

ClarendonPtrs.com

Managing Cyber Risk

Cyber resilience has rapidly emerged as a high-stakes challenge. To mitigate the risk of a cyber-attack, some companies could be compelled to delay innovation. There is a better way forward.

Practical solutions that work.

Cyber resilience: It takes a Community


A report by the Center for Strategic and International Studies and McAfee estimates the cost of cybercrime and cyber espionage to be $100 billion annually for the U.S. economy and $300 billion for the global economy.1 These amounts include:

• Loss of intellectual assets

• Cybercrime

• Loss of sensitive business information

• Opportunity costs

• Costs for securing networks, insurance and recovery

• Reputational damage

In addition to these losses, cyber attacks can also slow innovation. To mitigate the risk of a cyber attack, some companies could be compelled to delay the adoption of cloud and mobile technologies and implement new policies and controls that carry the unintended consequence of hampering employee productivity.

The optimal approach to achieving cyber resilience in a hyper-connected world requires collaboration and information sharing. Rather than going it alone, firms have the opportunity to rally together in building a cyber-resilient network that can promote innovation and protect value.

The Price of Failure

Failure to attain robust cyber resilience is an expensive proposition. In the absence of a coordinated movement to clamp down on malicious cyber activity, the price tag is certain to become costlier.

Organizations seeking to guard against the loss or theft of personal protected data have been losing ground. In its 2013 Cost of Data Breach Study, the Ponemon Institute evaluated detection, response, containment and remediation costs associated with data breaches recorded by 277 organizations in nine countries.2

In a separate study, Ponemon conducted research looking at the tab organizations have had to pick up for a broad range of criminal activity conducted via the Internet. Its 2013 Cost of Cyber Crime Study looked at cyber attacks including everything from stealing corporate IP to confiscating online bank accounts and interfering with critical national infrastructure. This study covered 234 organizations across six countries.3

The two studies revealed a dark backdrop for cyber resilience. For the companies surveyed, it was concluded that from 2011 to 2012:

• The average cost of a data breach rose from $130 to $136 per record.

• The average cost of cyber crime climbed 30 percent to $7.2 million per year.

1 Center for Strategic and International Studies, The Economic Impact of Cybercrime and Cyber Espionage, July 2013, http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf

2 Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, May 2013, http://www.ponemon.org/library/2013-cost-of-data-breachglobal-analysis

3 Ponemon Institute, 2013 Cost of Cyber Crime Study: Global Report, October 2013, http://www.hpenterprisesecurity.com/register/2013-fourthannual-cost-of-cyber-crime-study-global



The payouts that have been made to address data breaches and cyber crime may only be a fraction of the economic cost to society for suboptimal cyber resilience. The potential drag on innovation and productivity that could accompany additional regulations and corporate policies may prove to be much more expensive than the types of adverse cyber events captured in the Ponemon studies.

A recent report published by the World Economic Forum in collaboration with McKinsey & Company presents three alternative scenarios estimating the impact on technological innovation by 2020 under varying cyber resilience environments.4

In a baseline scenario, as much as $1.02 trillion in value is left unrealized as cyber attackers maintain the upper hand over defenders. In a more ominous scenario, as much as $3 trillion in innovation is unrealized as international cooperation to prevent attacks comes up short and government cyber resilience regulations lead to a deceleration in digitization. In the third scenario, coordinated efforts between the public and private sectors beat back attackers. The resulting innovation and digitization create between $9.6 trillion and $21.6 trillion in value.

Under Siege on All Fronts

The third scenario is achievable, but corporations will face an uphill battle, with cyber resilience efforts under siege on all fronts. To come out ahead, companies will have to fend off external attacks, prevent misdeeds by insiders and address complexities introduced when doing business internationally.

In its data breach study, Ponemon disclosed that human error and system glitches accounted for the majority of data breaches.

The cyber crime study by Ponemon also underscores the threat presented by insiders. Although only 37 percent of the companies sampled reported attacks attributable to malicious insiders, this category of attack proved to be much more costly than more common attacks such as those from malware, which 99 percent of the companies reported. “While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman of Ponemon Institute, to CSOonline.com of the findings.5

When weighted by attack frequency, malicious insider attacks topped the list from a price standpoint, costing companies an annualized average of $154,453. Malware, on the other hand, came out as the least expensive category of attack, with an annualized average of $491.

4 World Economic Forum and McKinsey & Company, Risk and Responsibility in a Hyperconnected World, January 2014, http://www.mckinsey.com/insights/business_technology/risk_and_responsibility_in_a_hyperconnected_world_implications_for_enterprises

5 CSOonline.com, Most Data Breaches Caused by Human Error, System Glitches, June 17, 2013, http://www.csoonline.com/article/735078/most-databreaches-caused-by-human-error-system-glitches


Figure 1: Root Cause of Data Breaches (categories: Human Factor, Malicious Attack, System Glitch; the chart shows shares of 37%, 34% and 29%)



For companies that conduct business across international borders, the challenge of preventing and responding to these attacks has an added degree of complexity. The focus of cyber resilience extends to operating within the bounds of varying regulatory requirements and differing cultural norms.

It is not uncommon for corporations to face a wide range of data residency and privacy regulations. It is plausible that a multinational company could find itself in a situation where it is forced to navigate a different set of requirements for each location where it has data stored.

The challenge of meeting these legal requirements may actually pale in importance when compared with conforming to cultural norms. In the United States for example, companies have not experienced the same magnitude of public outcry for better data protection as has been witnessed in other countries. On a comparative basis, data breaches have become more widely acceptable to consumers in the U.S. where the typical response is to provide identity theft protection policies to the consumer affected.

Even for multinational corporations that have been able to adequately address compliance concerns and adapt to cultural norms, the challenge of bringing attackers to justice remains.

