By Toby Chinn – Head of Control Risks’ Cybersecurity practice
Was cybersecurity at the top of your priority list when the WannaCry attack hit? When a cyberattack strikes, it can quickly become headline news, causing serious disruption to an organisation for days on end and costing hundreds of thousands of dollars in lost data, reputational damage, lost customers and regulatory fines.
WannaCry, one of the largest cyberattacks ever seen, hit thousands of organisations worldwide within a day, causing severe damage. A summary by the BBC points out that, in the first few hours of the attack, 61 National Health Service organisations in the UK were disrupted – something that was echoed among many other organisations across the globe.
One of the many lessons companies can draw from this attack is that if cybersecurity wasn’t a board-level priority before, it should be now. No company or country, however big or small, is immune to attacks by cybercriminals. In the worst case, breaches can cause major corporate crises that paralyse entire corporations for days, often causing severe financial damage. According to the UK National Cybersecurity Centre, the average cost of a security breach is estimated today at between £600,000 and £1.15 million. It is unsurprising, then, that the World Economic Forum has rated cybersecurity as one of the top three risks for 2017.
Control Risks’ latest State of the Cybersecurity Landscape report found that while most companies now have notional board oversight in matters of cybersecurity, around half of these companies’ key IT and business decision-makers think their boards have no proper grasp of the issues.
Obviously, one of the main challenges board-level executives face in dealing with cybersecurity is the technical complexity of the tools and strategies involved. But as with every other kind of corporate risk, business directors don’t need to fully immerse themselves in technology in order to play an effective role in cyber risk oversight.
An understanding at board level of the threats that an organisation faces is a first and vital step in the right direction. Without full board-level support, IT departments, who are often in charge of dealing with cyber risks, find themselves under-resourced, isolated from the rest of the business and without sufficient budget to manage these risks effectively. In interviews with large organisations of more than 2,000 employees across 20 countries, a number of issues consistently presented themselves as key management concerns in cybersecurity. In particular, these concerned the approach to cyber risk management and the issue of third-party cyber risk.
Effective risk management is crucial to reduce damage
According to Control Risks’ survey, adopting a risk-based approach to cybersecurity is something companies are really struggling with. Worryingly, more than a third of organisations interviewed have not conducted a risk assessment at all within the past year. And even though the other 68 per cent of respondents have performed a risk assessment in the past year, 45 per cent of respondents cited it as their primary challenge.
Furthermore, while the report found that the majority of organisations said the C-suite was most accountable for cybersecurity management and decision-making (77 per cent), almost half of these companies said they do not believe their organisation’s board-level executives take cybersecurity as seriously as they should. Reflecting this, around a third (31 per cent) of the companies interviewed are either ‘very’ or ‘extremely’ concerned that they will suffer a cyberattack in the next year.
Third-party breaches are a growing concern
In today’s business environment, almost all companies rely on third parties in their supply chains. This extends their cyber risk, especially as businesses increasingly outsource sensitive functions such as payroll and other finance functions, technology services, legal work and even research and development. A cyber breach of one third party’s systems can have significant consequences for the wider network. As Ben Lawsky, New York State’s top financial regulator, said in a letter to dozens of US banks: “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the security of its vendors.”[1]
In the survey, 35 per cent of respondents said that a third-party cyber breach had affected their organisation. This was lower for organisations in Europe and the Middle East (33 per cent) and Africa (21 per cent), but higher for respondents in Asia (39 per cent) and the Americas (38 per cent), which may suggest regional differences in companies’ willingness to report cyber breaches to their customers.
Measures companies currently take to manage cybersecurity risk beyond their own IT ecosystem appear insufficient
According to the State of Cybersecurity Landscape report, 34 per cent of respondents said that vetting third parties’ cybersecurity standards is a challenge. This was significantly lower for companies in the Netherlands (13 per cent) and higher for companies in Germany (41 per cent). Only 23 per cent of the organisations interviewed described their companies’ approach to cyber risks resulting from the use or acquisition of third parties as excellent.
