[BreachExchange] CEOs: Are You Prepared For The Real World Ramifications Of Cyber Attacks?

[Audrey McNeil]

https://chiefexecutive.net/ceos-are-you-prepared-for-the-
real-world-ramifications-of-cyber-attacks/

Global cyberattacks like WannaCry and NotPetya have bumped cyber risk
firmly to the top of C-suites’ agendas. Even with this increased attention,
businesses are still grossly underestimating their exposure, particularly
because the attacks happening now are only the tip of the iceberg. The
disruption to businesses’ growth, competitiveness, operations and existence
is already playing out – and will dramatically increase in the near future.
Cyber risk threatens the viability of all organizations; no CEO should be
under an illusion about the implications to their business. Nonetheless, a
huge proportion of executives are not translating this attention into
implementation of the right people, processes and technology to protect
their companies.

Misperceptions

The misperception that cyber risk is predominantly a data breach issue for
large companies continues to exist. Outside industries like retail,
financial services and healthcare, organizations often underestimate the
size of the target on their backs, as they have not traditionally operated
under strict regulations on the use of data, such as protected health
information (PHI) and personally identifiable information (PII). The
responsibility for cyber risk management urgently needs to expand to
organizations across all sectors. The powerful convergence between the
digital and the physical worlds means the damage caused by cyber attacks
now extends far beyond loss of data security and intellectual property.
Tangible and intangible assets, systems as well as processes continue to be
tightly intertwined. As a result, cyber risk will have an even more
dramatic impact on business operations, research and development, supply
chains, manufacturing plants, third-party service providers and customer
relationships.

Bringing critical business functions online is increasing operational risk.
For example, testing exercises for companies in the energy sector have
successfully invaded critical supervisory control and data acquisition
(SCADA) systems that companies wrongly believed to be separate from their
main corporate network environment. SCADA systems and devices control
different processes in various contexts. The energy sector may regulate
electrical flow to turn machines on and off, as well as other aspects of
the exploration, transportation, and production of oil and gas. If a
malicious actor had hacked the corporate network and moved laterally into
the SCADA system before our technical experts discovered the issue, it
would not have been only the company’s valuable data and information that
could have been exposed. Imagine the production disturbance, business
interruption or even physical damage and human injury or loss of life that
could have been inflicted if normal functioning had been altered. There has
been similar success in testing exercises in other sectors, for example,
hacking manufacturing companies and accessing unreleased product designs,
configurations and launch plans. The convergence of the digital and
physical world in many industries, including biomedical devices in
healthcare and connected cars in automotive, increases the threat.

A Clear Disconnect

This disconnect between the seriousness of the risk and the measures in
place also varies by the size of the organization. Executives at smaller
firms are often skeptical over whether they represent such a significant
target for cyber attacks, which can limit their investment in
cybersecurity. However, criminals are not only targeting high value
corporates but launching large-scale attacks to disrupt as many
organizations as possible. For example, the Locky, NotPetya and WannaCry
ransomware attacks hit companies indiscriminately – regardless of size –
exploiting specific vulnerabilities, such as poor patch management. A small
to mid-sized organization might weigh the cost of a ransomware payment at a
few hundred dollars against the cost of a security assessment, remediation
and insurance, and decide to roll the dice. This approach often fails to
acknowledge the very tangible consequences of systems and information being
unavailable, even if there is no risk of physical damage or human injury.
It can be an existential miscalculation, as smaller enterprises in any
sector cannot always afford to withstand the interruption to sales and
operations caused by an attack.

Basic Fundamentals

While the majority of media reporting on cyberattacks is focused on data
breaches, the consequences for revenue, operations and other functions are
very real. Even in smaller or less mature organizations without a fully
staffed security department, there are some basic fundamentals that CEOs
should be asking about and ensuring are implemented:

1. Create a multidisciplinary committee for cyber risk management: The
impact of cyber risk can be felt across every department in a business –
from legal, to compliance, human resources, finance, communications,
operations, information technology and elsewhere. A cyber risk committee is
a relatively low cost organizational change that brings together the
relevant expertise to assess how cyber risk will impact multiple functions,
and how changes in the business – such as an M&A transaction, working with
a new vendor, or implementing new technologies – will alter the security
posture. The General Counsel, due to their apolitical position in the
organization, as well as familiarity with the regulatory environment and
downstream liabilities should chair this multidisciplinary committee and
report out to the CEO and Board with their findings.
2. Conduct a security assessment: The best way to understand the current
state of a company’s security, is to conduct an independent security
assessment. Smaller organizations with less complex systems may consider
SaaS-based solutions, which can be cheaper and allow IT or information
security leaders to input information and receive an instant score on their
security posture. The results of the assessment should then be shared with
the multidisciplinary committee so as to inform where budget is spent to
close gaps, prioritize critical data and assets for protection, and what to
insure.
3. Create a culture of security: Weaponize your employees in the fight
against cyber crime by investing in training and awareness programs. No one
should be exempt from these exercises – including the board and senior
executives. For example, proactively teaching how to spot suspicious
phishing emails as well as implementing better password management
practices. These small security strategies can have an immediate positive
effect.
4. Incident response planning: Incident response planning focuses on
improving the company’s resilience in the face of attacks. Many companies
now have an incident response plan, but it’s important to test the plan
with all stakeholders involved and keep it regularly updated. Planning for
an incident – particularly ransomware – also involves creating regular
back-ups of critical data and systems to reduce downtime, and testing
defenses, all by simulating attacks.
5. Have a tailored cyber insurance policy: Even after taking a number of
proactive steps such as those outlined above, the evolving threat landscape
means that no company can be completely secure. It’s important to ensure
that any cyber insurance policy takes into account the results of a
security assessment, so it covers areas of greatest vulnerability that it
may not be feasible to remediate.

A CEO needs to enlist the entire company in the effort to establish common
metrics around cyber risk, building a culture of security through open
dialogue, planning and testing. It all starts with the CEO.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180622/6c719fa6/attachment.html>