Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), in a recent New York Times op-ed, called on Congress to pass bipartisan cybersecurity legislation after two failed attempts. Likening the pending danger of cyberattacks to a looming Pearl Harbor, the senators maintain that absent mandatory cybersecurity requirements, “the day on which those cyberweapons strike will be another ‘date that will live in infamy,’ because we knew it was coming and didn’t come together to stop it.”
The senators are correct. Cybercrimes — against government facilities, public utilities and private enterprises — are on the rise at an alarming rate and represent a significant strategic threat to the security of the nation, its economy and the welfare of its businesses.
According to the just-released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, significant cybersecurity threats against U.S. government systems alone rose more than 680 percent between 2006 and 2011. This past year smartphones became the preferred target for cybercriminals and the security firm Kaspersky Lab identified more than 35,000 malicious programs in 2012, six times more than the year earlier.
Mounting threats like these are why federal standards and regulations are ever more likely, despite the fact that the proposed bill backed by Sens. Lieberman and Collins died at the end of the last congressional session. Nevertheless, though legislation may be a matter of time, in its absence companies should transform how they think about cybersecurity.
The Growth of Cybercrime
Over the past 10 years, the criminal cyberworld has experienced a large shift from an individual, independent focus to a virtual, coordinated, collaborative model that thrives on innovation and data sharing. A malware ecosystem has emerged that supports this wave of cybercrime. Any potential hacker has an available network of resources from which to choose, and many have specialties.
The cost of fraud tools available to cybercriminals continues to fall. For example, Information Week reported that one package, the SpyEye Trojan, is now available free or at a fraction of its original $10,000 price tag. Groups engaging in cybercrime include a variety of nation-states, organized crime, individual hackers, corporate spies, foreign government agencies and others. And they have been successful.
The personal information of 94 million Americans has been exposed to potential identity theft through data breaches at government agencies since 2009. In 2011 alone, an estimated 71 million people in the United States were victims of cyberattacks costing them about $21 billion in damages, reports CNET.com.
Though many companies have made considerable strides to address cybersecurity issues in a strategic fashion, many others still do not have an adequate strategy or plan. Consider these responses as detailed in the recently released 2013 Deloitte Touche Tohmatsu Limited (DTTL) Technology, Media and Telecommunications Global Security Study:
• Fewer than half of survey respondents reported having a response plan in place to address a security breach, and only 30 percent believe third-party suppliers are shouldering enough responsibility for cybersecurity.
• Nearly three-quarters (74 percent) of the 121 executives surveyed rate security breaches at third-party suppliers among the top three threats followed by denial of service attacks and employee errors and omissions.
• Other major threats identified by respondents include advanced persistent threats (64 percent) and hacktivism (63 percent). Hacktivism, which combines social or political activism with hacking, is new to this survey.
• While more than half of those surveyed gather general intelligence information, only 39 percent gather information about targeted attacks specific to their organization, industry, brand or customers.
The risks of cyberattacks may deliver a serious blow to a company’s brand and reputation, along with potentially significant consequences. Typically, they include:
• Increased cybersecurity protection costs for people, processes and technologies to increase information security in the organization;
• Lost revenues from unauthorized use of proprietary information or the failure to retain or attract customers;
• Litigation or pending litigation arising from a cyberattack; and
• Reputational damage and remediation costs that adversely affect customer and investor confidence.
The DTTL Technology, Media and Telecommunications Global Security Survey reported that the median annualized cybercrime-related cost for a company is $5.9 million.
So what does this mean for the C-suite, boards and financial executives and what do they need to do about it? First, the executives can become knowledgeable about what cyberattacks and cybersecurity are, as well as:
• Evolving cybercrime trends and regulations;
• Things to look for relative to cyberinsurance;
• The role of the C-suite and board in advancing cybersecurity;
• How to assess a specific company’s risk; and
• Action steps worth considering.
What are Cyberattacks and Cybersecurity?
Defined as attacks directed at a specific person or organization rather than at random victims, targeted cyberattacks are considered especially dangerous because they often spearhead advanced persistent threats (APTs) — insidious, long-term electronic “campaigns” that may be extremely difficult to uncover and address.
