Cybersecurity: An Increasingly Emergent Thought
In light of recent events, cybersecurity and the vulnerability of enterprises are now at the forefront of the minds of leaders in many organizations.
In recent history, the threat of cyberattacks has spread across industries, victimizing companies such as JP Morgan, Sony, Target, Saudi Aramco, and Statoil, to name a few. The severity of the attacks is also increasing: in 2016 the total cost of a breach was $4 million, up 29% from 2013. With the increasing probability of an attack, coupled with the rising costs of recovery, organizations are strategically investing more and more resources in cybersecurity.
The Cyberattack Epidemic
“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true - even inevitable - then cyber-crime, by definition, is the greatest threat to every profession, every industry, and every company in the world.”
– Ginni Rometty, IBM Corporation Chairman, President, and CEO
Attacks across Industries
Over the past few years, the landscape of cyberattacks has shifted greatly; however, it is clear that no industry is safe from the threat of a cyberattack. As seen in Figure 1, between 2014 and 2015, the most targeted industry in the US shifted from Financial Services to Healthcare. As seen in Figure 2, the diversity of industries attacked over the past 3 years continues to increase.
Increasing Source of Threats
As the landscape of cyberattacks continues to expand and diversify across industries, so does the variety of sources of attacks.
Threats that originate outside an organization, whether or not the actor has a direct affiliation with the business, are called outsider threats. Such threats include:
- Cybercriminals: May target financial and personnel information
- Nation state-sponsored attackers: May target trade secrets, business information, critical infrastructure, employee/customer personal information
- Competition-sponsored attackers: May target trade secrets and business plans/strategies
- Hacktivists: May target corporate secrets and information about a business.
Outsider threats may have a variety of motives including economic gain, corporate or nation state-sponsored espionage, political or military advantage, and/or political or social change.
Insider threats originate internally within a business and can include unintentional or malicious threats. Such threats include:
- Business Partners
- Compromised Internal Accounts.
Insider threats may also have a variety of motives including financial gain, personal advantage, professional revenge, and outsider influence. Insider threats may target different items including intellectual property and trade secrets, business plans and corporate secrets, products and R&D information, source code, personnel information, and financial information. In 2015, 59% of insider incidents were motivated by finance or espionage.
Trends of Increasing Threats
While most organizations give serious consideration to mitigating outside, malicious threats, we believe that insider risks, whether malicious or inadvertent, are becoming a prominent source of risk. In addition, malicious insider attacks are becoming much more costly to resolve than outsider attacks.
Complexity of Consequences & Recoveries Leading to more Investment and Emerging Standards
Climbing Cost of a Breach
Per IBM’s 2016 Cost of Data Breach Study, the total cost of a security breach is $4 million, up 29% since 2013. The average cost per record breached is $158, with costs ranging by industry:
- Healthcare - $355 per record breached
- Retail - $172 per record breached
- Transportation - $129 per record breached
The climb in these costs is attributed to the fact that 48% of breaches are malicious attacks, which cost more to remediate. In addition, in today’s market, costs due to lost business are higher and churn rates have increased by 2.9%, while the cost of detecting a cyberattack continues to grow.
Growing Complexity of Consequences
In addition to financial costs, there can also be severe consequences in:
- Company Reputation
- Market Fraud
- Personal Safety and Security
- Manufacturing Process Safety
These consequences can occur because cyber threats are not only applicable to software, but also to hardware and to the people operating the software or hardware. Take for instance an attack on planes, cars, or a manufacturing facility; the possible implications of these attacks can be much more serious and result in human fatalities. Because of these implications, a number of standards are emerging throughout industries.
In 2013, President Obama announced an Executive Order on “Improving Critical Infrastructure Cybersecurity”. From this Executive Order, the National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework, which provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. In addition to this standard, industry-specific standards have emerged to address the specific needs of an industry, such as:
- International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) - released a family of standards around information security management systems (ISMS).