Of organisations that have a cyber crisis management plan, a quarter say the plan does not address what third parties should do if they suffer a breach that may impact the respondent’s organisation. Regional differences here are significant: 62 per cent for Africa, 26 per cent for the Americas, 23 per cent for Europe and the Middle East and 21 per cent for Asia.
Most (93 per cent) respondents’ organisations say that they have taken steps to evaluate their third parties’ cybersecurity measures. Around half acquire signatures on contracts that legally oblige the vendor to adhere to security and privacy practices (53 per cent), obtain evidence of security certification (49 per cent) or conduct an independent audit of the vendor’s security and privacy practices (48 per cent). Despite this, nearly half (48 per cent) of those surveyed agree that their organisation does not consider the impact of partners/vendors’ cybersecurity as much as it should.
The way cyber threats are assessed and communicated throughout a business is key
Control Risks’ advice is always to start with the threat. This should involve considering the specific cybersecurity threats to the organisation, what impact these threats might have and how current controls mitigate them. Having assessed these risks, the organisation can then integrate them into the organisation’s overall risk management strategy.
Taking the wider business through the process of how an external threat actor (e.g. a cybercriminal) may utilise a specific attack to gain access to data and systems and exploit them will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are clearly understood, leading to clearer discussions on prioritising spending and focussing effort on the areas that matter most.
Building confidence in the board’s cybersecurity management capabilities
It is important that everyone across all levels of an organisation, including those at C-suite and executive board level, approach cybersecurity as an enterprise risk and develop a mitigation strategy that not only protects the company, its assets and its operations, but also enables business. Actionable recommendations include:
1. Ensure cybersecurity becomes a regular board agenda item. This should include reviewing your external cyber threat landscape with input from an IT expert, or creating a committee to address the issue as a wider business threat. This also ensures that the cybersecurity budget is being spent in the most effective way.
2. Conduct regular cyber crisis management exercises that involve all relevant parties. Include the C-suite, IT, legal, communications and any other members of the crisis management team, so that all parties understand their roles and responsibilities and the potential implications of a cyberattack.
3. Ensure all employees, including the board, are educated to understand their potential cyber exposure. This includes how a breach might occur in any part of the business. Risk assessments in particular are a good way to educate employees on the cybersecurity threats the organisation might face.
4. Conduct a risk assessment. A comprehensive assessment is required to identify gaps in cybersecurity across the wider organisation and the potential legal, reputational and financial implications of a breach. An assessment usually starts by taking employees through the process of how an external threat actor (e.g. a cybercriminal) may use a specific attack method to gain access to data and systems and exploit them. Assessing risks on this basis will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are fully understood, leading to clearer discussions on prioritising spending and focusing effort on the areas that matter most.
5. Take steps to understand the impact a third-party breach could have on the business. This should go beyond simply acquiring a signature on contracts that legally oblige the vendor to adhere to security and privacy practices. Cybersecurity should be included in a company’s broader vendor vetting process, which should reflect the company’s broader risk strategy and account for accepted risks as well as proactive mitigations. Beyond this, a company should ensure that its crisis management plan accounts for circumstances that may lead to a loss of customer data, or to fines, as a result of a third-party breach.
When it comes to a cyber breach, it really isn’t a case any longer of ‘if’ but ‘how badly’ your organisation could get hit. WannaCry serves as just one of many examples of why having cybersecurity on the board’s ‘to do’ list is no longer sufficient. Moving towards a common perception of cybersecurity as a holistic business risk, and educating all employees on the importance of good cybersecurity practice, must be the next steps in tackling today’s challenges.
There is no magic formula for protecting your organisation against the rapidly evolving world of cyberattacks. But acknowledging this, adapting your cybersecurity measures to match the threat landscape and upskilling the entire organisation on the basis of this understanding can make a considerable difference to your organisation’s resilience against the next cyberattack you might face.
About the Author:
Toby Chinn is head of Control Risks’ Cyber Security practice, based in London, UK.