Stop Band-aiding your Cyber risk strategy with training

It wasn’t too long ago that sophisticated executives could have long, thoughtful discussions on technology strategy without even mentioning security. Today, companies have substantial assets and value manifested in digital form, and they are deeply connected to global technology networks – even as cyber attackers become ever more sophisticated and adaptable to defenses.

At most companies, boards and senior executives acknowledge the serious threats that cyberattacks pose to their business. What they are not sure of is how to create a strategy that helps them understand and address the threats, in all their forms, today and in the years ahead. And they’re asking for such a strategy every day.

Increasingly, the online world has grown complex and threatening. Many organizations are finding it hard to reconcile the level of their cybersecurity innovation investments with the cyber resilience outcomes for their business. Even worse, choosing the wrong strategy to invest in cybersecurity technologies can cost the organization far more than wasted cash; it can damage an organization’s brand, reputation, and future prosperity.

Both C-suite and security professionals should feel encouraged. Investment in innovation is increasing and managing the basics appears to be better. But scratch below the surface and there are hidden threats. Organizations face unsustainable costs, and security investments are often failing for the majority. With low detection rates and slow recovery times, it is important to find out what the leading organizations are doing differently to achieve cyber resilience. The good news is that most organizations, on average, spend 10.9 percent of their IT budgets on cybersecurity programs.

Leaders spend slightly more at 11.2 percent which is insufficient to account for their dramatically higher levels of performance. And their investments in advanced technologies, such as artificial intelligence, machine learning or robotic process automation, are rising substantially. Today, 84 percent of organizations spend more than 20 percent of their cybersecurity budgets on tools that use these three technologies as fundamental components. The finding represents a good step up from the 67 percent being spent three years ago. The increase is even more impressive with respect to the leaders. Three years ago, only 41 percent of leaders were spending more than 20 percent of their cybersecurity budgets on advanced technologies. Today, that has doubled, to 82 percent.

At first glance, the basics of cybersecurity are improving and cyber resilience is on the rise. The latest research in the market shows that most organizations are getting better at preventing direct cyberattacks. But in the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.

At the same time, cybersecurity cost increases are reaching unsustainable levels and, despite the hefty price tags, security investments often fail to deliver. As a result, many organizations face a tipping point. There is good news for organizations wondering if they will ever move beyond simply gaining ground on the cyber attacker. Analysis by Accenture reveals there is a group of standout organizations that appear to have cracked the cybersecurity code for innovation.

The BBC recently reported that researchers have discovered major security flaws—which affect flood defenses, radiation detection, and traffic monitoring—in the infrastructure for major cities in the United States and Europe. Of those flaws, nearly ten are deemed “critical,” meaning that a cyberattack on these systems would have a debilitating impact on essential infrastructure, including power grids, water treatment facilities, and other large-scale systems. It seems like the stuff of disaster films: A major city loses power. Huge amounts of the population panic. The roads clog. Planes are grounded. Coordinating a rescue effort— even communicating with the public—would be a colossal task.

Detailed modeling of cybersecurity performance has identified two distinct groups: the first an elite group—17 percent—that achieve significantly higher levels of performance compared to the rest. These organizations set the bar for innovation and achieve high-performing cyber resilience. The second is the group forming the vast majority of our sample—74 percent—who are average performers, but far from being laggards in cyber resilience. This second group has lessons to learn from leaders while leaders, too, have further room for improvement.

Being innovative in security is different from any other aspect of the business. Caution is necessary. After all, a fail-fast approach is not an option for security where attack vulnerabilities could be catastrophic. Growing investments in innovation illustrate organizations’ commitment to prevention and damage limitation. And it is here that leaders excel. By focusing on the technologies that provide the greatest benefit and sustaining what they have, they are finding themselves moving fast and first in the race to cyber resilience.

What is one key to secure innovation?

Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. But the most important factor in any cybersecurity program is trust. It undergirds all the decisions executives make about tools, talent, and processes. Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited.

Leaders now show us that they scale, train and collaborate more. So, while non-leaders measure their success by focusing on the destination— improved cyber resilience—the leaders focus on how to get there using warp speed to detect, mobilize and remediate.

IBM Survey: Pandemic-Induced Digital Reliance Creates Lingering Security Side Effects” – IBM, 15 June 2021.
Individuals created 15 new accounts on average during the pandemic, with 82% reusing passwords across accounts. According to the report, user behavior showed strong preferences for convenience outweighing security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. This lax user approach to security, combined with rapid digital transformation by businesses during the pandemic poses a big risk to companies and provides attackers with further opportunities to propagate cyberattacks across industries. These poor personal security habits carry over to the workplace.

RockYou 2021: largest password compilation of all time leaked online with 8.4 billion entries” – Cybernews, 7 June 2021.
A massive 100 gigabyte text file containing 8.4 billion entries and passwords that was combined from previous data leaks and breaches was published on a popular hacker forum.

Hackers Breached Colonial Pipeline Using Compromised Password”Bloomberg – June 4, 2021.
Investigators suspect hackers got the password from a dark web leak. Hackers gained entry into the Colonial Pipeline networks through a dormant virtual private network account that was no longer in use at the time of the attack but could be used to access their network. This account’s passwords have been leaked with a batch of other passwords on the dark web. This account also used a simple username and password without any other means for authentication. The hackers also stole nearly 100 gigabytes of data which they threatened to leak if the ransom wasn’t paid. This hack caused a shutdown of the pipeline causing a fuel crisis on the East Coast. This shutdown lasted more than a week.

“SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president” – Reuters, 14 Feb 2021.
The SolarWinds attack Hackers compromised a routine software update that gave them access to potentially up to 18,000 companies and government institutions globally. The hackers roamed around the networks of these companies for nine months before they were finally discovered. It will take months to identify the compromised systems and shut down the breaches. The breach of customer systems came through a small software vendor in the supply chain.

The above is just a couple of the recent examples of cyber breaches, from very sophisticated breaches such as the SolarWinds breach to less sophisticated breaches causing weeklong shutdowns in the Colonial Pipeline example. The hacks and breaches are becoming more frequent and more costly as attach surfaces are growing across the full supply and value chains of companies.

52% of email users failed to detect an actual phishing email. GreatHorn survey, September 2020.

Looking at these large-scale breaches, and trends that the attack surfaces are now extended throughout a companies’ supply and value chains, this puts companies at increased risk and it is clear that there is still a lot more work to be done when it comes to Cyber Risk management.

Yet, most companies still rely on the basis of employee training on phishing, basic pen testing, updating and creating more policies, more training on the policies, and some aspects of multi-factor authentication and VPN’s to try and secure the companies’ information systems.

Why do most companies still think this approach is enough and the responsibility of the IT and the Risk teams in the organization?

THIS IS NO LONGER A SUSTAINABLE APPROACH!

With the increased risk of the business being shut down for days and weeks on end due to ransomware attacks, stricter data privacy legislation and resulting fines, the cost to the business when an attack happens can potentially cripple the business for years to come or potentially shut the business down.

So, what do companies need to look at or change?

Let’s look at this question based on the current top trends around Cyber Risk to companies.

  • Ransomware continues to be one of the top threats to companies. The predominant way hackers gain access is still through phishing and simple password access. Operational processes of on- and off-boarding of employees, vendors, contractors across the company’s business network become critical. This requires a review of all digital touchpoints of all users across all systems in the company and reviewing if the security technology in place addresses the risk sufficiently. The fewer manual processes to manage digital credentials across all these touchpoints, the better. Multi-factor and zero-trust-based authentication is a must and all simple username and passwords credentials usage need to be eradicated across all systems.
  • Supply Chain attacks are growing and increasing the risk of attacks through a vendor or partner’s system that is integrated into the company’s information systems. This requires a cyber approval plan and constant auditing of the vendor and partner systems as it relates to all the digital touchpoints of their software or systems into the company’s networks and information systems.
  • The way we work has changed with a larger remote work force whose home networks and systems are outside the “Secure” corporate environment creating a higher risk of hacker access through unsecured wireless networks. The user behavior changes of more lax approaches to security and data privacy require more training and awareness and the potential deployment of additional security technologies to provide better security to the remote worker’s home networks. This also will require a review of the company’s overall policies on bring-your-own-device, employee conduct and how to govern employee behaviors. Security has now also become an HR matter.
  • Stricter compliance. The SolarWinds attack prompted new US government legislation and requirements being drafted with stricter compliance and standards around investigations of cyber events and standards for software development for companies dealing with government institutions. Companies will require CMCC (Cybersecurity Maturity Model Certification) control standards for companies working with Government institutions in the US. This model encompasses multiple domains, processes for each of these domains, capabilities and practices that measure a contractor’s capabilities, readiness and sophistication in the area of cybersecurity. New compliance standards will drive up the cost of doing business in much bigger ways than what Sarbanes Oxley has done for corporate financial reporting.
  • Stricter data and privacy legislation with more punitive fines. This requires a full evaluation of data vulnerabilities throughout the company as well as the company’s supply chain and coming up with clear plans and strategies on how to mitigate these.

