[BreachExchange] Securing Your Digital Future: Cyber Trust As Competitive Advantage

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 21 13:57:52 EDT 2017


http://www.digitalistmag.com/digital-economy/digital-futures/2017/04/20/securing-digital-future-cyber-trust-as-competitive-advantage-04998170

The accepted wisdom in the cybersecurity field today is that there are two
types of companies in the world: those that know they’ve been hacked, and
those that don’t.

No enterprise is immune from cyber threats, and the list of big, scary data
breaches continues to grow. The vast majority of companies in Europe (92
percent) have been hacked in the last five years, according to a recent
survey by specialty insurer Lloyd’s of London. The average total cost of a
breach is $4 million, according to a 2016 study by the Ponemon Institute.

Yet, categorized as risk to avoid rather than opportunity to pursue,
cybersecurity has never been a terribly sexy topic in the C-suite. It’s an
added expense—and one that slows down efforts to leap ahead
technologically. The significant attention it receives tends to be of the
negative variety when things go horribly wrong. Even as companies have
embarked on their digital transformation efforts, security has remained an
afterthought—tacked on after a big new investment in advanced analytics,
cognitive systems, or Internet of Things (IoT) technology. Very soon,
however, that reactive approach will seem antiquated.

A coming mind shift

Spending on IT security has been increasing in the last two years, even as
overall technology budgets have been decreasing, according to a 2016 report
by the SANS Institute. But it’s not just a lift in spending that’s called
for, but also a shift in thinking.

In today’s age of rapidly developing transformational technologies, keeping
on top of emerging security and privacy threats is more challenging—and
more critical—than ever before. As companies collaborate with a wider
network of partners and meet new demands for 24/7 operations and greater
transparency with customers, cyber security risks multiply. The scope,
scale, and impact of cyber attacks will grow in concert with increasing
digitization:

4.2 billion records were exposed in more than 4,000 known data breaches in
2016, according to Risk Based Security.

Cyber insurance premiums could increase tenfold to $20 billion annually by
2025, according to Marsh & McLennan.

The cost of data breaches will reach $2.1 trillion globally by 2019—nearly
four times the estimated cost of breaches in 2015, according to Juniper
Research.

Cyber attacks could cost the world up to $90 trillion in net economic
benefit by 2030 if cyber security doesn’t keep pace with growing
interconnectedness, according to a study published by the Atlantic Council
and the Zurich Insurance Group.

Cyber risk is expanding beyond the virtual world to the physical one.
Hackers used highly destructive malware to bring down three Ukrainian power
distribution companies in 2016, for example, cutting power to 80,000 people.

The expanding universe of Internet of Things devices is particularly
vulnerable to exploitation as companies may not update them after
installation and many devices are not able to receive security update
patches, according to AIG. In fact, an IoT hack took down Amazon, Twitter,
Netflix, and other major sites in October 2016.

Connected devices pose particular concern in healthcare, an industry that
already faces 340 percent more cyberattacks than the average industry and
that fails to monitor 75 percent of hospital network traffic, according to
a report from Raytheon and WebSense Security Labs.

Cyberattacks are one of the top ten global risks of highest concern for the
next decade, right alongside such threats as water and food crises, natural
catastrophes, social instability, and national governance failures,
according to the World Economic Forum.

Just a third of companies today are sufficiently prepared to prevent a
worst-case attack, according to Oliver Wyman, and only a quarter currently
treat cyber risk as a significant corporate risk. But as cyber risk expands
and the attacks result not only in financial and reputational damage but
also in physical destruction, danger, or loss of life, trust will become a
competitive advantage. Therefore, those companies and organizations that
want to dominate their markets will approach security as a strategic
investment, proactively embedding cybersecurity strategy into business
strategy.

As companies continue their digital transformations, they need to adopt
more flexible and ubiquitous cyber defense measures to meet the more
extreme threats they will face. Failing to do so risks unanticipated costs,
operational shutdowns, reputational damage, and legal consequences.

A zero-trust approach

Unfortunately, there is no off-the-shelf solution to manage the entirety of
a company’s cyber risk. As companies continue to introduce more digital
innovations, they must continuously adopt and adapt cyber security measures
commensurate with the growing threats they’ll face.

