Cyber security for senior executives

7 April 2016.

This article was originally published in Govlink Issue, Issue 1, 2016

Technology has revolutionised how many of us live and work. The internet, with its three billion users, is powering economic growth, increasing collaboration and innovation, and at the same time creating jobs. Reliance on technology is rapidly increasing as Australian businesses and governments adopt more digital services to provide simpler and faster services. Now, users expect high quality services that also assure security of their information.  

Cyber security is becoming a key topic for many organisations, governments and executives. The threat landscape has evolved significantly over the past 20 years due to the increased use of technology as well as the shift from physical to virtual computing. A recent study found that 80 per cent of the total value of Fortune 500 companies consists of intellectual property (IP) and other intangible assets[1].

Organisational risks associated with cyber security challenges have evolved from the traditional threat of 'old school' hackers taking systems down to a more modern view with a far bigger impact. Many organisations have conducted a threat assessment and have an educated focus on how the loss of Intellectual Property (IP) and Personally Identifiable Information (PII) can affect their business: through the destruction or alteration of corporate data; loss of public confidence; harm to reputation and branding; and disruption to critical infrastructure. Organisations are also now thinking about how new legal and regulatory sanctions could affect them both legally and financially.

Each of these risks can adversely affect competitive positioning and shareholder value as well as public confidence and trust in the market. Protecting key information assets is critically important to the sustainability and competitiveness of businesses and governments today. Organisations and agencies need to be at the forefront of cyber preparedness and resilience.

Cyber security is all too often thought of as an IT issue, rather than a strategic or operational risk-management issue. Some organisations and departments feel that because they are relatively small or don't hold substantial amounts of sensitive consumer data, such as credit card numbers, PII or medical information, that they are unlikely to be the victims of a cyber attack. In fact, cyber criminals target organisations of all sizes and across a range of industry verticals (e.g. health, education, defence, manufacturing, services and finance) seeking anything that might be valuable, that can be monetised or to simply gain access to another organisation along the supply chain.

For example: the recent breach of computer systems at an Australian government agency. 

In December 2015, the ABC reported[2] that an Australian government agency had suffered a 'massive' breach of their computer systems. Little is known about what systems were compromised, nor what was actually done by the attackers. This particular agency, like any government agency, is assumed to have a network of desktop computers and servers that are used for their day-to-day business. These systems may be connected to other departments and organisations such as airports and defence agencies that rely on up-to-date information from this agency to provide relevant services to other agencies.

If the hackers were state-sponsored, then the target of the hack could have been wide ranging and could have focused on information assets related to Australian defence and security services capabilities.

This is a typical example of how cyber criminals look for alternative ways to reach their intended victims. Security responders have seen this many times before, and it substantiates the statement that any organisation, agency or department can be a target.

Historically, many organisations and agencies have categorised information security as a technical issue to be managed by the IT department. This misunderstanding is fed by siloed organisational structures, leading to the view that responsibility for data resides within IT rather than with the business as a whole. As a consequence, the typically resource-strapped IT department is left to address the security challenges from both a people and a funding perspective.

Furthermore, deferring responsibility to IT inhibits critical analysis and communication about cyber security issues and hampers the implementation of effective security strategies. Cyber risks should be evaluated in the same way an organisation assesses all other risks such as physical security of its users and physical assets and the risks associated with their potential compromise. In other words, cyber security is an enterprise-wide risk-management issue that needs to be addressed from a strategic, cross-departmental and economic perspective.

Business and government agencies benefit from managing risks across their organisations, drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk-management approach to cyber security, including:

  • Strategic benefits: organisational decision-making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation
  • Maintaining community and customer loyalty and trust
  • Financial benefits: providing financial benefit to the organisation through the reduction of losses and improved 'value for money' potential
  • Operational benefits: organisations are prepared for most eventualities, being assured of adequate contingency plans.

The impact of cyber security incidents can be far-reaching. Recent high profile incidents show that cyber attacks can strike an organisation's financial performance and also inflict unquantifiable reputational damage[3]. The reputational damage to public services will often result in the loss of trust in organisations and their capabilities to offer secure services to their users. 

No-one is immune. Large and small companies, governments and individuals are all at risk.

As a result, boards, councillors and management are being called upon to address cyber risk alongside the other risks that face businesses. This means Australian businesses and government agencies should start to take steps to increase their awareness and understanding of cyber security, with a view to its potential impact on overall business performance.

So what should CEOs, senior executives, councillors, board members and directors do?