Cyber Security is no longer just a “nuisance” add-on or cost. It needs to form a clear part of a company’s strategy and has become a key cornerstone in the Digital strategy of the company.

With the dawning era of The Internet of Things (IOT), cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives – including the market, the customer, production, and IT. Most often, the CEO is the only leader with the authority to make cybersecurity a priority across all of these areas. We believe that the issue of cybersecurity in many cases will require senior executive or even CEO initiative.

It is time to re-draw plans based on zero trust security principles and establish clear frameworks from the top down throughout all groups of the organization for monitoring, controlling, detecting, mitigating and responding to the increasing cyber threat.

As we have discussed earlier, as soon as one breach avenue has been foiled, attackers are quick to find other means. With the growth in indirect attacks, the spotlight falls on protecting third parties and other partners. But there are enormous challenges in managing third-party cyber risks. Large volumes of data can overwhelm the teams responsible for managing compliance.

The complexities of global supply chains, including the regulatory demands of various regions or countries, add to the strain. In our experience, many CISOs feel that the sizable number of vendors outstrips their capacity to monitor them. Given finite security resources, there is value in a data-driven, business-focused, tiered-risk approach to secure the enterprise ecosystem. This may mean introducing managed services to help the organization tackle the wider scope and scale.

By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organizations can not only play a responsible role in helping their smaller partners to beat cybercrime, but also they can be sure they are not bolting the front door from attackers while leaving the back door wide open.

A core group of leaders has shown that cyber resilience is achievable and can be reproduced. By investing for operational speed, driving value from these investments, and sustaining what they have, they are well on the way to mastering cybersecurity execution. Leaders often take a more considered approach to their use of advanced technologies by choosing those which help deliver the speed of detection and response they need to reduce the impact of cyberattacks.

And once they do decide to invest, they scale fast—the number of leaders spending more than one-fifth of their budget in advanced technologies has doubled in the last three years. The combined result is a new level of confidence from leaders in their ability to extract more value from these investments— and by doing so, exceed the performance levels of the non-leaders.

With two out of five cyberattacks now indirect, organizations must look beyond their own four walls to their broader business ecosystems. They should become masters of cybersecurity execution by stopping more attacks, finding and fixing breaches faster and reducing breach impact. In this way, they can not only realize security innovation success but also achieve greater cyber resilience.

Finally, cybersecurity remains much talked about, yet underleveraged as a differentiating factor on the business side. With the advent of the IoT, there is a real opportunity to move ahead and designate the security of products, production process, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product lifecycle and includes both the regulatory and the communication strategy. For CEOs in leading IoT and Digital organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mindsets are transformed.

As Stephane Nappo, Global Head Information Security for Société Générale International once said:

“The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats. Apply open collaborative innovation, systems thinking & zero-trust security models to design IoT ecosystems that generate and capture value in value chains of the Internet of Things.”

 

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping the latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.

LinkedIn: Profile

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programs for the British Government, Citibank, Kaspersky, BT and Barclays among others.

LinkedIn: Profile

Guest-blog: Alina-Georgiana Petcu discusses ‘When Insider Threat Turns Malicious – and How to Stop It from Happening to You’

Lockdown introduced new threat vectors for organisations in 2020, as cybercriminals redoubled their efforts to launch damaging cyber-attacks. Now that we are looking towards a post-lockdown future in 2021, it is worth exploring the cybersecurity landscape and assessing what steps we should take to protect ourselves from the pernicious threat of cyber-crime.

If there’s one thing you can say for cybercriminals, they rarely miss an opportunity. The coronavirus pandemic has offered cybercriminals a myriad of opportunities to exploit victims’ fears and uncertainties, sow seeds of false hope, and persistently cause disarray in the aid of compromising data and making money.

One year on from the first UK lockdown, we don’t expect this to change as we transition towards a post-lockdown world. The knock-on impact of lockdown is that many organisations are fighting to remain operational, and cybercriminals know this. They will continue to proactively target organisations that are struggling as a result of the coronavirus pandemic, as they recognise that budgets for IT and cybersecurity resources may well have been reduced – making them easier targets for phishing and ransomware attacks.

Today I have the distinct pleasure of introducing another Guest Blogger, Alina-Georgiana Petcu, who is a Communications and PR Officer at Heimdal Security.

Alina is a content connoisseur with a knack for everything tech, she occupies her spare time by trying to untangle the intricate narratives behind the world’s most infamous cyberattacks.

Alina is going to talk to us about the importance of when an insider threat turns malicious – and how to stop it from happening to you.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

The term insider threat refers to a certain amount of risk organizations are subjected to through their current and former employees alike, as well as through business associates or contractors.

These are all people with privileged access to a company’s systems, which means that they can access sensitive data regular staff members don’t have access to.

Insider threat becomes malicious the moment one of these people decides to abuse their access rights to fulfill nefarious motives. Let’s see how and why that happens, as well as how you can stop it from happening to you and keep your enterprise’s assets safe from the grubby paws of hackers.

Unfortunately, insider threat is a widespread issue in corporate cybersecurity. The Ponemon Institute’s 2020 Cost of Insider Threats Global Report recorded a 47% increase in insider threat incidents between 2018 and 2020. This type of inappropriate management of company data can be separated into three categories:
• Accidental, which means that the action was unpremeditated and was not driven by any ulterior motive.
• Negligent, which treads the line between accidental and malicious. The employee in question is not necessarily a hacker, but his intentions aren’t right either.
• And malicious, which consists of an action that is premeditated and was driven by an ulterior motive. That motive can be revenge, ego, financial gain, coercion, or ideology.

To better understand malicious insiders at a human level, SentinelOne’s Jeremy Goldstein classifies insider threat into four archetypes:
• The pawn, who is usually manipulated by a malicious third party into sabotaging the company. This is often unintentional, as it is carried out through phishing or CEO fraud.
• The goof, who is generally ignorant or arrogant regarding their position and thus acts irresponsibly within the company network, causing damage.
• The collaborator, who steals data and disrupts the activity of an enterprise in cooperation with a malicious third party.
• And the lone wolf, whose malicious intent is their own and they act independently of any other cybercriminal group.

Therefore, we can notice right off the bat that not all insider threat actors are malicious. Nevertheless, nearly half of them always are.

5 Threat Scenarios to Expect from a Malicious Insider

So, what happens when insider threat turns malicious? Here are the five scenarios you can expect, illustrated by a few real-life examples of what happened when renowned companies and global organizations went through them.

#1 A malicious insider stole data for competitive interests
• Steven L. Davis, a process controls engineer for Tennessee-based fabrication equipment designer Wright Industries, was contracted by Gillette to oversee their new shaving system in 1997. Out of discontent with his supervisor, Davis stole and sold private data about the technology to Gillette’s competitors.
• A naturalized Chinese-American citizen named Xudong Lao abused his privileges as an employee of the Illinois Locomotive Company between 2014 and 2015, illegally downloading thousands of confidential documents. He then got a job with a Chinese automotive service systems company in 2015 and supplied his new employee with these unlawfully obtained trade secrets.
• Walmart accused their technology vendor and partner Compucom of spying into the private conversations of the retail giant’s C-level executives in 2019. As per the allegations, Compucom employees gathered data that would later give the company an advantage in winning the bid with Walmart.

#2 A malicious insider covertly accessed customer data
• The National Security Agency (NSA) of the United States is responsible for several such cases. In 2003, an NSA employee allegedly monitored a woman he was involved with. She caught onto it and report the incident, which led to an internal investigation.
• One year later in 2004, it was discovered that another employee was keeping tabs on an unknown number she found in her husband’s contacts out of fear that he was cheating on her.
• In 2011, one staff member station oversees spied on the private phone calls of her partner back home, as well as on the conversations of the people she met in that respective country.

These incidents were referred to internally as LOVEINT, which is short for Love Intelligence.

#3 A malicious insider gained profit from privileged information
• In 2011, a former Bank of America employee provided malicious third parties with the sensitive banking info of an undisclosed number of customers. Fraudsters used this information to cause damages that amounted to a whopping $10 million.
• AT&T employee Chouman Emily Syrilien provided a co-conspirator with files containing the personally identifiable information of multiple clients of the telecom services provider. Syrilien was part of a larger data theft scheme involving multiple members of staff.
• An employee working for esteemed cybersecurity software provider Trend Micro accessed a database containing confidential customer information and sold it to a cybercriminal group in 2019.

#4 A malicious insider sabotaged company data and operations
• A former network engineer working at the Charleston-based oil and gas company EnerVest Operating remotely accessed systems in 2014. This had malicious intent behind it, as the engineer reset the network to factory setting, causing damages.
• Back when VP Kamala Harris was a district attorney in San Francisco in 2018, a network engineer for the San Francisco Department of Telecommunications and Information Services (DTIS) named Terry Childs refused to give up the login credentials to the entire network he had built.
• Upon receiving his termination notice in 2015, Canadian Pacific Railway employee Christopher Victor Grupe abused his still-valid login credentials into the company network and deleted some essential administrative accounts, and changed the passwords to others.