In a global economy, security can only be as good as the regulations,
compliance, and enforcement in the countries where an organization
operates—and those vary wildly around the world. What’s more, even when a
company’s leaders take a more proactive approach to investing in cyber
security protection and response, its partners and suppliers may not.
Nearly 80 percent of companies fail to assess their customers and suppliers
for cyber risk, according to a survey by Marsh & McLennan. And hackers
certainly will be proactive about finding the weakest link in a value
chain. Meanwhile, as enterprises adopt a growing legion of
internet-connected devices and sensors, cyber security risk will be
distributed even more widely.

Organizations must evolve from the attitude that perimeter security,
achievable by firewalls or anti-virus protection, is enough. As
interconnectivity and interdependency increase, so too will the adoption of
zero-trust networks. The zero-trust approach questions the assumption that
a company can be made safe and sound within the confines of its own
“secure” corporate network. Instead, a zero-trust approach places controls
around data assets themselves and creates increased visibility into how
they are used across a digital business ecosystem.

A new approach for a networked world

But, as SAP CEO Bill McDermott wrote to customers in 2016, “Information
security is a journey without a destination. The security threat in the
enterprise is relentless and multiplying, and the attackers are getting
more sophisticated.” A zero-trust network is not enough. When the question
is not if, but when, a significant breach will occur, how a company manages
this inevitability becomes critical.

The key is to develop a robust approach to measuring, controlling, and
responding to cyber risk. We recommend a three-pronged strategy to manage
the threats in the expanding enterprise ecosystem:

Prevent. This aspect of cyber security strategy remains as important as
ever, and companies must evolve their preventative strategies, from their
security policies and educational approaches to the actual access controls
they put in place.

Detect. In an evolving cyber threat environment, there is no foolproof
prevention approach. Selecting and deploying appropriate intrusion
detection systems for the timely detection and notification of compromises
is critical.

React. Detection is useless without a response. Companies that approach
cyber security as a competitive advantage will put incident response plans
in place in much the same way they would plan for recovery from a natural
disaster.

Building trust, not walls

The Great Wall of China may have succeeded as an exercise in power or a
feat of construction. But as a security strategy, it was a failure.
Similarly, a cyber security strategy focused on building strong enough
borders around the company will fail. It’s impossible to keep all the bad
guys out.

As more of a company’s data and its business processes become distributed,
its cyber security strategy must become much more far-reaching. The good
news is that even as digital technologies increase cyber security risk,
they can also help mitigate it. Many cloud providers, for example, are
taking a more robust approach to security strategy than their customers
might. New technologies like machine learning and big data analytics can
strengthen security protections. Of course, the hackers can—and will—take
advantage of these powerful technological advancements as well. Cyber risk
experts will tell you the dark web is teeming with attack tools that enable
hackers to take advantage of outdated security approaches and corporate
vulnerabilities. They’ve been quick to take advantage of new automation
tools in order to carry out more sophisticated and layered attacks on
corporate and state assets.

Companies who embrace trust and security as competitive advantages will
build security into their digital ecosystems at each layer:

Secure Products: Incorporating security into all applications, ensuring the
protection of content and transactions.

Secure Operations: Investing in hardened systems, security patch
management, security monitoring, end-to-end incident handling, and a
comprehensive cloud operations security framework.

Secure Company: Creating a security-educated and aware workforce,
end-to-end physical security of assets, and a comprehensive business
continuity framework.


Forward-looking companies will follow these principles not only within
their own organizations but expect them from their network of partners,
suppliers, and customers. The hackers of today and the future aren’t working
alone and neither should the companies they’re targeting.

The risk of full-blown cyber catastrophes is real. The WEF has warned that
large-scale cyber attacks could cause significant economic damage,
geopolitical tensions, or widespread loss of trust in the Internet.

A report from the Atlantic Council and Zurich Insurance Group found that as
soon as 2018, there could be damage from massive cyber attacks equivalent to 1.5
percent of global GDP that is “certain to drastically increase risks and
drag down net profits for companies that are most exposed to
cyber-attacks.” The worst-case scenario could result in a state of
perpetual cyber crime and cyber warfare, increasingly vulnerable critical
infrastructure, and losses of $90 trillion globally, according to the
report.

A collaborative network approach will be critical to combatting such a
persistent global threat with implications not just for corporate and
personal data, but strategy, supply chains, products, and physical
operations. Trust will be the most important currency in the digital
future—one that companies will have to earn and work diligently to keep.