In 2017, as in previous years, cybersecurity incidents made the news on a regular basis: Equifax, Verizon, Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, Uber (a covered-up 2016 hack, admitted in 2017)…the list goes on. Already in 2018 we’ve seen the Meltdown/Spectre CPU vulnerabilities and a huge row over the governance and usage of Facebook data. Beneath these headlining cyber-incidents is a continuous background level of activity that is the inevitable result of organisations failing to monitor and protect their networks, and of users neglecting basic security hygiene.
This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.
How should businesses respond to the clear, present and ever-evolving threat of cyber-attack? Completely locking down their IT systems isn’t an option, but neither is complacency. Vulnerabilities will almost inevitably be discovered and exploited, and once security breaches have happened they’re usually expensive and time-consuming to remediate, often resulting in lasting damage to the victim’s reputation and bottom line.
The trick is to work out the attacks you’re most likely to face, guard against them to the best of your ability, and review this process regularly. Where to start? Well, no military commander would charge headlong into battle without a clear strategic picture of the conflict, and the same applies in the cyber theatre. That’s where business risk intelligence (BRI), or cyber threat intelligence (CTI), comes in. Here’s BRI company Flashpoint on the subject, for example:
“Having a robust BRI program puts these threats into context for an organization and its risk management efforts. Cybercrime, fraud, insider threats, physical security, MA security assessments and third-party risk can all be minimized with an adequate handle on intelligence.”
Flashpoint’s high-level summary of the 2017/18 global threat landscape — a matrix of threat actors and key verticals — looks like this:
Threat actors are ranked on a six-point capability scale and a four-point potential impact scale, with Flashpoint’s cast ranging from Tier 2 capability/Negligible potential impact (Jihadi hackers) to Tier 6/Catastrophic (China, Russia and Five Eyes). Cybercriminals — the main adversary of most businesses — are ranked as Tier 4/Severe:
Tier 4 capability
“Attackers are part of a larger and well-resourced syndicate with a moderate-to-high level of technical sophistication. The actors are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack campaigns. Tier 4 attackers and above will attempt to make use of publicly available tools prior to deploying more sophisticated and valuable toolkits.”
Severe potential impact
“Cyber attacks at this level have the capacity to disrupt regular business operations and governmental functions severely. Such incidents may result in the temporary outage of critical services and the compromise of sensitive data.”
Looking at the vertical industries targeted by these threat actors, financial services and government/military are the most threatened — bad actors tend to follow the money or the power, after all. Eight out of the nine categories of ‘bad guys’ have these sectors in their sights:
Although businesses need a lot more detail before they can create their cybersecurity policies and deploy specific measures, it’s essential to have a consistent company-wide view of the threat landscape. However, recent research from security provider Centrify and Dow Jones Customer Intelligence suggests that CEOs and their front-line technical officers (CIOs, CTOs and CISOs) often have different perspectives.
Centrify’s report is based on a survey of 800 senior executives in companies with at least 1,500 employees, covering 19 industries in the US and UK. Over 50 percent of the companies represented had over 10,000 employees. The key finding is that CEOs are focused on malware — perhaps influenced by headline-grabbing cyber-attacks — while their technical officers (TOs) cite identity breaches as the biggest threat.
A clear majority (62%) of CEOs pointed to malware as the biggest cybersecurity threat, compared with only 35 percent of TOs. Meanwhile, 68 percent of executives from companies that had at least one serious breach said it would likely have been prevented by either privileged user identity and access management or user identity assurance. By contrast, only eight percent of companies said that anti-malware endpoint security would have prevented the breaches.
“The disconnect between CEOs and TOs is resulting in misaligned priorities and strategies, as well as mis-investments in cybersecurity solutions, which are weakening security,” the report concluded.
So how can companies avoid such misalignments and mis-investments?
Cyber-risk management frameworks
A coherent cybersecurity program requires a template or framework containing all of the important components. Organisations then need to work out which components are most applicable to their particular circumstances, a process that should point them towards the most appropriate security measures.
