The cyber threat landscape continues to evolve. Cybersecurity remains an important boardroom and C-suite topic as the COVID-19 pandemic forces remote work and adoption of new technologies. Protiviti’s Jim DeLoach shares what’s new in cyberspace.
The pandemic has shifted just about everything. Cybersecurity is no exception. First, consider the transition to a remote workforce. The networks of most companies are not set up to accommodate a majority of the workforce connecting remotely. As the volume of remote traffic increases, many employees sign in to a corporate virtual private network (VPN) through insecure routers and personal devices.
Second, cyberattackers are using the COVID-19 crisis as a lure, tricking unsuspecting employees into opening attachments or clicking links to fraudulent websites so that the attackers can deliver malware or harvest credentials and medical, financial or other personal information.
Finally, outside the safety and security perimeter of the workplace environment, specific controls may be less effective or even unavailable as employees deploy new collaboration or cloud tools.
No doubt, the dynamics of a decentralized workforce have increased cyber risk. Organizations must find the balance between the need to bolster network capacity to accommodate increased remote traffic and the imperative to secure systems, networks and data. Emphasis should be given to patching and updating remote environments as frequently as on-site environments. Laptops, notebooks, phones and other portable devices need to be updated to function securely on a remote basis. All computing devices should connect through a corporate VPN so that data can be sent across shared or public networks as if the devices were directly connected to the private network. This extends the security features of the private network to the remote device. It also means a compromised or unpatched device is now inside that network, which is why device hygiene matters more under remote work, not less.
However, securing the technical perimeter is not enough; the human perimeter is just as important. Frequent reminders to employees to avoid clicking suspicious links or attachments and to remain vigilant against phishing emails are best practice. Phishing awareness training, simulated phishing tests and checks of compliance with data protection policies are recommended. In addition, it is important to police the use of tools in the remote workplace: employees should use only sanctioned tools.
As companies move forward in this brave new world, we recommend keeping in mind the following principles:
Changes in Key Vendor Operating Environments Can Create Additional Cyber Risk
The company’s vendors are also being challenged by the pandemic to protect their employees and businesses. As they do so, they may not fully consider the effects their actions have on the organizations they service. The company needs to proactively reach out to all critical vendors to understand how their operations have changed or are changing. It may be necessary to make certain accommodations to relax certain requirements to ensure continuous, secure and reliable services.
Don’t Let Overinvesting in Protection and Detection Lead to Underinvesting in Response and Recovery
The NIST Cybersecurity Framework organizes a cybersecurity program into five functions: identify, protect, detect, respond and recover.[1] Using these five pillars, Protiviti sponsored and participated in a global cybersecurity study[2] in which executives were asked to rate their company’s progress across each of them. The results indicated that most companies score highest on protect and detect and lowest on identify, respond and recover.
As most cybersecurity investments address the protect pillar, it is important to regularly assess and monitor the organization’s ability to identify, detect, respond to and recover from a cyber breach. One recommended and beneficial step is conducting tabletop or simulated exercises of plausible cyberattack scenarios and reviewing the results. The outcomes can be enlightening when evaluating response and recovery capabilities. In addition, companies should have transparency into their investments across the five NIST functions.
A shift is occurring in the nature and type of attacks companies experience. Stolen identities, meaning certain kinds of personal information, have lost value on the black market. Credit monitoring, credit card alerts enabling card information to be frozen or closed instantly and other measures are devaluing this information, which is a good thing. What is on the rise, however, is ransomware and intentional disruption, which shut down a system or organization entirely until a ransom is paid. While protection and detection are crucial parts of a balanced program, attackers often go undetected for long periods, which allows them to inflict more damage. Even top-of-the-line safeguards will not completely prevent hackers from breaking in. Accordingly, companies would be wise to focus more on response and recovery.
Understand the Paradox in Breach Detections Between Cyber “Leaders” and “Beginners”
The aforementioned research differentiates the maturity of cybersecurity capabilities among leaders, intermediates and beginners. Digital maturity and cybersecurity maturity often go hand in hand. For example, according to the research, 68 percent of digital beginners are also cybersecurity beginners, and only 3 percent are cybersecurity leaders. Unsurprisingly, 46 percent of digital leaders are also cybersecurity leaders, and only 6 percent of digital leaders are cybersecurity beginners. However, that still leaves over half of digital leaders short of cybersecurity leadership, and their heavier reliance on digital platforms makes that gap more dangerous for them than for others.
This “digital paradox” in business results in digital leaders reporting more cyberattacks than beginners. There are several reasons: Digital leaders likely are better at monitoring cyber activity and have stronger detection measures. Thus, they are more aware of attacks and breaches than other organizations that may be experiencing similar levels of attacks but not be aware of them. In addition, digital leaders are more likely to have an expanded attack surface, as they are leveraging the internet of things, mobile platforms and other technologies for various purposes where security is generally immature.
The good news for digital leaders is that advanced technologies, such as (but not limited to) artificial intelligence, machine learning and natural language processing, promise to enhance an organization’s cybersecurity capabilities. However, the bad news is that hackers and bad actors are leveraging these same technologies as well. To minimize risks, companies should build cybersecurity into each step along their digital transformation process.
Mind the Enemy Within
A consistent and persistent threat remains user error. In the Cybersecurity Imperative study, most respondents expressed concerns about untrained company insiders and how easily they can be fooled. Human error is a significant challenge: think about inadvertent or mistaken password disclosure, personally identifiable information being saved to a thumb drive and the ever-increasing sophistication of social engineering used to obtain the data needed to breach a target’s systems. In addition, there is the specific threat of attacks by internal people, especially disgruntled employees angry at the organization for whatever reason. Exposure to nation-states and sophisticated external attackers is compounded in that these groups often exploit untrained insiders.
According to the aforementioned research, most firms (87 percent) see untrained general staff as the greatest cyber risk to their business because they may provide a conduit for outside attackers. Accordingly, companies need to turn up the volume on their inquiries of cyber management and business units as to what is being done about insider risk, including exposure through third parties.
Know How Much: Quantify Cyber Risk to Put a Value on the Crown Jewels
It is well-established that organizations must understand the data and information they need to prioritize when allocating protection assets (e.g., the traditional mantra of “know your crown jewels”). But it has also been well-documented that not all data is created equal. So, questions arise: Do we understand the unfavorable business outcome that would result from the loss of certain data? Can the organization quantify that risk? Quantification can help significantly in understanding the different types of data and system assets the organization maintains and, most important, what needs to be prioritized most highly for the purposes of cybersecurity.
For example, the FAIR methodology[3] can assist with this analysis: it estimates how often a loss event is likely to occur and how large the loss would be, each as a range rather than a single number, and combines the two (typically through Monte Carlo simulation in risk quantification software) into a distribution of expected annual loss in financial terms. In addition, data loss prevention software can identify where sensitive data is stored and transmitted, including the volume of that data, and detect possible security breaches. Quantitative analysis is then required to put a business value on that data. Tooling in this area continues to mature and should offer better control over data and its security over time.
Conducting a quantitative risk analysis forces IT and security teams to set risk appetite thresholds, which enhances cybersecurity communications with executive management and the board. Qualitative risk maps, numerical rating scales and other similar tools may be useful in fostering risk awareness and prioritization, but risk management, including risk-based decisions, is enhanced if risk is quantified in financial terms.
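To make the quantification step concrete, the following is an added example (not code from the original article, nor the FAIR standard’s own tooling) of a FAIR-style Monte Carlo simulation in Python. It takes three-point estimates for loss event frequency and loss magnitude for one hypothetical asset, samples them from a PERT distribution (an assumption here; FAIR itself does not mandate a particular distribution), and produces an annual loss distribution that can be compared to a risk appetite threshold. All input figures are constructed for illustration.

```python
"""FAIR-style Monte Carlo annual loss simulation (added example).

Inputs are hypothetical calibrated estimates for a single asset:
  LEF = loss event frequency (events per year), as low / most likely / high
  LM  = loss magnitude per event (USD),       as low / most likely / high
Only the standard library is used so the example runs offline.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef_low: float      # events per year, low estimate
    lef_likely: float   # events per year, most likely
    lef_high: float     # events per year, high estimate
    lm_low: float       # USD per event, low estimate
    lm_likely: float    # USD per event, most likely
    lm_high: float      # USD per event, high estimate


def pert(rng, low, mode, high, lam=4.0):
    """Sample a modified PERT (beta) distribution on [low, high] peaked at mode."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, lam):
    """Sample a Poisson event count (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario, years=10000, seed=1):
    """Return one simulated total loss (USD) for each simulated year."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        # Draw this year's event rate from the LEF range, then the number of events.
        rate = pert(rng, scenario.lef_low, scenario.lef_likely, scenario.lef_high)
        n_events = poisson(rng, rate)
        # Each event gets its own magnitude draw from the LM range.
        total = sum(
            pert(rng, scenario.lm_low, scenario.lm_likely, scenario.lm_high)
            for _ in range(n_events)
        )
        annual_losses.append(total)
    return annual_losses


def summarize(losses):
    """Summary statistics a board-level report would show: mean and tail percentiles."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": ordered[-1],
    }


def exceeds_appetite(summary, appetite_usd, percentile="p90"):
    """True if the chosen tail percentile of annual loss breaches the risk appetite."""
    return summary[percentile] > appetite_usd


# Constructed scenario: ransomware on a customer-facing order system (hypothetical).
RANSOMWARE = Scenario(
    name="ransomware: order system",
    lef_low=0.5, lef_likely=2.0, lef_high=6.0,
    lm_low=20_000.0, lm_likely=150_000.0, lm_high=2_000_000.0,
)

if __name__ == "__main__":
    result = summarize(simulate(RANSOMWARE))
    for key, value in result.items():
        print(f"{key:>5}: ${value:,.0f}")
    print("breaches $500k appetite at p90:", exceeds_appetite(result, 500_000))
```

The useful output is not the mean alone but the tail: the p90 and p99 figures are what a risk appetite statement should be tested against, and the same summary can be produced per scenario and ranked to decide which crown jewels get protection budget first.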
Increase the Confidence of Executive Management and the Board Through Effective Reporting
If cyber risk is measured quantitatively and risk thresholds are established, metrics can be provided on a periodic basis to depict the health of the security program. Such metrics might include, among others, how many incidents (e.g., breaches, protocol violations and near misses) are detected every quarter, how many high-risk third parties have not been assessed or have outstanding issues, the number of patches exceeding agreed-upon patch time frames, the length of time it takes to respond to a breach and the length of time it takes to remediate audit findings. These metrics can be useful as a barometer for changes that signal a need to dig deeper. Management can then determine the budgets appropriate to secure the organization from cyberattacks and breaches.
Metrics can be presented through a focused dashboard addressing the organization’s major cyber threats and highest-risk third parties, as well as how well they are being managed. The aforementioned research indicates that organizations that perform quantitative risk analysis excel in all cybersecurity categories – time to detect incidents, number of incidents, time to patch, etc. One publication on cyber risk oversight includes examples of cyber risk reporting metrics and dashboards useful for boards that could also be of value to senior management.[4]
Organizations have four independent resources they can use to enhance their understanding and assessment of the effectiveness of cybersecurity measures and overall health of IT security: PCI data security standard compliance assessments (to the extent applicable), ISO 27001 certifications, internal audit cyber assessments and the use of outside consultants to evaluate specific areas and provide independent assessments and analysis. Consultants may include “White Hat” hackers and penetration testers who are hired to attack the organization, report on the company’s vulnerabilities and make recommendations to address them. These reports offer executive team and board members an opportunity to ask pointed questions.
The management team should understand cybersecurity risks in the same way it understands the overall competitive landscape. CEOs typically know or want to know the organization’s top five competitors; however, do they know the organization’s top five cybersecurity adversaries? This knowledge presents a challenge to obtain, as the list of the most dangerous hackers and attackers changes regularly. That said, management would be well-served to keep as close an eye on these threats as it does the company’s competitors. A company’s reputation, established and nurtured for 100 years, can be severely damaged instantly through a high-profile cyberattack and its destructive aftermath.
Take Stock of the Changing Cyber Landscape
It is important to stay in touch with the cyber landscape as it evolves. For example:
- Ransomware has become a critical issue. Regular backups remain the core defense, but only if they are kept offline or otherwise immutable and are periodically tested for restoration, since modern ransomware operators seek out and encrypt reachable backups first. Even with good backups, these attacks present significant threats, especially if they result in a system shutdown or an inability to interact with clients and/or customers.
- Today, it is not just about credit card data; rather, the focus should be on any information that might be of value to hackers or third parties (e.g., medical records, intellectual property and customer files). Accordingly, the organization should understand its data as well as the exposure created from having it. Understanding all possible data targets is key.
- One of the biggest cyber risks for an organization involves mobile devices, especially those with software not approved by the organization. As noted earlier, COVID-19 increases this risk.
- Third-party threats loom large and warrant more attention, and, as discussed earlier, COVID-19 also increases that risk.
- The threat of state-sponsored cyberattacks looms large on the cyber landscape. These perpetrators have effectively unlimited resources, and a growing number of their attacks are being directed at specific companies. Threats to the national power grid and other key infrastructure raise serious concerns about how companies would be affected if those systems were attacked or shut down.
An information sharing and analysis center (ISAC)[5] can be beneficial in obtaining insights regarding computer security threats and is an example of cooperation and two-way sharing of information between the private and public sectors. It is good for the entire industry in which the organization operates and can help reduce the overall industry’s profile as a target. This involves industry information sharing – it helps everyone. While leveraging insights from an ISAC is highly recommended, a challenge for an ISAC is the restraint on sharing due to concerns over disclosing confidential and sensitive information.
Regarding strong cybersecurity measures, some organizations are later to the game than others. But the game has been changing for some time and, with the virtual work environments and deployment of new technologies spawned by the COVID-19 pandemic, it is changing once again. Hackers now pursue far more than financial data. In fact, considering that ransomware is essentially a moneymaking activity for hackers, any organization is a target. If that weren’t enough, nation-states have elevated the sophistication of the threat, necessitating more advanced detection and response capabilities.
The takeaways are crisp and straightforward:
- Be mindful of how changes in vendor operating environments can create additional cyber risk.
- Give more attention to response and recovery measures.
- Align the company’s cybersecurity maturity with its digital maturity.
- Focus on the human perimeter.
- Quantify cyber risk and provide effective reporting to the organization’s leaders to engender confidence in cybersecurity.
- And stay in touch with the evolving cyber landscape.
[1] The NIST Cybersecurity Framework offers computer security guidance for private-sector organizations in the United States to use when assessing and improving their ability to prevent, detect and respond to cyberattacks.
[2] The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change is a research report from a joint effort of ESI ThoughtLab, WSJ Pro Cybersecurity, Protiviti and a group of prominent organizations to conduct rigorous global research and analysis involving a survey of 1,300 global executives across multiple industries, advisory meetings and interviews with leading experts and practitioners, and analytical tools to benchmark approaches and assess performance impacts.
[3] Factor Analysis of Information Risk (FAIR) is a quantitative model, published as an Open Group standard, for understanding, analyzing and quantifying information risk in financial terms. FAIR uses an enterprisewide portfolio approach to analyze and aggregate potential loss events based on their likely frequency and magnitude.
[4] See Appendices E and F, ”NACD Director’s Handbook Series on Cyber-Risk Oversight,” 2017.
[5] As attacker resources and sophistication have increased over time, information sharing and analysis centers (ISACs) have been formed for multiple industries in the United States, with encouragement from regulators and government agencies. An ISAC is a nonprofit organization that provides a central resource for gathering and sharing information on cyber threats to critical infrastructure.