At a time when businesses are digitally interconnected more than ever, the nature of risk and uncertainty is fundamentally changing. Cyber criminals are targeting not only entire organizations but also every individual that works for, or conducts business with it.
New corporate initiatives enabled by IT are moving forward at a pace that previous generations could only imagine. These initiatives improve efficiency, but they trigger a wide range of vulnerabilities that can expose your company's most valuable assets, from trade secrets to customer accounts.
Creating an efficient procurement process, for example, often entails connecting external suppliers directly to a corporate network. Enhancing employee productivity means allowing multiple new types of devices to connect to the network. Installing new web applications can expose employees to email schemes that capture proprietary log-in credentials.
The effect of unintentional exposure can be catastrophic. Hackers who steal administrative credentials can hold hostage an entire organization, by making it impossible to access company data, for example. This can put a company out of business.
Seen from this perspective, the more companies rely on IT to grow the business, the greater the risk of a security breach. Cyber theft is a burgeoning global industry that currently generates billions of dollars in illicit trade annually. It is fueled by a strong reseller's market where hackers sell stolen data to others who possess the desire but not the tools to harvest valuable IP. It is funded by organized crime and actors within nation-states that not only operate beyond any jurisdiction, but also have access to billions of dollars in tax-free capital to invest in these criminal operations. Cyber criminals are focused on stealing data every moment of every day.
In the face of such adversaries, it is understandable that confidence in information security is low. The challenge facing senior business leaders today is to find a way to defend information assets, while at the same time enabling the business to continue to innovate. There is no such thing as perfect security, of course. But there are actions that organizations and individuals can take to protect themselves.
As part of their larger risk management responsibilities, executives and boards are increasingly being held accountable for making sure that information security risk is neither overlooked nor underestimated. This means that the entire organization needs to enhance its overall security intelligence, at a time when the threat has never been more difficult to discover and assess.
Recent high profile breaches have resulted in executive shakeups and breach costs as high as nine figures after insurance and deductions.
Other impacts have yet to be revealed over time, including opportunity loss due to the distraction of these crises, erosion of investor confidence, employee morale and trust, and government intervention. As a result, most business executives today are keenly aware of how a significant cyber theft can hurt their company—and not just in dollars and cents but reputation loss and lawsuits.
Luis A. Aguilar, a Commissioner with the Securities and Exchange Commission, pointedly told business leaders at a New York Stock Exchange Forum last year that boards that "choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."
Naturally, negligence is often in the eye of the beholder. But as information technology becomes more crucial to modern business processes, it is more reasonable to expect senior executives to comprehend and address information security risks. Corporate boards are now expected by their shareholders, customers and regulators to demonstrate that they are making every reasonable effort to oversee the identification, monitoring and mitigation of those risks.
In fact, a recent survey of board members conducted by the Institute of Internal Auditors finds that 58% of them felt they should be actively involved in cybersecurity preparedness. But in reality, only 14% said they were doing so, even though 65% said their perception of the cybersecurity risk facing their organizations had increased over the past year.
The challenge for boards is that uncertainty abounds when it comes to information security. Threats are not easily understood, methods used in the attacks are opaque, and the front lines of the battle are often fought using an alphabet soup of IT hardware, software and data analysis technologies whose effectiveness is hard to evaluate. The data that indicates a company's resiliency from cyber attacks is not easily translated into risk management terms that help directors determine potential losses, set risk appetite, or approve resources to improve data security.
As with any form of risk, uncertainty and complexity are no excuse for hesitating to lead. The issue that business leaders must address is, firstly, how much risk are they willing to accept as it relates to key information assets and, secondly, how can they reduce uncertainty as they assess the company's ability to protect and defend itself?
The first step is to understand the evolving nature of today's threats to the whole enterprise. Once this framework is established, it is easier not only to meet the cyber security challenge but also to thrive in a digitally interconnected business environment.
