[BreachExchange] Who should be responsible for cybersecurity?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 17 10:55:13 EST 2018


The news today is flush with salacious stories of cyber-security breaches,
data held hostage in brazen ransomware attacks, and compromised records and
consumer information. So too has the fallout become increasingly familiar:
broken trust, ruined brands, class-action lawsuits, and prolonged periods
of finger pointing.

In September 2017, news broke that consumer credit reporting agency Equifax
had suffered a catastrophic breach the preceding May. Hackers gained access
to the personal data of nearly 150 million American citizens – roughly two
thirds of the country’s population – including full names, Social Security
numbers, addresses, and dates of birth. The swiftly unfolding scandal sent
the company’s stock plummeting 33%, a market value loss of approximately
ten billion dollars. Currently, three Equifax C-Suite managers are under
federal investigation for allegedly dumping stock prior to disclosing the

The digital sphere has always been rife with pathogens. Elk Cloner ravaged
Apple IIs by way of contaminated floppy disks in 1981, and Brain infected
IBM PCs in 1986. Initially little more than nuisances concocted to spread
chaos and frustration, today malware is a primary tool of lucrative (if
fragmented and decentralized) criminal enterprises whose foremost goal is
financial gain through extortion and embarrassment.

The high-profile nature of certain attacks – Equifax, Anthem, Home Depot,
Yahoo, Sony, and Uber, to name a few – obscures the fact that while the
form, scale, and intent of attacks tend to vary, the threat looms over
organizations of every stripe and size – private, public, and
not-for-profit alike – in every corner of the globe. Colleges and
universities have fallen prey to costly ransomware attacks, havoc has been
wreaked on banks in Italy, Canada, and Bangladesh, and Russian hackers
hijacked the 2016 federal election through a simple phishing scam. Such
attacks are alarmingly easy to design and deploy. Phishing, for example,
requires only a single distracted click on a link in an email or text. Once
the automated malware has gained a toehold, systems and networks can be
crippled in a matter of minutes.

Standing vulnerabilities are being exacerbated by the growing centrality of
digital media in our day-to-day lives. The proliferation of devices means a
multiplication of exploitable entry points, as does data stored across
networked hardware and cloud-based platforms. The more sprawling the
company or organization, the more exposed it may be, necessitating
cyber-security strategies that cover partners, manufacturers, and
suppliers. Not only are new dangers always emerging, but they can occur
because of easy-to-make mistakes such as forgetting to update your OS, or
through portals as unlikely as an IoT-enabled fish tank.

The crisis is as widespread as it is confounding to combat. Perpetrators
not only employ an ever-expanding suite of tools and tactics, and target
bounties ranging from consumer data to proprietary assets, but they are
driven by mercurial motives. Some hackers espouse anti-corporatist
ideologies, some are astutely transactional, and others still – Anonymous
for example – are first and foremost retaliatory. Add to these slippery
intentions a lack of territorial affiliation, and one can see how
present-day cyber-foes are diabolically tricky to identify, much less
apprehend and prosecute.

All indications are that cyber-crime is in its infancy, a phenomenon that
will only intensify. CNBC recently reported that in the first half of 2017,
the number of attacks spiked 164% compared to the same period in 2016,
entailing 918 disclosed data breaches resulting in nearly two billion
compromised records. The report suggests that this increase is partly
attributable to new regulations pertaining to corporate transparency,
including the EU’s GDPR and the UK’s Data Protection Bill. This legislation
coincides with the establishment of government agencies tasked with
policing these fraught digital landscapes, such as the Cyber Threat
Intelligence Integration Center in the U.S.

Yet the urgency with which governments are working to enforce transparency
and security stands in stark contrast to the reluctance demonstrated by
businesses to recognize and react to so significant a threat. One need only
look at the typical IT budget to recognize how little the gravity of the
crisis has sunk in. Even though companies across all sectors rank
cyber-security as their most pressing issue, and despite an upward trend in
spending, the typical cyber-security budget is profoundly underfunded.
According to Steve Vintz of the Harvard Business Review, “IT budgets are
typically 3-7% of a company’s revenue, and security budgets are typically
5% of IT spend.” In other words, the average company allocates just over 1%
of revenue to safeguarding against potentially catastrophic attacks.

This lopsided spending reflects, perhaps, a longstanding disinterest
exhibited by financial stewards toward IT issues. It’s the number crunchers
versus the nerds, the former obsessed with spending and bottom lines, the
latter always on the lookout for shiny new toys to tinker with. The VP
Finance or CFO, therefore, assumes the attitude of a parent reining in an
indulgent child, rather than a collaborator working toward mutual goals.
Fissures such as these have the unfortunate effect of relegating
cyber-security to the IT silo, with the CFO punting the ball to (often
already overtaxed) technical divisions and managers, then washing their
hands of further responsibility.

C-suite abdication reveals a central but oft-overlooked error, one baked
into the term “cyber-security” itself: though traditionally tucked away
under the IT umbrella as a security concern, many if not most of the
consequences of cyber-attacks are monetary, with severe and long-lasting
financial implications. Though difficult to tally, a 2017 study by Centrify
and the Ponemon Institute pegged the average cost of a data breach at $4
million, the average stock price drop at 5%, and the average revenue
decline at $3.4 million. And this is to say little of the embarrassment of
suffering an attack – looking weak and ill prepared, the erosion of
consumer trust and confidence, and a tarnished reputation and brand – much
less lawsuits. Target paid $18.5 million after a cyber-attack put the data
of sixty million of its customers in peril, and Anthem was slapped with a
$115 million penalty. Fortune magazine writer Jeff Roberts predicts that
Equifax will pay out approximately a billion dollars to settle suits
resulting from its attack.

Moving forward, a chief concern must be not only how CFOs can participate
in the design and implementation of cost-effective cyber-security systems
and protocols, but more importantly how they can take the lead in fostering
company-wide cultures of cyber-awareness, vigilance, and preparedness.
Clearly cybersecurity is everybody’s problem. It is high time this truth was
recognized, starting with the executive suite on down.