Cyber risk continues to be a concern for many, as witnessed in recent coverage. And it looks as if hackers are getting smarter, while businesses remain in denial.
The Deloitte post, "Cyber risk, issues and opportunities for private companies" is important because it asserts — correctly — that cyber risk is not limited to public companies, financial institutions, government agencies or the like. It is an issue for everybody, including private citizens.
ABC News reported that even former Vice President Dick Cheney feared that his pacemaker might be hacked in an assassination attempt.
However, the hacking of our personal devices is more likely done by criminals and state actors. Motives include holding individuals to ransom after taking control of our computers (this happened to a member of my family); using our computers for a denial of service attack on a target; stealing personal information so they can raid our accounts; obtaining personal information that they can use in phishing attacks on our employer; and so on.
The last point, obtaining personal information about employees to make phishing and other attacks more realistic and likely to be believed, is troubling. Hackers are definitely getting smarter.
While the Deloitte piece is directed at private and mid-size organizations, its lessons apply to us all.
The report acknowledges the pervasiveness of cyber attacks, but also points to how current pressures on companies to transform digitally carry both opportunity and risk. Some key quotes:
"Let there be no doubt about it: Cyber criminals have grown up. Once characterized as members of the dark web and denizens of the underbelly of society, today’s increasingly sophisticated hackers steal financial information, intellectual property and other highly sensitive data that its owners believe are tucked away where outsiders can’t find it.... While this kind of theft is damaging on its own, the ripple effects from a reputational standpoint are just as harmful. Customers are not only aware of cyber crime in its many forms, they fear it. They’ve personally felt the effects of attacks on high-profile, business-to-consumer companies. And as a result, they’re concerned for their financial security, their identity, and ultimately, their privacy.
"In some cases, how an organization treats its customers in the wake of an attack can be at least as consequential as the attack itself.
"While most recent high-profile cyber attacks have targeted major organizations, all companies, regardless of size, must operate with the assumption that cyber attacks will happen — to them. If short on resources and advanced cyber security skills, mid-market companies may be more vulnerable than larger ones.
"This doesn’t always mean layering on new security controls, which is often cost-prohibitive. In some parts of the business, it may be more appropriate to emphasize detection capabilities so threats and infiltrations can be identified more readily, and to be more fully prepared for the eventuality of a cyber incident taking place.
"Cyber risk and business growth are inextricably linked: Leveraging digital innovation can help a company achieve its market position objective, but many of the actions companies now take to meet increased demand, drive efficiencies and capture market share — embracing cloud computing, developing mobile apps, engaging in social marketing — can also elevate their risk for assault.
"The typically less sophisticated cyber infrastructure of subsidiaries and third-party vendors allows not only for their data to be compromised, but acts as a backdoor into the larger organization’s security apparatus. Once inside the smaller company, hackers could make themselves comfortable for an extended period of time, undetected, and chip away at the barriers of the larger company’s security structure, paving the way to create real harm in the future."
Deloitte suggests five “foundational” questions to ask in assessing your information security program. They are all good, but I would add these:
- What effect might a successful cyber attack have on your corporate objectives? How might that be prevented or detected? Is your program designed such that you know the risk in business terms and are ready and able to adapt business strategies as needed?
- Even if you detect a breach promptly, do you have the capability to know what damage has been done, to evict the intruder, and to repair the defenses, all promptly?
- Have you discussed the program and your response to a breach with the board? Do you have an agreement about when and how they will be notified?
We Are All Under Attack
Back to the title of this post — “The Greatest Risk of All.” It comes from reading a Tripwire study featured in SC magazine under the headline, “Study: 61 percent of critical infrastructure execs confident systems could detect attack in less than a day.” As the article says, “Rekha Shenoy, vice president of business and corporate development for Tripwire, believes this sureness isn't rooted in reality.”
The Tripwire study found that 8 percent of the surveyed individuals in the energy, oil, gas and utility industries believe they could detect a cyber attack on a critical system within minutes. An additional 49 percent said that they would require less than 24 hours. But, when executives were singled out, an astonishing 61 percent said they could detect a cyber attack within 24 hours.
Just 8 percent of respondents (all levels) acknowledged the truth: they didn’t (and should not) have confidence that they would detect an attack.
Six percent felt their organization wasn’t a target. (Little do they know!)
The greatest risk isn't that people don’t understand the risk, or even that defenses are not capable of preventing an intrusion.
The greatest risk is that executives and CISOs believe that their defenses would either prevent or detect a successful attack.
We are all under attack. But our systems are not capable of detecting every attack, successful or not. Just look at JPMorgan Chase or the recent OPM hack. In both cases, the hackers were in the system for a year or more before they were detected.
The good news is that the technology for detecting intruders is improving. The bad news is that it has an immense distance to travel and is not cheap.
The 61 percent of executives do not have their heads in the sand. They are proudly erect and facing in the wrong direction.
I welcome your comments.