Hacking: An Industry Fueled by Demand for Stolen Assets
Hacking is not just a crime; it's a maturing industry. Just like any other product or service, online markets cater to the demand for stolen corporate and consumer data that includes passwords, credit card numbers, corporate intellectual assets, and even complete human identities. In fact, the Commission on the Theft of American Intellectual Property recently estimated that the robbery of U.S. intellectual assets amounted to $300 billion a year, almost half the annual level of U.S. eports to Asia.
Just like any business, these professional criminals respond to market demands:
- Hackers not only sell the data they have stolen, they also offer their services. The current fee for hacking a web site is between $100 and $200, depending on the expertise of the hacker. The cost of buying access to compromised computers also varies. The price for 5,000 individual bots located in the U.S. is $600 to $1,000, while the same number of bots in the UK is $400 to $500. Just like any service, the fee is determined by the potential value of the data harvested.
- Hackers also sell products in the form of Hacker Training Tools. A manual containing handfuls of tutorials that explain how to hack into systems can be acquired for $30, while individual training tutorials can cost as little as $1.
- The people buying this stolen data range from petty criminals to nation states. An organized crime ring might, for example, use stolen credentials to engage in "ransomware" which holds corporate networks hostage while they extort hundreds of thousands of dollars from the company.
- Nation states around the globe are engaged in acquiring intellectual property that can benefit their industries and military. While countries have engaged in this activity for centuries, the rate and scale at which it is happening today is unprecedented. It's important to note that intellectual capital commands a higher price on the black market than any other type of data asset.
- Also on the rise are attacks from "hacktivists." A marketing message or product may offend a particular group, or a political position taken by the company may make it a target for hackers who are passionate about the issue. Hacktivism has emerged as a way to lash out, by defacing or shutting down an organization's website. The financial damage is usually small, but the effect on the organization's reputation can be huge.
- For as little as $25, criminals can now assemble what is known as a "doxing report" to create a digital profile of an intended target. They then use the information to send fake emails intended to entice the unsuspecting end-user to click on attachments or links that appear to be coming from trusted sources. For example, they may determine what school your child attends by monitoring social media outlets. Armed with a small amount of information, hackers can create a fake email from the school that many people ultimately will click on or open.
- When not robbing banks wholesale, hackers are just as happy to dive into individual accounts. Almost anyone can use the "darknet" to purchase usernames and passwords for "high value" online bank accounts that have "verified" account balances between $70,000 and $150,000. These can be purchased for as little as 6% of the balance of each account.
- Cyber criminals also offer satisfaction guarantees, for example guaranteeing that all the credit card numbers they have stolen are actually valid.
While organizations have invested billions of dollars in information security, it often turns out that the biggest vulnerability comes from within. The single most effective tool of hackers is the readiness of people to inadvertently click on malware in seemingly safe emails. Through techniques known as spearphishing, hackers trick unsuspecting victims to click on links and attachments that are loaded with malware. Once installed, hackers use the malware to gain access to other systems. In fact, this was the technique that recently led to over $1 billion being pilfered from as many as 100 banking and financial institutions across the globe in as little as two years by a single criminal gang.
Employees that have drug or financial problems can be bribed. Individuals that employees have become friendly with may have ulterior motives. A former employee may become disgruntled or may be motivated by greed. Whatever the motivation, employees that go rogue can inflict significant damage on a company. Such threats are not going away anytime soon. The challenge is how to minimize these risks when resources are limited.
Four Areas of Vulnerability Where Business Leaders Must Engage
Once important assets are identified and vulnerabilities recognized, companies can reduce the likelihood that information security defenses will be compromised. Four evolving areas of vulnerability that business leaders should understand are:
- End Points: Criminals and hackers know that, while networks may be well-protected, devices and individual systems are vulnerable to sophisticated forms of malware. To combat this, companies need to have the same 24/7 monitoring and detection capabilities on their endpoints as they do on their network. Business leaders should make this a priority, both when employees are connecting their own end points to the corporate network, and when new end points are added.
