Cyber security is often thought of as an IT issue but is in broader terms a strategic risk management issue that encompasses people, process, technology, policy and intelligence.
There are clear benefits to adopting a risk management approach to cyber security:
1. Strategic benefits: The right cyber security technology will bring a higher visibility on potential risk exposure across the entire organization. Cyber security has become a strategic IT issue. Ultimately a better security posture will bring numerous benefits to organizations including a higher degree of investors and shareholders confidence. Chief information officers should be provided with regular intelligence on which threat actors may be targeting the company, through which methods and for what motivations.
2. Financial benefits: Implementing cyber security protection mechanisms, complying with data protection regulation, an appropriate information security policy, the right controls and processes across organizations and complementary steps such as a cyber security insurance policy will allow companies to ultimately gain financial benefits in the form of reduced potential fines, avoid losses contingent to a cyber attack, and minimize the financial impact in case of data breaches. As an example, infringements of the provisions of the EU global data protection regulation shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art 83 of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT). In 2015, 90% of large organizations had experienced a security breach of some sort. £1.46m – £3.14m is the average cost to a large organization and £75k – £311k is the average cost to a small business.
3. Operational benefits: It is critical to protect key information assets. The board, together with other executives and IT professionals, has a responsibility to foster a cyber security and compliance culture across the entire organization. The right cyber security and compliance culture combined with the right set of technologies will allow organizations to reap the natural operational benefits that comes with it, such as more robust processes and policies.
Board members should proactively implement cyber risk as a strategic issue. Cyber security risk management is a subset of operational risk management and the related risk may impact share value, mergers, pricing, reputation, culture, staff, information, process control, branding, technology, finance…. Therefore, companies will have to go through a proper risk assessments to identify their key information assets as well as their main vulnerabilities to cyber attacks. Companies will have to responsibly allocate cyber risk management at every level of the organization and develop appropriate written information security policies supported by regular staff training. In essence, companies need to establish the right governance and policies, ensure that systems and processes are designed to defend against cyber threats by implementing the right security controls, and have the right mechanisms in place to identify when organizations have been compromised and how to respond and investigate when incidents happen.
Companies should understand what is an information security policy and why it is at the core of the risk security strategy. They should know when and how to write an information security policy, and how to implement it in a sustainable way. With the new regulations such as the new EU Directive coming into force in May 2018, companies have a window of opportunity of a bit less than two years to take appropriate steps to comply with the new regulation in order to avoid non-compliance and potential hefty fines. A proper information security strategy will initiate the necessary actions that companies need to implement to reach the adequate level of compliance across their entire organization.
When analyzing the security of a company by doing a risk assessment and identifying vulnerabilities, we are confronted with the fact that the security posture of a company is as good as that of the companies it is “connected” to. In security, we often think in terms of the people, processes and technology framework. And we could add a fourth dimension to that framework: information security policy. And later a fifth dimension in the area of threat intelligence. It is a well-known fact that the weakest link in the security value chain is not the processes nor the technology but the people. And we need information security policies to educate the people and to enhance their level of security awareness and encourage best practices in order to minimize the likelihood of data breaches and the impact in cases of breaches or unauthorized accesses by hackers.
What do we mean when we say that the security posture of a company is as good as that of the supply chain to which it belongs and that the security posture of the supplier/vendors a company is relying on should be measured and assessed?
Let us give a simple example on data integrity: imagine a car manufacturer that orders 10000 pieces of a given piece of equipment to one of its suppliers. The order is made through a computer system and information about orders and quantities is exchanged between the two companies via an open network such as the Internet. Imagine then that a hacker, through unauthorized access to one of the company’s network, manages to distort the integrity of the messages and as a result the company would order not 10000 pieces of equipment but 100000. That would create substantial confusion in billing systems, in the management of the logs, at delivery of the equipment…. In other words, the communication channel between the company and its supplier would be disrupted. The other element that should be taken into account is the legal dimension of such a chain of events to understand who would actually be liable and responsible when such disruption would occur.
Such an attack could be engineered by exploiting vulnerabilities either into the company’s network or into that of its supplier/vendors. Therefore, it is often a good initiative when we take the appropriate steps to identify the vulnerabilities within our network but it is even better when we go a step further to identify the vulnerabilities within the network of our vendors or suppliers.
Some companies can rely on thousands of vendors and suppliers. It is thus of critical importance to reach a higher degree of visibility into third and fourth party risk.
Some advanced risk assessment technologies allow organizations not only to get a security assessment of their own network and related vulnerabilities in the form of a security score (that works like a credit score for security through a set of well defined security dimensions) but also of all of their vendors. This way, organizations can continuously monitor change in their security risk-posture and that of their vendors and took remediation steps to increase in a way the level of cyber resiliency of the supply chain.
However, before buying and implementing such advanced technology, companies should start with outlining the foundation, which is the actual security strategy. An important proportion of companies (of all sizes) lack formal written endpoint security policy and security strategy. They often prioritize in a wrong way. Many organizations focus too much on malware or identifying threat actors targeting them. Before buying technology solutions, companies should understand their enterprise architecture and the inventory of the sensitive data they are trying to protect. In choosing security vendors, they should understand where are the overlaps and where are the gaps in order to ultimately get an adequate return on their security investment.