
Time to Focus on Cyber Resilience

From a cyber security standpoint, the move back to a work setting for employees should not be the challenge that moving to “work from home” may have been for many organizations. Network security in the workspace is already in place, and employees are quite familiar and at ease working in the work environment.

By now, businesses should have already addressed issues of remote access, the use of multifactor authentication and virtual private networks (VPNs). But in the wake of COVID-19, as businesses return to the workplace, organizations should take some lessons from the COVID-19 pandemic. We recommend they use this information to shore up potential weak spots in their cyber security program’s incident response plan.

The greatest lesson to take away from the pandemic has to do with preparedness. What has been witnessed over the last three months is crisis response, on a global level, taken to its extreme. Every business and local, county and state government, and even individuals were forced into some form of crisis management. Some were able to respond better than others.

“Something like this will never happen”

One of the reasons that many were not prepared for the pandemic and did not respond well was because they believed that “something like this will never happen.” It’s a phrase that is heard often by those in the cyber security industry. Organizations often rationalize they are able to live with less than optimal cyber security because they feel they are too small to attract hackers, or they don’t have anything that anyone would want to steal. We know now that “something like this” can happen, and the results can be catastrophic.

Additionally, an organization does not have to possess something that a hacker wants to steal to be a desirable target. All it has to possess is an opening: some vulnerability that gives an attacker entry and the opportunity to interrupt business, and perhaps even to demand a ransom.


Lessons from the COVID-19 pandemic

As businesses begin to return to workplace operations, now is a great time for them to reevaluate their approach to cyber security as a whole, and cyber resilience in particular, while drawing some comparisons to what the world has experienced in the pandemic.

1. Identify assets

Using the National Institute of Standards and Technology (NIST) Cyber Security Framework as a guide, consider the first risk category of IDENTIFY. The first objective of cyber security is for an organization to understand its assets. A business must ask itself, “What do we have that needs to be protected? What are our high-value/high-criticality assets? What are the risks and vulnerabilities associated with those assets? Where are those assets located? Are they on the cloud? On the premises? Do we have all of our assets accounted for in an inventory? Do we verify that inventory regularly?”

When the pandemic hit, many entities found themselves without a full understanding of the assets they possessed and what they still needed. These assets included hospital beds, ventilators, usable test kits and procedures, and personal protective equipment. In many cases, the result was a scramble over a long period to acquire the necessary assets.

2. Protect assets

Following the NIST framework, once assets have been identified, and risks assessed and ranked for criticality, what protective controls are in place to protect those assets? In the towns, cities and states that we live in, there are healthcare systems, networks of healthcare providers, nursing homes, pharmacies and other components all geared to providing protection to our countries’ most valuable assets: people.

What about in the business community? Are businesses providing their most critical assets, such as data, hardware, software and even business processes, with the protections aligned with their importance? Do these businesses segment their critical assets or encrypt critical data? Do they educate their employees about cyber security and the roles they play in maintaining it? Do they provide their employees with the proper amount of access to IT assets?

3. Detect the problem

The third risk category in the NIST framework is DETECT. How can businesses know when something bad might be happening? How do businesses monitor for indicators of compromise within their networks? In the pandemic, the World Health Organization has been acting as a parallel to a managed security services provider (MSSP) or a security operations center (SOC) for the network of countries around the world. The job is to detect the initial outbreak and alert the rest of the world to the danger.

4. Respond to the crisis

Each business needs to assess its ability to detect potentially malicious activity in corporate networks. Is each organization engaging a third-party MSSP? Is it performing up to expectations? If a business is doing its own monitoring, is that monitoring complete and effective? Is the business monitoring the most valuable or risky assets closely enough? Is it processing all the right information? Does the business even know what malicious behavior looks like or how to find it?

5. Find a path to recovery

With these steps developed, businesses can finally consider what response and recovery will look like. NIST suggests considering how to handle response and recovery in our networks compared with how the various government agencies have handled theirs.


