The cyber risks that confront businesses seem to be multiplying. Hacktivists have staged attacks that brought down the websites of major banks, companies are fretting about thefts of intellectual property, there are regular reports of breaches that expose the personal data of large numbers of consumers, and the White House is warning about the possibility of attacks targeting critical parts of the U.S. infrastructure.
Cyber criminals are also increasingly sophisticated, able to slip through the security measures organizations employ. And the price tag for cyber events is rising. The Ponemon Institute’s 2013 study of the cost of cyber crime found the average annual cost for organizations was $11.56 million, up 26% from the previous year. According to Ponemon, companies are seeing more successful cyber attacks and it takes them longer to resolve such attacks.
Amid such changes, companies’ traditional approach to IT security is evolving.
“Historically, information security has been perimeter-based,” said Bob Parisi, a senior vice president and technology, network risk and telecommunications specialist at insurance brokerage Marsh. “You dig a moat, fill it with water and alligators, build a wall, put archers on top, put all your valuables inside, and let people in through the gate.
“Mobile devices, especially the very popular concept today [of ‘bring your own device’], sort of exploded that concept, so there’s no longer a perimeter per se,” said Parisi, pictured at left. IT departments are adapting, he said, by making changes ranging from locking down disk drives and USB ports, to monitoring emails to ensure nothing inappropriate is entering or leaving the company’s systems, to utilizing secure gateways or virtual private networks.
Julie Conroy, research director at technology consultancy Aite Group, said companies should adopt a layered approach to information security, as financial institutions have. Rather than relying on a single solution to stop cyber criminals, companies need “a series of Web safety nets,” she said. “If the bad guys slide through one way, the next layer will be successful in highlighting their activities.”
Charles Beard, a principal in PwC’s advisory practice, said about 80 percent of cyber crime events result from shortcomings in companies’ “technology hygiene.” In other words, “the adversary gained access to a system through vulnerabilities that were generally known,” he said.
That’s worrisome because in recent years, companies’ push to cut spending has taken a toll on their IT solutions. Beard uses the term “technical debt”—the extent to which companies have deferred software upgrades or put off replacing legacy IT infrastructure.
“Our concern is that as our clients make these trade-offs around ‘I will just continue to operate systems that I know are beyond end of life, and I won’t retire those systems any longer because I don’t have the budget,’ those decisions need to be bubbled up to a much more senior level so people understand what the trade-offs are,” he said. “If your calculus is ‘Just let me do it the cheapest possible way,’ that may not be sufficient to meet your duty for operating the company.”
Know Your Adversaries
When determining how sophisticated their cybersecurity program needs to be, companies should try to understand what type of adversaries are likely to attack them, Beard said. “Think of traditional retailers who now want to open up healthcare clinics,” he said. “You are bringing a different set of actors to your doorstep. What may have been sufficient [IT security] for a retailer may not be enough for a retailer with a significant healthcare component.”
Similarly, if a company is starting to do business in another country or acquiring a company in a different region, it should consider whether it is likely to encounter cyber criminals interested in accessing the company’s intellectual property or trade secrets, Beard said.
Ed Stroz, co-president of risk management and security consulting firm Stroz Friedberg, suggested that companies think about whether cyber criminals want something the company has, or whether they might make the company a target for their anger.
If it’s the latter, companies are likely to see distributed denial of service attacks of the kind that have crashed banks’ websites. If criminals are more likely to try to steal something, “you now have the challenge of detecting that kind of activity because it doesn’t automatically show itself,” he said.
Effective IT risk management starts at the top, Stroz said, with the company’s board. He argued that the executive who heads IT risk management shouldn’t be the company’s chief information officer: “It puts IT people in a difficult position if the head of IT, who will get in trouble if systems are penetrated, is the same person who tells you whether that condition exists.”
Stroz stressed the importance of having enough information about the company’s systems to execute the risk management policy. “Does the company actually have an accurate map of its own network, a network topography?” said Stroz, pictured at right. “If a picture of the network is not available, it defeats the ability of the risk manager to understand the conversation about how risk manifests itself in the network.”
That map of the network should include the location of the company’s most important data, he said, so that “you can monitor more heavily for aberrations around that access path,” and it should show the cloud services the company uses.
Organizations also need a written plan for responding to a cyber incident. “A lot of companies we walk into, they don’t have a plan, or they’re working on it and trying to make it perfect, which we think is a mistake,” Stroz said. “A good plan that exists today is better than a perfect plan that’s never finished.”
Employees as a Risk Factor
Social networking is a fairly recent phenomenon that contributes to cyber risks. “People tend to overshare information in social media and social networking, such that it is often a fertile ground for criminals looking for data to bootstrap their way into a computer attack—your dog’s name, your mother’s maiden name,” Parisi said.
And while some cyber crimes are the work of company insiders, organizations are also vulnerable to attacks that employees enable inadvertently, by opening the wrong email or visiting a website.
Companies need to educate their employees, “but the lessons and lectures only go so far,” Stroz said. He suggested adding testing to the mix, noting that some companies keep employees on their toes by sending them suspicious emails and seeing if they take the bait.
“We do it,” he said. “We have an outside firm send our people what looks like a legitimate email from someone in the company telling them to do something. If they click on the link, they get a visit from somebody saying, ‘You just did what we’re telling you not to do.’
“You can’t eliminate this risk, but you can reduce it greatly by keeping the points very fresh in their minds,” he added.