Everyone is talking about it.
Now is the the time for the CISO to shine as he has the boards ear but what does that mean for his colleagues in the C-suite?
We’re starting a 3 part series of what C level management should know about cybersecurity and the risks that cyber poses on each of them.
This first part of the series focuses on the CEO, and what a CEO should know about the threat landscape.
#1 – Security is no longer a solely technological issue to be operated by IT employees alone.
Times have changed, and security poses different organisational challenges than it did in the past.
“Security is now a business challenge that needs broader solutions ”
— Conner Forrest, TechRepublic
“As threats become more sophisticated, organizations need to foster a culture of cybersecurity awareness from the top down and integrate it throughout their organization.”
— Michael Kaiser, Executive Director, National Cyber Security Alliance
In their biennial ‘Global Economic Crime Survey’ of 2016, PwC calls cybercrime “a boundless threat”.
Not only is it boundless, it’s this year’s second most reported economic crime.
PwC Global Corporate Intelligence Leader Mark Anderson explains the shift in perspective among hackers; what their goals are, and what they’re aspiring to do:
Hackers are now “more ambitious than ever. Their aim goes beyond targeting financial information to include a company’s ‘crown jewels’ – customer data and intellectual property information, the loss of which, can bring down an entire business”, says Anderson.
And it makes perfect sense that if hackers are aiming for a company’s ‘crown jewels’, they’re gonna want to get as close to the top as possible.
#2 – Personal Liability in Cybersecurity
Firing the CEO because of an internal or external security breach may become a trend, and the industry has been moving that way for a while
The President/CEO is responsible for the business, ergo they are responsible for information security. If a company has four bad earnings reports a CEO will likely be out, and so it goes with a security breach as well.
— Tom DeSot, Executive VP and CIO for Digital Defense Inc.
A major attack on his company doesn’t always mean the CEO has to pack up his desk, but it’s unfortunately, quite common. What’s more is that these career injuries can often threaten future job security for these CEOs, as well as serve him with personal lawsuits.
Why would the CEO be the one to blame?
Take the example of the heinous cyber attack on Target in the holiday season of 2014 — simply put:
Target Corp. ousted CEO Gregg Steinhafel following a hacker attack that compromised the personal data of millions of shoppers during the holiday season.
Each painful hacker-caused CEO-exit is unique to its situation, often following up to errors the CEO made beforehand that weren’t security related. Yet when it is correct to blame the CEO, the ill-judgement claim is pretty straightforward:
His main error was to move too slowly in shoring up the chain’s defenses even after being warned that point-of-sale terminals were vulnerable to cyber criminals.
— Boston Globe
Ultimately, it’s the CEO’s decision (and therefore liability) to make sure that his company has a protective cybersecurity plan in place. Otherwise, he’s easily responsible, like in the case of Steinhafel, when the CEO deliberately passes on the opportunity to take proactive action towards cybersecurity.
#3 – The Wrong Perception
PwC’s survey holds organisations themselves responsible for this rise in cybercrime that’s beginning to haunt them.
The C-Suite Execs may not know it yet, but the ability to achieve mission objectives and deliver business functions is increasingly reliant on information systems and the Internet. For businesses of all industries, this growing dependency is resulting in increased cyber risks that could cause severe disruption to a company’s business functions or operational supply chain, impact reputation, or compromise sensitive customer data and intellectual property.
The numbers from PwC’s CEO Survey shows the frightening truth of how seriously your average CEO takes the issue of cybersecurity:
What IT Professionals Say About their CEOs
In the CyberArk Survey of IT Professionals the effectiveness of companies’ internal security programs was measured;
What CEOs Themselves are Saying
KPMG’s “Cyber security: a failure of imagination by CEOs” shows us:
Traditionally, C-suite and board members have viewed cyber security as a tactical problem, not as a strategic issue.
Incident Management After the Breach
Who are the First Responders?
The security/response team acts as the ‘first responder’ for potential cyber crimes, and individuals in the company’s senior management are hardly involved.
What most employees don’t seem to realize is: this response approach makes breaches more feasible, and easier for hackers to achieve.
Second Responders: the CEO himself
After a company gets breached, they owe it to their customers to account for the attack, and confirm what damage has or has not been done.
Possibilities for a Second Response
- When TalkTalk was breached in October 2015, they were criticized by many for ‘mishandling their response to the hack’. They waited a full day to fulfill their full reporting duties: they informed the police on the day of the attack, but didn’t ‘own up’ to the problem until 24 hours later. And, when they did respond they initially said the breach had affected 4 million of their subscribers, a number that turned out to be far lower at the end.
- Soon after being notified of the hack on his company, JD Wetherspoon’s CEO John Hutson confirmed the attack to the public (the following day). Being symptomatic of his customers’ feelings, Hutson wrote an apologetic letter to his customer base;Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.