A number of industry-standard frameworks are available to guide organisations’ cybersecurity policies, including AICPA, CIS, COBIT, ENISA, ISO 2700, NIST and — for those that handle payment card transactions — PCI DSS. There are also industry-specific frameworks such as those relating to the protection of healthcare data under the US HIPAA legislation.
Different industries will tend to focus on different framework components, depending on the nature of their business and the particular threat landscape they face. Here’s a summary of how Mandiant sees the security priorities for ten vertical industries:
GCO DP SRM IAM IR TP/VM HEP ADMP NCDCP SAT Aerospace defense
GCO = Governance, Compliance and Organization, DP = Data Protection, SRM = Security Risk Management, IAM = Identity and Access Management, IR = Incident Response, TP/VM = Third-Party/Vendor Management, HEP = Host and Endpoint Protection, ADMP = Application, Database and Mobile Protection, NCDCP = Network, Cloud and Data Center Protection, SAT = Security Awareness and Training
As you might expect given the current state of cybersecurity, the most commonly cited focus areas across these vertical industries are data protection and incident response, closely followed by identity and access management:
Tech Pro Research cybersecurity survey
For this special report, ZDNet’s sister site Tech Pro Research conducted a survey posing the question: ‘Is your company succeeding or failing at cybersecurity?’ Of the 236 respondents, 62 percent were either CxOs or at IT manager/consultant level, 44 percent were located in North America and 18 percent in Europe, and 40 percent worked in businesses with more than 250 employees. Industry sectors represented included IT Technology (15%), Government (12%), Finance/Banking/Insurance (11%) and Business Services/Consulting (10%).
The results suggest that, in this survey sample at least, there’s a long way to go towards the ideal where companies have a clear picture of the threat landscape, translating that into a structured policy from which confidence-inspiring cybersecurity measures emerge. Here’s a couple of key charts:
Given that 61 percent of respondents’ companies lack a regularly reviewed and updated security policy, it’s no surprise that only 15 percent are ‘very confident’ in the security measures that are currently in place.
For more detail on the Tech Pro Research survey, see [xxx]
The cost of cybercrime
In recent years cybersecurity has risen ever higher up the corporate agenda for the very good reason that incidents and breaches result in significant costs — money or intellectual property stolen, valuable data compromised, business disruption, impaired brand reputation, reduced revenue and/or lowered share price.
As a result, the jobs of C-suite occupants are now at stake, and there have been a number of sword-fallings following high-profile cyber incidents — notably Equifax’s Richard Smith in September last year. More importantly, the need for cyber-risk assessment and coherent cybersecurity policies is now well established in many companies (if not all, as the Tech Pro Research survey referenced above indicates).
Accenture’s 2017 Cost of Cyber Crime Study examined two cost streams: the internal costs of dealing with a cyber incident (detection, investigation, containment, recovery and final response); and the costs relating to the external consequences of an attack (information loss or theft, business disruption, equipment damage, revenue loss). Costs were estimated using interview data gathered from 2,182 participants across 254 organisations, with research concluding in August 2017. Financial services (16%) was the leading sector in the sample population, followed by industrial/manufacturing (12%) and services (11%).
Headline findings were an average annualised cost of cybersecurity of $11.7 million per company (a 22.7% year-on-year increase) and an average of 130 security breaches per company per year (a 27.4% increase). Information loss was the biggest cost component, forming 43 percent of the total (up from 35% in 2015).
Among the many useful findings in Accenture’s report are figures for the deployment level of nine ‘enabling security technologies’ and the cost savings that companies can expect to make when fully implementing them. Here are the two metrics plotted against one another:
The two most cost-effective technologies, ‘security intelligence systems’ and ‘advanced identity and access governance’, are widely deployed (in 67% and 63% of companies respectively). However, the third and fourth placed technologies — ‘automation, orchestration and machine learning’ and ‘extensive use of cyber analytics and user behavior analytics’ — are under-deployed (28% and 32% respectively) given the cost savings they can deliver. Clearly, companies would do well to increase their investment in these more innovative security technologies.