First, businesses should have a documented incident response plan for their networks and should make sure it has been reviewed recently for adequacy. The incident response plan needs to clearly define roles and responsibilities for all participants. It needs to include procedures for identification, containment, eradication, recovery and lessons learned. The plan should also state how the business will communicate information about the incident to internal and external audiences. In developing the incident response plan, it is key for businesses to line up and perhaps even contract with third parties for technical response services that they don’t have in-house.

Businesses also should make sure their incident response plan is designed to consider a “black swan” event, which is an unexpected, catastrophic event that forces a complete shutdown of a company’s network and its services. As rare as black swan events may be, they do occur. Many remember the first outbreak of ransomware just a few years ago and how it caused the complete shutdown of some global networks. Even some companies with what might be considered very good cyber security were severely hurt. Why? Because they did not contemplate such an event and therefore did not build their response plan for effectiveness against a black swan event. The development of an incident response plan is not complete until it contemplates and prepares for such a rare and devastating event.

Finally, with respect to response and recovery, testing plans is incredibly important. Plans that are in place but have not been tested for several years are likely to be missing details that will limit their usefulness when it really counts – in a cyber event. Businesses that test their plans regularly – minimally once per year – and update the plan based on lessons learned from both tests and actual events will probably find actual cyber events much less painful than businesses that do not plan and test regularly.

The COVID-19 pandemic of 2020 is real – it’s not a test – and the lessons learned from the event are substantial and painful. The phrase “Never let a good crisis go to waste” has been repeated in a cynical manner many times, but it does have value in the context of current events. City, state and federal governments will certainly be revisiting their pandemic crisis management policies and procedures in the near term. It’s also a good time to revisit cyber risk management and incident response procedures.

Visit Zurich’s COVID-19 Resource Hub for more information.

3 Steps to Improve Cyber Security

In the recent science fiction film Inception, protagonist Dominic Cobb infiltrated his victim’s dreams to gain access to business secrets and confidential data. He would then use this knowledge to influence things in his (or his client’s) favor. Cobb’s success depended on his ability to manipulate victims through greater understanding of their human vulnerabilities. Just like Cobb, cyber crime perpetrators begin by identifying their targets’ vulnerabilities and gathering intelligence required to breach their systems. Armed with this intelligence, they navigate their targets’ complex systems, establish covert presence and often remain undetected for a long time.

It is clear that the growth in cyber crime has continued, if not accelerated, in the financial services industry. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries. This number is 44% higher than in 2012, when the industry was ranked third, after the defense and utilities and energy industries. While this trend is not to be ignored, these actual losses are sometimes not meaningful to firms’ income statements. The potentially greater impact from cyber crime is on customer and investor confidence, reputational risk and regulatory impact that together add up to substantial risks for financial services companies. A recent global survey of corporate C-level executives and board members revealed that cyber risk is now the world’s third corporate-risk priority overall in 2013. Interestingly, the same survey from 2011 ranked cybersecurity as only the 12th-highest priority.

In Inception, although Cobb succeeded in conning most of his victims, he faced stiff resistance from Mr. Fischer, whose strong automated self-defense mechanisms jeopardized the attackers’ plans several times. However, every time Cobb’s team faced an obstacle, they persevered, improvised and launched a new attack. Real-life cyber attacks are, of course, far more complex in many ways than the challenges and responses between Cobb and Fischer. That said, the film does provide an interesting analogy that in many ways illustrates the problems that financial services companies face when dealing with cyber crime.

The interplay between attacker and victim is, indeed, a cat-and-mouse game in which each side perpetually learns and adapts, leveraging creativity and knowledge of the other’s motives to develop new offensive tactics and defensive postures. The relatively static compliance or policy-centric approaches to security found in many financial services companies may be long outdated. The question is whether today’s industry can create a dynamic, intelligence-driven approach to cyber risk management not only to prevent, but also detect, respond to and recover from the potential damage that results from these attacks. As such, transformation into a secure, vigilant and resilient cyber model will have to be considered to effectively manage risks and drive innovation in the cyber world.