#5 A malicious insider shared confidential information with the media
• In 2014, former Microsoft employee Alex Kibkalo, who worked for the company out of Lebanon and Russia, was caught disclosing trade secrets to a French blogger. The leaked information contained, among other things, screenshots of a then-unreleased version of the corporation’s renowned Windows operating system.
• A total of 29 Apple employees disclosed confidential data about product launches in 2018. Out of them, only 12 were arrested.
• While many Tesla employees practiced ethical whistleblowing against the company in the past, one staff member shared confidential business information, such as production numbers, with journalists on Twitter.

A Checklist for Malicious Insider Prevention

If you take just one thing away from the examples I listed above, let it be this – malicious insider threat can target the best in any industry. The checklist below will help you prevent it from happening to you too. So, without further ado, let’s get into some actionable advice.

❒ Know the signs of malicious insider activity
The main purpose of malicious insiders is to steal sensitive information, which they will then misuse in one of the five ways mentioned above. When this type of threat rummages around your company network, they’re going to leave a paper trail regardless of how hard they try to hide their activity. There are three telltale signs of this:
1. Logging in at odd hours
2. Unexpected traffic spikes
3. Data transfers that are out of the ordinary
Looking out for these markers of unusual activity in your system means that you will be able to respond quickly if a malicious insider threat targets your enterprise. Thus, you can take appropriate action right away and remove the privileges of the user account that is being misused.

❒ Prevent privilege creep
The term privilege creep is a cybersecurity concept that is used to describe the accumulation of redundant access privileges, permissions, and rights on a user account that does not need them.

This tends to happen when an employee is promoted to a different position or moved to a different department.

When this happens, the staff member in question is granted new access rights that are appropriate for their tasks, while at the same time retaining the privileges from their previous position.

If overlooked, privilege creep can lead to an accidental superuser account that can be used to fulfill malicious motives.

The best way to prevent this from happening within your company network is by constantly auditing user accounts and monitoring changes. Keeping track of admin rights with a privileged access management tool is another useful route and one that can help you practice privilege bracketing within your system as well.

❒ Practice privilege bracketing
While we’re on the topic of privilege bracketing, let’s take a moment to discuss this beneficial cybersecurity practice. As I mentioned before, the main reason why malicious insiders become threatening to the safety of your enterprise data is through accounts that rack up a lot of privileges over time.

Privilege bracketing is the surest and most effective way to stop this. Based on the principle of least privilege, it involves giving user accounts the minimum access rights that are necessary for the completion of daily tasks. In this way, you can ensure that your enterprise’s private data remains private, together with any personally identifiable information stored in your corporate system.

❒ Implement the zero trust model
Coined by Forrester analyst John Kindervag, the zero trust model implies that no user account operating within a corporate network is to be trusted by default. Instead, everyone’s activity should be continuously authenticated, monitored, and validated. And yes, that includes C-level execs and employees of the company on top of third-party contractors and collaborators. The reason for this is that the practice is based around the never trust, always verify mentality.

Of course, this comes with its set challenges. Implementing the zero trust model is thus an intricate process that includes multifactor authentication, data encryption, privileged access management, cybersecurity auditing, and more.

Nevertheless, it is essential for the prevention of malicious insider threat and the #1 priority in risk mitigation for the past three consecutive years, on the authority of global research and advisory firm Gartner.

❒ Work on your company culture
You know how the old saying goes – the fish rots from the head down. This is true of corporate culture as well, meaning that your leadership within the company or a specific team can be the root cause of issues such as insider threat.

As some of the examples I’ve given above show, malicious insiders are often disgruntled employees looking to cause harm to an enterprise they think has wronged them.

The solution to this issue is pretty straightforward, and it consists of improving the company culture as a whole. If your employees are satisfied with their place of work, they are far less likely to act malevolently towards it or be manipulated by someone who wants them to.

What is more, a staff member that loves their job is far more likely to practice ethical whistleblowing and denounce coworkers that might not have your business’s best interest in mind. It’s a win-win whichever way you look at it, and all you have to do is listen. Be receptive to their feedback and take constructive criticism into your account. That is the mark of a strong leader.

Final Thoughts on Malicious Insider Threat

The human factor is an unpredictable liability in any company. You never know when an employee can go rogue or mess up without meaning to. And on top of that, malware operators and other ill-intentioned third parties are always looking for pawns to help them fulfill their nefarious purposes. For this reason, insider threat is a reality of our time, and it can damage your assets and taint your company’s reputation even when it’s unintentional.

When insider threat becomes malicious, it’s a whole other story. It is your responsibility as a leader to make sure that that doesn’t happen to your company by not only putting the right policies into place but by improving your relationship with your team as well.

Change starts from the inside out, and by that, I mean from your company culture. The technical aspect of it all is not to be overlooked, of course. Privileged access management tools, as well as data encryption, multi-factor authentication, password hygiene procedures, and so on, are essential to the digital well-being of your enterprise. The process is a challenging one, but the results are worth it. Are you ready to take your enterprise cybersecurity to the next level?

Sources
CNBC
Computerworld
DataBreachToday Asia
Federation of American Scientists
FindLaw for Legal Professionals
The Federal Bureau of Investigation
Fortune
Medium
The New York Times
The Ponemon Institute
Reuters
Slate Magazine
U.S. Department of Justice

You can contact Alina-Georgiana Petcu on Linkedin with your questions:
https://www.linkedin.com/in/alina-georgiana-petcu-166905197/

Moving from Cyber Risk Insurance to a Cyber Risk Management Strategy


2021 has progressed with even more challenges and promises to deliver even more changes to the pace of a fast technological environment, risk professionals need to look back and consider the lessons learned from 2020.

Have we returned to where we were, or have we moved on to a new norm?

What does the COVID-19 pandemic market data tell us that will help us to prepare for future global crises?

2020 was a rollercoaster for the financial markets. At the beginning of the year, the economy was enjoying the longest continuous growth stretch on record.

The stock market was constantly hitting new highs. The Federal Reserve was starting to bring Treasury yields back up for the first time since the Great Recession. And, then came March.…

Given that framework, the first question we want to answer is: “As risk professionals, how prepared were we for these types of market swings?”

In the insurance industry, companies rely on economic scenario generators (ESGs) to produce a wide range of plausible, cohesive futures for the variables that drive their results — for example, corporate bond and equity returns, as well as Treasury yields.

These models are not predicting specific events, like a pandemic or a war; instead, they simply attempt to estimate the likelihood of a 20% drop in the equity market over the next year.

So, to answer the question posed above, we need to test how well the ESGs that we use we’re able to predict the financial market movements we have seen in 2020.

If our models covered these types of results, then we can take comfort that we were well prepared; if not, then we have to think about how to adjust our framework to be better prepared for the next calamity.

So, where does this leave an Insurance Chief Risk Officer?

First, we should take a critical look at how well our key economic models performed at anticipating these types of extreme market movements. If our models weren’t up to the task, then we need to rethink how those models are calibrated, as this is likely to lead us to either take on too much risk or the wrong types of risks.

We also want to make sure we perform this review on both the good times and the bad times since we are using these models for much more than just risk measurement.

This now brings us to one of the widest subjects in technology today; Cyber Risk insurance, which has become very popular over the last five years with larger corporations as a means to potentially cover the unexpected cost relating to data breaches and ransomware attacks.

This is not surprising taking into consideration that Global ransomware damage costs are predicted to reach $20 Billion (USD) by 2021 according to the latest report by Cyber Security Ventures.

According to the report, this is a 57X increase in the last five years. Ransomware is expected to attack a company every 11 seconds according to the report.

Ransomware poses the biggest threat as a business is adversely impacted to a point where business is shut down. In 2019 alone, the average business downtime was over nine days. According to Bitdefender, downtime costs due to ransomware on average were 50 times more than the ransom requested from Cyber Criminals.

According to the latest IBM Security Ponemon report on the cost of data breaches, the average for data breaches in the US was $3.8 million (USD) for less than 100,000 records. The average time to identify and contain a breach is 280 days. In breaches of 1 million to 10 million data records breached, the average cost was $50 million (USD), more than 25 times the average of the cost of breaches for less than 100,000 data records.

Looking at the following top Cyber threats to companies for 2021, according to Security Boulevard, the cyber attack surface is increasing as companies accelerate digital transformation and remote work, leaving the company at higher risk for Cyberattacks.

• Cloud-based threats. As more companies move to cloud services and adopt more cloud-based tools from 3rd party vendors, this also increases the security footprint the company needs to look at protecting. It is no longer just the internal systems of the company that poses a risk.

• Insider threats. This involves internal actors (employees, contractors, vendors) with valid credentials to key business systems colluding with cybercriminals to provide them access to data that can lead to data breaches and ransom attacks.

• Remote worker end-point security using unsecured network services leading backdoors open for cybercriminals to gain access to company data and infrastructure.

• Phishing attacks employing social engineering to gain access to access credentials.

• Deep Fakes. A growing threat where artificial intelligence is used to manipulate videos that falsely represent a person to commit more advanced phishing attacks. This could generate synthetic identities to gain access to systems.