IBM’s 2017 Cost of Data Breach Study collected direct and indirect cost information using interview data gathered from over 1,900 participants across 419 organisations, with research concluding in March 2017. Financial services (15%) and industrial companies (15%) were the leading sectors in the sample population, followed by services (14%).
Headline findings were an average total cost per data breach of $3.62 million (down from $4m in 2016) with an average cost of $141 per lost or stolen record (down from $158 in 2016). The average number of records per data breach was 24,089 (up 1.8% from 2016), while the estimated probability that an organisation will have a ‘material’ data breach in the next 24 months was 27.7 percent (up 2.1% from 2016).
Among the many useful findings in IBM’s report is an analysis of the factors that influence the per capita cost of a data breach. For example, a fully functional incident response team reduced the cost by $19.3 on average, while at the other end of the scale third-party involvement increased the cost by $16.9:
Cybersecurity incidents and breaches can seriously damage a company (just look at Facebook’s recent share price trajectory), making it imperative that security risk management is integral to corporate governance.
Detailed analysis of the threat landscape for a company’s particular business sector should lead to the adoption of an appropriate framework within which to develop a security policy, which in turn should suggest the best combination of security measures to deploy. Policies must be revisited and updated as the threat landscape evolves.
As well as covering the basics, companies need to consider deploying advanced security technologies such as AI, machine learning and analytics, in order to give themselves the best chance against the ‘bad guys’.
Cybersecurity trends in 2017/18
Numerous reports and surveys are published every year, analysing the state of the cybersecurity arms race and allowing interested parties to keep up to date with the changing threat landscape. The table below lists some of the most influential ones, summarising the key content areas and recommendations:
Report Key subject areas findings Recommendations, best practices predictions Cisco 2018 Annual Cybersecurity Report
Adversaries are taking malware to unprecedented levels of sophistication and impact.
Adversaries are becoming more adept at evasion — and weaponizing cloud services and other technology used for legitimate purposes.
Adversaries are exploiting undefended gaps in security, many of which stem from the expanding Internet of Things (IoT) and use of cloud services.
Defenders will find that making strategic security improvements and adhering to common best practices can reduce exposure to emerging risks, slow attackers’ progress, and provide more visibility into the threat landscape.
Defenders should also consider adopting advanced security technologies that include machine learning and artificial intelligence capabilities. With malware hiding its communication inside of encrypted web traffic, and rogue insiders sending sensitive data through corporate cloud systems, security teams need effective tools to prevent or detect the use of encryption for concealing malicious activity.
Cyber interdependence drives global risk.
High preparedness does not necessarily mean low risk.
Resilience: The cyber-shock absorber businesses need.
Leaders must assume greater responsibility for building cyber resilience.
Organizations must dig deeper to uncover risks.
C-suites must lead the charge — and boards must be engaged.
Pursue resilience as a path to rewards — not merely to avoid risk.
Purposefully collaborate and leverage lessons learned.
Focus more on risks involving data manipulation and destruction.
The challenge for CEOs is going beyond awareness to action.
Committing to risk management in digital transformation is existential.
Beyond confidentiality, privacy expectations focus on data use.
Advanced authentication technology will be a trust builder.
Even industry titans must boost board involvement.
More companies should consider hiring a chief privacy officer.
Lagging businesses in Europe and the Middle East have more work to do.
The balkanization of the internet will change how companies do business.
Consumers will vote for responsible innovation and data use with their wallets.
The C-suite must own management of digital risk. Engage your board.
Prioritize data-use governance. View GDPR as an opportunity. Consider the risks of regulation abroad in a strategic context. Champion responsible innovation.
Verizon 2017 Data Breach Investigations Report
Prioritize data-use governance.
View GDPR as an opportunity.
Consider the risks of regulation abroad in a strategic context.
Champion responsible innovation.(3) The future of cybersecurity (Coming April 2018)
Are you Gambling with your Future?
No one thinks it’s going to be them. Until it is.
Organizations think they’ve got the basics covered.
People are also still failing to set strong passwords.