The evolving cyber threat landscape

Although cyber attackers are aggressive and likely to relentlessly pursue their objectives, financial services companies are not passive victims. The business and technology innovations that financial services companies are adopting in their quest for growth, innovation and cost optimization are, in turn, presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem. For example, the continued adoption of Web, mobile, cloud and social media technologies has likely increased opportunities for attackers. Similarly, the waves of outsourcing, offshoring and third-party contracting driven by a cost-reduction objective may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which financial services companies operate, and thus a much broader “attack surface” for the threat actors to exploit.

Cyber risk is no longer limited to financial crime

Complicating the issue further is that cyber threats are fundamentally asymmetrical risks, in the sense that oftentimes small groups of highly skilled individuals with a wide variety of motivations and goals have the potential to exact disproportionately large amounts of damage. Yesterday’s cyber risk management focus on financial crime was — and still is — essential. However, in discussions with our clients, we hear that they are now targets not only of financial criminals and skilled hackers but increasingly of larger, well-organized threat actors, such as hacktivist groups driven by political or social agendas, and nation-states seeking to create systemic havoc in the markets. An illustrative cyber threat landscape for the banking sector suggests the need for financial services firms to consider a wide range of actors and motives when designing a cyber risk strategy. This requires a fundamentally new approach to the cyber risk appetite and the corresponding risk-control environment.

The speed of attack is increasing while response times are lagging

Threat actors are increasingly deploying a wider array of attack methods to keep one step ahead of financial services firms. For example, criminal gangs and nation-states are combining infiltration techniques in their campaigns, increasingly leveraging malicious insiders. As reported in a Deloitte Touche Tohmatsu Limited (DTTL) survey of global financial services executives, many financial services companies are struggling to achieve a level of cyber risk maturity required to counter the evolving threats. Although 75% of global financial services firms believed that their information security program maturity is at level three or higher, only 40% of the respondents were very confident that their organization’s information assets were protected from an external attack. And that is for the larger, relatively more sophisticated financial services companies. For mid-tier and small firms, the situation may be much worse, both because resources are typically scarcer and because attackers may see them as easier targets. In a similar vein, the Snowden incident has perhaps increased attention on insider threats, as well.

Multipronged approach can supplement traditional technologies that may now be inadequate

Given that 88% of attacks are successful in less than a day, it might be tempting to think that the solution may be found in increased investment in tools and technologies to prevent these attacks from being successful. However, the lack of threat awareness and response suggests that more preventative technologies are, alone, likely to be inadequate. Rather, financial services companies can consider adopting a multipronged approach that incorporates a more comprehensive program of cyber defense and response measures to deal with the wider array of cyber threats.

Financial services firms have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape. Put simply, financial services companies should consider building cyber risk management programs to achieve three essential capabilities: the ability to be secure, vigilant and resilient.

— Enhancing security through a “defense-in-depth” strategy

A good understanding of known threats and controls, industry standards and regulations can guide financial services firms to secure their systems through the design and implementation of preventative, risk-intelligent controls. Based on leading practices, financial services firms can build a “defense-in-depth” approach to address known and emerging threats. This involves a number of mutually reinforcing security layers both to provide redundancy and potentially slow down the progression of attacks in progress, if not prevent them.

— Enhancing vigilance through effective early detection and signaling systems

Early detection, through the enhancement of programs to detect both emerging threats and the attacker’s moves, can be an essential step toward containing and mitigating losses. Incident detection that incorporates sophisticated, adaptive signaling and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis. Financial services companies’ monitoring systems should work 24/7, with adequate support for efficient incident handling and remediation processes.

— Enhancing resilience through simulated testing and crisis management processes

Resilience may be more critical as destructive attack capabilities gain steam. Financial services firms have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way. Financial services companies should consider their overall cyber resilience capabilities across several dimensions. First, systems and processes can be designed and tested to withstand stresses for extended periods. This can include assessing critical online applications for their level of dependency on the cyber ecosystem to determine vulnerabilities. Second, financial services firms can develop good playbooks to triage attacks and rapidly restore operations with minimal service disruption. Finally, robust crisis management processes can be built with participation from various functions including business, IT, communications, public affairs and other areas within the organization.

For the full report on which this article is based, click here.

Kevin Bingham is sharing this excerpt on behalf of the report’s authors, his colleagues Vikram Bhat and Lincy Francis Therattil. They can be reached through him.