Research firm Forrester’s “Global Business Technographics Security Survey, 2016” found that 49 percent of decision-makers interviewed had experienced at least one cyber breach during the past 12 months. Of these respondents, 55 percent had suffered an internal incident involving an employee or a third-party business partner.
The survey also ranked top external cyber attack methods: software vulnerabilities, user interaction (phishing, malicious link, or email attachment) and use of stolen credentials (logins, encryption keys). These statistics – and countless others – demonstrate the need for businesses and consumers to address the fundamentals of cybersecurity.
Without an effective combination of people, processes and governance implemented alongside technology solutions, organizations are at an increased risk of sustaining significant financial damage. Other areas of the business – such as brand, human resources, operations and regulatory compliance, among others – could also take a hit.
While leading companies operate more mature cyber risk programs, organizations that lag behind often subscribe to a number of commonly held “myths” about where to focus their security efforts. These myths prevent the accurate assessment of risk and exposures and hamper the implementation of proactive measures that can protect critical assets and successfully manage a breach when it occurs.
Rocco Grillo, global leader of Cyber Resilience Services at Stroz Friedberg, an Aon company, outlines five common cyber myths that he regularly sees while working with companies of all sizes across sectors. Indeed, adopting any of these perspectives can contribute to poor cyber risk management practices.
Myth 1: Cyber Is Merely an IT Issue
The information technology (IT) department works full-time to implement, update, and maintain technology for the company. However, the same department is often expected to manage the risks associated with that technology as well. As cyber threats continue to increase, IT departments can easily become overwhelmed. The responsibility for managing cyber risk should lie principally with information security practitioners, regardless of whether the organization has a full-time chief information security officer (CISO).
Reality: Cyber Preparedness Starts at the Top and Affects the Entire Organization
Taking a comprehensive view of how cyber risk affects the business across various functions is the responsibility of the entire organization—with the C-suite playing an important role. Executives, inclusive of the board of directors, must be familiar with the specific risk issues that affect their organization’s security posture, especially regarding its most critical assets, or “crown jewels,” and then ensure the right departments are involved in devising a comprehensive strategy. This way, security is not only aligned with IT but also tied to the business and the executive leadership team.
Many companies conduct cyber-threat “tabletop” exercises to simulate specific scenarios that would play out in a real-life cyber attack or breach – and are increasingly involving the executive team and board of directors. More mature companies with effective governance and risk management processes believe it is imperative to include these senior business executives in these situations. In fact, these exercises are most successful when concentrated on scenarios involving a company’s crown jewels, which enables them to prioritize their efforts toward their most critical assets.
Setting the tone at the top helps create buy-in at the highest levels to assess the company’s exposure to cyber risk. This perspective also helps teams implement the necessary remediation and proactive cyber security programs to guard against worst-case scenarios in the event of an attack. Further, information security teams will have the backing to enforce better training and awareness programs, policies, and procedures across the organization.
Myth 2: Technology Solutions Are a “Silver Bullet”
While technology is clearly an integral part of effective cyber risk management, investments in technology alone will not fix the problem. If a company focuses its efforts purely on technology designed to detect external threats and perpetrators, it may overlook the impact of human behavior – malicious or otherwise – on cyber security. Research shows that among businesses that experienced data breaches in 2016, insiders (that is, people with access to the organization’s systems and information) were responsible for 43 percent of data loss. Whether the cause is simple employee curiosity or carelessness, these blind spots are often the weakest links in a company’s armor. Increasingly, malicious tactics are designed to bypass sophisticated security technologies and exploit simple human error.
Reality: Technology Can Be a Part of the Solution – But It’s Not the Entire Solution
Companies need to not only verify that their technology profile is up to date but also implement and maintain their technology effectively. To minimize “insider risk,” for example, organizations should steer clear of allowing everyone to gain access to the most critical and sensitive information and systems. Any access to the company’s critical assets must be governed by strict processes and procedures, with privileged access granted only where it is genuinely needed.
Prioritizing programs geared to employee awareness, education and training is also an important step to address common, human-related vulnerabilities, such as malicious attachments in emails, phishing and social engineering tactics and weak passwords. Ensuring the entire organization exercises good “cyber hygiene,” such as better password management practices, should be a priority.
