NTT Com Security’s Risk:Value 2016 report reveals that only 45 per cent of UK businesses have any kind of insurance to cover the financial impact of data loss or a security breach, and 37 per cent admitted that poor security could invalidate that cover. This raises the question of why so many organisations are unprepared for a serious cyber attack, given that a quarter expect one to hit them in the next 90 days.
That the threat-scape has evolved from hackers looking for notoriety into a well-organised, and highly profitable, criminal enterprise is beyond debate. Yet many organisations still perceive cyber security as a technology issue rather than a business matter. “This asymmetrical nature is why cyber security must have input at a strategic business level,” says Greg Sim, chief executive at Glasswall Solutions.
“Risk mitigation should be integrated into core business processes, as opposed to being an afterthought in which only the bare minimum of managing, and not solving, the impact of a breach is done.”
There’s even an argument to be made that attackers should be seen not solely as criminal adversaries, but as competitors in the market. “Business leaders must understand cyber criminals’ business models, strengths, weaknesses, opportunities and threats just as they would their competitors in the marketplace,” says Tim Grieveson, chief cyber and security strategist for Europe, the Middle East and Africa at Hewlett Packard Enterprise.
With some organisations still not having cracked who “owns” security, be it the chief technology officer, the chief information officer or even the chief executive, it’s hardly surprising business is often so unprepared for attack.
Who’s to blame?
“When ownership, responsibility and accountability are confused,” says Adrian Crawley, regional director for Northern Europe, the Middle East and Africa at Radware, “it dilutes the effectiveness of the strategy and in most cases undermines the budget needed to put in place the right processes, policies, people, partners and technology.”
This is how we end up with situations such as the case recounted by Ben Hamilton, managing director of Kroll’s global investigations and disputes practice, in which a large energy company was in the middle of an attack. “The company was not able to protect its key processes or quarantine the hackers who were still in the system,” says Mr Hamilton, “because it did not know what data or processes were being managed on what servers.”
As Richard Horne, cyber security partner at PwC and a former cyber security director with Barclays, says: “A unique feature of cyber-related crises, as opposed to physical ones, is the often total lack of facts in the first 72 hours, such as answers to seemingly obvious questions like what data has been taken or what systems are affected?”
But it’s not just at the business end of things that such confusion exists; the complexities of cyber have led to a confused insurance marketplace as well. While some insurance brokers are undoubtedly making sure they are well educated about cyber risks, that’s not always the case.
“I think the insurance sector is shying away from cyber because it’s very complicated and we don’t fully understand what the exposures are or how the insurance policies can respond,” says Tim Ryan, executive chairman at UNA Alliance, which is owned equally by 11 of the UK’s largest regional insurance brokers. Mr Ryan says his organisation has seen evidence of people being sold cyber policies that have no bearing on what their risk is. “This, in turn, is a risk in itself,” he adds.
When designing cyber cover, insurers must take into account not only a business’s liability to its customers, but also potential impacts on the business itself, while the client’s customers may find their finances, intellectual property or reputation under threat due to a leak of personal details or commercially sensitive information.
Ben Rose, insurance director at Digital Risks, says: “The business itself also has to consider issues such as website downtime, loss of sales and long-term reputational damage.” The cumulative cost of all these issues can make cyber insurance particularly complex and expensive.
The insurance industry needs collectively to set premiums that truly reflect the risk, but how do you put a price on a breach? The challenge is to achieve an objective measurement of the true costs incurred. “This is where, by working with the information security industry, they can gain a better understanding, so that insurers can more accurately calculate a risk profile and what the potential impact cost would be for different events,” says Kirill Slavin, managing director at Kaspersky Lab.
Paul Simpson, principal consultant with Verizon RISK, reveals that his organisation’s research points to a high percentage of all security incidents being traced back to just nine basic attack patterns. These are miscellaneous errors (such as sending an e-mail to the wrong person), crimeware (malware aimed at gaining control of systems), insider misuse, physical theft or loss, web-app attacks, denial of service, cyber espionage, point-of-sale intrusions and payment card skimmers.
“These vary from industry to industry, with each industry having three specific attack patterns connected to it,” Mr Simpson says. What this means is that businesses can effectively shape their security strategies to combat these specific threat patterns. He gives the example of 88 per cent of attacks in the financial services sector following a denial-of-service, web-app attack or crimeware pattern.
Good things also often come in threes, such as a three-step crisis management strategy as Ryan Kalember, senior vice president of cyber security strategy at Proofpoint, explains. “A critical first step is an organised programme to compare actual risk to critical information assets against senior management’s level of tolerance for the risk of losses due to cyber,” he says.
“Next, the security team needs to create an incident response and remediation plan to ensure they have the proper procedures in place to prepare for a cyber incident, such as a data breach, ransomware infection or a denial-of-service attack.”
And finally, a coalition of key internal stakeholders needs to create a crisis communications plan. Usually headed up by corporate communications, this team includes cyber security, IT, customer support, web, legal and an executive sponsor.
“This team should develop a list of worst-case scenarios and outline which response processes an organisation will follow, and how the organisation will handle crisis communications with media, customers, employees and partners,” Mr Kalember concludes.
Scott McVicar, general manager at BAE Systems for Europe, the Middle East and Africa, outlines five top measures for mitigating cyber risk:
01. Understand the risk
Understand where your business is and make sure your cyber security strategy is taking all movements into account. Review and update it constantly as your business changes and don’t be caught out by the evolution of attackers.
02. Have the right security controls
The perimeter is gone and the security controls of yesterday won’t work. You need the security controls of today, protecting all the end-points with integrated, configured and patched security controls. Once the defensive controls are in place, continually monitor for a breach in the defences.
03. Balance business and risk
Businesses need to have the courage to make the right decision that balances security risk against commercial return, and does the right thing by the business and customers in the long term. Take those difficult decisions on what systems and services are protected, and at what level.
04. Build a defensive culture
Security needs to be ingrained into the company culture. It isn’t a checklist, but something which should be ever-present. Security by design involves everybody making sure they are working securely, whatever role in the company they have.
05. Prepare a response
What makes the difference between a full-blown crisis and a problem to be tackled is the plan you have in place to respond and repair. There needs to be a thorough, rehearsed response plan known to clients and employees. With the right planning, there’s absolutely no need to make a bad situation worse.