• IoT devices. Unless properly secured within the overall part of the business, the introduction of IoT devices increases the complexity and attack surface for cybercriminals to exploit. The recent Verkada cyberattack exposing video footage of over 150,000 cameras of various companies such as Amazon, Tesla demonstrated this risk.

• Malvertising where malicious advertisements including technical support scams are used to spread malware.

• Sophisticated and targeted ransomware attacks. This includes a key risk around personal staff safety.

• Social Media attacks where cyber criminals use social media platforms posing as the legitimate company in order to spread malware.

Taking into consideration that the average cost of Cyber Insurance in 2020 in the US, according to AdvisorSmith was $1,485 per year covering the liability of up to $1 million.

There are a number of factors such as company revenues, and the number of sensitive data records, to name a few, that impacts Cyber Insurance premiums.

Looking at the averages for Cyber insurance and the explosive growth in the cost of data breaches, most companies are grossly under-insured to cover the costs of potential data breaches or ransomware attacks.

Cyber-insurance may be a good option for covering some of the liability and cost in the event of a breach, however, it falls way short in minimizing the actual liability in the cost of a data breach or ransom attack to the company.

How should companies and the Board balance the cost to cover the liabilities due to cyber risk in the company?

Spend more money on insurance with higher premiums vs. more investment to implement risk management across the organization and supply chain through policies, incidence response preparedness, cyber training, and Cyber Security systems?

The latter part of the equation can be quite daunting, and the “easy” way out seems to be to rather take out the insurance, and deal with it when a breach happens.

What shall companies look at in order to solve an increasingly complex cyber governance problem when looking at the cost, and where to most effectively spend the money to mitigate the risk?

The typical cost for a cyber attack when that happens can be broken down into the following elements:

• Forensic analysis for identifying the attack source
• Unplanned IT spend to recover data, remove malware, recover from downtime, implementation of new systems to prevent similar attacks, 3rd party vendor or supply chain systems updates, other
• Public relations services
• Notification of clients, shareholders, and regulators
• Credit monitoring services (if financial data was stolen of customers)
• Loss of income
• Regulatory penalties depending on the breach

The best strategy is to as much as possible, avoid the additional cost through better governance and incidence reporting and planning and implementation of automation of security as reasonably possible.

Worldwide spending on information security and risk management technology and services continued to grow through 2020, although at a slower rate than previously forecast, according to Gartner, Inc.

Information security spending grew 2.4% to reach $123.8 billion in 2020. This is down from the 8.7% growth Gartner projected in its December 2019 forecast update. The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies, and cost-saving measures.

“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, managing vice president at Gartner. “Overall we expect a pause and a reduction of growth in both security software and services during 2020.”

Gartner’s survey showed the top 10 categories of expenditures as follows:

1. Application Security
2. Cloud Security
3. Data Security
4. Identity Access Management
5. Infrastructure Protection
6. Integrated Risk Management
7. Network Security Equipment
8. Other Information Security Software
9. Security Services
10. Consumer Security Software

How big is your cybersecurity budget? Probably not big enough. Organisations need to invest more in their security.

Over the years, spending on cybersecurity has changed substantially. In 2019, worldwide spending for security products and services is estimated to be more than $124 billion, an increase in growth of 8.7% from last year.

Companies around the world are no longer considering cybersecurity a minor part of their spending budget, but rather a priority. One of the main reasons for this is the large security breaches that have occurred in the past few years, putting business and personal data at a higher risk than ever before.

According to IBM’s report, companies with fully deployed security automation saw a cost-saving of $3.58 million (USD) on the cost of a data breach vs. companies with no security automation.

Companies with incident response preparedness so an impact of $2 million (USD) savings on average on the total cost of a data breach.

Boards and companies should have clear plans and strategies around the following four cost centers. Where cost centers are missing, these need to be taken into consideration. Start with assessments of the status of the activities within these four key pillars for cyber governance and make these a strategic part of all budget spend and activities across the whole company, as well as 3rd party supply chain of the company.

Detection and escalation. Activities that enable a company to reasonably detect the breach.
• Forensic and investigative activities
• Assessment and audit services, including Incident Response
• Crisis management
• Communications to executives and boards

Lost business. Activities that attempt to minimize the loss of customers, business disruption, and revenue losses.
• Business disruption and revenue losses from system downtime
• Cost of lost customers and acquiring new customers
• Reputation losses and diminished goodwill

Notification. Activities that enable the company to notify data subjects, data protection regulators, and other third parties.
• Emails, letters, outbound calls, or general notice to data subjects
• Determination of regulatory requirements
• Communication with regulators
• Engagement of outside experts

Ex-post response. Activities to help victims of a breach communicate with the company and redress activities to victims and regulators.
• Help desk and inbound communications
• Credit monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product discounts
• Regulatory fines

(Cost center model per IBM in the Cost of Data Breach Report)

Digital technologies are ushering in a new era and driving transformative changes in every industry, as organizations adopt these technologies to redefine how they create, deliver, and capture value.

Identifying, understanding, and addressing new risks associated with digital transformation will help businesses derive more value from their efforts in the future. What’s more, understanding how digital transformation can be applied to risk management will enable organizations to take a more balanced view of digital technologies as both a source of risk and a way to manage risk.

As your organization embarks on its digital journey, we invite you to learn more about the evolving risk landscape and new opportunities to better manage risk.

Misalignment between an organization’s goals for digital transformation and employee values and behavior creates new culture risks.


The final topic we would like to address is digital ethics, being more in tune with digital ethics and having plans and processes in place will also help organisations respond more effectively when an incident does occur.

Firms not only need processes in place to ensure that they are ready to respond quickly to address problems but also to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers.

As part of their digital transformation efforts, organizations need to act responsibly and promote ethical use of technology.

They also need to have pre-established influencer relationships that they can leverage to counter any hysteria or misinformation which might arise that could interfere with their business or impact their brand.

Organisations that have a culture that takes digital ethics seriously, will behave in ways that will minimise the risk of incidents and will act in ways that help build stakeholders’ trust. Those that don’t take digital ethics as seriously will not only be at higher risk of impact but will struggle to establish such trust.

Making data ethics a key corporate value can have a significant potential upside. Implementing data privacy policies and updating crisis management plans to address data breach scenarios will minimise any downside.

At the very least, engaging with Influencers or Cyber professionals/experts early can help you be better prepared to respond to calamities, our definition of influencers is quantified as Cybersecurity specialists who play a key role in securing information systems.

By monitoring, detecting, investigating, analyzing, and responding to security events, cybersecurity specialists protect systems from cybersecurity risks, threats, and vulnerabilities.

While taking their advice or using them to independently assess or benchmark your data privacy policies and crisis management plans can be used to demonstrate best practice in these areas, which in turn can mitigate potential fines or legal exposure in the event of a calamity.

Your customers want you to take a stand on data security and privacy, and be transparent about it – seeing it as more important than either your diversity or sustainability efforts.

Each and every company, regardless of its industry, has weaknesses that hackers exploit for their own gain. Just because a business is small or not in a vertical often associated with valuable data (such as healthcare or financial services) doesn’t mean it won’t make an enticing target for an opportunistic cybercriminal.

In fact, there are a number of reasons why start-ups and small businesses are sometimes more likely than even big businesses to be targeted.

  • Customer Information: Even the smallest start-ups often store or handle customer data such as financial information, Social Security numbers, and transaction history.
  • Proprietary Data: Start-ups often carry innovative and creative ideas for products and services, as well as internal research data that could be valuable to outside parties.
  • Third-Party Vulnerabilities: Hackers also target small businesses and start-ups because they sometimes do business with larger companies as third-party vendors and can provide entry points into those more valuable networks. Target’s infamous 2013 credit card breach, for instance, happened because of vulnerabilities in a third-party vendor’s system.
  • Multiple Interfaces: Another reason for increased attacks is the growing use of Internet of Things (IoT) devices that increase the attack surface of networks. Small businesses are turning to IoT devices more often due to their lower costs and growing capabilities. Unfortunately, hackers often exploit poorly secured devices as a backdoor to access broader, more sensitive networks.
  • Lack of Finances: Since small businesses and start-ups are working on a tight budget, they don’t always place cybersecurity is not at the top of their priorities list and often neglect the latest patches and updates.

The power of digital technologies to enable new sources of revenue can be significant. Due to the proliferation of digital technologies and the particular ethical challenges they present, organizations are increasingly expected to consider ethical obligations, social responsibilities, and organizational values as guides to which digital opportunities to pursue and how to pursue them.

As discussed in the “Managing data risks for value creation” trend, responsible and unbiased collection, handling, use, and privacy are top areas for concern when it comes to data. Also, there are increasing calls for digital services that are fair and equitably accessible, promote physically and mentally healthful uses, encourage inclusion, and are geared toward socially beneficial uses.

Digital adopters want technologies that aren’t harmful or abusive and are safe and error-free. There’s an opportunity to do well by doing good—pursuing digitally responsible growth strategies that build stakeholder trust.

Finally, organizations are conscious that digital transformation involves more than technology adoption. It requires concerted efforts to define how enterprises organize, operate, and behave by aligning strategy, structures, processes, people, and technology to build a unique digital DNA.

