[BreachExchange] Why you should be prioritising cyber security risk management

Wed Jun 8 20:13:01 EDT 2016

http://www.information-age.com/technology/security/123461570/why-you-should-be-prioritising-cyber-security-risk-management

The threat of cybercrime continues to evolve and grow, as criminals adapt
to new security measures and take advantage of changes to our online
behaviour. The only constant appears to be our vulnerability: whatever new
steps are taken, by companies or individuals, the criminals always seem to
be one step ahead.

The problem is that it isn’t an even contest. Hacking and online fraud is
hugely profitable for organised crime, encouraging constant innovation and
change in attacks. A notable recent development has been the packaging of
sophisticated malware tools into kits that require few specialist skills to
use.

Now, criminals at the top of the chain can simply licence their tools in
return for a cut of the proceeds. With hacked personal data now cheap and
plentiful in online marketplaces, cybercriminals have proliferated.

The nature of the Internet means that this crime knows no borders: criminal
activity can be focused on the easiest and richest pickings, and the
perpetrators can be spread across the globe.

Crime-fighting agencies have been overwhelmed by the volume of activity,
and stymied by the fact that so much of it originates from multiple
overseas jurisdictions.

In 2015, 25% of large firms and around 15% of smaller ones reported network
penetration by unauthorised outsiders, while 90% of large firms experienced
a security breach of some sort (the median number of breaches was 14).

These relate only to detected incidents; the real numbers are probably much
higher. Many companies are turning to cyber insurance as a means of
mitigating the risks of a breach, but it is often difficult to define
exactly where the blame lies and thus whether a breach is covered.

In any case, insurance does little to arrest the growth of cybercrime, it
simply shifts the costs elsewhere.

The EU’s forthcoming General Data Protection Regulation (GPDR) is unlikely
to do much to reduce cybercrime, either. The GDPR extends responsibility
for protecting personal data to almost any business that holds it, no
matter their size, including hosted service providers.

It may lead to breaches and hacks becoming bigger news, due to increased
notification to the Information Commissioners Office (ICO) and larger fines
to the guilty parties.

Organisations will probably put more resources into security and breach
prevention as a result. However, the increased expenditure will probably
only divert criminal activities towards softer targets.

New technologies and services, like advanced encryption, two-factor
authentication and password managers, will improve the defence against
current threats. However, once their use becomes widespread, cybercriminals
are likely to repeat the patterns of the past and shift their focus to
other, as yet unidentified vulnerabilities. To get ahead of the criminals,
we need to change the way we do things.

Everyone should understand that cybercrime is a threat to all
organisations, whatever their size or type. It will continue to grow and
nothing that the government or the regulators are doing at the moment is
likely to curtail it. Therefore, it is up to business leaders to recognise
the threat and to ensure that their organisation is adequately prepared and
protected.

Unfortunately, according to current reports, only 37% of companies have any
kind of cyber incident response plan, and fewer than 50% of company board
members have ever requested information about their organisation’s
cyber-readiness.

Astonishingly, as of 2015, 32% of organisations had not conducted any form
of security risk assessment at all. This suggests a serious lack of risk
awareness and good governance in far too many firms.

Technology has become integral to most business operations, and almost all
of that technology is networked. This means that cybercriminals can gain
access to sensitive data or intellectual property via almost any part of
the business.

Lost data can be replicated and distributed at will, so a breach can never
be truly resolved, and serious data losses may even threaten business
viability. This makes cybercrime a serious strategic risk, and plans for
prevention and mitigation deserve the highest priority. However, many
business leaders are content to leave cyber security to the IT department,
in the belief that technology can fix the problem.

This is a dereliction of their duty to shareholders, and reflects a
fundamental misunderstanding of the threat, which is primarily linked to
user behaviour.

The process of risk management should be the same as for any other threat.
The first step is to understand what makes the organisation an attractive
target to cybercriminals, and where the main vulnerabilities lie.

Tackle these by breaking them down into appropriate tasks and
responsibilities, assign those to the right people, and ensure that each
has visibility at a senior level. Monitor all actions taken, and once the
appropriate measures are in place, ensure they are tested continuously and
audited regularly.

Ultimately, the aim should be to embed cyber security into all business
processes. This won’t stop your company from becoming a target, but it will
allow you to withstand the attack with minimal loss.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160608/0c0d9844/attachment.html>