Managing the Risks of Cyberspace
By Steve Durbin
Hardly a day goes by without news of a new cyber-security threat or a major data breach arising from “malspace”: the online environment inhabited by hacker groups, criminal organizations and espionage units. As hacktivists, cyber-criminals and nation-states drive traditional information security risk sharply upward, it is becoming clear that the business risks of operating in cyberspace are quickly moving to the top of most chief executives’ agendas.
Today, CIOs, CISOs and other information security practitioners are accountable for reporting on and explaining the corporate risks associated with an organization’s activities in cyberspace. Highly publicized breaches, financial losses and more stringent government regulations have put the spotlight on information security in most organizations around the world. As a result, stakeholders need to be reassured that an organization’s sensitive information is secure.
Malspace vs. the Real World
Malspace is a thriving marketplace for those motivated to make money, get noticed, cause societal disruption or take down corporations and governments through cyber-attacks. Part of the attraction of doing business in malspace is its anonymity: the risk of getting caught is much lower than the risk of being caught committing a crime in the “real world.”
Cyberspace is a far better hiding place, and the ground shifts far more quickly than the software, staff and systems that defenders rely on to keep up. Furthermore, laws and regulations differ across jurisdictions, which can make prosecuting cyber-crime extremely difficult.
In addition, cycle times for the people committing cyber-crimes are shortening while the potential rewards are growing. Global cyber-criminals are increasingly organized and professional in their approach. They are as innovative and strategic as many legitimate businesses, and their financial capabilities are ever evolving, keeping pace with the online economy.
With unprecedented opportunities for collaboration, a malspace ecosystem has developed, complete with marketplaces for buying and selling the expertise and tools needed to target and execute cyberattacks. Every hacker group, criminal organization and espionage unit in the world now has access to powerful tools and expertise for identifying, targeting and attacking their victims.
All of this makes it absolutely imperative for enterprises and governments to build up cyber-resilience. But how can this best be achieved?
Extending Risk Management
Cyber-security and risk management practices largely focus on achieving security through the management and control of known risks. Cyber-resilience goes further: it requires that businesses of all sizes prepare now for events they cannot predict. To cope with and mitigate the negative impacts of cyberspace activity, organizations must extend risk management to include cyber-resilience.
As everything from supply chain management to customer engagement shifts to the cloud, operating in cyberspace now has bottom-line implications if systems are disrupted. Fortifying governments and enterprises to build up resilience is imperative. Cyber-resilience requires a balanced approach that protects both organizations and individuals while also enabling open, safe commerce and communications.
Unfortunately, the risks that accompany doing business in cyberspace don’t always allow for that balance. To achieve cyber-resilience, risk management should encompass the confidentiality, integrity and availability of information. At the same time, resilient organizations must recognize that the unintended business consequences of activity in cyberspace, such as commercial, reputational and financial risks, are real and growing.
Cyber-Security: All Hands on Deck
Cyber-threats are no longer solely the domain of the information security function. All units within the organization are affected, as are external customers, suppliers, investors and other stakeholders. Senior business leaders, preferably the chief executive or chief operating officer, should lead the charge with a coordinated and collaborative approach that allows the organization to prepare for unpredictable events.
Organizations must be agile in order to prevent, detect and respond effectively, not just to incidents, but to the consequences of cyber-attacks. An incident response team drawing on departments from across the organization should be created to develop and test pre- and post-incident plans. This team should be equipped and trained to respond quickly to an incident by communicating with all parts of the organization, as well as with potentially compromised individuals, shareholders and regulators.
Dealing With Complex Threats
The array and complexity of cyber-security threats will continue to rise significantly in the next decade, and for businesses the time to prepare is now; otherwise the consequences will be felt later. As I mentioned earlier, managing risk from cyberspace must extend beyond information security to include risk to reputation, employee devices and third-party suppliers.
As they prepare to deal with these increasingly complex threats, businesses must consider three main drivers:
Internal Threats. As technologies bring new benefits to the enterprise, they also increase the potential for risk, particularly when businesses do not fully assess the security implications prior to purchase or implementation. Add rogue insiders to this mix and you have a lot more risk under your roof. Periodic reviews of the business impacts and risks stemming from the supply chain should be conducted. Employee policies and procedures for BYOD programs, as well as for passwords and logins, should be stepped up. Your security team should be involved at the outset to review the security of any new supplier.
External Threats. Cyber-crime, state-sponsored espionage, hacktivism and persistent attacks on real-world critical infrastructure systems: the list is growing faster than your IT resources can keep up with. Enterprises would do well to follow governments in adopting unified situational awareness, with controls in place to monitor, detect and remediate problem areas in real time. Collaboration and sharing of attack information with trusted law-enforcement agencies, as well as with business partners, will help to reduce the risk from external threats.
Regulatory Threats. Compliance requirements, regulatory mandates, data privacy, the push toward greater private- and public-sector collaboration, and disclosure about security preparedness are all better managed with information security governance and better reporting. Incident response procedures should be in place and tested. In addition, improve your security assurance requirements for business partners.
Instituting a Cyber-Resilience Program
Organizations function in a progressively cyber-enabled world today and traditional risk management isn’t nimble enough to deal with the risks from cyberspace. Enterprise risk management needs to be extended to create cyber-resilience, built on a foundation of preparedness. From cyber-threats to insider threats, organizations have varying degrees of control over evolving security risks.
A comprehensive cyber-security program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to be informed of current threats and enable a timely response and recovery. Using a resilience-based approach to apply cyber-security standards and practices allows for more comprehensive and cost-effective management of cyber-risks than merely compliance activities alone.
Cyber-resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack. By adopting a realistic, broad-based and collaborative approach to cyber-security and cyber-resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, nonprofit association. His main areas of focus include the emerging security threat landscape, cyber security, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments. He was formerly a senior vice president at Gartner, where he was the global head of Gartner’s consultancy business.