
The Principles of Good Cyber Risk Management

In the world of cyber risk, we are dealing with unprecedented events. Apart from headline-grabbing attacks such as the global malware incident that impacted Mondelēz’s business and NotPetya, the Russian military-run global cyber-attack, we are now seeing an epidemic of cyber-attacks. Concern has shifted from dealing with data being stolen and sold on the dark Web to handling serious ransomware and destructive attacks, where attackers are looking for an immediate monetary payout. This is the new threat. Malware such as TrickBot can infect an entire corporate network, allowing attackers to surreptitiously gain access to systems, embed malicious files and clean up after themselves, leaving no trace. The source of the attack is not, however, dealt with, giving the attackers time to monitor what is valuable to an organization and prepare a more sinister attack. At a later date, entire networks are encrypted, and companies are brought to their knees, unable to access email, payment systems, and operational systems. Everything goes down, including email, calendars, Skype and VoIP, leaving a company unable to operate or communicate.

What remains is a ransom note demanding payment, usually in cryptocurrency, to regain keys to unlock the systems. These attacks can cost companies from $100,000 to over $1 million and specialist services are required to negotiate with the hackers.

We have seen companies with their entire information technology infrastructure brought down over multiple countries, leaving them completely crippled. Added to that, companies face fines for data breaches, breached contracts with their customers due to an inability to perform services, the consequences of being unable to pay invoices, and of course their overall reputation is damaged.

Why Are Companies Getting It Wrong?

It has become much harder to protect a company’s digital assets because the digital landscape is shifting rapidly under our feet, catching many mature businesses off guard. Businesses need to determine which components of their business rely on technology and digital assets, exactly where those assets are (being less tangible than hard assets like real estate or cash), and how to protect them and the data flowing through them. Often new systems are deployed, and the data being processed is not fully understood, classified or safeguarded appropriately.

The old “protecting the center” model of the last decade is no longer enough to keep companies secure. The old model involved protecting your network and protecting a company at its perimeter. Now with data being commonly housed in cloud applications with third parties and mobile devices, a new approach is needed. Many companies now have legacy systems that cannot simply be replaced given the associated cost. These systems are not “safe by design” like some of the newer systems, and many lack even basic security mechanisms and still rely on non-complex passwords, which an attacker can easily overcome.

Protection methodologies have also gone out of date, including the “air gapping” of environments designed to isolate systems from each other and protect sensitive data. The old “people and process” security model has evolved, and we now rely on “people, process, and technology.” Before the technology boom, security was a manual process—people had to monitor systems or processes looking for threats. Technology is now able to help automate threat monitoring.

What Does Good Security Today Look Like?

First, it is important to note that “good” is not a static state; what is needed for security should be dynamic and agile. Second, one can never totally eradicate risk, but can only reduce it to a level that the organization finds commercially acceptable.

“Good” is no longer having the highest walls or the deepest moats to stop the bad guys getting into a company’s systems. In a controlled environment “good” means:

  • Having increased visibility of potential threats, which will tell you how and where to protect your systems;
  • Understanding how current threats could impact your organization and its information;
  • Understanding your key business processes and data;
  • Knowing how your data is regulated in each region and appreciating other risks relating to your business data, such as commercial risk;
  • Understanding where your business is underpinned by technology;
  • Understanding the degree of control you exercise over that technology, for example whether it is a legacy system with out-of-date security or is controlled by a third party;
  • Understanding the skill of your workforce and the effectiveness of your governance structure; and
  • Quantifying the cost spent on cybersecurity versus the value that the protected technology brings to the business.

This means having visibility of the people and processes in your business that interact with your technology and data so that you can identify risks, having visibility of attacks through advanced threat detection and containment technology, and being aware of when there is heightened risk of a cyber-attack—for example, when a patent is being granted.

How Do You Develop Controls That Respond to Your Business Environment?

What is needed now are dynamic controls—controls that respond to your business environment or to the threats around you.

Businesses often have on-premise security tools to protect their businesses and then realize they have purchased cloud-based platforms that are entirely unprotected. Big banks in the UK, for example, have invested heavily in security over the years. After the Financial Conduct Authority clarified its stance on the use of public cloud services through the publication of FG 16/5, none of this capability was effective in any of the public cloud offerings they developed. This has given challenger banks a clear advantage.

In other situations, major companies in the energy sector have made exorbitant investments in advanced threat intelligence but are unable to change their controls in response to the intelligence gleaned. For one company, the threat increased or decreased week to week, but the control landscape could not respond or adapt to the changing picture, rendering the investment ineffective. The result was that the controls bore no resemblance to the threat level.

Why Is Agility in Cyber Risk Management so Important?

Agility is crucial when it comes to reducing cyber risk and requires companies to understand their business and model their security strategy on current and future business strategy. Referring again to the big banks and oil and gas companies, many have offshored all their IT and processing centers, but not kept enough internal knowledge or skilled staff to manage third-party suppliers. This means they do not understand their environment and therefore cannot respond quickly to changing threats.

Agility in a control environment also means adapting to security threats. This could be allowing users greater degrees of functionality and freedom through the deployment of advanced threat detection tools instead of locking users down.

We have seen small organizations save themselves from significant impact by pulling the Internet cables during an active cyber-attack. This approach is now being used in critical infrastructure organizations. By designing red-button-type processes, they can shut down an entire gas compressor or a segment of the control network, for example, if it poses a risk to the entire grid. In the old world, a plant operator would simply not be able to obtain the required executive authority to shut a plant down (given that it would cause millions in damages) within the time required to defend against an active cyber-attack. Crisis plans need updating to consider and embed rapid responses to cyber-specific threats.

What Does Best Practice Look Like When it Comes to Cyber Risk Management?

The approach to security that we advocate is risk-based. In this context that means evaluating the business desires and goals and underpinning and assuring elements that are the most reliant on technology. It also means that the level of investment in security should be linked to the value of the asset being protected within the specific commercial landscape. A company can examine the types of threats it is exposed to and select where to deploy controls that reduce the risk to an acceptable level, but not at an untenable cost to the business. This might involve deployment of some enhanced detection controls, network segregation, and system recovery controls to a manufacturing environment to detect and contain threats and, if needed, rebuild parts of the environment. Contrast this to a full redesign of the factory before it naturally becomes obsolete, bearing in mind a typical 30-year lifecycle of such assets.

Integrating controls and layering defenses to make sure they fit into one another is also important. Buying all the latest tools will not protect your business. Coherent security is an end-to-end integrated system of people, processes and technologies coming together to protect business value.

We often see customers deploy Office 365 because they have been told that it is secure, but then they neglect to deploy multifactor authentication (MFA) and other advanced controls available to protect it, due to the perceived impact it has on users and usability. This is akin to refusing to wear a seatbelt and then claiming that a car is unsafe. In 2017 and 2018, Ankura dealt with approximately 1,000 data breaches—over half of which were due to business email being compromised, and 90% of which were due to a lack of MFA or other basic Office 365 security controls.
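As an added example (not from the article or from Ankura), here is a small Python check of the kind that surfaces the gap described above: it reads exported sign-in records and lists accounts that are reaching Office 365 with only a password. The record shape and field names are assumed to follow the Microsoft Graph signIn resource; the sample records are constructed, not real logs.

```python
"""Find Office 365 accounts signing in without MFA (added example)."""
import json

# Constructed sample records (not real logs). Field names are assumed to
# follow the Microsoft Graph signIn resource; a nonzero errorCode is a failure.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.10", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.5", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.77", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed sign-in: does not count as access
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "192.0.2.33", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.12", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
])


def load_signins(raw_json):
    """Parse an exported sign-in log (a JSON array) into a list of dicts."""
    return json.loads(raw_json)


def succeeded(record):
    return record.get("status", {}).get("errorCode", 1) == 0


def single_factor_successes(records):
    """Successful sign-ins that satisfied only a password: each is a session
    that a phished or reused password alone would also have obtained."""
    return [r for r in records
            if succeeded(r) and r.get("authenticationRequirement") == "singleFactorAuthentication"]


def accounts_never_challenged(records):
    """Users with at least one successful sign-in and no MFA-satisfied sign-in
    in the window: the first candidates for a policy that requires MFA."""
    signed_in, satisfied_mfa = set(), set()
    for r in records:
        if not succeeded(r):
            continue
        signed_in.add(r["userPrincipalName"])
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            satisfied_mfa.add(r["userPrincipalName"])
    return sorted(signed_in - satisfied_mfa)


def summarize(raw_json):
    records = load_signins(raw_json)
    return {"single_factor_successes": len(single_factor_successes(records)),
            "accounts_never_challenged": accounts_never_challenged(records)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SIGNINS), indent=2))
```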

How Do You Weigh Risk and Cost?

Risk-based security is inherently business focused. If IT and security departments are not business focused, they will be viewed as cost centers rather than business partners. When practiced correctly, security should understand and advise the business but not seek to block it.

As such, security also needs to be cost appropriate. A security investment plan should always consider the value at risk and underpin that value with appropriate controls up to a percentage of the value and should never seek to deploy security for security’s or compliance’s sake. Being able to articulate the business proposition of security is essential. Failure to do so is currently resulting in an underinvestment in technology evidenced by the significant number of breaches being reported in the media daily.

On the positive side, efficient cybersecurity can be a huge differentiator when used to pursue opportunities in heavily regulated markets. Cybersecurity strategies can be leveraged to de-risk technology during mergers and acquisitions and investments in emerging technology such as the cloud, the Internet of Things and artificial intelligence, giving a business a competitive edge.

Ankur Sheth and Jano Bermudes

Ankur Sheth is a Senior Managing Director at Ankura, based in New York. Ankur has been focused on cybersecurity for more than 14 years across a variety of competencies and industries and continues to serve his clients in successfully mitigating potential cyber threats. Jano Bermudes is a Managing Director at Ankura, based in London. Prior to joining Ankura, he was in Navigant’s information security investigations and assessment practice, acquired by Ankura in 2018, and led the proactive and reactive incident response team outside of the Americas region. Reprinted with permission from the April 2019 edition of Cybersecurity Law & Strategy. © 2019 ALM Media Properties, LLC. All rights reserved.
