Cybersecurity will – and should – continue to be a priority for enterprises in 2018 and beyond, because of the increasing volume and sophistication of cyber attacks. A poignant example was the year 2017, which saw two prominent data compromises: the WannaCry ransomware attack, which paralyzed hospitals throughout the UK and affected millions of computers across countless other countries, and the Equifax data breach, which compromised the personal information of half of the US population.
So, what can enterprises do to prepare now? The answer is to shift their mindset from notions of pure defense to cyber resilience. Based upon discussions with our clients, we analyze three cybersecurity myths to relinquish in 2018.
Myth 1: Unlike other industries, technology companies can be 100% secure.
Technology companies face continuous pressure to innovate. In addition, their customers demand that information and services be dynamic and available on demand from an ever-growing variety of access points. Under these conditions, technology companies simply cannot be 100% secure. Put differently, the notion of pure defense is a fantasy. Technology companies also face additional challenges that increase cyberrisk:
- They have access to large amounts of data from many sources, making them attractive targets for bad actors attempting to steal information.
- Their business requirements involve delivering vast troves of data, which requires alliances with third parties for back-office operations and service delivery.
- Increasingly, technology companies are operating in an outsourced cloud environment.
- Technology companies often serve customers in industries outside of their own and each industry has its own cyberrisks (e.g., financial services, healthcare, and public sector).
Historically, organizations have focused on securing the perimeter and hardening internal systems. Yet, in recent years, attacks have grown in sophistication and now employ techniques that circumvent traditional control structures built around perimeter security and hardened internal systems. Accordingly, enterprises need to change their mindset from building an impenetrable defense to developing resilience to innovative attacks. In short, companies need to recognize this reality and align their cyber strategy accordingly, implementing controls and protections within processes and monitoring control activities continuously. Additionally, organizations must not only record the protocols with which they will respond to data incidents, but also practice these protocols on a regular basis – incorporating the multidisciplinary team necessary to effect a complete response (including, but not limited to, legal, IT, finance, HR, crisis management, PR, and the communications and investor relations teams).
Myth 2: Technology company boards have a full cyberrisk picture from their IT departments
Business as usual is a thing of the past. Boards need to be attuned to this and get involved appropriately. Historical cyber strategies are becoming outdated – such as delegating cybersecurity to IT, relying on vendor-driven security, or conflating the concepts of compliance and security. These outdated notions expose companies to more frequent incidents, to larger operational losses, to more significant costs, and to increased reputational damage.
Boards need to reevaluate the role they can play to help position their organizations to operate in an increasingly digital world. Cyberrisk should be prioritized among other enterprise-wide risks. Only by establishing a proper governance structure that is derived from clear, written policies, regularly practiced incident response protocols, and a multidisciplinary approach, can organizations hope to become resilient to cyberrisk. Another aspect to consider is training practitioners in the context of this governance structure and exercising the key controls within that structure regularly. To achieve this, organizations and their boards need to consider investments in deep specialization – from legal counsel and crisis management to public relations and insurance considerations and beyond. This area is much too nuanced to be treated like a technology issue alone.
58% of legal departments are highly involved in responding to data security risks. Nearly 25% have primary responsibility for the issue.
– Grant Thornton’s 2017 Corporate General Counsel Survey
Myth 3: No data loss, no harm done
Cyber attacks are no longer exclusively geared toward data exfiltration. System compromises can result in numerous substantial harms to the organization, even if no sensitive data ever leave the organization’s information technology environment. To illustrate this, consider that ransomware attacks aren’t necessarily designed to steal data; they can merely render data inaccessible. Similarly, an increasingly common attack vector diverts the computing power of a compromised machine to other purposes (e.g., mining of cryptocurrency). These attacks don’t move – or even touch – organizational data; they merely hijack the often expensive resources of an organization for an agenda important to the hijacker.
Given the complex situations that bad actors can create for enterprises, two issues figure prominently in our discussions with clients: communication and forensics. First, a written communication plan is imperative, complementing an established and practiced game plan supported by a multidisciplinary team. It is simply not possible to design an effective communication plan while the participants are in the midst of a crisis. Protocols need to be recorded, memorized and practiced with regularity before the bad thing happens, which allows for a more directed, unified organizational response. Some considerations for a well-drafted communication plan include: 1) communication to law enforcement; 2) communication to the various state Attorneys General’s offices; 3) communication to the press; and 4) communication to clients and other key stakeholders to whom a legal disclosure requirement might be owed.
A second factor to contemplate is how to balance recovery efforts (i.e., containing the threat and restoring normal operations to your systems) with forensics. There will always be intense pressure to restore system operations as soon as possible, but it is imperative that this pressure does not crowd out forensic considerations (such as the need to preserve key artifacts and other evidence that may be required to answer key questions and address litigation issues down the road). In practice, this means capturing and hashing the relevant logs, files and images before rebuilding or reimaging a system, so that the evidence can later be shown to be unaltered.
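One concrete way to reconcile the two pressures above is to make artifact preservation a fast, scripted step that runs before any restoration work begins. The following is an added illustration, not code from the original article or from Grant Thornton: it walks an evidence directory, records a SHA-256 hash, size and modification time for every file in a manifest, and can later re-verify that manifest to show whether anything was altered (for example, by a hasty rebuild). The case identifier, collector name and sample files are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, case_id, collector):
    """Record every file under `root` with its hash and metadata.

    The manifest is the preservation record: it is created before any
    recovery action touches the system, so later questions about whether
    evidence was modified can be answered by re-hashing.
    """
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            })
    return {
        "case_id": case_id,            # constructed identifier, not a real case
        "collected_by": collector,     # constructed identity, not a real person
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def verify_manifest(root, manifest):
    """Return (path, problem) pairs for artifacts that no longer match the manifest."""
    problems = []
    for entry in manifest["entries"]:
        full = os.path.join(root, entry["path"])
        if not os.path.exists(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: preserve two artifacts, then detect that one was altered.

    Returns the manifest and the verification result after the alteration.
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample artifacts standing in for a log file and a dropped binary
        with open(os.path.join(root, "auth.log"), "w") as fh:
            fh.write("hello")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "suspicious.bin"), "wb") as fh:
            fh.write(b"\x00\x01\x02")

        manifest = build_manifest(root, "CASE-0001", "analyst@example.invalid")
        assert verify_manifest(root, manifest) == []  # pristine right after collection

        # Simulate a restoration step overwriting an artifact before analysis finished
        with open(os.path.join(root, "auth.log"), "w") as fh:
            fh.write("hello world")

        return manifest, verify_manifest(root, manifest)


if __name__ == "__main__":
    manifest, problems = demo()
    print(json.dumps(manifest, indent=2))
    print("integrity problems:", problems)
```

Writing the manifest out as JSON (as the `__main__` block does) and storing it separately from the evidence gives counsel and investigators a simple record to point to when the question of whether an incident was a "breach" is later argued; a manifest that still verifies is far easier to defend than analyst recollection.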
This last point is especially important: neglecting forensics can hurt organizations by hindering their ability to reach a proper conclusion about whether a given data incident constitutes a “breach”. In a very real sense, the determination of whether an organization has suffered a “breach” is a legal conclusion. Organizations should only arrive at such a conclusion after a proper, thorough, and defensible investigation of the available evidence. Ideally, these analytical steps – as well as any related conclusions – are achieved via a mature incident-response process, directed by counsel and including key organizational functions operating as a unified group.
Principal and National Practice Leader, Forensic Technology Services
+1 404 704 0144
Managing Director, Cyberrisk
+1 415 318 2240