Showing posts with label BOD and CEO. Show all posts

Thursday, April 17, 2014

Two Views of Today's Cyber Risks

This week I've had the chance to view two reports that gave me -- and I expect others -- a powerful view of the cyber challenges we face.  One report was a global view of our reliance on the Web and the "...increasing danger of global shocks initiated and amplified by the interconnected nature of the internet."

The second article was a survey done by Control Engineering magazine on global views of cyber security in the industrial controls domain.  The survey revealed that almost 50% of the respondents perceive the control system threat in their organizations to be at a moderate level, but 25% cite a "high" or "severe" threat level in their systems.

So, rather than provide detailed reviews of each document, let me point you to the appropriate links with some summary notes added:

Risk Nexus - Beyond Data Breaches: Global Interconnections of Cyber Risk -- Zurich and Atlantic Council

(LINK) 
This well-written report (30 pages) consistently raises the bar of the global risk relative to our reliance on the Internet and ecommerce, in a manner similar to the annual World Economic Forum Risk Reports.  Perhaps we are so closely connected to the Internet that we put ourselves in harm's way relative to our economic -- and maybe even our mental -- well-being.

One quote that I find especially telling is:

"The internet of tomorrow will both initiate and amplify global shocks in ways for which risk managers, corporate executives, board directors, and government officials may not be adequately prepared."

Finally, take a look at Page 8 of the report...they include 7 aggregations of cyber risk that certainly made me think:

  1. Internal IT enterprise (hardware, software, servers, and related people and processes)
  2. Counterparties and partners (relationship between competing/cooperating entities, etc.)
  3. Outsourced and contract (IT and cloud providers, contract manufacturing)
  4. Supply chain (Exposure to a single country, counterfeit or tampered products, risks of disrupted supply chain)
  5. Disruptive technologies (internet of things, smart grid, embedded medical devices, driverless cars...)
  6. Upstream infrastructure (submarine cables, internet governance and operation)
  7. External shocks (major international conflicts, malware pandemics)

At a minimum I'd suggest you pass this report to your Board of Directors and Executive Management so they get a sense of another view of risks that need to be addressed and mitigated.


Control Engineering Cyber Security Study - April 2014 (Registration Required)

(LINK)
Compliments to the Director of Research for Control Engineering, Ms. Amanda McLeman and her colleague Mark Hoske for this summary report.  The report is based on a survey of about 190 respondents from February 7 to March 2, 2014.  So the data is fairly contemporary.

This summary report is a collection of graphs showing the demographics of the respondents as well as the summary results of the questions.

A good summary graph of the Threats considered by the respondents is below:


If you cannot adequately read the graphic above, the top three system components the respondents are most concerned about are:

  1. Computer assets that are running commercial operating systems
  2. Connections to other internal systems
  3. Network devices

Finally, a summary of key "bullets" from the report includes:
  • 24% of respondents said they had NEVER performed a systems security vulnerability test
  • 25% of those surveyed indicated their computer emergency response team appears well trained and capable
  • 41% agreed having industry-required standards without government involvement would improve or enable their efforts to implement proper control system cybersecurity.  (So, maybe the NIST Cyber Security Framework has some hope?)

Thanks for taking the time to read my comments and have a good week!

###

Saturday, October 26, 2013

Cyber Issues for Board and Chief Legal Officers

As my friends will tell you I am a voracious reader -- especially when it comes to cyber and physical security, supply chain security, critical infrastructure protection and industrial controls systems (ICS) security.  This past week I was catching up on my "to be read" pile and found a fantastic article I'd like to post.

Please take a moment to check out this web page -- Government Technology and Services Coalition -- otherwise known as GTSC.  From their website: "The Government Technology & Services Coalition (GTSC) is a nonprofit 501 (c)(6), non-partisan association of innovative, agile small and midsized company CEOs that create, develop, and implement solutions for the Federal homeland and national security sector."

On the GTSC Blog there was a really well done article by Divonne Smoyer, Brian E. Finch, and Emanuel Faust, partners at Dickstein Shapiro LLP.  The blog is entitled "Ten Cyber Issues Board and Chief Legal Officers Need to Know (and Worry) About."

Of course when I saw the word "cyber" and the focus on Boards of Directors and Chief Counsels I immediately wanted to read it...and it was worth the time.

OK, what are the 10 issues they want Board members to recognize?  Here they are in brief:

  1. The stakes to share value and the bottom line are high.
  2. The hackers are two steps ahead of you already.
  3. Cyber and data loss threats pose merger risks.
  4. Lost or stolen intellectual property or customer or employee information can turn a deal from sweet to sour.
  5. There is a maze of state and Federal data protection and data loss notification requirements to navigate.
  6. The failure to be fully informed of and proactive against cybersecurity and data loss risks could lead to litigation.
  7. If the breach doesn't get you, the litigation will.
  8. There are Federal programs available to help mitigate corporate liability through the SAFETY* act.
  9. Insurance coverage is available through traditional or tailored policies.
  10. Outside counsel comes with the benefit of attorney-client privilege.

Many thanks to Mr. Finch, et al, for their insights.  It was quite interesting and validated my own opinion -- and I believe my friend Andy Bochman's opinion -- that the Directors and Chief Counsels need to be attuned to cyber security issues since these issues can -- and will -- affect their business.

Cheers!

* SAFETY Act: the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (known as the SAFETY Act). This law provides tort liability protections for products and services that can be used to detect, defend against, or respond to cyber attacks. It is essential that boards and their legal advisors be aware of these programs and assess their applicability to cybersecurity products and services they either procure or deploy on their own.

Sunday, October 6, 2013

From the UK: Executive Companion - 10 Steps to Cybersecurity

"Value, Revenue and Credibility are at stake.  Don't let cyber security become the agenda -- put it on the agenda."
There are so many guides, guidelines, and documents available to help the security professional get a sense of what needs to be done and why.  The US National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) certainly produce some excellent documents.  I've also cited our friends over in Europe at ENISA -- the European Network and Information Security Agency -- and some of their guidelines as excellent resources.

This past week I came across a document from the UK GCHQ called Executive Companion -- 10 Steps to Cyber Security.  It is a 20-page guide intended to get the attention of CEOs, CFOs, and Board Members and to give them a summary sense of the cyber security challenges organizations face every day.  As I've quoted from Mr. Lobban's introduction above, the best advice to today's Boards of Directors and CEOs -- in addition to CIOs and CISOs -- is to get cyber security awareness on the agenda at all levels of the company, including employees, vendors, consultants, shareholders, stakeholders, and other "holders."

Of course with a title like "10 Steps..." you are probably interested in the digest of the 10 actions to be taken.  Page 7 of the Executive Companion includes the graphic below that gives you a sense of the business steps the organization's leadership should take to "...review...invest where necessary...and to improve security..."


Overall, I like the graphic designed by GCHQ, but I do want to add one more consideration for all companies and organizations.  Basically, you need to assume you will have a data breach and you will have an attacker inside your network -- don't assume otherwise.  As such, heed the above 10 items with the expectation that you will need to defend your data, your intellectual property, etc. sometime in the near future.

(To read more about the "Assumption of Breach" concept please see my article in Asian Power at this link.)

Take a moment to review the Guide and I'm sure you will find it useful to pass along to the CEO and Board.

Cheers!