Organizations can sidestep unnecessary risks and harness risk to power performance by adopting a risk lens and a holistic approach as part of their efforts. Below are a few guiding principles.

Conclusion; Boards can harness risk to power performance in a digital world, but only with a responsible Digital DNA and hopefully with the Digital Services Act (DSA) that will bring digital reform.

As Tom Golway, Chief Technologist in the Advanced R&D organization of Hewlett Packard Enterprise once said:

“The deeper, philosophical question is does the 1st Amendment apply to AI algorithms. Resolving this is an immediate challenge that needs open dialogue that includes a broad set of disciplines, not just technologists”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.

LinkedIn: Profile

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

LinkedIn: Profile

Are corporate boards complacent with cyber risk?

Boards of directors have been working hard to fulfill their risk oversight responsibilities in a challenging environment. Regulations are changing rapidly in most industries, and vary significantly across countries.

Investors, analysts, and the public are demanding greater transparency into risk and risk management, as are creditors, counterparties, and other stakeholders. Many boards legitimately wonder not only what regulators want, but also which approaches to risk oversight actually work.

Deloitte set out to study a specific and very effective risk governance mechanism: board-level risk committees. This report revealed the prevalence of board-level risk committees (whether standalone committees focused solely on risk, or hybrid committees such as audit/risk) based on an analysis of 400 large public companies in eight countries.

In summary, these were some of the findings:
§ Board-level risk committees are well-established and widespread — present in 38% of the 400 companies analyzed. About a quarter (22%) have standalone board-level risk committees, while 16% oversee risk through hybrid board-level committees.
§ As might be expected, board-level risk committees are most prevalent in FSI companies (88%), but are also present in other industries (26%), often to a significant extent, depending on the country.
§ Local regulations affect risk oversight structures. Australia, Brazil, Mexico, Singapore, the UK, and the US have regulations that require risk committees at the board level for FSI companies (sometimes dependent on the type and size of the company).
§ Overall, 62% of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.

Every week, a new data and security breach seems to be reported that appears to exceed previous breaches and hack in scale. This year we are also seeing different uses for Distributed Denial-of-Service beyond simple volumetric attacks, including what we call quantum attacks.

Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation.

These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.

This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

If it were to be measured as a country, the facts are; cybercrime which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China.

Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.

The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data, and systems, and reputational harm.

Some with more complexity in the hack such as the Solar Winds supply chain breach, and others with less complexity, such as the recent global breach of Verkada of over 150,000 security camera data by hacktivists. Once again, the data breach was global in nature and exposed again the security policy and process vulnerabilities these hackers are using to gain access to corporate data via root access.

Industry research has shown that hackers are active in corporate systems for an average of 8 months before they may do something or make themselves known. Over 76% of cyber risk is due to insider risk, involving collusion between hackers and corporate insiders. It is no longer just a “technical” hack.

What is root access? A root administrator or gatekeeper is a superuser account on a computer or network and that has complete control over all aspects of the system or network. The root administrator can access all data, software, configure, delete and change software code in the systems or network.

One of the top risks identified in cybersecurity audits today is a regulatory governance risk. This requires a legal requirement to be audited with respect to IT security, making audit and compliance metrics highly relevant and important.

Some examples include:

Audit and compliance metrics
➢ “Are we ISO-27001-compliant?”
➢ “Do we have a vendor risk management program?”
➢ “Do we have any outstanding high-risk findings open from our last audit or assessment?”
➢ “What percentage of the NIST framework are we implementing?”
➢ The NIST framework has roughly 80 questions associated with it. If a board member asks if you’re doing the NIST framework, you might say, “Today we’re doing 60% of it.”

Operational effectiveness metrics
➢ How many intrusions were detected this year?”
➢ “How quickly are we detecting, investigating and remediating threats?”
➢ “How much have we spent this year?”
➢ “How many vulnerabilities were in our network and how quickly were they fixed?”
➢ “How many compromised systems did we have compared to last year?”
➢ “Has our risk profile changed?”
➢ “How did we compare to our peers across X time span?”

Knowing the best practices on how to present cybersecurity to the board is one thing but without substantive data, you won’t have a very compelling (or helpful) presentation.

The first thing you need to keep in mind regarding metrics is context. Board members likely don’t know what it means if you say that “500,000 intrusions hit the detection system.” You need to focus on being concise with your explanation and show them how the metric impacts the health of the company.

You’ll want to focus on showing metrics over time that the management, or lack of management, processes and policies of root admin passwords. In most cases, these processes are manual at best and there seems to be little appetite to implement additional security technologies that can dramatically reduce this risk.

IT organizations have become more fragmented in nature, especially where there are differing roles for Chief Digital-, Chief Information- and Chief Information Security Officers in organizations, each having responsibility for specific aspects of the overall technology stack of the corporation.

Unless there is a close collaboration between these roles, there will remain gaps in governance of access to data, systems and networks in corporations.

Take into consideration that a corporation is part of a business ecosystem of employees, contractors, 3rd party vendors and their contractors, resellers, partners and customers. All these parties require access to corporate data, systems and networks. The management of access and data security is no longer just contained to the closed “bubble” of a corporation and its employees alone.

The cyber strategy needs to incorporate this more complex supply chain risk and how to manage this across the business ecosystem. This is especially true for management of user access into these systems.

Very few companies have checks on when employees from vendors, 3rd party contractors and partners leave, and need to be off-boarded off the corporate systems. The more manual these processes, the higher the risk that their will be dormant user credentials that hackers can exploit.

Where there is little appetite to spend more money in key IT security systems, the typical practice is to have the risk logged in the corporate’s risk register and key executives, and in some cases the board, to accept and sign off on the risk.

Another approach is to do more “training” in awareness of cyber risk and write more policies, which again is only an internal approach to the corporation and employees alone. Training tends to happen when new employees are onboarded, and perhaps retrained after yearly pen-testing.

Employees tend to step through training, which includes reviewing the policies, and then forget about it as soon as they have received the credits for the training. The more extensive the policies are, the less effective they are in having people follow and implement them.

There still seems to be a lot of complacency at board level in managing the cyber risk, or in some cases, this is non-existent at board level. The main driver is the perspective of an “insurance” approach of cyber risk management.

As long as there is an “insurance” cyber risk mindset believing that a breach has not happened and we will “insure” the risk in case it happens, the corporate will remain at high risk when a breach happens. CISO and/or CIO’s are still missing at the board table, although this is changing. This leaves a gap in poor understanding of cyber governance for the company at board level.

Don’t just leave the Cyber risk management up to the audit committee.

When cyber events happen, how do boards manage the challenges, cost and potential reputational risk?

Key steps boards can take to improve cyber governance, strategy and response to a major cyber event:
● Appoint third-party Cyber advisers as non-executive directors of the board.
● Appoint the CIO and/or CISO as members of the board
● Cybersecurity technology and services investment plan and strategy – ensure there is sufficient budget
● Establish a cyber business response plan
● Have a clear plan in place protecting the well-being and safety of employees
● Employee cyber safety reporting – especially where employees may be threatened and at risk
● Cyber incident and risk reporting as part of the monthly board agenda

Cyber risk can no longer be viewed as an “insurance” type of risk. The stakes are too high. The risk is no longer just relevant to your corporate, it involves managing the cyber risk as it relates to your full supply chain and business ecosystem.

The bottom line is that every board should periodically assess the risk oversight and governance needs of the organization and take whatever steps it deems necessary to address those needs. A board-level risk committee, whether standalone or hybrid, is one effective means of attaining the necessary visibility into risks and risk management and of exercising risk oversight. It is also one that most boards should at least consider

Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy
to simply throw money at the problem and leave it to IT professionals to handle.

The Cyberspace Solarium Commission has an urgent message for the boardroom and C-suite executives: The status quo in cyberspace is unacceptable, which is spelled out in its groundbreaking 2020 Report which proposes a strategy of layered cyber deterrence to protect all U.S. businesses and governments from cybercrime and cyberwarfare.

Finally, We can all agree over the course of 2020, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cybersecurity landscape. Traditional threats such as generic Trojans, ransomware and spambots were transformed.

Every company should have a CISO or cybersecurity expert on their board because cybercrime is the greatest risk to business continuity that every company faces.

Cyber should be at the center of business strategy – not technical strategy only.

The idea that we are describing, is to put a senior cyber executive in the boardroom who will wave the red flag and challenge the severity of the risk and have the main and operational board pay attention to the severity of risks. No longer can you rely upon or expect the CEO to be carrying the competency of cyber risk to the business, but to have the inclusion of Cyber experts and make better decisions on business risk, absolutely.

The question is not whether you will be attacked. The case may be that you have already been attacked or witnessed a vulnerability breach without your prior knowledge. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Brien Comey Jr, an American lawyer who was the 7th director of the Federal Bureau of Investigation (FBI) famously once said: “We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.“

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.