For example, APTs may provide sustained access to the financial or other sensitive or confidential data of a target company or its online customers. Typically, APTs seek entry into a system through mobile, social and cloud computing environments, which complicate cyberdefense because they tend to be more open and more vulnerable networks. The perpetrators of APTs are able to adjust their behavior over time to adapt to changes in the environment and thereby get the desired result.
Cybersecurity has various related definitions, but with the changing security market, cybersecurity tends to be used as a synonym for information systems security, encompassing the range of information security technologies and services, including identity and access management, breach incident response and the protection of information technology infrastructure such as networks, routers, email and Web servers.
Until recently, many organizations had not been taking a broad view of the security landscape. Since cyberthreats can come from multiple vectors, the old standard approach of simply implementing a software package may no longer be sufficient. Security strategies and defenses today require reviewing the entire system and the interdependencies within it.
Moreover, firewalls, intrusion detection systems and anti-virus software may not be a complete solution to the problem. As sole deterrents, these often fall short of disarming many threats, as they deal with technology processes and not the human element behind APTs.
Combined, the increased risks to American companies and government agencies, growing cybercrime and the resulting effects on the citizens are driving the push for changes in regulation.
Federal Standards and Regulation
Over the years, when there have been systemic or chronic issues that led to significant corporate failures, tighter regulation has almost inevitably followed. That has been the case, for example, with most of the U.S. regulations dealing with various state breach notification laws, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act and many others.
With the dramatic increase in the number of breaches and the rapid spread of cybercrime, the pressures for corporate action and further regulation continue to mount. The catalyst for this change has been an environmental one: we used to process all the information on our own computers, in our own building and within our own controlled information ecosystem.
With the arrival of the Internet and the consequent changes in the IT environments, companies and customers now have very limited control over their IT ecosystems. We are now conducting business over the Internet with many third-party suppliers and business partners using cloud, mobile and even BYOD (Bring Your Own Devices). With this new and rapidly evolving ecosystem, cyber “bad guys” have many points of attack and frequently aim for the weakest links — most often an organization’s own people with mobile devices.
There are two consequences to this reality: first, it is becoming ever more difficult to control the corporate IT environment; and second, the road to greater regulation is rapidly taking shape.
At both the state and federal level, legislators are attempting to establish guidelines to strengthen “the security and resiliency of the cyber and communications infrastructure of the United States” — the main objective of the 2011 Cybersecurity Bill endorsed by Sens. Lieberman and Collins. Among many things, the bill focuses on promoting the sharing of cybersecurity information through a public-private partnership that emphasizes regular and meaningful collaboration.
The intent of the legislation was to enable both law enforcement and companies to more easily share the evidence of cybercrime and the electronic fingerprints and techniques of cybercriminals (without any specifics about the company targeted) and thereby enable companies, government agencies and individuals to protect themselves from a similar attack.
Clearly, collective action and information sharing around these sophisticated cyberthreats may advance a level of cybersecurity that is beyond the reach of any single organization.
The Growing Use of Cyberinsurance
Although cyberinsurance may help protect a company’s assets and reputation, it is not a silver bullet. A number of complex issues remain subject to discussion, including liability, consumer protection and minimum cybersecurity standards for the purchaser of the insurance, as well as how to determine insurance premiums. Already, some insurers are proactively litigating to invalidate policies because of poor practices on the part of policyholders.
For their part, companies are trying to add cyberinsurance to hedge against the inevitable data breach, address the continued threats and revise their (often siloed) strategies in anticipation of laws that will affect less regulated industries, such as technology, media and telecommunications, more significantly than their peers in industries with already tighter regulations, such as banking.
What is covered under a cyberinsurance policy varies depending on the carrier. It frequently includes the cost of forensics that help to identify the breach, its cause and what was lost, in addition to the costs of disclosing what happened, the expenses related to lawsuits, as well as the cost of some of the repairs to the affected systems. Whether or not the cyberinsurance covers potential losses associated with stolen intellectual property is a matter for debate. With all these variables, regulation will likely be necessary to address the basic issues, including matters related to insurance coverage and the basic “safety standards” necessary for companies that are applying for cyberinsurance.