- North American Electric Reliability Corporation (NERC) - developed compliance standards for the electrical power industry such as Cyber Security Standards (CSS) and Critical Infrastructure Protection (CIP).
- Information Security Forum (ISF) – Standard of Good Practice (SoGP) to adhere to the NERC CIP Compliance Requirement.
- Internet Engineering Task Force – RFC 2196 provides security policies and procedures for information systems connected to the internet, focusing on day-to-day operations.
- International Society of Automation (ISA) & American National Standards Institute (ANSI) – developed a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).
- U.S. Banking Regulators – In October 2016, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation jointly issued an Advance Notice of Proposed Rulemaking (ANPR) regarding cyber risk management standards for regulated entities.
Investing in Recovery Measures
In order to prevent and recover from cyberattacks, companies are investing in cybersecurity and are reaping the benefits. Worldwide cybersecurity market sizing estimates put investment at $77 billion in 2015, with a prediction of $170 billion by 2020. The following measures have been found to reduce the cost of a breach:
- Appointing a Chief Information Security Officer has saved $7.00 per record.
- Involving Business Continuity Management has saved $9.00 per record.
- Participation in threat sharing has saved $9.00 per record.
- Extensive use of encryption has saved $13.00 per record.
- An incident response team has saved $16.00 per record.
Sia Partners’ Cybersecurity Offerings and Credentials
We at Sia Partners work with our clients to help them understand and assess the cyber threat landscape, in addition to determining and implementing mitigations against cyberattacks.
Hardware and Software
- Understand – the threat space, threat agents, vulnerabilities, etc.
- Assess – understand the probabilities of threats, severity of impact, etc.
- Plan – define mitigation approaches (in-house, outsource, etc.)
- Design – define sustainable mitigation measure (people, processes, systems, etc.)
- Implement – implement cybersecurity measures (people, processes, systems, etc.)
The human element is an important component, if not the weakest link, in cybersecurity. It is paramount to engage your staff on the topic of cyber threats and cybersecurity, as well as their responsibility to be vigilant within their roles. Sia Partners can help your organization by:
- Engage – build awareness
- Ready – train and educate
- Adopt – embed cybersecurity work policies and procedures
- Sustain – put mechanisms in place and roles to continuously maintain and develop cybersecurity practices
References
- 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute. (n.d.). Retrieved May 22, 2017 from https://www.ibm.com/security/infographics/data-breach/.
- IBM X-Force Research 2016 Cyber Security Intelligence Index. Retrieved May 22, 2017.
- Cyber Attacks on U.S. Companies in 2014. (October 27, 2014). Retrieved May 22, 2017 from http://www.heritage.org/defense/report/cyber-attacks-us-companies-2014.
- Cyber Attacks on U.S. Companies since November 2014. (November 18, 2015). Retrieved May 22, 2017 from http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-...
- Cyber Attacks on U.S. Companies in 2016. (December 2, 2016). Retrieved May 22, 2017 from http://www.heritage.org/defense/report/cyber-attacks-us-companies-2016.
- INFOGRAPHIC: What is the Greatest Cybersecurity Threat? (January 19, 2017). Retrieved May 22, 2017 from http://riskmanagementguru.com/category/cyber-risk/.
- IBM’s CEO on Hackers: ‘Cyber Crime is the Greatest Threat to Every Company in the World’. (November 24, 2015). Retrieved May 22, 2017 from https://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-...
- Cyber security standards. (n.d.). Retrieved May 23, 2017 from http://en.wikipedia.org/wiki/Cyber_security_standards.
- The rate of cyberattacks is growing at an alarming pace.
- A cyberattack can happen to any industry at any time.
- Cyber threats are not just applicable to software vulnerabilities; they can also threaten the human element and the hardware pieces.
- Cyberattacks need to be risk-assessed not only from an external view but also internally, as internal threats continue to rise.
- The rate and cost of remediation from an internal malicious attack are on the rise.
- It is just as important to consider the methods of recovery from an attack as it is to prevent the attack.
- Organizations are investing more and more resources in cybersecurity and are reaping the benefits.