Five Principles for Improving Your Cyber Security

Drive Your Business

Uploaded by wgroup, posted 26-Jan-2017

©2015 WGroup. ThinkWGroup.com

Introduction

Corporate assets have been shifting from physical assets to virtual assets over the past 20 years. This trend has been accompanied by a corresponding increase in the vulnerability of intangible assets, leading to a greater general awareness of corporate cyber security risks. The alteration or destruction of a company’s data can result in harm to reputation, loss of public confidence, disruption to infrastructure, and legal sanctions. The security risk can adversely impact a company’s stock price and competitive position in the marketplace.

Many companies have viewed security risks in terms of a risk/reward tradeoff, which is especially challenging for cyber security threats. The complexity of these threats has increased dramatically in recent years, which often results in businesses facing security incidents that overwhelm traditional defenses. The CIOs and CISOs of midsize companies typically face the same security challenges as larger corporations, but with far fewer resources at their disposal.

The effects of a security breach can go well beyond the mere loss of information to include actual financial loss. Furthermore, the pressure to deploy cost-effective technologies continues to increase, significantly affecting resource investments for midsize firms. The combination of these pressures on executives and staff members means that the comprehensive oversight of cyber security is now essential.

The following five principles will help to improve your cyber security:

• Risk identification
• Risk management
• Legal implications
• Technical expertise
• Expectations


Overview

Until just a few years ago, cyber attacks were primarily carried out by technically sophisticated individuals. While frustrating, businesses could often treat these incidents as just a business expense. Today’s cyber attackers, however, are more likely to be part of a large team that uses malware to target a system in a multi-stage strategy known as an advanced persistent threat (APT). These threats have migrated down the economy, placing companies of all sizes at risk.

One of the defining characteristics of an APT is that perimeter defenses such as firewalls and intrusion detection systems do not stop it on their own: the intruder uses multiple means to get past each security layer, and a sophisticated attacker who targets a specific company will almost certainly penetrate its defenses eventually. However, insiders such as disgruntled staff members often present at least as great a threat to a company’s cyber security as external attackers. This situation emphasizes the need for an adaptable security program that’s balanced between internal and external threats and effective against low- and high-end attacks.

Government agencies are concerned with protecting critical infrastructure from cyber attacks motivated by political aims, although most cyber attacks have a financial motive. A 2014 report estimates that 95 percent of all such attacks are economically motivated. Company data that’s potentially valuable to an attacker includes credit card information, trade secrets, and business plans. The surreptitious nature of cyber attacks makes their specific cost difficult to estimate, but recent sources consistently place it in the hundreds of billions of dollars each year. A 2013 study estimates that the global economic value of assets at risk from cyber threats could rise to between $9 trillion and $21 trillion by 2020.

Governments and large corporations have traditionally been at the greatest risk from cyber attacks, since small and medium-sized companies were often too small to be a significant target. However, smaller organizations are often at greater risk today because they have fewer resources to dedicate to cyber security. In addition to being targets in their own right, these organizations also provide a pathway of attack to more attractive targets. A business’s relationships with its customers, partners and suppliers are common attack pathways, making partner and vendor management critical functions in cyber security.


A 2012 study by the Ponemon Institute found that attackers had a significant advantage over defenders, and this disparity is expected to increase. Effective cyber attacks can be performed at a relatively low cost, since the necessary skills and resources are easy to obtain. Furthermore, the potential profit is extremely high, providing strong motive to conduct such an attack. Many experts believe that cyber defenders are a full generation behind their attackers.

This discrepancy has two primary causes. First, it’s difficult to justify the return on investment (ROI) for defending against a cyber attack that may never occur. Second, the legal enforcement against these attackers is virtually nonexistent. Current estimates place the rate of successful prosecution against these attackers at less than 1 percent. This situation doesn’t mean that defenses are impractical. However, it does mean that business executives must be fully engaged in implementing sophisticated plans for their cyber defenses to avoid placing their company’s core assets at risk.



Balancing security against profitability

Many factors must be considered to determine the resources that may be allocated for cyber security. Business executives must always balance security level against the potential losses from an attack, while still remaining profitable in a competitive environment. Conversely, many profitable business practices and technical innovations can reduce security. For example, business practices such as bring your own device (BYOD) provide employees with easy access to data at any time and from any location. Many businesses must use international supply chains to remain competitive. Both of these practices can dramatically reduce an organization’s security. Furthermore, cloud computing, mobile technology, and smart devices yield significant savings by increasing business efficiency, but they can create significant security risks when implemented haphazardly.

A smaller business must use several strategies to obtain adequate defenses while maintaining profitability. Most importantly, cyber security must be an integral component of the business process, rather than bolted on at the end. Businesses must implement specific security controls to maximize the cost-effectiveness of their cyber security. For example, a 2013 study shows that the following four controls, applied together, can prevent 85 percent of the targeted intrusions it analyzed:

• Restricting which applications users can install and run (application whitelisting)
• Updating the operating system (OS) regularly
• Updating software applications regularly
• Restricting administrative privileges

The four reinforce one another: patching removes the known exploits, whitelisting blocks the unknown payloads that still arrive, and withholding administrative rights limits what a compromised account can change.
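Restricting administrative privileges starts with knowing who actually holds them, and on a Linux host that is more than one group listing: uid-0 accounts, primary-group membership that never appears in /etc/group, and sudoers rules all confer root-equivalent access. The following script is an added example written for this page, not code from the WGroup paper or from any product it mentions. It parses passwd, group and sudoers content and reports every account with root-equivalent rights. The sample file contents are constructed for the example, and sudoers aliases and #include directories are assumed out of scope (they are not expanded); point the functions at the real files to audit a host.

```python
"""Enumerate accounts with root-equivalent rights on a Linux host (added example).

Reports uid-0 accounts, primary or supplementary members of administrative groups,
and sudoers rules that grant the ALL command set. Sudoers aliases and #include
files are assumed out of scope and are not expanded, so audit those separately.
"""
import re

# Groups that conventionally carry sudo rights even when no sudoers text is supplied.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}

# One sudoers user specification:  user|%group  host(s) = (runas) [TAG:] command list
_SPEC = re.compile(r"^(%?[\w.-]+)\s+[\w.,-]+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(.+)$")

def _records(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields

def parse_passwd(text):
    """Map user -> (uid, primary gid)."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _records(text, 7)}

def parse_group(text):
    """Map group -> (gid, set of listed supplementary members)."""
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in _records(text, 4)}

def parse_sudoers(text):
    """Return (users, groups) whose sudoers rule grants the ALL command set."""
    users, groups = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, include directives, Defaults and alias definitions are not rules.
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        match = _SPEC.match(line)
        if not match:
            continue
        who, commands = match.groups()
        # A rule limited to named commands is least privilege working as intended;
        # only an unrestricted ALL command list counts as administrative access.
        if any(cmd.strip() == "ALL" for cmd in commands.split(",")):
            (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups

def effective_admins(passwd_text, group_text, sudoers_text=""):
    """Return {user: sorted reasons} for every account with root-equivalent rights."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    privileged = ADMIN_GROUPS | sudo_groups
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings = {}
    def note(user, reason):
        findings.setdefault(user, set()).add(reason)
    for user, (uid, gid) in users.items():
        if uid == 0:  # a second uid-0 account is a classic backdoor
            note(user, "uid 0")
        primary = gid_to_name.get(gid)
        if primary in privileged:  # primary gid never appears in /etc/group's member field
            note(user, f"primary group {primary}")
    for name, (_, members) in groups.items():
        if name in privileged:
            for member in members:  # stale members with no passwd entry are still reported
                note(member, f"member of {name}")
    for user in sudo_users:
        note(user, "sudoers grants ALL")
    return {user: sorted(reasons) for user, reasons in findings.items()}

# Constructed sample host data for this example, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
deploy:x:1003:1003:Deploy:/srv/app:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
ops:x:500:carol
"""
SAMPLE_SUDOERS = """\
# constructed sudoers sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%ops    ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for user, reasons in sorted(effective_admins(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS).items()):
        print(f"{user:8} {', '.join(reasons)}")
```

On a live host, read /etc/passwd, /etc/group and /etc/sudoers and pass their contents to effective_admins. The report should list exactly the people whose job requires root; a second uid-0 account (toor above), a group member nobody remembers adding, or a forgotten NOPASSWD: ALL rule is a finding to remove, while the deploy account's single-command rule is the shape every other entry should take.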


This study also showed that these controls generated an immediate ROI by improving business efficiency, a benefit that was exclusive of the economic advantage of reducing security breaches. Effective security threat management also can provide your company with the confidence needed to take calculated risks in information technology (IT), such as migrating to a cloud-computing platform.

The five principles presented in this white paper are relatively general, providing the opportunity for executives to discuss strategies for implementing them. The best way to adopt these principles depends on a company’s unique characteristics, including business plan, culture, geographic footprint, lifecycle stage, and industry sector.


1. Risk identification

The identification of security risks includes a determination of the best course of action to take for each risk. These actions may include acceptance, avoidance, mitigation, or transferring your risk through insurance, with each action requiring a specific plan for implementation. Complete security is never a realistic goal, so a company’s tolerance for cyber risk must be consistent with its resource allocation and overall business strategy.

Executive management needs to answer specific questions relating to risk tolerance. This process generally involves selecting the level of security risk that an organization is willing to accept. Risk tolerance requires executives to differentiate between data that’s mission-critical and data that’s important but not as essential.

Resource allocation

Resource allocation involves deciding which resources to allocate for each security threat. Management should devote the greatest resources toward the most sophisticated defenses, which are typically designed to protect the most critical assets. However, research from the Armed Forces Communications and Electronics Association (AFCEA) shows that companies often apply resources to protect all data and functions equally. This study also indicates that the protection of low-impact assets may require a greater investment than the expected benefits warrant. Companies should therefore consider accepting a higher level of risk for these assets based on their projected ROI. The ROI of IT assets should be reassessed on a periodic basis, to account for changes in asset priorities and protection costs.


Transfer options

All businesses have access to endpoint solutions that help to transfer some part of their security risk, regardless of their size or industry sector. Some endpoint solutions add an additional layer of security by providing access to resources such as IT security services, employee training, and proactive tools. These value-added services emphasize the benefits of moving discussions on security risk from the IT department to executive management. While endpoint solutions assist in reducing the risk of property damage or loss due to a security breach, some companies will need to transfer their risk to an insurance carrier. A cyber-insurance carrier should have global capabilities with the capacity to tailor an insurance policy to fit each company’s specific needs. This type of carrier should have experience and expertise within your industry sector.

Impact assessment

An assessment of a security breach’s impact typically requires the consideration of many factors, especially when the breach becomes public knowledge. The stakeholders in such a breach include customers, employees, investors, suppliers, and the press. Many stakeholders see little distinction in the severity of security breaches. This tendency often means that the loss in share price and reputation has little to do with a breach’s actual severity. Executive management must therefore consider this possibility when establishing risk priorities.



2. Risk management

Businesses have traditionally treated cyber security as a technical issue that should be handled by the IT department. However, management should handle cyber security as a company-wide issue, rather than just an IT issue. Existing corporate structures often foster this misperception, preventing individual business units from taking responsibility for their own data’s security. An environment in which IT handles all cyber security for the organization can result in inadequate security, since this department often has a low priority for resources. This practice can also inhibit communication on security issues and the implementation of effective strategies.

An organization should manage cyber security in the same way that it manages the physical security of its personnel and facilities, which is typically handled as a company-wide issue. This change should result in senior executives addressing risk management from a strategic and economic perspective.

Security risks in a business environment

High-profile security breaches are often the result of non-traditional hacking techniques. For example, spear phishing is a common method of penetrating a system. This technique targets a specific individual with a tailored e-mail message that carries malware in an attachment or link. The use of long supply chains can increase security risks, especially during product launches and changes in product strategy. Business systems are more vulnerable to attack during mergers and acquisitions, since they often require the integration of IT infrastructure. This risk is especially high with an accelerated timeline, which may prevent adequate due diligence.

A corporate network also represents a challenge to cyber security, since this network must connect to many outside parties such as affiliates, customers, partners, and suppliers. Several recent high-profile breaches have originated from the systems of outside parties rather than the target organization’s own systems. Many organizations are migrating their data to an external network, such as a public cloud platform. This practice can cause security challenges because the client organization neither owns nor operates the infrastructure, and therefore has little ability to directly control its security.


Businesses are connected to parts of the national infrastructure in many cases, which can compromise an organization’s own security. This trend increases the likelihood that company security could be considered a part of public or even national security. Board members should therefore ensure that management considers the effects that security measures will have on the organization’s own networks, as well as the other networks in which it operates. They should also discuss the various levels of security risk with management, taking into consideration the appropriate tolerance for each risk.

It’s vital for board members to know which assets to protect most. They must ensure that management develops a strategy that initially focuses on protecting those assets that have the highest probability of attack while building outward. Furthermore, the board should also ensure that management considers low-probability attacks that could have a high impact on the organization.

Cyber-risk oversight

Considerable debate exists on the best approach to managing the oversight of cyber risk. The National Association of Corporate Directors (NACD) Blue Ribbon Commission on Risk Governance recommended in 2009 that cyber risk oversight should be a function of a company’s entire board of directors. However, many boards still continue to assign most risk oversight tasks to the audit committee. This practice is common even though most directors believe that the whole board should be responsible for risk oversight, according to the NACD. Furthermore, a quarter of directors believe that the audit committee should be entirely responsible for risk oversight. Directors should therefore assign full responsibility for risk oversight to the entire board or an individual committee. The committee with responsibility for risk oversight should receive briefings at least once each quarter, especially for cyber risks where information can change quickly. The entire board should receive a briefing at least once every six months.

The NACD recommends that boards and committees address cyber security as a stand-alone item on their agendas. However, this issue may also be integrated into discussions by the full board regarding new business plans. Common topics of this type include mergers and acquisitions, market inquiries, product offerings, and the deployment of new technologies. Major decisions on capital investment such as system upgrades and facility expansions may also include a discussion of cyber security.


3. Legal implications

Corporate liability in this area is evolving rapidly, making the specific legal risks to the entire board and individual directors difficult to determine. Board members must understand the legal implications of their company’s cyber risks. Board minutes should show when cyber security was on the agenda of either the entire board or the relevant committee, depending on where the responsibility for security oversight has been allocated. Specific items of discussion will typically include updates on specific risks, along with reports on the overall program and the integration of security into business activities.

Recent high-profile attacks have resulted in lawsuits, including derivative suits by shareholders. These suits typically allege that the board of directors failed to take the steps needed to adequately protect the company from breaches of customer data. The most important areas of concern for directors include maintaining complete records of any discussions on cyber risks. Directors must also decide on the specific information to release in the event of a security incident.

Public disclosures

The Securities and Exchange Commission’s (SEC) Division of Corporation Finance has issued guidance on the public disclosure of information regarding cyber security incidents. It noted that businesses are migrating toward greater dependence on digital technologies for their business operations. The SEC also added that investors are increasingly likely to consider cyber security when making investment decisions. Companies should therefore consider disclosing the details of specific security incidents based on the following criteria:

• Frequency and severity of prior incidents
• Potential costs of the incident
• Risk level of security threats
• Preventative actions taken


The SEC contacted 50 companies between 2000 and 2013 regarding their disclosure of their security practices. The results of that survey led the SEC to recommend that companies release the following information to their prospective investors:

• Potential costs and consequences of specific risks in internal business operations
• Risks of outsourced functions and how those risks may be addressed
• Risks of incidents that may be undetected for a prolonged period
• Relevant insurance coverage

The SEC also stated that its examination priorities for 2014 would include information on cyber security.

The guidance offered by the Division of Corporation Finance isn’t a rule or regulation. However, the SEC does have broad power to enforce its “books and records” requirements through audits, investigations, and subpoenas. Compliance with these guidelines may therefore be advantageous for a company within the context of litigation, especially after a successful cyber attack. The lack of disclosure regarding security threats may result in lengthy litigation based on inadequate disclosure, even when the attack causes only a modest drop in stock price.

Directors should therefore request that senior management solicit counsel’s advice regarding the disclosure of security risks. The company’s responses to a major security breach are important issues to consider disclosing. Directors and management should receive regular updates from counsel on these topics as company circumstances, disclosure standards, and formal requirements continue to evolve.



4. Technical expertise

Board members should have ready access to technical expertise on cyber security issues. The agenda for board meetings should also allow adequate time to discuss the management of cyber risks on a regular basis. The 2013 NACD Public Company Governance Survey reported that 87 percent of respondents felt that their board members needed a greater understanding of IT risks, although this is a general term that may include many specific risks. The survey also indicated that directors generally have a low level of confidence in their members’ understanding of cyber risks.

The NACD hosted a roundtable discussion of directors regarding cyber security in late 2013. These directors generally agreed that a lack of technical knowledge made oversight of management’s security activities a challenge. The participants in this discussion added that directors can’t easily distinguish between management and oversight without adequate knowledge on security. Furthermore, directors have difficulty in assessing the board’s appropriate level of involvement in risk management without the necessary technical expertise.

Improving technical expertise

The lack of technical knowledge among its directors is causing some companies to consider recruiting additional directors with expertise in cyber security. However, this expertise is only one of many factors that governance committees must consider when nominating a replacement on a board of directors. Additional factors include financial knowledge, global experience, industry expertise, and other specific skill sets.

Directors can still bring technical expertise into the boardroom even if they choose not to add another board member. Common methods of obtaining this capability include leveraging independent advisors, such as external counsel and auditors. These experts can provide a perspective on trends in cyber risks across multiple clients and industries. Board members also can schedule detailed technical briefings from security firms, industry associations, government agencies, and other subject-matter experts.


Improving management reports

Board members require current information on their company’s security environment to approve management’s priorities or to oversee them effectively. However, a 2012 survey by Carnegie Mellon University found that fewer than 40 percent of responding board members receive regular reports on cyber security and data privacy. Twenty-six percent of these respondents said they rarely if ever receive such reports. A 2014 study by the Ponemon Institute found that only 12 percent of responding board members regularly receive briefings specifically on cyber threats.

The NACD’s 2013 Public Company Governance Survey shows that many directors believe their organizations require more technical expertise at the executive level. The directors responding to this survey rated IT as the area with the lowest quality of information provided to the board by senior management. More than a third of the responding board members reported that their information on their organization’s IT capability was insufficient. Only 13 percent of these respondents said they were satisfied with the quality of their IT information.

Directors should consider the possibility of bias when evaluating management reports regarding their organization’s security risks. These reports will generally tend to minimize the severity of these risks. A 2014 study reported in International Business Times found that 60 percent of IT staff members failed to report cyber security risks to their superiors until they were urgent. These staff members admitted that they attempted to filter unfavorable information on their organization’s cyber security.


5. Expectations

Technology is useful for keeping an organization well-integrated, even when its workers are physically separated. However, many organizations still have siloed structures that were established when the organization wasn’t well-integrated. Furthermore, individual departments often make decisions that are relatively independent of each other. This decision-making process often fails to account for the high degree of digital interdependency that typically exists in modern businesses.

Directors should therefore expect senior management to establish a framework for managing cyber risk across the entire organization. They should ensure that this process has an adequate budget and staff.



Security framework

President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The order instructed the National Institute of Standards and Technology (NIST) to develop a framework for cyber security that organizations in the private sector can adopt. The NIST framework includes standards, procedures, methodologies, and other processes that can help an organization to ensure that its policies and business practices align with cyber security.

This framework provides senior management with a common language for use in developing a strategy for cyber-risk management that will cover the entire organization. It recommends that the first step in this process should be a review of the organization’s security practices to determine where it currently stands in terms of risk management. This review should result in the assignment of an implementation tier from 1 to 4, with 4 representing the most rigorous risk management practices. The tiers are as follows:

1 – Partial
2 – Risk-informed
3 – Repeatable
4 – Adaptive

The framework itself notes that the tiers are not maturity levels and that moving to a higher tier is warranted only where it reduces cyber risk cost-effectively, so it may not be practical for a particular organization to reach the highest tier. However, directors should still expect management to consider the NIST framework when developing an organization’s plans for managing cyber risk.


Summary

Cyber risk is ultimately a human issue that affects almost all activities in a modern business. The impact of a successful attack can be very high due to a combination of factors, especially the potential damage to a business’s competitive advantage, finances and reputation. The complexity of modern cyber attacks and the speed at which they’re evolving make it challenging to develop a strong defensive strategy. The current business environment favors attackers despite the dramatic increase in spending on cyber security.

Business innovations often increase an organization’s vulnerability to cyber threats and make risk management more challenging, especially innovations that facilitate access to an organization’s data. Additional obstacles to strong cyber security include the traditional view of IT as an expense rather than an investment. Executives must continually assess the level of their organization’s cyber security to ensure adequate oversight over management’s activities without compromising their fiduciary responsibilities. This assessment also should identify opportunities for improving the organization’s security.

This white paper provides principles for selecting a starting point and establishing benchmarks for cyber security, although many specific approaches exist. Executives should strive to implement a company-wide strategy for managing cyber risk, as opposed to the traditional approach of assigning sole responsibility to the IT department. Additional principles of cyber-risk management include an understanding of the legal implications of cyber risk, both for the board members and the company as a whole. Finally, executives must have access to expert information and enough time on the agenda to conduct well-informed discussions with management on cyber security issues.

Senior executives must provide the guidance that management needs to develop an effective strategy for an organization’s cyber security. This strategy must be sufficiently flexible to handle the frequent changes in business process that are common with many small and medium organizations. Executives also must ensure that their cyber risk strategy is an integral part of their company’s overall risk strategy.

Many IT security advisory firms will conduct complimentary security scans to determine your firm’s current situation and create a baseline for recommending action. Contact one now, before a breach puts you into recovery mode.


Drive Your Business

Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy, Management and Execution Services to optimize business performance, minimize cost and create value. Our consultants have years of experience both as industry executives and trusted advisors to help clients think through complicated and pressing challenges to drive their business forward.

Visit us at www.thinkwgroup.com or give us a call at (610) 854-2700 to learn how we can help you.

301 Lindenwood Drive, Suite 301, Malvern, PA 19355
610-854-2700
ThinkWGroup.com