Security technologies are a critical part of any program, but they can be circumvented without the appropriate expertise and processes to implement, run, monitor and maintain them. This effort includes installing relevant antivirus software and regularly updating hardware. With cyber security tools – often seen as a silver bullet in a security program – configuration and maintenance should focus on minimizing false positives on security alerts and on ensuring the appropriate resources are in place to analyze them.
From IT, to legal, compliance, human resources, business innovation and other departments, it’s critical to create a multidisciplinary team that can assess, manage and respond to risks within different departments and functions. Ultimately, even with the most sophisticated and advanced technology, a culture of security must penetrate the organization.
Myth 3: Regulatory Compliance Equals Security
As seen most recently with the European Union’s General Data Protection Regulation (GDPR), regulators are stepping in to address consumer privacy and data concerns. While compliance with these regulations is necessary to avoid fines, class action lawsuits and other issues, compliance alone will not address cyber attacks or security compromises. For example, a company may be compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and other regulatory measures or requirements and still experience a breach. Compliance provides a mere snapshot of a company’s security profile at a certain point in time, whereas effective security is a continuous process of improvement.
Reality: Regulatory Compliance Is Only the Bare Minimum
While regulators design regulations with effective security in mind, compliance requirements should be viewed as a baseline to support due diligence in cyber security. Compliance should not be seen as the end goal in cyber security but as an opportunity to improve overall data hygiene on an ongoing basis. Investing in compliance with cyber security regulations is also a chance to create additional security wins. For example, companies can identify – or reclassify – critical assets and prioritize protections for them. Compliance is also a chance to work with key stakeholders across the organization to define the organization’s tolerance toward risk, which helps the security team better navigate cyber security decisions.
Myth 4: Only Industries That House Sensitive Data Are Under Direct Threat
Companies that hold sensitive data, including personally identifiable information (PII), health care data, credit card data and personal health information, are obvious targets for cyber attacks. As such, certain industries, such as financial services or health care, have traditionally been more heavily regulated. However, many industries must protect trade secrets, intellectual property and sensitive data. Moreover, the convergence of the physical and digital worlds through the Internet of Things (IoT) means companies face risks beyond data breaches. For example, in the manufacturing, oil and gas and automotive sectors, cyber attacks can result in severe business disruption. Far-reaching regulations can also affect sectors such as education.
Reality: Companies of All Sizes Across All Industries Have Vulnerabilities
Gartner predicts that by the end of 2018, there will be twice as many employee-owned devices as company-owned devices used for work. Last year, businesses alone had more than three billion IoT connections – introducing myriad risks. Aside from the sheer growth of technology and increased entry points for breaches, malicious cyber actors have also shifted their focus. Increasingly, as recent ransomware attacks have demonstrated, attackers are exploiting vulnerabilities with the specific aim of disruption – as well as financial gain. For example, ransomware demanding a few hundred dollars from users is designed to wreak havoc, not necessarily to extract the highest payments possible. Every organization – regardless of size or industry – should be thinking about its specific exposures to cyber risk and putting a proactive plan in place to improve its overall resilience.
Myth 5: Companies Can Outsource a Function Along with the Responsibility and Risk
Companies of all sizes outsource regulated processes, such as their handling of payment card industry (PCI) transactions. The rationale is that the process of evaluating and verifying compliance is expensive and does not make economic sense, especially if the company is not handling a large volume of transactions. When an organization outsources a function in this way, it often has the misperception that the responsibility for compliance is also outsourced to the third party.
Reality: Companies Ultimately Own the Risk
Even when outsourcing transactions and management of any regulated data, a company is still responsible for that data in the event of a cyber attack. In the case of PCI, the company that processed the credit card will be responsible for ensuring proper practices are in place to protect the data collected in the transaction. This ownership holds even if the responsibility for the breach lies with someone in the call center of the third party that processes all of the company’s credit card transactions. In many cases, that third party may also be outsourcing part or all of a function to a “fourth party.” This scenario is just one example that demonstrates the need for organizations that outsource any functions to implement effective third-party risk due diligence processes to ensure all their vendors are compliant.
Cyber is evolving rapidly, so identifying where the risk lies can be a moving target. That’s why companies must remain vigilant. By separating the myths from the realities, companies can be in a better position to mount an effective defense against cyber threats.