Despite all these complexities and the evident benefits of some kind of cyberinsurance, according to a survey by the Chubb Group, 65 percent of public companies do not have cyberinsurance — even though they identify cyberrisk as their number one concern. Nevertheless, 25 percent of those surveyed expect a cyberattack or breach in the coming year, and 71 percent have cyberbreach response plans.
Though one might surmise that high-profile and high-risk companies are at the greatest risk, small to medium-sized businesses are not, by definition, safe. About 72 percent of the 855 data breaches worldwide analyzed by one study last year were at companies with 100 or fewer employees. That’s up from 63 percent of the 761 data breaches it analyzed in 2010, reported Sarah E. Needleman in a Wall Street Journal article, “Cybercriminals Sniff Out Vulnerable Firms.”
Role of the C-suite and Board in Promoting Cybersecurity
The new, more wide-ranging approach to cybersecurity has taken strategic IT issues in a new direction. Beyond focusing on preventing the catastrophic incident, it now uses a risk-based approach and aims to address a large array of threats, from the single attack to sustained corporate espionage in the form of advanced persistent threats, which steal proprietary data and information over a long period, much like an espionage mole. It also goes beyond just “defense strategies” to include cyberthreat intelligence, detection, enriched analysis and response.
The C-suite and board should consider taking a more active role in promoting an integrated approach to IT strategy and cybersecurity. Top-level security and privacy practitioners, along with third-party research, confirm that cybersecurity is increasingly becoming a concern not only of IT organizations, but of senior corporate leadership including corporate boards.
Consider these facts:
• According to a Carnegie Mellon University global study, 48 percent of the corporations surveyed have a board-level risk committee responsible for privacy and security risks, up from just 8 percent in 2008. Some 40 percent of the North American respondents say their company’s board deals with computer and information security issues.
• Boards across industries realize that information sharing is key to addressing cyberthreats and vulnerabilities between the public and private sectors — a goal of the proposed and twice-defeated federal legislation supported by Sens. Lieberman and Collins.
Consider that executive management and directors have historically been well-seasoned financial and operations executives. They have relied on these skills to make sound business decisions around financial and operational risk, and on industry-standard measurements to gauge the health of operational and financial risk. Some of these are balance sheets, cash flow statements and metrics such as same-store sales, revenue per person and other metric tools. Unfortunately, there are no standard measurements yet for cybersecurity.
A problem is that most executive managers and directors do not have the experience or expertise to make adequate judgments on how cybersecurity may affect their business and the efforts needed to manage the risks. Moreover, the need for a chief information security officer (CISO) — who is both a business manager and strategist, like the chief information officer (CIO) — is not fully appreciated in many companies.
In fact, the business acumen needed in a CISO has emerged even more quickly than it did for a CIO, and given the pressures and specifics of cyberissues, most CIOs are not able to adequately handle both roles.
Finally, many companies are currently not organized, equipped, staffed or positioned to address broader cybersecurity needs within their IT departments. This is evidenced by the continued growth in cybersecurity breaches. This newer approach begs the C-suite to ask which parts of cybersecurity it should manage itself and which it should outsource to specialists.
Another important consideration is the danger that any standards or regulations — either mandated by the government or put in place by the C-suite or board — may be seen as a matter of compliance. And compliance matters frequently do not receive the dynamic and full-fledged attention they merit. They are seen as a necessity — not a strategic asset or benefit.
Cybersecurity is not a compliance issue. It’s a strategic issue. That’s why it merits the proactive and ongoing attention of the board and C-suite.
Assessing Risks
How can the board or C-suite proactively protect the organization’s assets? What do they need to know? What does management need to be asked to ensure they are doing the right thing?
An answer may begin with asking about the corporate ecosystem and understanding its significance to management and stakeholders alike — an increasingly important role for the CIO and CISO.