A primary responsibility of every council or board of directors is to secure the future of the organisation. The very survival of the organisation depends on the ability of the board or councillors and management not only to cope with future events, but to anticipate the impact those events will have on both the council or company and the industry as a whole.

Forty-one per cent of respondents to a recent survey of Australian security professionals believed that the CEO should hold ultimate responsibility for breaches, with only six per cent believing it should be the responsibility of the Chief Security Officer (CSO)[4].

Therefore, cyber security is one such topic for which businesses and agencies must demand information and insight. The overwhelming number of cyber crime incidents has forced organisations and agencies to become more educated about the topic and ask strategic and thoughtful questions directed toward management and internal auditors.

Some of the highest profile data breaches to date have had little to do with traditional hacking. For example, spear phishing, a common e-mail attack strategy that targets specific individuals, is a leading cause of system penetration. Product launches or production strategies that use long, international supply chains can magnify cyber risk. Similarly, mergers and acquisitions (M&A) requiring the integration of complicated systems, often on accelerated timelines and without sufficient due diligence, can increase cyber risk. Another obstacle organisations face in creating a secure business environment is the interconnection with partners, suppliers and affiliates to deliver services or products to customers. This can be seen in many of the recent breaches highlighted in the media, where too often, the breach did not actually start within the target company's IT systems, but through vulnerabilities in one of their vendors or suppliers.

Organisations and departments are often interconnected with elements of the national critical infrastructure, raising the prospect of corporate insecurity becoming a matter of public security or even affecting national security. As a result, boards should ensure that management is assessing cyber security not only as it relates to the organisation's own networks but also with regard to the larger ecosystem in which the organisation operates. Progressive boards and councils will engage management in a discussion of the varying levels of risk that exist in the organisation's ecosphere and take them into consideration as they calculate the appropriate cyber risk posture and tolerance for their own organisation or department.

Organisations should also understand what 'crown jewels' the organisation should protect and ensure that management has a protection strategy that builds from those high-value targets outward. The board should guide management to consider not only the high-probability attacks and defences, but also low-probability, high-impact attacks that would be catastrophic.

Cyber risk oversight responsibility at the board level

Organising the board to manage the oversight of cyber risk and more broadly, enterprise-level risk oversight is a matter of considerable debate. We see a large percentage of boards continue to assign the majority of tasks related to risk oversight to audit committees. We strongly believe that risk oversight should be allocated to the full board and not the audit committee.

Therefore, chairs of boards, councils, board executives and directors need to understand and approach cyber security as an enterprise-wide operational risk-management issue, not just an IT issue.

Identifying the company's 'crown jewels'

Executives should engage management in a discussion of the following questions on a regular basis:

  • What are the organisation's most critical data assets (what are our 'crown jewels')?
  • Where do they reside (one or multiple systems, internally or externally)?
  • How are they accessed and by whom?
  • How are they protected (what controls are in place and how often are those controls assessed)?
  • What dependencies are there on suppliers or vendors (third parties)?
  • What is the organisational plan if the data assets are compromised (destroyed or stolen)?

IT departments will implement security controls based on their best knowledge of the systems they manage on behalf of the business or agency. These departments are often too far removed from the business or agency to have a comprehensive understanding of what are the most critical data assets. Many IT departments apply their limited resources to keeping the lights on, rather than focusing on cyber security. 

It is therefore imperative not to relegate the cyber security topic to the IT department. Councillors and directors need to take an active role in the organisation's cyber security, or face the possibility of potential lawsuits and even the possibility of being removed from their position.

Only by working collaboratively with the IT department will executives and risk managers gain an understanding of:

  • the data assets within the organisation
  • the security controls required to adequately protect each data asset
  • the resources (people and funding) required to implement, manage and monitor those security controls.

Cyber mastery in the boardroom

Despite the significant escalation of risks posed by the use of technology, many boards have found it challenging to develop a comprehensive response. Generally, IT expertise is lacking at the board level. Recent studies revealed that more than three quarters of public company respondents admitted that they personally could use more IT knowledge, and almost 90 per cent felt their board's IT knowledge could be improved[5]. Notably however, a demand for IT experience generally has not surfaced in director recruitment. Apart from the IT industry, which has an above-average need for directors with IT expertise, this area of expertise was viewed as 'most important' for just 7.8 per cent of directors by companies recruiting in 2013. 

How much knowledge is enough? 

Lack of boardroom expertise makes it challenging for directors and councillors to effectively oversee management's cyber security activities. Without sound knowledge of, or adequate sensitivity to the topic, our most senior leaders cannot easily draw the line between oversight and management. The board or council may overly rely on C-suite experts, such as the chief information officer (CIO), chief technology officer (CTO), or chief security officer (CSO), who can lead the dialogue into technical areas beyond the realm of oversight. Once 'in the weeds', directors and councillors can find it difficult to assess the appropriate level of involvement in risk management.

