October is promoted as cyber security awareness month in the US and across the European Union. We're all for increasing awareness of security issues and threats, so we're in, but we know our average SecurityStreet reader likely works in information security and is already “aware.”
Year round we try to provide content to help you keep up with the latest threats and trends, so in the spirit of a month dedicated to enhancing the security awareness of the general public, throughout October we'll focus on providing content you can use to educate those around you that may be less security savvy.
Last year we did this through a series of primers designed to help you educate your users on the risks they face daily, and how to protect themselves. If that sounds of interest, it's not too late to make use of them to educate your users about phishing, mobile threats, basic password hygiene, avoiding cloud crises, and the value of vigilance.
This year we're focusing on the executive team. Given the number of high profile breaches in the past year, the C-suite and Boards of Directors are paying closer attention to cyber security and the potential business risk in terms of liability, loss of reputation, and revenue impact. This is a great time for you to explain why cyber security is important and help your executive leadership navigate the risks.
To help you with that, we'll share a series of posts covering five topics: why security matters now; corporate liability and duty of care; building security into the corporate culture through policies and user education; how organizations can make security into a strength and advantage; and crisis communications and response. Each post will aim to make the topic easy-to-understand and digest for busy execs. The goal is to give you content you can use to advance the cyber security knowledge of your executive team, with no need to edit.
To get us started, this week we're focusing on why the C-suite should care about security…
Why is Cyber Security a C-level Issue?
The economics for cybercrime are shifting, creating a great deal of opportunity for attackers. To start with, the technical skills requirement is decreasing as malware and attacker tools become commoditized. This makes it easier for even unsophisticated attackers to succeed. At the same time, adoption of technologies such as smart phones, cloud apps, and social media makes every user in your network a potential weak point that an attacker could target to gain a foothold.
In addition, the strengthening of shadow financial systems has increased the potential for monetizing stolen information. There are abundant “black-markets” though which attackers can sell stolen credit cards, healthcare information, intellectual property and just about anything they are able to steal. Combined, these factors are lowering the barriers to entering the market, increasing the potential pay-off, and increasing the numbers of state-sponsored, corporate espionage, organized crime, and opportunistic cyber-attackers.
In this environment, it's not surprising we frequently see breaches make headlines. A recent report from the Ponemon Institute claimed that 43% of businesses suffered a breach in the past year alone. Included,were some very high profile names – Target, eBay, JP Morgan, Home Depot – but you don't have to be a huge billion dollar organization to fall victim to a cyber-attack. Even if you don't attract the attention of a focused, targeted attack, there are plenty of opportunistic criminals launching untargeted, broad reach, “drive by” attacks that could affect your business. Remember, criminals have a ready market to sell your information. They don't need any other reason.
The recent spate of breaches have revealed many lessons for anyone leading an organization. The first critical lesson is that regulatory compliance, such as PCI or HIPPA does not ensure security. All of the brands mentioned above were subject to, and compliant with, security regulation of some kind. It didn't stop them from being compromised. Executives need to recognize that compliance does not equal security and checking the box is no longer sufficient.
Another lesson learned from these breaches is that it is critical that your organization is able to quickly detect and respond to security incidents should they occur. It's not enough to just focus on prevention as a truly motivated, resourceful attacker will find a way in. You will be judged on how your organization responds and protects its customers and users. Ensure your organization has the tools it needs to detect breaches early, and processes in place to respond should an incident occur.
Speaking at a conference in July, the US Secretary of the Treasury, Jacob J. Lew focused on the increasing importance of cyber security, stating:
“If you are the leader of a business, you should know how strong your company's defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cyber security threats and what your company is doing to respond to those threats.”
The concept of liability for breaches is changing. Following the Target breach, both the CIO and CEO exited the company. There's been speculation that there was more than just the security incident behind the CEO's departure, but it seems to have at least been a contributing factor. Since the breach, the retailer has also faced a Congressional investigation, lawsuit from the financial sector, stock market dips, and has failed to meet its earning expectations. Target has demonstrated that being breached is not just a security risk, it's a risk for the business as a whole, and needs to be taken seriously at the executive level.
The National Association of Corporate Directors offers several worthwhile resources for board members or executives who would like to learn more, including what kinds of questions they should be asking their team. One you might want to read is the “Cyber-Risk Oversight Handbook.”
Follow this series to learn more about how to build security into your business planning to minimize risk to your organization.