People rely on how they’ve always done things.
Build your Defenses Wisely.
Know the Threats you Face.
Use Intelligence, the Crooks do!
Coin mining attacks explode.
Spike in software supply chain attacks.
Ransomware business experiences market correction.
Drop in zero days can’t halt the rise in targeted attacks.
Mobile malware continues to surge.
Mid-tier mature cloud providers will likely see the impact of the Meltdown and Spectre vulnerabilities.
WannaCry and Petya/NotPetya may inspire new generation of self-propagating threats.
IoT attacks will likely diversify as attackers seek new types of devices to add to botnets.
Coinminer activity will likely continue to grow but will increase focus on organizations.
Attacks on critical infrastructure likely to step up in 2018.
With some of the costliest and most disruptive attacks on record, 2017’s high-profile incidents have heightened awareness around the business-critical nature of cyber security.
Many of today’s attacks still leverage well-known vulnerabilities — flaws that have been documented and patched, and can be prevented.
The security landscape is continually changing, as criminals take advantage of new attack surfaces. Attacks targeting mobile devices, Internet of Things, and APIs are all major themes that we expect to see in 2018.
The publication of Spectre and Meltdown, along with the remote code execution vulnerabilities in Oracle’s WebLogic and the GoAhead embedded http server, could lead to a new round of highly damaging, targeted attacks. In addition, with the popularity of cryptocurrencies, there is also a risk that adversaries will leave systems intact only to install crypto mining software on vulnerable systems.
In many cases the safeguards organizations have in place to protect their site from attackers are not tuned to protect APIs, making them tempting targets.
Credential abuse, whether by brute-force guessing or through the use of illegitimately acquired username and password lists, isn’t a problem that will go away soon…If your organization is in one of the high-threat industries, it may be time to re-examine how seriously you take the threat.
Confront your cyber threats.
Understanding the threat landscape.
Fighting back against the threat.
Emergency service: responding to an attack.
Common attacks: Organizations need to be able to prevent these types of attacks through good basic cybersecurity.
Advanced attacks: Organizations need to prevent some of these attacks, but focus on their ability to detect and respond to the more sophisticated and dangerous attacks.
Emerging attacks: Organizations need to understand the emerging threats and how they should impact strategic decision-making, while making focused investment in cybersecurity controls. The SANS 2017 Data Protection Survey
78% report two or more threats occurring in past 12 months.
68% report the same threat occurring multiple times.
12% actually encountered a breach, with 43% of those breaches involving exfiltration of sensitive data through encrypted channels.
Know your data and don’t neglect the obvious.
Secure your access management data and information.
Follow demonstrated best practices.
READ MORE ON CYBERSECURITY
What is GDPR? Everything you need to know about the new general data protection regulations
General Data Protection Regulation, or GDPR, is coming. Here’s what it means, how it’ll impact individuals and businesses.
Cybersecurity report card: Why too many companies are graded ‘could do better’
Lack of budget and the right skills are leaving businesses vulnerable to attack.
Companies still struggle to hire security pros; use in-house training to fill the gaps (TechRepublic)
One-third of organizations report experiencing a security breach, and 68% are not confident that they can protect against an advanced attack.
As IoT attacks increase 600% in one year, businesses need to up their security (TechRepublic)
Internet of Things attacks, cryptocurrency mining, and ransomware dominated the security landscape at the end of 2017, according to Symantec.
Information security policy (Tech Pro Research)
To protect your information assets, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, IT staff, and supervisors/managers. This policy offers a comprehensive outline for establishing rules and guidelines to secure your company data.
Cybersecurity in 2018: A roundup of predictions (Tech Pro Research)
How will the cybersecurity arms race develop in 2018? Experts have made a multitude of predictions, and we have analysed them.
Flashpoint: Gathering business risk intelligence from the deep and dark web (Tech Pro Research)
What if you could get ahead of the cybersecurity game by listening in on the forums and communication channels where ‘bad actors’ hatch their plans? Flashpoint has the technology and analyst expertise to do just that, as its CEO explains.