LinkedIn: Profile

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

LinkedIn: Profile

Sources:
Deloitte
Cyber Security Ventures
CSC Research

Guest-blog: Simon Rycroft discusses the importance of basic cyber security hygiene and the 5 inalienable truths

Simon Rycroft

In today’s ever-changing threat landscape, it is more important than ever to use a cyber hygiene routine to help prevent hackers, intelligent malware, and advanced viruses from accessing and corrupting your company’s data.

Cyberattacks are growing in both frequency and impact. The repercussions of security mistakes often end up being headline news and can cause significant harm to the victim organisation.

However, there is a perception that only big, global, corporations are at risk and, as a result, thousands of attacks against the Small-Medium business sector go largely unreported. Most successful attacks leverage well-known security problems.

Reporting from the UK Government’s CESG (the part of GCHQ tasked with protecting the nation) indicates that around 80% of cyber attacks4 are the result of poor cyber habits within the victim organisations. To address this, a cyber hygiene strategy should be implemented which emphasises the importance of carrying out regular, low impact security measures.

James Comey – Former Director of the Federal Bureau of Investigation once said ‘We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.’

This will minimise the risks of becoming a victim of a cyberattack or spreading the impact of a cyberattack to other organisations. In this context, cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organisation will be simple daily routines, good behaviours and occasional check-ups to make sure the organisations online health is in optimum condition.

Today I have the distinct pleasure of introducing another Guest Blogger, Simon Rycroft, who is the CEO and CoFounder of CRMG (Cyber Risk Management Group), an expert company in the field of providing cybersecurity and information risk consultancy services.

Simon is passionate about cybersecurity, his career spans over 23 years. Most recently Simon held leadership roles at the Information Security Forum (ISF) as Head of Consulting and Global Account Director. In particular, Simon played a leading role in growing the ISF’s Consultancy business, steering it from its inception to become a multiple award-winning cybersecurity practice. Simon’s expertise spans both subject matter and operational management. Core areas of specialism include cyber risk management and assessment, information security governance and benchmarking.

Simon is going to talk to us across the importance of basic cybersecurity hygiene and the 5 inalienable truths

At CRMG we don’t have an aversion to the array of highly impressive products and services that compete for the modern CISO’s budget. As an example, the role that artificial intelligence (AI) can play in speeding up an organisation’s targeted response to a new breach is exciting. Where once a team of analysts might scramble to understand the implications of a piece of malware found on the corporate network – and err on the cautious side when deciding whether to advise pulling the plug on critical business systems – increasingly sophisticated tools can now instantly determine (and execute) exactly what containment measures are needed without bringing the organisation’s operations to a screeching halt.

However, irrespective of the pace of technological advances that increase our firepower in combatting the cyber threat, there remain a number of inalienable truths that mean we can’t ignore the importance of ‘basic cybersecurity hygiene’. Here are ‘5 truths’ that explain the point.

Truth #1: Don’t forget it’s still all about the information

There’s a reason why those of us who’ve been kicking about for a while in the cybersecurity industry used to call it ‘information security’. ‘Cybersecurity’ is no more than ‘information security’ on the steroid we know as the Internet.

Just because the Internet introduced new threats, attack surfaces, and accelerated the ability of nefarious entities (individual, corporate or nation-state) to cause untold mayhem, the underlying principle hasn’t changed. IT’S STILL ALL ABOUT THE INFORMATION.

Since the dawn of mankind, information has accrued value for its owner. Information is a competitive advantage. Information is intelligence about our customers that enables us to sell services to them without incurring undue risk. Information is the blueprint for the self-driving car that can tell the difference between an elderly lady about to cross the road and a traffic bollard.

Information is the finer detail of the due diligence activity on which our next investment round is predicated. Information is a commodity no less valuable than hard currency, and in many cases, it’s way more valuable.

Truth #2: Not all information is created equal

Assuming you accept Truth #1, it follows that it’s only worth getting out of bed to protect the information that you’re really bothered about. If you have no means by which you can value the information on which your organisation thrives (assuming you don’t have an infinite information protection budget), you might as well pack up and go home.

The information you’re really bothered about is entirely a subjective matter of course. That’s why purchasing off the shelf cyber products and services – without understanding whether you’re genuinely focusing on what matters – runs the risk of being the equivalent of buying up the entire stock of Fortnum’s ground floor on 22 December just because the in-laws are popping round for a mince pie and a sherry on Christmas Eve.

Truth #3: Sometimes what YOU think doesn’t matter

Sometimes, the decisions you make as to whether it’s worth protecting (or not) the information your business holds might just not be up to you. Something as simple as building a database of phone numbers and e-mail addresses of those you think might be interested in your services will, of course, incur the wrath of regulatory bodies if said database doesn’t meet the requirements of data protection regulations.

Depending on your native industry and target market, you may be subject to regulatory requirements that are completely beyond your control, irrespective of the information you hold or the value you attach to it. And more often than not, these regulations will require baseline information security measures to be in place. No ifs, no buts. That’s the nature of compliance.

Truth #4: Information has a nasty habit of seeping all over the place

Think of information as water that trickles throughout the arterial canals and rivulets of your organisation. Well channelled and protected, it enables the business to thrive. Leave a sluice gate open inadvertently and – to mix metaphors – you’re toast.

Pinning down exactly where information resides, and protecting it only in the locations in which you THINK it SHOULD reside, is a very tricky business. Even more so when you take today’s complex ecosystems of supplier relationships into account – introducing the possibility that your network of arterial canals and rivulets extends into places way beyond your control.

If you fail to apply a baseline level of protection throughout the entirety of your organisation (and its sphere of influence), you’ll run a significant risk that information seeps out via channels you just didn’t envisage and didn’t protect.

Moving on to another analogy, ghosts really DO exist in the information world. Even if you think you’ve disposed of information at the end of its useful life, the chances are that traces of it will still exist in multiple locations throughout the organisation. How can you be completely sure that staff haven’t created copies of information that you just don’t know about, and that these copies still don’t exist? Without the consistent implementation of baseline information security practices throughout the entirety of your organisation, you’ll likely be exposed.

Truth #5: The Robots ain’t taking over any time soon

The cyber workforce is still some way off. While AI is showing massive potential in all sorts of contexts, the human being as the ultimate decision-maker in our businesses isn’t going anywhere fast. For the most part, this is reassuring, not least because most of us aren’t likely to be put out to pasture just yet by a new workforce of indefatigable, infallible robo-colleagues.

The implication? Fallibility. Glorious, old-fashioned, human nature. Business decision-making tempered by human conscience. All good, until someone makes a glorious old-fashioned mistake, at which point you might wish that a robot had been in charge.

Did that procurement manager really mean to share a dump of the entire customer database with that unvetted supplier? Ouch. The point here is that, along with information, PEOPLE still represent most organisations’ greatest asset. The problem is that, on the flip side, people also represent most organisations’ greatest weakness.

Given that we’re not yet able to implant chips behind the ears of employees to regulate reckless decision-making, we come back to the importance of basic security awareness.

The articulation of meaningful, responsibility-riddled messages that resonate with staff, resulting in people refraining from doing bad things. It’s not rocket science, but it’s not easy either.

As your business matures you will inevitably turn to technologies to assist you in keeping your information safe and away from prying eyes. Data Loss Prevention (DLP) technology is a great example. Well implemented, DLP can prove a great asset in preventing important information from filtering outside the organisation without you knowing about it.

BUT – unless such solutions are supported by a consistent foundation of straightforward, well-understood, information security good practices – you’re taking a huge risk. This is why no CISO can afford to ignore basic cybersecurity hygiene. And if this argument doesn’t persuade you, your regulators most probably will.

So, what specifically are we referring to when we talk about basic cybersecurity hygiene? Here are just some baseline good practices. Just to add context, they are related back to the 5 truths:

Truth #1 (Don’t forget it’s still all about the information)

If you haven’t done so recently, embark on an information discovery exercise. At its simplest, this might start with a simple map of your key business processes and information systems that support them. Don’t forget to explore instances where information is shared between systems/functions and – just as importantly – to identify where information is shared outside the organisation.

This activity doesn’t have to be sophisticated (at least at first). You just need to come away from it with a high level of confidence that you understand what information lives in your organisation, where it lives, and who interacts with it.

As a tip, it can be really useful to run this exercise as a workshop that includes both technical and business people (or a series of workshops if your organisation is large or dispersed).

You’ll be surprised at what can get unearthed… did you have any inkling that Mervyn in Accounts routinely does a monthly .csv export of all employee data and shares it with your outsourced benefits management provider via a cloud drive that goes nowhere near your protected corporate network?

Truth #2 (not all information is created equal)

Once you have your basic map of what information lives where in your organisation, it’s a good idea to have a crack at valuing it in some way. This might be as simple as identifying what information your business can’t function without.

By implication, everything else will be slightly less important. Once you understand the relative value of different information types or systems, you’ll then know where information protection efforts should be focused – because the realities of business economics tell us that in most cases it just isn’t possible to apply the same level of protection to absolutely everything throughout the organisation.

By the way, possibly without knowing it, by this stage, you’ll have worked through the first steps of a basic information risk assessment (but we’ll save that for another day).

