Cybersecurity – a top priority for Enterprises

Introduction:

Cybersecurity has become a crucial part of an organisation’s infrastructure. Well-organised attackers can compromise systems, steal or misuse a business’s intellectual property and disrupt its operations. With cyber-attacks growing in sophistication, investing in appropriate security controls is the need of the hour.

Common cybercrimes include phishing, unauthorised access to stored communications, identity theft, malicious code, criminal copyright infringement and many others. The Heartbleed bug in OpenSSL, for example, let anyone who could reach an unpatched server read parts of the server’s memory, including private keys and session data, without leaving a trace in its logs. This was just one instance in which organisations unprepared for a breach suffered information loss and manipulation. With attacks growing so quickly, firms are now trying to arrive at a realistic cost-per-breach figure. In the US, the cyber insurance market has grown steadily from $1 billion to $2.5 billion over the past two years.

Even though businesses now understand the importance of cybersecurity, implementing it presents challenges: the complexity of existing systems and of the wider cyber environment makes it hard to secure everything consistently. Among the largest vendors offering security products are Symantec, Intel and IBM; alongside them are numerous start-ups and mid-size companies that focus exclusively on advisory, consulting and managed security services.

The exponential growth of smartphones and cellular networks has driven the mobile security market. Added to this is the collection and use of data at Big-Data scale. Even though such data has many legitimate applications, aggregating it increases vulnerability and exposes systems to more threats.

Areas of concern:

The exponential growth of cyber-attacks has created several grey areas that need to be addressed immediately. According to a report published by PwC, the number of security incidents globally is increasing faster than the number of smartphone users and global GDP combined. This gives an idea of how vulnerable organisations are and how constantly they are exposed to the risk of being hacked. Security incidents have been growing at a 48% CAGR since 2013, which underlines the importance of cybersecurity and the major role it now plays.

Data protection and privacy: Most of our day-to-day activities, from shopping to banking, are now digital, which gives attackers opportunities to misuse personal information. Stealing information that is available online and using it without the knowledge of the user is a common threat with loopholes still to be closed. The data is out in the open, especially where retailers have not installed dependable security controls. Identity theft is becoming a bigger nuisance, fed by the volume of personal detail available on social media and related forums.

Ransomware: McAfee Labs predicted this as another major threat for 2016. It is a kind of malware that, once it infects a system, encrypts the victim’s files or otherwise blocks access to them and demands payment for their release. It is expected to become more sophisticated in its operations and to aim at higher-value targets. One such target is cloud storage: once an endpoint is infected, files in synchronised folders are encrypted locally, and the sync client faithfully uploads the encrypted versions, overwriting the good copies in the cloud.
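The endpoint-to-cloud scenario above is detectable before the sync client has finished overwriting everything, because a ransomware run looks unlike normal user activity: many files rewritten as near-random bytes, with a new extension appended, within a few seconds. The following is an added example, not code from the original post or from any vendor it mentions; the file-write events, the extension lists and the entropy and burst thresholds are all constructed or assumed for illustration.

```python
"""Spotting a ransomware burst in a synced folder from file-write events.

Added example; not from the original post. The events, extension lists and
thresholds below are constructed/assumed for illustration.
"""
import math
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath
from random import Random

# Extensions ransomware families have appended to victims' files (assumed,
# illustrative list; a real detector would maintain this from threat intel).
SUSPICIOUS_EXTS = {".locked", ".crypt", ".encrypted", ".enc"}
# A document extension followed by an unfamiliar one ("report.docx.a7f3")
# is the classic signature of an encrypted original.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; plain documents sit around 4-5, ciphertext near 8


@dataclass(frozen=True)
class WriteEvent:
    ts: float    # seconds (constructed timestamps)
    path: str    # path inside the synchronised folder
    data: bytes  # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(ev: WriteEvent) -> bool:
    """High-entropy payload AND an extension pattern typical of encrypted files.

    Entropy alone is not enough: zip archives and JPEGs are high-entropy too,
    so the extension check is what keeps ordinary uploads out of the alert.
    """
    if shannon_entropy(ev.data) < ENTROPY_THRESHOLD:
        return False
    suffixes = [s.lower() for s in PurePosixPath(ev.path).suffixes]
    if not suffixes:
        return False
    if suffixes[-1] in SUSPICIOUS_EXTS:
        return True
    return len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS


def detect_mass_encryption(events, window_s=10.0, min_hits=5):
    """Return the first sliding window holding >= min_hits suspicious writes.

    A single encrypted file can be legitimate (an encrypted backup, say); many
    within seconds of each other is the burst the sync client is about to
    upload over the good copies. Returns None when no such window exists.
    """
    hits = sorted((e.ts, e.path) for e in events if is_suspicious_write(e))
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window_s:
            start += 1
        if end - start + 1 >= min_hits:
            return {
                "count": end - start + 1,
                "first_ts": hits[start][0],
                "last_ts": hits[end][0],
                "paths": [p for _, p in hits[start:end + 1]],
            }
    return None


# --- constructed sample events (seeded so the run is deterministic) ----------
_rng = Random(1234)


def _ciphertext_like(n: int = 4096) -> bytes:
    """Stand-in for encrypted output: pseudo-random bytes from a seeded RNG."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


_PLAINTEXT = b"Quarterly revenue summary: region, units, revenue, margin\n" * 80

BENIGN_EVENTS = [
    WriteEvent(0.0, "finance/budget.xlsx", _PLAINTEXT),
    WriteEvent(1.0, "photos/holiday.zip", _ciphertext_like()),  # high entropy, but a normal archive
    WriteEvent(2.0, "notes/todo.txt", _PLAINTEXT),
    WriteEvent(50.0, "finance/old-invoice.pdf.locked", _ciphertext_like()),  # one hit, no burst
]

_VICTIMS = ["finance/budget.xlsx", "finance/Q1-report.docx", "hr/payroll.csv",
            "legal/contract.pdf", "notes/todo.txt", "sales/pipeline.xlsx"]
# Six originals rewritten as ciphertext with ".locked" appended, 150 ms apart.
ATTACK_EVENTS = BENIGN_EVENTS + [
    WriteEvent(100.0 + 0.15 * i, f"{p}.locked", _ciphertext_like())
    for i, p in enumerate(_VICTIMS)
]

if __name__ == "__main__":
    print("benign:", detect_mass_encryption(BENIGN_EVENTS))
    print("attack:", detect_mass_encryption(ATTACK_EVENTS))
```

Run as a script, the benign event list produces no alert (the lone `.locked` file and the high-entropy zip are each tolerated), while the attack list produces one alert after the fifth encrypted document, about 600 ms into the burst. In a real deployment the events would come from the endpoint’s file-system audit trail rather than a constructed list, and the alert would pause the sync client or isolate the host; the two-signal design (entropy plus extension pattern, then a rate threshold) is what keeps such an automated response from firing on a user zipping up a folder of photos.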

Internet of things: It is a well-accepted fact that IoT is exploding, and with it the volume of customer data that can be exploited. IoT growth also presents distinct security threats at each layer: the device itself, the application, the network and the software. Given that IoT is being integrated into almost every sector, the risk is expanding just as fast.

Third-party cybersecurity due diligence: Where activities such as payroll, IT and accounting are outsourced, the exposure to data manipulation is high. Attackers routinely move from a company’s network into its vendors’ networks and vice versa, and a breach can originate on either side. Companies and their vendors must assess each other’s security before connecting and work together to build a system that is hard to penetrate.

Compliance and cybersecurity:

These terms are often used interchangeably and misinterpreted. A company that is compliant with data regulations is not necessarily secure: compliance demonstrates that required controls exist, not that they stop attacks. A recent report published by Dell states that 40% of respondents do not believe their IT solutions fully equip them to prevent security breaches, and that respondents experience an average of three barriers preventing better security measures from being implemented. Organisations therefore need to look beyond compliance and shape their policies around genuine cybersecurity to protect critical business information.

Cybersecurity – A board-level issue for many organizations

Cybersecurity is emerging as a top priority for many organizations and their boards. Directors are becoming proactive in assessing risk, especially risk arising from cyber threats, and they are treating cybersecurity exposure as an enterprise-wide risk management issue rather than an IT concern. Earlier, cybersecurity was considered an information security risk; its impact, however, covers the entire enterprise.

Robert Mueller, former Director of the FBI, emphasised that cyber threats will eventually equal or eclipse the terrorist threat. “There are only two types of companies—those that have been hacked and those that will be,” Mueller said, adding that boards should ask themselves what type of company they are and what they are doing about it.

Boards should work out whether they have already been victims and where they remain vulnerable. A Carnegie Mellon University CyLab report found boards wanting in cybersecurity oversight. The shortcomings included failing to review cybersecurity budgets, programme assessments and top-level policies; failing to assign roles and responsibilities for privacy and security; and not receiving regular reports on breaches and IT risks.

The impact of these risks affects not only the regular operations of the company but also wider matters such as brand reputation. A primary responsibility of the board is to provide risk oversight. As discussed in the August 2013 Audit Committee Brief, the audit committee is often delegated the task of overseeing risk programs and policies, including cybersecurity, and the trend is for other committees to be delegated oversight of the risks within their areas of expertise.

Many boards convene sessions devoted to cyber risk, hearing from the chief information officer, chief technology officer or whoever else is tasked with monitoring it. In addition, some boards engage third-party specialists to brief them on the risk, how to mitigate it, and the signs that may signal a breach. The full board should take the necessary steps to stay informed about management’s risk practices so that it can oversee cybersecurity effectively.

Some of the questions the board should ask are:

  • Who on the board understands information technology and owns oversight of cyber risk?
  • Does the remit of the risk and audit committee cover cyber risk?
  • Does the company’s insurance policy cover cyber risk as well?
  • How is the brand protected, especially on the Internet and social media?
  • Does the organization’s extended supply chain (service providers, suppliers etc.) have suitable mechanisms to handle cyber risk?
  • What steps are taken to create awareness of cyber threats within the company?

These are some of the questions a board should put to management for starters.

About NIST and the introduction of the Cybersecurity Framework

National Institute of Standards and Technology (NIST) works with industry to develop and apply technology, measurements, and standards.  The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

To better address these risks, the President of the US issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that “It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.

NIST has released the Cybersecurity Framework to help companies address cybersecurity initiatives within their own environments. It is a framework, not a solution paper: it tells an organisation what to assess and how to express the result, not which products to buy.

The NIST Cybersecurity Framework helps organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.

We will cover the NIST framework in detail in the next blog.