- Unwitting Employees as The Threat "Vector" of Choice: Many recent security breaches point to poor vigilance by employees. Spearphishing is the most widely used style of attack. Executives are targeted as frequently as lower-level employees because they have access to the most sensitive data. Employees and contractors need to be continuously educated and reminded about the consequences of inadvertently clicking on malware. Most importantly, companies should test the IT environment frequently. New employees create gaps and longevity engenders complacency. Only by setting the right tone at the top of the company will the risks be reduced.
- Risk from Suppliers, Partners and Affiliates: All supply chains are connected on the Internet. Companies can implement security best practices within their environment, but those technologies and policies are only as secure as their weakest link on the supply chain. Companies should require every supplier and business partner to demonstrate the same levels of security controls as they have, and assessments should be conducted regularly with those entities to identify vulnerabilities. When information security is addressed in the context of enterprise risk management, product and service line leaders will be empowered to implement security policies such as requiring contract assurances of security from business partners.
- Ransomware: Once hackers gain access to IT systems, they can encrypt massive amounts of data and then extort hundreds of thousands of dollars from companies. Preventing ransomware and mitigating the risk require: blocking executable files before they reach a user's inbox, keeping hardware and software fully updated, maintaining threat intelligence on the latest known indicators, reevaluating permissions on shared network drives, and regularly backing up data using offline media. Business leaders need to ensure that all of these security controls are in place and consistently deployed, and there should be stiff consequences if policies are not enforced at all levels of the organization.
Information Security Is a Leadership Imperative
It is clear that investing in security technology is only half the battle. The other half requires human intelligence, human management and human analysis of the threat data. It requires quantifying risk, articulating a risk appetite, enforcing a culture of security, and setting expectations for suppliers and partners. It also requires people who can analyze data and apply real-time threat intelligence to make tactical decisions.
With 10,000 of the world's largest corporations experiencing a total of more than 40 million security incidents in 2014, it is easy to see how the requirements of information security can overwhelm organizations. As network security becomes more sophisticated, so does the threat. Companies have to carefully monitor and analyze thousands of cybersecurity events a day.
Yet resources are in short supply and expensive. A tech career web site, Dice, reports that job postings for cybersecurity are up 91%. And, even if you can find security experts, they are among the most expensive IT professionals to hire. The recruitment firm, Robert Half Technology, reports that IT security salaries are more than 6% higher in 2015 than in the previous year.
Of course, security intelligence is not just about throwing people at the problem. Organizations must be able to see potential threats before they occur. This helps organizations to fortify defenses, continuously detect and disrupt cyber-attacks, and recover faster from security breaches.
To this end, Dell SecureWorks has a deep bench of security experts and a formidable technology platform that provides actionable intelligence tailored to specific companies' environments. It can resource companies with clear and concise threat and vulnerability analyses and detailed remediation recommendations based on the very best intelligence should a breach occur.
Dell SecureWorks processes and analyzes 110 billion cyber events each day, on behalf of more than 4,500 clients, across all types of vendor platforms and technologies. Its security specialists perform risk assessments, test for vulnerabilities and help companies recover from breaches, gaining a deep knowledge of security trends and solutions across all industries. Meanwhile, Dell SecureWorks also has the nation's top researchers mining data "in the wild" to augment what is learned in the field. All that data is then analyzed and correlated so it can be made useful to clients in all stages of their information security program. With this kind of intelligence and resourcing, security professionals can stay one step ahead of the threats and focus on top priorities as the business changes and grows.
Savvy business executives know it is always best to work with people who have relevant experience when navigating unknown territory. While securing information assets is of paramount importance, the real issue for business leaders is to make sure the organization has enough confidence in its information security to continue to innovate.
An organization's decisions after an attack are likely to be less important than the decisions made before an attack is launched. A good security posture depends on knowing how to apply existing resources, as much as on acquiring new capabilities. Good security intelligence can help minimize risk to the enterprise and, in turn, the potential liability for people who manage and oversee it. Business resiliency comes down to adaptability, human capital and processes.
Ignorance of threats to an organization has never been a legitimate defense against liability. By understanding the intentions and capabilities of their adversaries, as well as their own information security vulnerabilities, senior business leaders and boards can enable organizations to succeed, regardless of the persistent efforts of criminal entities intent on doing harm.