Truth #3 (sometimes what YOU think doesn’t matter)

This is all about regulatory compliance. All sorts of businesses face all sorts of compliance requirements. The point here is that you must take the time to understand exactly which laws and regulations you’re required to comply with by virtue of your business activities and the information you hold.

While highly regulated sectors (such as Finance, Insurance and Healthcare) have been used to managing compliance requirements for many years, there’s a whole new generation of businesses that have only really been forced to start taking notice of compliance because of GDPR. Once you know what regulations you’re required to comply with, you’ll then need to understand EXACTLY what measures you’re required to have in place to comply with them.

If you don’t spend money on consultancy anywhere else, this is one area where it’s probably a good idea to call in an expert to help you.

Truth #4 (information has a nasty habit of seeping all over the place)

Notwithstanding any beefed-up protection you apply to your most important information, you still need to implement a baseline set of security measures throughout the entirety of the organisation. This includes things such as:

• Developing a straightforward information security policy that is accessible by every employee and which clearly states exactly what is required by staff to protect the information handled throughout the business
• Making sure that all employees are aware of their information security responsibilities (more on that below)
• Liaising with key suppliers/partners to ensure they are operating to a minimum, defined, information security standard
• Keeping all systems patched and up-to-date, and checking this routinely
• Ensuring all systems and end devices are installed with up-to-date anti-malware software
• Only providing staff with access to systems if they really need it (when you do provide access, make sure that access rights aren’t excessive – and don’t forget to revoke them once they’ve moved to a different function or left!)
• Encrypting particularly sensitive information (remember that even if personal data isn’t critical to your business’ success, you’re still required by law to apply strict controls when storing or handling it)
• Maintaining backups – and testing them periodically
• Implementing business continuity and disaster recovery procedures (even if they’re basic) that support ‘business as usual’ as far as possible in the event of an incident
• Working with a credible third party to undertake a periodic penetration test of your systems – and making sure any recommendations are applied
• Having specialist support available on speed dial if something does happen that you can’t manage yourself!

Truth #5 (the Robots ain’t taking over any time soon)

Good information security awareness is critical to any business these days, and you just can’t afford to skimp on it. So, think about the basic information security good practices you want ALL staff to be aware of, and come up with an engaging way of ramming the message home. Be creative. Incentivise. Draw a picture. Make a video. There’s a reason why those opting to attend a driver awareness course instead of getting slapped with extra points on their license get shown the horrific aftermath of traffic accidents.

Whatever approach you choose (and remember it doesn’t need to cost a fortune and it doesn’t have to be cast in stone… you can try different methods over time), just make sure you do it. And do it again.

Also, have a think about whether there are specific roles in the business that require an additional level of training – particularly those handling sensitive information.

Lastly, remember that people – just like information – have a habit of moving about. Don’t forget that when new people join, staff move to new roles in the business, or when they leave, you’ll need to have a clear process to make sure they’re getting the right security awareness training at the right time.

None of what is outlined above should be considered to be advanced if your organisation conducts its business using the Internet (and whose business doesn’t?). There’s plenty more you’ll need to do as your business matures. We haven’t even mentioned cybersecurity strategy, threat profiling, and so on….

If you choose to skip any of the basic hygiene measures outlined relative to Truths #3, #4 and #5, have a long hard think, because you might not have a business left to mature if you ignore them. Choose to ignore the guidance related to Truths #1 and #2, and you’ll have to protect everything to the highest level just to be sure – which in an extreme case might just amount to the same thing.

Thank you Simon, for your incredible insights on a terribly important subject, cybersecurity threats I fear will not be removed any time soon.

You can contact Simon Rycroft:
LinkedIn – profile
email – simon dot rycroft AT crmg DASH consult dot com (removing all the spaces)
web – www.crmg-consult.com

Predictions for the start of 2020

2019 was definitely an interesting year!

As Abraham Lincoln once said: “The best way to predict your future is to create it.”

It’s hard to imagine that we’re living in the year 2020. Though we’ve seen plenty of impressive technological advances, like artificial intelligence and phones that unlock by scanning our faces, it’s not quite the world of flying cars and robot butlers people once imagined we’d have by now.

As crazy as these all seem, the world is on track for some spectacular innovations in 2020. Privately operated space flights, self-driving taxis and increases in cyberwarfare would have all seemed like science fiction a few decades ago, but now they’re very real possibilities.

So, let’s have a look at some of the expectations for 2020:

Space Travel
Humans living on other planets is a staple in sci-fi, but it’s growing closer to reality thanks to private space travel initiatives.

As greater advances in space travel are made, the media’s interest will be revitalised. Those private companies will likely capitalise on that attention, which could lead to opportunities to bid on government contracts. Jobs will be created. Auxiliary innovations will be developed. And our chance to become a multiplanet species will (infinitesimally) increase.

Self-Driving Cars

Ride-hailing services are already part of everyday life, but self-driving cars are set to cause seismic changes to the industry. Once safety concerns are addressed, many passengers might find that they prefer being driven by a computer rather than a nosy human. And implementing a network of self-driving cars will be crucial in order for these platforms to finally make a profit.

Companies may adapt to self-driving cars as well. Autonomous transport obviates the need for large fleets of corporate cars. Transportation costs for employees could be drastically reduced. The company could get depreciating assets off the books. And energy efficiency would increase. It’s a win-win-win.

Cybersecurity

Cybersecurity continues to grow in importance as more of our information moves online. Unfortunately, we’ve seen how woefully unprepared even trusted sectors like finance and government can be when it comes to keeping data safe.

No one wants their credit card information appearing on a hacker’s forum, so cybersecurity is crucial for any company doing business online. Cyberattacks are becoming more sophisticated, but fortunately, innovation in countermeasures has surged forward as well. Going into the next year, the cybersecurity industry will likely grow, assisted by cutting-edge technology like artificial intelligence (AI) and machine learning.

We are amidst the 4th Industrial Revolution, and technology is evolving faster than ever. Companies and individuals that don’t keep up with some of the major tech trends run the risk of being left behind. Understanding the key trends will allow people and businesses to prepare and grasp opportunities.

Artificial Intelligence (AI) is one of the most transformative tech evolutions of our times. Most companies have started to explore how they can use AI to improve the customer experience and to streamline their business operations. This will continue in 2020, and while people will increasingly become used to working alongside AIs, designing and deploying our own AI-based systems will remain an expensive proposition for most businesses.

For this reason, much of the AI applications will continue to be done through providers of as-a-service platforms, which allow us to simply feed in our own data and pay for the algorithms or compute resources as we use them.

Currently, these platforms, provided by the likes of Amazon, Google, and Microsoft, tend to be somewhat broad in scope, with (often expensive) custom-engineering required to apply them to the specific tasks an organization may require. During 2020, we will see wider adoption and a growing pool of providers that are likely to start offering more tailored applications and services for specific or specialized tasks. This will mean no company will have any excuses left not to use AI.

The 5th generation of mobile internet connectivity is going to give us super-fast download and upload speeds as well as more stable connections. While 5G mobile data networks became available for the first time in 2019, they were mostly still expensive and limited to functioning in confined areas or major cities. 2020 is likely to be the year when 5G really starts to fly, with more affordable data plans as well as greatly improved coverage, meaning that everyone can join in the fun.

Super-fast data networks will not only give us the ability to stream movies and music at higher quality when we’re on the move. The greatly increased speeds mean that mobile networks will become more usable even than the wired networks running into our homes and businesses.

Companies must consider the business implications of having super-fast and stable internet access anywhere. The increased bandwidth will enable machines, robots, and autonomous vehicles to collect and transfer more data than ever, leading to advances in the area of the Internet of Things (IoT) and smart machinery.

Extended Reality (XR) is a catch-all term that covers several new and emerging technologies being used to create more immersive digital experiences. More specifically, it refers to virtual, augmented, and mixed reality. Virtual reality (VR) provides a fully digitally immersive experience where you enter a computer-generated world using headsets that blend out the real world.

Augmented reality (AR) overlays digital objects onto the real world via smartphone screens or displays (think Snapchat filters). Mixed reality (MR) is an extension of AR, that means users can interact with digital objects placed in the real world (think playing a holographic piano that you have placed into your room via an AR headset).

These technologies have been around for a few years now but have largely been confined to the world of entertainment – with Oculus Rift and Vive headsets providing the current state-of-the-art in videogames, and smartphone features such as camera filters and Pokemon Go-style games providing the most visible examples of AR.

With so many changes to our technology coming so fast, it can be hard to grasp the sheer scale of innovation underway. The list above highlights some of the more interesting developments, but is far from exhaustive. Whatever happens, 2020 will be an interesting year for major tech companies and budding entrepreneurs alike.

2020 will be a year of reckoning for those that have held on too long or tried to bootstrap their way through transforming their business.

Simply put, the distance between customer expectations and the reality on the ground is becoming so great that a slow and gradual transition is no longer possible. Incrementalism may feel good, but it masks the quiet deterioration of the business.

Whether CEOs in these companies start to use their balance sheet wisely, find new leaders, develop aggressive turnaround plans, or do all of the above, they and their leadership teams must aggressively get on track to preserve market share and market standing.

