[BreachExchange] Get Ready Now for the Cyber Attack Risks of Tomorrow

Wed Feb 1 19:54:23 EST 2017

http://losspreventionmedia.com/insider/data-protection/
get-ready-now-for-the-cyber-attack-risks-of-tomorrow/

It has always been important for loss prevention executives to understand
the top risks facing their businesses and to appreciate what keeps their
CEOs up at night, but a report by the World Economic Forum (WEF) shows that
times have changed. Now security risk is the top risk to business. It is
the very thing causing those sleepless nights.

The top risk to doing business in half of the world’s countries is
unemployment/underemployment or energy price shocks. In many other
countries, failure of national governance, fiscal crises, or asset bubbles
are thought to be the primary risk for doing business in the next 10 years.
But in the United States, cyber attack risks pose a greater danger to
future profits than any other risk, according to a survey of 750 experts
and decision-makers among the WEF’s stakeholder community. Moreover, data
theft is the second leading risk in the United States, according to the
WEF’s Global Risks Report 2016.

The United States is among a handful of countries that perceive the risk of
cyber attack as the greatest concern to business, joined by Estonia,
Germany, Japan, Malaysia, the Netherlands, Singapore, and Switzerland. The
constantly evolving nature of cyber attack risks makes them a tough
challenge to address, according to WEF experts. “Businesses trying to match
this speed in their development of prevention and response methods are
sometimes constrained by a poor understanding of the risk, a lack of
technical talent, and inadequate security capabilities.”

What do these experts think is key to addressing today’s top business risk?
Establishing some clarity on exactly who is in charge. “Although CEOs worry
about rising cyber risks, the ownership of and responsibility for the cyber
risk is less clear. Who in the corporation is the actual owner of the
risk?” asks the report. “While there are many ‘C-level’ owners (CISO, CFO,
CEO, CRO, risk management), each of these owners has differing but related
interests and unfortunately often does not integrate risk or effectively
collaborate on its management. Defining clear roles and responsibilities
for cyber risk is crucial.”

So, too, is acknowledging that prevention won’t reach 100 percent. The
sophisticated threats of government-sponsored economic espionage exceed the
defensive capabilities of many commercial enterprises, for example. As a
result, “the emphasis needs to be on streamlining mechanisms for early
detection, response and recovery, to mitigate and better manage the
consequences—limiting the damage, and ensuring business continuity.”

Finally, cooperation needs to play a critical role in mitigating cyber
attack risk in the years ahead. Although businesses can follow standard
industry practices or individually adopt ways to deal with cyber crime,
cooperation with law enforcement is necessary, as is coordination
throughout the value chain, because attacks can be made through supplier
systems.

Uncertainty is the Rule, Resilience is the Lesson

Globally, top risks will likely be very different in a decade than they are
today. For example, water crises—not among the top five today—is expected
to at the very top of business risks ten years from now. Additionally,
“transformative shifts in political and economic power—accelerated by
technological innovation, social fragmentation, and demographic shifts—will
have profound ramifications for the international security order,”
according to the WEF. So how can you prepare?

Focus on resilience because risks are uncertain, says WEF experts. Their
report calls for a “resilience imperative” because of the world’s
“increasing volatility, complexity, and ambiguity.” Although the exact
nature of future emergencies is cloudy, it’s clear that emergencies
affecting operations, like data breach incidents, can arise and dissipate
quickly. Companies that are resilient—and prepared to evacuate company
facilities and bring them back online quickly—will fare best in a world of
volatile risk.

This final point hints at the need to improve procedures for re-occupying
international facilities. Emergency plans, which often focus on evacuation
procedures, sometimes neglect this critical aspect of planning.

Reoccupation considerations should to be at the forefront of planning, said
Michael Blythe, author of Business Continuity Management. A reoccupation
plan should include procedures for sweeping a facility for harmful
materials, assessing damage or loss of materials, and making needed
repairs. To avoid risk to personnel and improve resumption of business,
companies may want to plan for what staff should return and in what order.
Defining occupation safety levels for facilities can also facilitate
business resumption. Example:

Level 1: Only security personnel are permitted at the location.
Level 2: Only security personnel and critical project managers are
permitted at the location.
Level 3: Security personnel, critical managers, and key staff are permitted
at the location.
Level 4: Security personnel, critical managers, key staff, and normal
workforce is permitted at the location.
Level 5: All personnel, including corporate leadership, are permitted at
the location.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170201/0efd83b9/attachment.html>