocking and Tackling” Issues Needed
“Blocking and tackling” issues warranting attention should not be ignored. Following are eight such matters:
- Build the organization to address cyber threats. Some organizations may need to consider rearchitecting themselves in terms of technology and security, meaning they need to change how they do things. The question executive management and the board need to ask is, “how quickly are we able to get an issue resolved?” Operating unit management assertions that a cybersecurity solution will disrupt existing operations and, thus, will take time to implement are a red flag.
- Deal with the resourcing question. It is well-established that organizations must target finite resources appropriately on the data and information systems assets that matter. But is the effort sufficiently resourced? Management often is not proactive enough in the cyber space if the organization has not had a serious breach or security issue. Many companies simply don’t know what they don’t know. In these instances, it is tough for management to make resources a priority when it comes to cybersecurity. Unfortunately, the resources get allocated when the severe breach occurs – often at the cost of reputation impairment.
- Cyber insurance can reduce risk. Cyber insurance coverage transfers the financial risk associated with a variety of cyber incidents, including data breaches, business interruption and network damage. It can be especially important to the board if the company’s D&O liability policy doesn’t cover these issues. If a company takes out a cybersecurity policy, the insurer may require it to follow certain guidelines and provide evidence through a cybersecurity assessment, as discussed earlier. If the company hasn’t benchmarked itself against an appropriate framework, directors should inquire as to why, as such assessments may reduce the cost of cyber insurance.
- Inquire about multifactor authentication. Every organization should have this computer access control in place.
- Raise phishing awareness. The key is not how many phishing emails the organization receives (a metric that may be presented in the dashboard report), but rather how many company personnel clicked on them and what the organization does about it. For example, an appropriate response might be that all people who click on a phishing email must go through training. Strengthening the human perimeter is an imperative.
- Implement security segmentation. Organizations should segment data so that bad actors who get into their system and/or network cannot access everything. Segmentation is vital to protecting critical data and crown jewels if access controls are compromised.
- Refresh incident response and recovery plans continuously. A shortcoming for many companies involves breach incidents and business continuity plans. Often, business continuity plans are out of date. The board and management should periodically focus on the adequacy of the incident response and business continuity plans and monitor the follow-up to such discussions.
- Elevate high-risk patches as a priority. The patch process may be a “silo” issue in some companies. Management needs to ensure the necessary steps are taken to address these matters more quickly and more aggressively, particularly on customer-facing web sites.
Coupled with the matters raised previously, addressing the above matters will help directors and executives gain more confidence that cybersecurity is under control.
Questions for Senior Executives and Boards of Directors
Senior executives and their boards may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- Is the company a possible nation-state target based on what it represents, what it does or the value of its IP? If so:
- Does the company have the advanced detection and response capabilities it needs?
- Are simulations of likely attack activity (given the increasing sophistication of likely threat actors) performed periodically to ensure defenses can detect a breach and respond promptly?
- Do we assess cybersecurity maturity against a suitable framework in view of the company’s threat environment and follow up on areas in need of improvement?
- Does the board define its expectations for management in the cyber space and establish clear accountabilities for results? If the organization has a risk appetite statement, are the board’s expectations for cybersecurity incorporated therein? Does management in turn drive those expectations throughout the organization to key functions and units?
- Are we satisfied with the reporting and metrics used to monitor cyber matters? Do the metrics used provide supporting key performance indicators as to how the top priority cyber risks are being managed? Do they address areas that inform the board’s oversight, including the example metrics and the “blocking and tackling” issues noted above?
- Are we satisfied that there is an effective response and recovery plan to ensure that critical systems can be put back online with minimum impact to the business? Is the plan evaluated through tabletop exercises, tested periodically and adjusted as necessary?
- Is sufficient budget available to support innovation? If not, is the spend on operational risk proportionate and focused on protecting what’s important (the “crown jewels”) and in line with the current cyber threat landscape and the kinds of attacks that are most likely to occur?
[1] Executive Perspectives on Top Risks for 2019, Protiviti and North Carolina State University’s ERM Initiative, December 2018, available at www.protiviti.com/toprisks.
[2] See Appendix A, NACD Director’s Handbook Series on Cyber-Risk Oversight, 2017, available for purchase at www.nacdonline.org/Store/ProductDetail.cfm?ItemNumber=10687.
[3] See “How Long Does It Take to Implement a Patch?” Issue 97 of Board Perspectives: Risk Oversight, Protiviti, November 2017, at https://www.protiviti.com/US-en/insights/bpro97.
[4] See Appendices E and F, NACD Director’s Handbook Series on Cyber-Risk Oversight.
[5] An example would be the National Institute of Standards and Technology (NIST) Cybersecurity Framework.