A lack of technical comprehension, or even inadequate planning by management for board meetings to discuss cyber security, can easily result in poor communication and information sharing from the C-suite. Are directors and councillors adequately equipped to understand the information they receive from management? Are they confident that their boards possess a director with the necessary expertise to provide effective oversight in regard to cyber security? Generally, directors are significantly less likely to challenge what is presented at board meetings when they lack knowledge of the topic. In the face of this real and urgent threat to oversight, should directors and councillors be experts? AISA's view is that directors and councillors should have the basic cyber security knowledge to ask management the suitable questions when it comes to determining the organisation's risk exposure. In many boardrooms the rapid rise of cyber security has often left directors struggling to find the balance between the necessary comprehension and expertise.

The 'People' component

Leading practices and policies surrounding cyber security are rendered ineffective if employees are not trained in their use. Cyber security at its core is a human issue. Too often the biggest problems are caused by an employee unintentionally clicking on a link, opening an infected attachment or leaving highly confidential information in a public area. In effect, 'people are the constant weakness'. Their actions are frequently the result of careless behaviour rather than malicious intent.

In my discussions with directors of various organisations, they repeatedly emphasised the need for ongoing training and consistent implementation of appropriate procedures in order to embed cyber security awareness into the organisation's culture at all levels. Data privacy and cyber security should be part of the organisation's brand. Having cyber-aware staff is an important line of defence and could be more effective than a technology security perimeter. Although many technologies will prevent a large number of threats from reaching individual employees, there is always a risk that an unidentified threat could reach employees, and there is no technology that can prevent users from opening these unidentified links or files. As a consequence, adversaries use flaws in human behaviour to easily trick the average user time and time again.

Once clear standards and practices are established, companies must focus on employee education and awareness. A strong communications program that heightens the overall awareness of cyber risk greatly complements strong technical security controls (e.g. firewalls, antivirus, antispyware, and web-filtering technology). To reduce the negative impact of cyber threats on the business, all employees should understand how the organisation's commitment to security translates into specific policies and required procedures, avoid risky behaviour and respond quickly once an incident has been detected.

Employees across the organisation should have at least some foundational training that covers the purpose and importance of cyber security. In addition employees should also have an understanding or appreciation of how they can be tricked by unauthorised users or cyber criminals. This will help them to understand the benefits of implementing cyber security controls that are not technical in nature.

Cyber resilience

Once organisations and agencies accept that cyber attacks will be made against them and that some will be successful, they can move to the next step: becoming more cyber resilient. As stated by APRA: "Cyber resilience is the ability to prepare for, respond to and recover from a cyber attack. Resilience is more than just preventing or responding to an attack, it also takes into account the ability to operate during, and to adapt and recover, from such an event"[6].

Although this is targeted at APRA's regulated population, to support investor and financial consumer trust and confidence, AISA feels that similar basic cyber hygiene should be applied by all organisations and agencies and the right place to start is in the boardroom.

In conclusion

Managing cyber security risk requires informed decision making throughout the organisation or agency, based on reliable insights and intelligence. The tone of cyber security has to be set by the Board and Executive Management. Unfortunately, in the majority of cases, the speed of change in technology means that cyber security risks are the risks least understood by the Board and Executive Management.

Cyber security will continue to pose a serious risk that executives (chairs of boards, board directors and councillors alike) need to actively measure and continuously monitor as part of the organisation's overall strategy.

The questions outlined in this article should be used to initiate discussions with management, as the onus is on executives to take their strategic role seriously in providing oversight, implementing a robust cyber security resilience plan and ensuring that plan becomes a necessary line of defence in cyber security governance.

Arno Brok
AISA CEO


[1] Ocean Tomo, "Intangible Asset Market Value," April 2011, http://www.oceantomo.com//2011/04/04/intangible_asset_market_value-2010/.
[2] http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278
[3] http://www.itnews.com.au/gallery/the-biggest-australian-data-breaches-of-2015-412682/page6
[4] http://www.cso.com.au/article/581221/australian-csos-blame-ceos-users-security-shortfalls-survey/
[5] According to data from 2013-2014 NACD Public Company Governance Survey. See National Association of Corporate Directors (NACD), 2013-2014 NACD Public Company Governance Survey (Washington DC: NACD, 2013)
[6] http://asic.gov.au/regulatory-resources/find-a-document/reports/rep-429-cyber-resilience-health-check/