By Paul van Kessel, Global Leader, Cybersecurity services — EY Advisory.
Every CIO must have an incident response program as part of their cybersecurity strategy. I stressed the word “must” deliberately because your organization will undoubtedly be hacked one day — if it hasn’t been hacked already.
It’s critical to have that program in place because otherwise you may not have time to pull it together once the cyber attack happens. You will then be in full fire-fighting mode, supporting an organization that is in crisis and answering a barrage of questions from police and regulators, customers, investors and suppliers. Your priority would be to figure out if money or invaluable intellectual property has been stolen while trying to maintain routine business-as-usual activities as far as possible.
During a cyber attack, you must feel confident that your team understands the incident response program and knows exactly how to implement it to protect the organization. It will be too late to prevent the crisis — at that point, the crisis can only be managed. That’s why preparing a response plan for a breach in technology defenses is a critical component of any cyber-resilience strategy. Unfortunately, many organizations have yet to accept this uncomfortable fact.
Know your enemy
In EY’s 19th Global Information Security Survey 2016-17, which queried more than 1,700 CIOs, CISOs and other executives around the world, we identified three high-level components of a cybersecurity strategy. By enhancing their capabilities with respect to these components, organizations can better protect themselves from a cyber attack. The three components are:
- Sharpen your senses
- Upgrade your resistance to attacks
- React better
Resistance has traditionally been the area where organizations have focused most of their resources. As the board and executives have seen resistance as a priority, they have invested time and money in building a powerful corporate shield involving controls, monitoring and internal audit. So unsurprisingly, our survey found that organizations’ capability was high in this area — but with some room for improvement in the reporting subcomponent.
Capability was lower in terms of anticipating cybersecurity threats (sharpening the senses), although many organizations have improved significantly in this respect in recent years. They are using cyber threat intelligence to scan the horizon for risks and installing monitoring mechanisms, such as security operating centers (SOCs), to identify and manage their vulnerabilities. Nevertheless, more progress needs to be made since almost two-thirds (64%) of respondents to our survey did not have, or only had an informal, threat intelligence program in place.
We can compare an organization with an effective cyber threat intelligence program to a goalkeeper on a soccer team. If a goalkeeper doesn’t anticipate the actions of the opposing team, they will not see the ball coming, so they probably won’t be able to stop it. But when they can see the field clearly, they can anticipate the opponent’s moves, see the angle the ball is coming from, and are more likely to move in the right direction to stop the ball. Ultimately, no organization wants to be in a position where it concedes the goal.
However, cyber threat intelligence, which is supplied by a host of external providers, will not give an organization sufficient visibility of the dangers it faces unless it is properly interpreted. So organizations also need to have effective internal cyber trend intelligence programs in place to make sense of the information they receive and to filter what’s important to their own business and sector.
Recently, a major player in the US leisure industry suffered a serious hack, with credit and debit card data stolen from millions of customers’ accounts. Less than a year previously, a Chinese company in the same sector had suffered a similar cyber attack. After the breaches, it quickly emerged that both companies used the same software and point-of-sale systems. This type of information, made available by companies that sell cyber trend intelligence, is an example of useful insight that would be relevant to other organizations in the industry that may use the same systems as those targeted in the attacks.
The third component of cybersecurity — the ability to react to an attack and to recover from it quickly — is the area where most organizations fail at present, according to our survey. This is the result of the very human inclination to believe that if you’ve done everything possible to prevent a cyber attack from occurring, it will not happen to your organization.
According to the findings from our survey, the corporate world lacks preparation in the event of a cyber breach. Overall, 42% of respondents said they did not have an agreed communications strategy or plan in place in the event of a significant attack. Furthermore, nearly two-thirds (62%) would not increase their cybersecurity spending after experiencing a breach that did not appear to do any harm.
Failing to prepare exposes your organization to operational and reputational risk. A truly cyber-resilient organization is ready to deal with the disruption caused by hacking through incident response capabilities, crisis management and then forensic investigation. It will have practiced its incident response program ahead of any event by using “war game” scenarios. It will also have a detailed communication plan that covers a range of eventualities, including a security breach that lasted several months before being noticed or a breach that needs to be kept confidential to give law enforcement agencies the chance to apprehend the cyber criminals.
What does a cyber-resilient organization look like?
To date, organizations have rightly focused on trying to build robust, resilient “fail-safe operations” that can withstand sudden cyber attacks. Yet, the unpredictable nature and unprecedented scale of the cyber threats that companies now face means that organizations must move from the fail-safe approach toward designing a system that is “safe to fail.”
A system that is safe to fail has been designed to absorb an attack, reduce the velocity and impact of it, and allow for the possibility of partial system failure as a way to limit damage to the organization’s systems more broadly. For example, in the event of a high-level threat to the system, a SOC can be configured to alert the system owner to the threat and to shut down the system to prevent the threat from spreading further.
A CIO looking to create a cyber-resilient organization in today’s world should have an investment program that balances the need to sense, resist and react to cyber threats. The outcome of this investment will be a cyber-resilient organization that:
- Develops a “whole of organization” response to cyber threats, based on an in-depth understanding of the business and operational landscape
- Maps and assesses the relationships the organization has across the cyber ecosystem, identifies what risks exist and performs a risk assessment
- Determines the critical assets that need to be protected
- Shares information about the risk and threat landscape so that the organization understands the broader risk landscape and is aware of any security gaps
- Boasts exceptional leaders who can communicate clearly, give direction and set the right example in the event of an attack
- Has created a culture of change readiness through simulation exercises and war games that challenge the existing crisis management, command and control center, manuals and plans
- Conducts formal investigations and prepares for prosecution