Resilience and risk management help steer network security strategies

Cyberspace is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments. They can hide out in the dark web, geographically removed from the scene of their crimes, launching automated attacks on thousands of targets knowing a fraction will succeed. They can steal seemingly innocuous bits of data from disparate sources and combine them to create powerful leverage and gain access to lucrative caches of money and information to sell on the black markets of cyberspace. They operate with near impunity, using vast networks of crime comrades and illicit infrastructure to escalate their exploits and cover their tracks.

Organisations operate in increasingly connected environments where the network perimeter has essentially dissolved. With new technical vulnerabilities being discovered every day, it has never been more important for businesses to assess and understand their critical infrastructure. Cybercriminal syndicates are ahead of the game, finding new and intricately sophisticated ways to gain access to an organisation’s 'crown jewels', often through their networks.

Information security breaches are increasing

The capacity for disruptive innovation among technology entrepreneurs is well-regarded, but they are not the only ones known for constantly upsetting traditional procedure. Hackers and organised criminals continue to hone their capabilities and attacks, hiding their online activity in a flood of data to overwhelm or subvert organisational defences.

Recent PwC global survey results highlight the challenge at hand: while cybercrime is the second most reported economic crime, only 37 per cent of organisations have any sort of incident response plan. Furthermore, according to the Ponemon Institute’s 2015 Cost of Data Breach Study, the average consolidated cost of a data breach is $3.8 (£2.7) million, and costs continue to rise.

Just as data privacy has developed into a highly regulated discipline, the same is happening for data breaches originating in the Internet of Things (IoT) environment. The number of data breaches is escalating, and the resulting fines are also increasing. As more regulators wake up to the potential havoc caused by insecure storage and processing of sensitive information, they will demand more transparency from organisations and impose even bigger fines.

Organisations that get on their front foot now to prepare for stricter data breach laws and more severe penalties will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions overall.

Cybercrime has a value

It goes without saying that information that is being stolen, leaked or lost, has a value. Cybercrime syndicates mature as malspace continues to develop. Let’s take a look at a few types of cybercrime that we at the Information Security Forum (ISF) are seeing:

Rogue governments

Rogue governments already provide support to terrorist groups in the form of financing, weaponry, and logistics. These partnerships are based on a government’s need to carry out covert actions with deniability and a terrorist group’s need for resources they would struggle to find elsewhere. These partnerships are developing advanced capabilities to launch cyberattacks on infrastructure or organisations in other countries. The resulting cyber incidents will be more persistent and damaging than organisations have experienced previously, leading to business disruption and loss of trust in existing security controls.

Crime-as-a-Service

As crime syndicates mature, they emulate corporate practices by aligning commercially and diversifying their enterprises, seeking profits by moving more of their activities online. They base their operations where political and law enforcement structures are weak and malleable in order to conduct their activities relatively undisturbed. This level of sophistication forces legitimate organisations everywhere to adapt their security strategies and fortify their internal business operations.

In a criminal marketplace with a global talent pool, professionalisation will lead to specialisation. Different criminal business units will focus on what they do best, and strategy development and market segmentation will emulate private sector best practices; malware development is a prominent example. Rising profits will allow crime syndicates to steadily diversify into new markets and fund research and development from their revenue. Online expansion of criminal syndicates will result in Crime-as-a-Service (CAAS) offerings and the proliferation of bulletproof distributed hosting providers that turn a blind eye to the malicious activities of their outlaw clients.

Mobility concerns

Smartphones are a prime target for malicious actors. The rapid uptake of Bring Your Own Device (BYOD), and the introduction of wearable technologies to the workplace, will intensify the high demand for mobile apps. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and testing to rapid delivery and low cost, producing poor quality products that are easily hijacked by criminals or hacktivists.

Mobile devices, applications, and cloud-based storage introduced to the workplace by employees constitute a growing security risk to businesses of all sizes. These risks stem from mismanagement of the device itself, external manipulation of software vulnerabilities, and the deployment of poorly tested, unreliable business applications (shadow IT).

IoT adds unmanaged risks

The billions of devices that comprise the IoT will collect a wide variety of data from users, who will be unaware that it is happening, where the data is being stored, or who has access to it. These devices may be inadequately protected, exposing critical infrastructure, including industrial control and financial systems, to attack.