We’ll leave it to you to decide which of the incident management responses would breed a company better results, and why. One thing is certain though, each company should have a incident response plan that covers the business and media aspects as well. Who speaks when and what they say, may be more valuable than the response of the IRT team
#4 The Relationship between C-Suite and Cybercrime
What are the Risk Types within Businesses
Sensitive, unencrypted, company information that employees store on their phone.
Social media posts between co-workers, business partners and customers can expose company information to lurking online hackers.
Zero-day attacks on mobile devices and networks are the biggest threats for today’s enterprises.
This is the conclusion that CheckPoint came to in their 2015 Annual Security Report. What makes these threats so dominant in the threat landscape is the troubling reality that for companies with at least 2,000 devices on their network, 50% of the devices are likely to be infected.
How and why are the stakes so high?
As part of the continuously growing ‘BYOD’ trend, 43% of employees sync their office emails into their smartphones or tablets so that they can be more available and productive with work-related correspondence.
Although both companies and their employers may be benefiting from the trend, their internal security is being severely endangered as a result.
As soon as an employee’s device or online assets are susceptible to malicious activity, a company’s network and infrastructure take on a high risk-level of their own.
Phishing scams that target companies are a lot more than a concern for the CEO — they’re often targeting the CEO himself. Brian Krebs illustrates these dangers quite transparently:
It’s increasingly common for cyber criminals to forge communications that involve a fake email allegedly from the CEO or other executives which are sent to different employees in the firm that facilitate unauthorised wire transfers.
The FBI reported that between October 2013 and August 2015, more than 7,000 victims in U.S. companies were targeted by these types of phishing scams — amounting to a total of $750 million that was stolen within this time period.
Cyber threats that exist within a company’s infrastructure are of the highest risk caliber among the threat landscape, largely because of the scope of damage that they are capable of.
By nature of their close proximity to a company’s data and high profile assets, insider threats exploit their access to company’s systems, as the magnitude of harm they are capable of is much more severe than other threat types and at times harder to detect.
Crown Jewels are of more relevance to the CEO than to most of his colleagues. An inherently valuable business asset, crown jewels are the springboard of a company’s most key virtues: they drive its cash flows; they determine its competitive advantage in the market, as well as the worth of their shareholder value.
Cyber criminals are not only making mind-blowing strides in their sophistication and tactics, they are as aware as their adversaries of how fruitful access to a company’s crown jewels would be.
Despite often having expensive and mainstream cybersecurity softwares in place, a company can still stand deeply vulnerable of losing dominance over their crown jewels.
The traditional information security model cannot protect companies, and certainly not the CEO alone, from today’s prospering cyber criminals.
These models are compliance-based, perimeter-oriented and reactive, blatantly lacking the proactive, detective and expansive tools that can adequately deter today’s hackers.
The distinct value of the crown jewels’ security can only be matched by the distinct attention of a company’s CEO, wherein he collaborates with all individuals involved with their company’s digital value chain. All information, resources and digital interactions within and surrounding the company must be accounted for in order for the crown jewels’ to be definitively secure.
#5 Being Proactive and as an Organization
At this month’s RSA in San Francisco, Brett Hansen (Executive Director of Dell Security’s Data Security Solutions), shared an insight from the Dell Data Security Report:
“82% of IT and business decision makers have tried to limit employee access to data across their locations”
Actionable Steps for Proactive Collaboration
- Change the focus from asset protection to business mission assurance in order to handle cyber threats.
- Include assets which do not necessarily fall under the scope of traditional IT responsibilities into your cyber defense strategy.
- Translate your cybersecurity perspective from a compartmentalised approach into a contextual consideration of your entire operational environment.
- Executives must relate to cybersecurity as a corporate-wide concern.
- Maintain a proactive, pre-emptive strategy to identifying threat actors and vulnerabilities.
One example for proactive collaboration in a company that aligns the business with its cyber risks and makes cyber a organization wide concern is our ‘Directive 361 for Financial Institutions’:
Compiled by CyberInt for the Israeli Banking Supervisor, this is the first directive of its kind, focusing specifically on the cyber threats targeting the financial industry. It provides a structured yet flexible framework for cyber risk management, while providing banks with the flexibility to implement .and fine-tune their own procedures
This enables banks to dynamically update their defenses based on the changing cyber threat landscape.
Key Criteria for an CEO Cybersecurity Plan
- An action plan that enforces a consistent risk assessment process.
- A comprehensive understanding of what data is leaving your company and why you may be an attack target.
- A delegated board committee to be responsible for cybersecurity.
- An evaluation of whether or not your security team has adequate resources for breach protection.
The CEO’s responsibility for his company’s cybersecurity strategy is only one must-have for the C-Suite Executives who take action towards cybersecurity.
Stay tuned for our next post in the series, which will explain the role of CISOs and the security challenges that they face in different enterprise industries.