Addressing Cyber Attacks
By Mark Connelly, CISO, Boston Consulting Group
Cyber attacks are in the news every day. The frequent headlines and intense media scrutiny have brought the topic to the forefront of public attention. Could this be the worst of times for information security?
Given the reports, it may seem that way. The likes of Sony, Home Depot, JPMorgan Chase, the U.S. State Department and the White House (among many others) have lost millions of records and/or billions of dollars in market capital as a result of these attacks.
Not only are cyber attacks becoming more frequent, but attackers also seem to be one step ahead in the ‘arms race.’ And the financial impact and reputational damage seem to be growing at an ever-increasing rate.
As a result of heightened awareness, most corporations have elevated the issue from a technology problem to a Board-level matter, recognizing the potential legal, financial and reputational implications. Those of us who are in the know understand that this is not a single battle but an ongoing war, fought daily, across multiple channels and against threats that come from outside and inside our organizations.
For example, consider these sobering statistics from the 2015 Verizon breach report:
• In roughly 90 percent of the incidents in the report, a human action was part of the pattern of compromise.
• A campaign of just ten phishing emails has a greater than 90 percent chance that at least one recipient will fall for it, giving the attackers a foothold.
• Employees in communications, legal and customer support are more likely than others to click on links in phishing emails.
• 99 percent of exploited vulnerabilities were compromised more than a year after the corresponding CVE (Common Vulnerabilities and Exposures) entry was published; in other words, attackers are overwhelmingly exploiting known, long-disclosed flaws rather than zero-days.
In addition, the regulatory environment isn’t getting any easier, as data and cyber security laws are changing rapidly.
The worst of times? One could easily come to that conclusion. It’s clear that cyber security professionals need to do more than stay ahead of the conversation… they need to drive the conversation and prompt action and policy change.
The best of times
The good news is that CISOs, CSOs and their peers can help lead the evolution to a better time. The growing scrutiny and heightened awareness of the issues at stake mean companies are devoting more resources to information security, and people are becoming more aware of the consequences of a breach every day.
In addition, with Board of Director-level focus, companies are now seeking digital and cyber security experts to join board discussions to help understand, support and mitigate risks. Organizations that effectively manage this threat, and help their clients do the same, will stand out from the pack and remain successful.
CISOs and CSOs need to lead the charge. We must work in tandem with business leaders, technology partners, peers, law enforcement officials, attorneys and the government. Organizations that succeed will be rewarded for their efforts, because an effective information security program is a market differentiator, and that has value.
We need to work across industry verticals and geographies to better understand threats and engage with experts across a wide spectrum of markets.
This can be a turning point to better times if everyone gets on board to fight the threat. The conversation needs to pivot from a “sky is falling” mentality to an effective and directive position. We need to help move the industry and our customers with a more coordinated and impactful unified voice.
How to fight back and win
Cyber attacks are global and affect every market and every level of the supply chain. No one is immune. CISOs and CSOs need to own the message and drive greater impact. For example, you can lead the transformation by meeting with chief technology officers, chief procurement officers, chief financial officers and legal professionals to develop a comprehensive approach. Within the security organization of your firm, a few suggestions include:
• Establish an effective program supported by executive management. The plan should address not just technology, but potential compliance, operational and reputational risks. A cultural transformation is needed that makes cyber security a top priority for every organization.
• Execute on the basics. Work in tandem with compliance, raise the maturity of your controls, and continuously monitor threats. Measurement and demonstrating ROI are critical to sustaining support from senior levels.
• Leverage external vendor relationships and engage with internal partners in IT. While cost management is important, finding best-in-class partners will limit negative impacts in the long run. We should push vendors to test their products routinely and to provide attestations of those tests.
• Help push the Information Security agenda forward. Help enact policies that facilitate greater cooperation and protect our corporate assets. Push the technology community to develop better tools and services to mitigate attacks and limit damage. Join professional networks that push to make a difference, such as the Information Security Forum, FS-ISAC and the other sector ISACs that work with DHS, and the Security Innovation Network (SINET). These groups provide forums for enhanced partnerships and will help pivot us from the worst of times to the best of times.
Driving the conversation forward
CISOs and CSOs need to unite and push a common agenda. Building momentum within our spheres of influence will drive the conversation forward and lead to constructive change. Companies, shareholders, employees, customers and countries will respond positively; all boats will rise, and we will have a stronger risk posture to protect our assets from those who seek to do harm.
At the end of the day, it’s all about creating value for the business and executing a cultural transformation that embeds security into the fabric of what we do, who we are, and what we represent.