Purposeful Discussions cover

Finally, 2020 brings ‘Purposeful Discussions’ which is now my fifth book in a series of books that provide purpose driven outcomes in support of some of the most talked-about subjects in life today. This book demonstrates the relationship between communications (human 2 human), strategy and business development and life growth. It is important to understand that a number of the ideas, developments and techniques employed at the beginning as well as the top of business can be successfully made flexible to apply.

As Swami Vivekananda once said:

“Take up one idea. Make that one idea your life – think of it, dream of it, live on that idea. Let the brain, muscles, nerves, every part of your body, be full of that idea, and just leave every other idea alone. This is the way to success.”

What can we all learn from the cyber threat landscape of 2018?

Every year, as a co-founder and member of the Neustar International Security Council, I attend The Neustar Cyber Summit, this year the summit was held at the OXO Tower in London and there really were some very interesting findings from the summit which I would like to share.

Rodney Joffe, Chairman of NISC, started to discuss where the Internet of Things fits into the equation.

‘The first thing to recognize is that the Internet of Things is a new phrase for something that’s existed for years. The only difference is scale.
Sometime in the late 1970s or early 1980s, some computer science students wired a Coca-Cola vending machine to the Internet. The students wanted to solve the problem of walking down three flights of stairs to the lobby only to discover there weren’t any cold Cokes in the machine.
It was one of the first devices wired to the Internet, and anyone could connect to it and ask for the status of the Cokes. So IoT isn’t really new. It’s probably best defined as all of the devices that can be connected to the Internet that don’t necessarily look like traditional computers. Items like smart power meters, smart lightbulbs and modern home thermostats, all the way to critical medical appliances and devices, jet engines and power turbines.

Because everyone is now focused on the IoT, we’re trying to develop rules around how all people, places and things interconnect. But millions of devices and things that are out there already are not secure, so we have to find ways of securing them and making sure that everything that gets added in the future is secure.
It’s no big deal if the Coke machine is wrong, but what if a nuclear-generating turbine goes down or if all the air-conditioning systems in a city go on at the same time because the smart meters that control the smart homes were compromised?

The other thing to recognize is that the industrial IoT is much larger than the consumer IoT. The breach of Target customer credit cards started when network credentials were stolen from an air-conditioning filtration vendor that had serviced various Target stores. Those credentials were used to hack into Target’s system, then install malware on a large number of the chain’s point-of-sale devices. The end result was brand damage for Target that has reverberations today.

The facts are, in 2016, we saw a number of huge attacks — many that exceeded 1Tbps. In 2017, by contrast, we saw fewer large distributed denial-of-service (DDoS) attacks, possibly because hackers were finding little advantage in taking a company completely offline. Another explanation is that hackers were simply enjoying the success of the previous year’s myriad of extortion and ransomware-oriented attacks, as well as the many DDoS associated data breaches.

So far in 2018, however, the big attacks are back with a vengeance. Earlier this year we saw the largest DDoS attack ever recorded — 1.35Tbps — using a new type of attack called Memcached, which will be discussed later. Then, a 1.7Tbps DDoS attack was recorded. Previous amplification attacks, such as DNSSEC, returned a multiplication factor of 217 times, but Memcached attacks returned amplification records exceeding 51,000 times! In fact, the potential return from Memcached attacks is so large that they do not require the use of botnets, making them a new and dangerous risk vector.

We are hoping that these attacks will go the way of the Simple Service Discovery Protocol (SSDP) amplification attacks, which used the protocol designed to advertise and find plug-and-play devices as a vector. SSDP amplification attacks are easily mitigated with a few simple steps, including blocking inbound UDP port 1900 on the firewall. There are similar steps that organizations can take to mitigate Memcached attacks, including not exposing servers and closing off ports, but until then, Neustar is prepared.

This year we are also seeing different uses for DDoS beyond simple volumetric attacks, including what we call quantum attacks. Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation. These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.
This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

Neustar recently thwarted what is believed to be the first IPv6 attack. This attack presented a new direction that attackers are likely to pursue as more and more companies adopt IPv6 and run dual IPv4/IPv6 stacks. We believe that IPv6 vectors will continue to emerge as organizations around the world move to adopt the new standard.

You can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect. It is important to note, however, that Layer 7 attacks are typically only part of a multi-vector DDoS attack. The other parts are aimed at the network and overall bandwidth.

DDoS attacks can be found in a multitude of sizes and for any reason imaginable. They can now be used to find vulnerabilities, to locate backdoors for exfiltration, and as a smokescreen-like distraction for other activities. Today’s organized criminals are able to focus on the results that they want and simply buy or rent the malware or botnets they need to get there. Some have gone so far as to comment that criminals are getting more and more like corporations, each with their own specialization.

The simple fact is that if you’re online, you’re susceptible to an attack. Whether you are vulnerable or not is entirely up to you.

The summit and Rodney Joffe’s keynote was incredibly insightful, but where does that leave us today and how can we guard against such threats in our business and personal lives?

A New York Times report reveals another cyberattack using stolen NSA hacking tools, and experts warn computer systems are not prepared for even more widespread attacks likely in the future. Max Everett, the managing director at Fortalice Solutions, joins CBSN to discuss the threat.

Cybersecurity expert warns the world is not ready.

We can all agree over the course of 2018, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic trojans, ransomware and spam bots were transformed.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers.
Powered by military-grade code allegedly leaked from the NSA, threats such as WannaCry and GoldenEye wrought havoc throughout, shutting down businesses and causing unprecedented operating losses.

The effectiveness of these threats has been compounded by novel lateral movement vectors that augment zero-day exploits such as EternalBlue and EternalRomance, allowing malware to ‘hop’ from one network to another, from organisation to organisation. These targeted attacks are reshaping corporate and government digital security, whilst simultaneously causing fallout in the consumer space.

Ransomware specifically aimed at companies has also become far more prevalent. Since the re-emergence this March of Troldesh, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Certain strains of ransomware such as Troldesh and GlobeImposter come equipped with lateral movement tools (such as Mimikatz), allowing malware to infect an organisation and log clean-up mechanisms to cover their tracks.

Following a surge of market interest around cryptocurrencies that has continued through 2018 and into 2019, miners have diversified and proliferated. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allowing cybercriminals to infect computers in organisations and increase mining efforts.

Based on threat developments in 2018, organisations should essentially prepare for more sophisticated iterations of malware based on the same theme in 2019.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers. Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities. In addition, the number of malicious attachments in SPAM emails will increase, particularly those written in scripting languages such as PERL or Python.

“All the world’s a stage/ And all the men and women merely players”; Shakespeare’s famous line makes us consider each person an ‘actor’ in their own right, with their own individual role to play. And when looking across the cyber threat landscape, this rings especially true – each actor has their own motivations and distinct part to play.
When the proverbial hits the fan, it’s typical for the victim – a business or government entity – to focus on the indicators of compromise (IoC) rather than what led to the attack in the first place.

Looking at IoCs is an essential part of a cyber defence strategy and can help victims identify who is targeting them. But it’s a reactive approach, which doesn’t help once your organisation has been breached.

This rear-facing view is also reflected in the cyber sensationalist news narrative. The media tend to focus on the number of attacks – a vanity metric – but rarely on its complexity, length, or who was behind it, and what their motivations were for attacking the organisation in the first place.

IoCs tend to change very quickly, the actor behind does not, nor their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release of the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs that were provided were false positives or TOR exit nodes, making it difficult for companies to make sense of them and ingest.

As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.

Threat intelligence highlights IoCs around an attack, such as that the actor was using cheap outsourced labour to perpetuate the attack, was using a particular hosting platform, or shared infrastructure.

IP addresses and domain names change very quickly, but the adversary’s motive does not. Knowing this is the first step towards changing an organisations’ security stance to mitigate the threat, identifying the indicators of attack (IoAs) rather than just the IoCs. Without intelligence, this would be impossible.

The type of malicious actor organisations must deal with will differ. Some may be state-sponsored, for example, carrying out cyber espionage on behalf of a nation. Others may be hacktivists, looking to incite political change, or cyber criminals looking to make a profit.
Understanding the bigger picture beyond the impact of the attack itself is critical if the good guys are going to triumph over the bad. Intelligence plays a key role in getting to the core of that bad apple.

STIX, the standardised language to represent structured information about cyber threats, helps to store and share information on actors and TTPs. It has become the de facto standard for information sharing in cyber threat intelligence as it facilitates automation and human assisted analysis.

Finally, it’s worth remembering that intelligence is not a silver bullet. It’s a part of a wider puzzle that enterprises need to put together in order to give themselves the best chance of defence against a cyber attack.

Security needs to be seen as an architecture, embedded in the foundation of an organisation. Hygiene factors such as ongoing patch management and end-user training also need to be considered.

The human element behind an attack is often forgotten. However, analysts can create a ‘big picture’ of the lifecycle and ecosystem of hackers by adding in the more specific details.

Enterprises and governments are under a constant barrage of cyber attacks. With the threat landscape evolving and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Without this understanding, the problem will persist and the next newspaper headline will feature their name.

In summary, the question is not whether you will be attacked. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Comey once said:
“We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy. “