In Europe, however, a heightened sensitivity to privacy could translate into a data breach having significantly costlier consequences for a company. Rather than striking a stance of indifference, European consumers could be much more likely to keep a data breach in the public eye. This sentiment has rippled through legislative arenas as the European Union Commissioner for Justice recently went on record seeking heftier fines for companies that breach data privacy laws.6

With attacks originating from all ends of the globe, cyber criminals are destined to remain elusive without advances in cross-border legislation and concerted efforts between companies, governments and law enforcement agencies to combat cyber crimes.

Attempts to spur international cooperation have been made in recent years. For instance, forty-one countries have ratified the Convention on Cybercrime treaty. However, a great deal of work still lies ahead in enhancing a criminal justice system that can retain an advantage over cyber attackers.

A Step Forward

The goal is to establish a trusted network of organizations in this hyper-connected world that will improve the cyber resilience of each of these trusted counterparties. This objective will not happen overnight. In order to achieve this vision, we must set ourselves on a path that will enable organizations to improve tactical capabilities in the near term while building the foundation of trust necessary to fight cyber-attacks in a coordinated fashion. Achieving this coordination across organizations will enhance the cyber resiliency of all member organizations.

6 Naked Security, EU Commissioner Calls for Larger Data Breach Fines, January 22, 2014, http://nakedsecurity.sophos.com/2014/01/22/eucommissioner-calls-for-larger-data-breach-fines/


Figure 2: Annualized Averages. Malicious Insider Attack: $154,453; Malware Attack: $491.


Near-Term Activities

While the objectives are aligned for all organizations looking to fight cyber attacks, the path taken will vary. Some organizations will require more extensive countermeasures in order to improve their resiliency. For every company, the starting point for determining the extent of the measures necessary is to evaluate the risk related to its intellectual assets (IA). We have seen that many companies do not have a formal process for the identification and tracking of IA. Without a formal process for managing its IA inventory, a company cannot evaluate the risk related to those assets.

Once a company has adopted a formal process to track and risk-rank its IA inventory, the company can then both drive cultural awareness of the importance of those assets and align cyber protection activities to provide improved protection to the areas that provide the greatest benefit. This is a different approach than most organizations use today, where all information assets are treated in a similar manner.

The short-term activities that companies will need to consider include the following.

Define the risk appetite for the company relative to IA categories. Senior management should initiate an effort to formally define its risk appetite. This undertaking should be a collaborative, cross-functional endeavor.

Establish quantitative methods for risk evaluation. Companies should quantify the likelihood of occurrence of cyber risks and the cost in the event of an occurrence. Such an approach will allow the organization to better prioritize the focus of its cyber resilience efforts.

Drive cultural awareness through training and change management activities that reinforce the importance of these assets. The best cyber resilience programs are led by a good offense. The proactive engagement of employees in training and change management initiatives will establish a shared understanding of the value of IA and the need to safeguard them.

Employ a risk-based approach for cyber resilience. Companies should establish policies that treat different categories of information in different ways. These policies do not limit access to information based upon hierarchy, but rather on a need-to-know basis.

Establish defined roles and responsibilities for the ongoing management of IA inventory. Organizations should ensure roles and responsibilities for safeguarding IA inventory have been clearly defined and communicated. This process will instill accountability and help to align the actions of employees with strategic objectives related to the protection of IA.

Establish a security element in the company’s standard Data Management Program. The security element of a Data Management Plan is vital to securing the sensitive data and IA of a company. This component should be periodically reviewed and adapted to address changes in risk.


Long-Term Activities

Companies can independently carry out the near-term activities presented to protect IA and improve cyber resilience capabilities. The successful execution of these activities is necessary for companies to have a fighting chance against cyber threats.

Over the long term, coordination between organizations will be required to accelerate the implementation of innovative technologies and give companies the upper hand over attackers. The pursuit of the recommendations that follow will empower organizations to build a potent network of trusted counterparties that can endure.

The long-term activities that companies should strive to achieve include the following.

Fortify communities of resilience. Collaboration is needed between entities in effectively utilizing and improving the quality of information sharing venues such as Information Sharing and Analysis Centers (ISACs). These partnerships will foster a macro environment that encourages and protects innovation and roots out cyber threats. Active participation by all member organizations will be required for this endeavor to succeed.

Establish a trusted-counterparty database. The development of a formal trusted-counterparty database will be crucial for effectively tracking counterparty relationships and building trust between participants. An automated solution will result in the efficient exchange of information between counterparties and enable organizations to become more agile in their response to emerging cyber threats.

Develop comprehensive law enforcement capabilities. To better anticipate and respond to cyber attacks, an increased level of cooperation is needed between the private sector and law enforcement agencies. Law enforcement capabilities should be sufficiently funded to prosecute cyber crime and protect technological innovation.

Summary

Building a unified front is no small undertaking. Determining root causes of cyberattacks, prioritizing responses, developing law enforcement mechanisms that pack a punch and establishing effective information sharing channels are just a few of the more notable challenges facing cyber security stakeholders.

It takes a community. Synergies resulting from companies working together will enhance response capabilities, protect corporate brands, spur innovation and deter future attacks. These developments are unlikely to materialize through independent efforts.

Clarendon Partners combines extensive industry knowledge with business skills that allow us to deliver pragmatic advice and guidance to help our clients improve performance, effectively manage risk, and gain insights from data in order to achieve their business objectives. Rather than following a formulaic methodology, we tailor our approach to each engagement to improve the outcomes for our clients.

© Clarendon Partners. All rights reserved. | 2000 Clarendon Blvd., Suite 102, Arlington, VA 22201 | 703.201.2062 | clarendonptrs.com