As organisations deal with this complex digital environment, they will respond by automating tasks previously performed by people. Human cognitive abilities will be regarded as a bottleneck to task completion and efficiency. Algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness. However, the interactions between these algorithms will become overwhelmingly complex, introducing significant new vulnerabilities and new challenges for security experts.

Insiders continue to pose a threat

Most high-profile attacks on corporate data centres and institutional networks have originated outside of the victimised organisations. But the network openings that allow outside cyber-attackers to burrow in, infect databases and take down file servers almost always originate with trusted insiders. According to a worldwide survey of ISF members, the vast majority of those network openings were created innocently through accidental or inadvertent insider behaviour. Vulnerabilities can be created by something as mundane as a trusted employee taking files to work on at home.

Moving forward, organisations must nurture a culture where insiders can be trusted – and insiders can trust the organisation in return. Organisations with a high exposure to insider risk should expand their insider threat and security awareness programs. A culture of trust becomes more imperative as the volume of information insiders can access, store, and transmit continues to soar and mobile working for multiple employers becomes the status quo.

Reducing the risk of attack

Deploying cybersecurity measures is not enough. Risk management largely focuses on achieving security through the management and control of known risks, but rapid evolution of opportunities and risks in cyberspace is outpacing this approach. Organisations must extend risk management to include risk resilience, in order to mitigate any damaging impacts of cyberspace activity.

Cyber resilience programs help anticipate and prepare for uncertainty with comprehensive rapid-response capabilities. Once one has acknowledged that cyber-attacks are unavoidable, the next logical step is to prepare and rehearse a decisive and effective response plan. Cyber resilience recognises the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. Above all, cyber resilience is about ensuring the sustainability and success of an organisation, even when it has been subjected to an attack.

Utilising standards to protect against risk

Business leaders recognise the enormous benefits of cyberspace — innovation, collaboration, productivity, competitiveness, and engagement with customers — but they have difficulty assessing the risks versus the rewards. That’s why the ISF has designed its new tools to be as straightforward to implement as possible. These ISF tools offer organisations of all sizes an 'out of the box' approach to address a wide range of challenges: strategic, compliance-driven, or process-related.

For example, the ISF’s Standard of Good Practice for Information Security (the Standard) is the most comprehensive and current source of information security controls available. It enables organisations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organisations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organisations, and trends from the ISF Benchmark, along with major external developments such as new legislation.

Institute a risk assessment process

Managing information risk is critical for all organisations, but effective only if it enables business strategies, initiatives, and goals. As a result, an organisation’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of which risks could compromise business success and resilience.

For help with information risk assessment, I recommend reviewing the ISF Threat Radar. The Threat Radar plots the ability to manage a threat against its potential level of impact, thus helping determine its relative importance for an individual organisation. It can also demonstrate any change likely to occur over the period in question.

It is important to remember that it is not feasible to defend against all threats. An organisation therefore needs to look closely at its resilience: analyse and optimise the plans and arrangements in place to minimise impact, speed recovery, and learn from incidents.

Preparing your people

Many organisations recognise their people as their biggest asset but fail to recognise the need to manage the human element of information security. People should be an organisation’s strongest control. Organisations must go beyond security awareness training and policy to embed positive information security behaviours that will turn into habits, creating a sustainable security culture throughout the enterprise. The real commercial driver of security awareness activities should be risk, and how new employee behaviours can reduce that risk.

Adopting the perspective that disclosure will be more damaging than the data theft itself is a guaranteed way to damage customer trust. However, many organisations lack rehearsed incident response and tech-literate public relations plans. We urge our members to carefully consider their response, because your organisation can’t control the news once it becomes public. This is particularly true as data breaches occur with greater frequency and the general public pays greater attention to privacy and security matters. I highly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.

Requirements for security professionals in 2016…and beyond

Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling. As you prepare your organisation to navigate the security minefield keep this guidance top of mind:

  • Focus on the basics
  • Re-assess risk from the inside out
  • Adopt a risk vs. reward mindset
  • Address major threats to mission critical information
  • Think resilience, not security

Organisations of all sizes need to ensure they are fully prepared to deal with attacks on their business and reputation. The more resilience and security-oriented thinking you can embed into all aspects of your business strategy and planning, the more equipped you will be to respond effectively and move forward from a place of strength.

Steve Durbin, Managing Director of the ISF

Image source: Shutterstock/Maksim Kabakou