There are several questions and considerations to focus on:
• Start with the basics. Among the many questions to consider are: Where is my customer data being stored? If that data is lost, what is the impact? Is the information encrypted? Is the data in production and test environments? How do we make sure only people in R&D or like groups have access to secret information? If we are breached, what are the steps we go through? When does the legal department get involved and have we tested this?
• Understand which devices and systems support critical business processes. Any device that has an internal computer and is Internet Protocol (IP) enabled — such as cellphones and handheld devices — should be carefully scrutinized for vulnerabilities. Remember, as Bloomberg reports, humans are the weak link in the effort to secure networks against sophisticated hackers. The ability of hackers to exploit people’s vulnerabilities has improved their odds of success.
In the absence of federal regulations and any existing internal rules or guidelines, how can the C-suite and board begin to analyze and implement a detailed approach to cybersecurity, one grounded in the notion that cybersecurity is a strategic investment to protect company assets?
A useful place to start may be to understand and agree to the company’s risk tolerance. How much is the company willing to risk based on the cost to prevent? The U.S. Securities and Exchange Commission (SEC) October 2011 interpretive guidance in CF Disclosure Guidance Topic No. 2 provides many helpful suggestions. Among other things, the release details recommended disclosure obligations relating to cybersecurity risks and cyberincidents. Though it does not represent a rule, regulation or statement of the SEC, boards may achieve a potential strategic advantage by realizing and addressing several distinct impacts that may arise out of this guidance.
Next Steps: Creating a Roadmap
It is not enough merely to employ the most common security controls and then get back to business. The Internet and Internet-based technologies have matured to the level where they are now an enabler of a key portion of an organization’s bottom line. The ability to secure this capability is an integral function of the business model. Through the development of a cybersecurity roadmap, an organization may progress through the maturity life cycle in a planned and detailed fashion while demonstrating due diligence to its customers and investors.
With a cybersecurity roadmap, an organization has the opportunity to increase its understanding of the factors driving the changes in cybersecurity and to proactively address these changes. The SEC’s reporting guidance is intrinsically tied to many of the basic components of a solid cybersecurity framework and the growing trend is toward increasing focus in this area.
By incorporating this reporting framework now, an organization has the potential to reduce the impact of future and more comprehensive regulatory requirements. By addressing these guidelines proactively, it also provides an opportunity to address one of the more important questions within the cybersecurity field: What don’t we know that we should know?
While discussing the impacts in a theoretical sense helps with the formulation of longer-range strategies, of key concern for many organizations is answering the question, “Where do I go from here armed with this information?”
One approach is to create a roadmap that addresses not only the SEC reporting guidelines but also provides an opportunity to revisit the organization’s cybersecurity methodology.
To help shape the organization’s roadmap, determine whether the following five questions can be answered with an appropriate level of confidence:
1. What don’t we know that we should know? Are the security and business teams incorporating ideas on what could happen?
2. Are we properly resourced (people, processes and technologies) to address current and emerging cybersecurity concerns?
3. Are we looking at the external as well as internal cybersecurity environment?
4. Is the cybersecurity apparatus fully integrated with the business processes?
5. Given that many companies implement only a portion of cybersecurity controls, how extensive is the cybersecurity apparatus today, and how extensive should it be? What is the plan to reach all planned systems and processes?
Cybersecurity is the combination of an organization’s people, processes and technologies working together to mitigate cybersecurity threats. By looking at the organization’s overall cybersecurity state — not just the technology portion — an organization may be able to develop a much clearer picture of its current status and gain a better understanding of its strengths and gaps.
Naturally, the general approach offered here provides only a broad framework for understanding the cybersecurity issues. Designing an appropriate strategy requires industry and company-specific information, analysis and implementation. But as Sens. Lieberman and Collins have so aptly argued, the time for action is now. For C-suites, boards and financial executives, the realities of cybercrime are such that waiting for federal regulation and legislation is a risk that may carry unnecessary and very costly repercussions.
This article first appeared in the March 2013 issue of Financial Executive magazine.
Kelly Bissell ([email protected]) is a principal and security and privacy specialist who leads Deloitte & Touche LLP’s information & technology risk management and global incident response practices in Atlanta.