
The Principles of Good Cyber Risk Management

By Ankur Sheth, Alex Dunstan-Lee

April 15, 2019

In the world of cyber risk, we are dealing with unprecedented events. Beyond headline-grabbing attacks such as NotPetya, the destructive global malware campaign that crippled Mondelēz's business and which the UK and US governments attributed to the Russian military, we are now seeing an epidemic of cyber attacks. Concern has shifted from data being stolen and sold on the dark Web to serious ransomware and destructive attacks, where attackers are looking for an immediate monetary payout. This is the new threat. Malware such as TrickBot can spread across an entire corporate network, allowing attackers to gain access to systems surreptitiously, plant further malicious files and clean up after themselves, leaving little trace. The initial foothold, however, is often not dealt with, which gives the attackers time to monitor what is valuable to an organisation and prepare a more sinister attack. At a later date, entire networks are encrypted and companies are brought to their knees, unable to access email, payment systems and operational systems. Everything goes down, including email, calendars, Skype and VOIP, leaving a company unable to operate or communicate.

What remains is a ransom note demanding payment, usually in cryptocurrency, in exchange for the keys needed to decrypt the systems. These attacks can cost companies from $100,000 to over $1 million, specialist services are often required to negotiate with the attackers, and paying does not guarantee that working keys are delivered.

We have seen companies with their entire information technology infrastructure brought down over multiple countries leaving them completely crippled. Added to that, companies face fines for data breaches, breached contracts with their customers due to an inability to perform services, the consequences of being unable to pay invoices, and of course their overall reputation is damaged.

Why Are Companies Getting It Wrong?

It has become much harder to protect a company’s digital assets because the digital landscape is shifting rapidly under our feet, catching many mature businesses off guard. Businesses need to determine which components of their business rely on technology and digital assets, exactly where those assets are (being less tangible than hard assets like real estate or cash), and how to protect them and the data flowing through them. Often new systems are deployed, and the data being processed is not fully understood, classified or safeguarded appropriately.

The old “protecting the centre” model of the last decade is no longer enough to keep companies secure. That model meant protecting the corporate network at its perimeter. Now that data is commonly housed in cloud applications run by third parties and on mobile devices, a new approach is needed. Many companies also have legacy systems that cannot simply be replaced given the associated cost. These systems are not “secure by design” like some newer systems; many lack even basic security mechanisms and still rely on simple passwords, which an attacker can easily overcome.

Protection methodologies have also gone out of date, including the “air gapping” of environments designed to isolate systems from each other and protect sensitive data; in practice, remote support links, vendor connections and removable media routinely bridge such gaps. The old “people and process” security model has evolved, and we now rely on “people, process, and technology.” Before the technology boom, security was a manual process: people had to monitor systems or processes looking for threats. Technology is now able to help automate threat monitoring.

What Does Good Security Today Look Like?

First, it is important to note that “good” is not a static state; what is needed for security should be dynamic and agile. Second, one can never totally eradicate risk, only reduce it to a level that a particular organization finds commercially acceptable.

“Good” is no longer having the highest walls or the deepest moats to stop the bad guys getting into a company’s systems. In a controlled environment “good” means:

  • Having increased visibility of potential threats, which will tell you how and where to protect your systems;
  • Understanding how current threats could impact your organization and its information;
  • Understanding your key business processes and data;
  • Knowing how your data is regulated in each region and appreciating other risks relating to your business data, such as commercial risk;
  • Understanding where your business is underpinned by technology;
  • Understanding the degree of control you exercise over that technology, for example whether it is a legacy system with out-of-date security or a system controlled by a third party;
  • Understanding the skill of your workforce and the effectiveness of your governance structure; and
  • Quantifying the cost spent on cybersecurity versus the value that the protected technology brings to the business.

Technically this means having visibility of the people and processes in your business that interact with your technology and data so that you can identify risks. It also means having visibility of attacks through advanced threat detection and containment technology. You also need to be aware of times of heightened risk when the threat of cyber attack may be higher, for example, when a patent is being granted or when an M&A deal is announced.

How Do You Develop Controls That Respond to Your Business Environment?

What is needed now are dynamic controls — controls that respond to your business environment or to the threats around you. A major utility company with an aggressive business strategy to develop software-based service offerings may find that its security posture is not dynamic and almost entirely built around a physical security strategy (protecting physical assets) — and therefore ineffective.

Businesses often have on-premises security tools to protect their businesses and then realize they have purchased cloud-based platforms that are entirely unprotected. Big banks in the UK, for example, have invested heavily in security over the years. After the Financial Conduct Authority clarified its stance on the use of public cloud services through the publication of FG16/5, the banks found that none of this capability was effective in the public cloud offerings they then developed. This has given challenger banks a clear advantage.

In other situations, major companies in the energy sector have made exorbitant investments in advanced threat intelligence but are unable to change their controls in response to the intelligence gleaned. For one company, the threat level rose and fell week to week, but the control landscape could not adapt to it, rendering the investment ineffective. The result was that the controls bore no resemblance to the threat level.

Why Is Agility In Cyber Risk Management So Important?

Agility is crucial when it comes to reducing cyber risk and requires companies to understand their business and model their security strategy on current and future business strategy. Referring again to the big banks and oil and gas companies, many have offshored all their IT and processing centres, but not kept enough internal knowledge or skilled staff to manage third-party suppliers. This means they do not understand their environment and therefore cannot respond quickly to changing threats.

Agility in a control environment also means adapting to security threats. This could be allowing users greater degrees of functionality and freedom through the deployment of advanced threat detection tools instead of locking users down.

We have seen small organizations save themselves from significant impact by physically disconnecting from the Internet during an active cyber attack. This approach is now being used in critical infrastructure organizations. By designing red-button processes, they can shut down an entire gas compressor or a segment of the control network, for example, if it poses a risk to the entire grid. In the old world, a plant operator would simply not be able to obtain the required executive authority to shut a plant down (given that it would cause millions in damages) within the time required to defend against an active cyber attack. Crisis plans need updating to consider and embed rapid responses to cyber-specific threats.

What Does Best Practice Look Like When It Comes to Cyber Risk Management?

The approach to security that we advocate is risk-based. Risk-based in this context means evaluating the business's goals, then underpinning and assuring the elements that are most reliant on technology. It also means that the level of investment in security should be linked to the value of the asset being protected within the specific commercial landscape. A company can examine the types of threats it is exposed to and select where to deploy controls that reduce the risk to an acceptable level, but not at an untenable cost to the business. This might involve deploying enhanced detection controls, network segregation and system recovery controls to a manufacturing environment so that threats can be detected and contained and, if needed, parts of the environment rebuilt. Contrast this with a full redesign of the factory before it naturally becomes obsolete, bearing in mind the typical 30-year lifecycle of such assets.

Integrating controls and layering defences to make sure they fit into one another is also important. Buying all the latest tools will not protect your business. Coherent security is an end to end integrated system of people, processes and technologies coming together to protect business value.

We often see customers deploy Office 365 because they have been told that it is secure, but then neglect to deploy multifactor authentication (MFA) and the other advanced controls available to protect it, because of the perceived impact on users and usability. This is akin to refusing to wear a seatbelt and then claiming that the car is unsafe. In 2017 and 2018, Ankura dealt with approximately 1,000 data breaches, over half of which were due to business email being compromised, and 90% of those were due to a lack of MFA or other basic Office 365 security controls.
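The practical check that follows from this paragraph is to look at the tenant's own sign-in logs and find accounts that are still authenticating with a password alone. The script below is an added example and not part of the original article or of any Ankura tooling. It runs over a constructed sample of six records shaped like Microsoft Graph `signIn` resources (the `auditLogs/signIns` endpoint); the field names used are real Graph fields, but the records themselves, the user names and the IP addresses are invented for the example, and the set of legacy client types is an assumption drawn from the client-app categories the sign-in logs report.

```python
"""Flag successful sign-ins that completed without MFA, from sign-in log records."""
import json
from collections import Counter

# Constructed sample (not a real export): six records in the shape of Microsoft
# Graph signIn resources. A real export is a JSON array of such records with many
# more fields; only the ones used below are included here.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2019-03-04T08:01:12Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-03-04T08:05:44Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-03-04T08:06:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-03-04T08:09:30Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.55", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
    {"createdDateTime": "2019-03-04T08:12:01Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.22", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-03-04T08:15:27Z", "userPrincipalName": "erin@example.com",
     "ipAddress": "198.51.100.9", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
])

# Assumed set of legacy (basic-auth) client types. These protocols cannot complete
# an MFA challenge, so a successful sign-in through them is password-only and is
# the classic route for business email compromise.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients",
                  "Exchange Web Services", "Outlook Anywhere", "MAPI Over HTTP",
                  "Offline Address Book", "Exchange Online PowerShell"}


def load_signins(raw_json):
    """Parse an exported JSON array of sign-in records."""
    return json.loads(raw_json)


def succeeded(record):
    """errorCode 0 means the sign-in was granted; anything else is a failure."""
    return record["status"]["errorCode"] == 0


def single_factor_successes(records):
    """Sign-ins that were granted while the tenant required only a password."""
    return [r for r in records
            if succeeded(r)
            and r["authenticationRequirement"] == "singleFactorAuthentication"]


def exposure_report(records):
    """Summarise how many granted sign-ins bypassed MFA, by user and by legacy protocol."""
    weak = single_factor_successes(records)
    return {
        "total_successes": sum(1 for r in records if succeeded(r)),
        "single_factor_successes": len(weak),
        "by_user": dict(Counter(r["userPrincipalName"] for r in weak)),
        "legacy_auth_users": sorted({r["userPrincipalName"] for r in weak
                                     if r["clientAppUsed"] in LEGACY_CLIENTS}),
    }


if __name__ == "__main__":
    report = exposure_report(load_signins(SAMPLE_SIGNINS))
    print(json.dumps(report, indent=2))
```

On the sample, five sign-ins were granted, three of them with a password alone, and two users (one over IMAP4, one over Exchange ActiveSync) reached the tenant through protocols that cannot be challenged for a second factor. Failed attempts such as carol's are deliberately excluded so the report measures exposure, not noise. Run against a real export, the `legacy_auth_users` list is the set of accounts for which an MFA rollout alone will not help until legacy authentication is also blocked.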

How Do You Weigh Risk and Cost?

Risk-based security is inherently business focused. If IT and security departments are not business focused, they will be viewed as cost centers rather than business partners. When practiced correctly, security should understand and advise the business but not seek to block it.

As such, security also needs to be cost appropriate. A security investment plan should always consider the value at risk and underpin that value with appropriate controls costing up to a percentage of that value, and should never deploy security for its own sake or merely for compliance's sake. Being able to articulate the business proposition of security is essential. Failure to do so is currently resulting in an underinvestment in technology, evidenced by the significant number of breaches reported in the media daily.

On the positive side, efficient cybersecurity can be a huge differentiator, for example when used to pursue opportunities in heavily regulated markets. Cybersecurity strategies can also be leveraged to de-risk technology during mergers and acquisitions and investments in emerging technology such as the cloud, the Internet of Things and artificial intelligence, giving a business the competitive edge.


Attribution

©2019. Published by Cybersecurity Law & Strategy, April 2019. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.