What is the Private Sector’s Role in Cybersecurity?

Chamber of Commerce Cyber Security Event

September 27, 2016


Secure Halo

Cyber security has evolved into a central board topic and a core business concern.  Gone are the days when cyber risk management was avoidable.  Today, companies are more informed security buyers, looking for efficient and effective investments rather than mere silver bullets.

In a constantly evolving world of cyber threats, what is the role of the private sector?  A panel of experts addressed the topic at the US Chamber of Commerce 5th Annual Cybersecurity Summit in Washington, DC.  The panel agreed that businesses of all sizes must take on the challenges of ransomware, third-party risk, and security complacency.  They must also recognize the increasing attention regulators are placing on private sector cyber practices and safeguards, according to panelist Natalie Lehr, Vice President of Analytics at Secure Halo.

Cyber Now A Board Responsibility

While board members have always held a traditional role of fiduciary responsibility, cyber security risks now fit within this realm.  Having become more proactively engaged, boards demand better cyber insights than basic, one-size-fits-all checklists.  Cyber research indicates that reactive and uncoordinated governance of risk functions ultimately leaves staff members unprepared to stem losses – corporate harm is therefore dictated by the capability of the attacker rather than the strength of a safeguard.

In addition to establishing a proper defense, organizations are subject to federal regulations concerning the status of their security and their compliance with said regulations.  The impact of the recent LabMD, Inc. case (in which the Federal Trade Commission determined in August that a medical testing lab’s data security practices could be considered “unfair or deceptive” and were “likely to cause substantial injury to consumers”) is clear: companies should assess and improve their cyber hygiene in advance of any allegation, to produce artifacts consistent with reasonable security protection of “consumers’ personal data,” according to the Federal Trade Commission (FTC).

Proactive Defense Requires Going on the Offense

As the number and sophistication of threats has increased over time, the conversation around cybersecurity has changed from educating business leaders on why it’s important, to identifying their priority security needs and providing them with solutions that offer the greatest return on their security investment dollar.

Lehr recommended four ways to start.

1. Harmonize Technology, Processes and People

Security is neither a single act nor a single sensor.  Technology is crucial to any risk management discussion, but it cannot be relied upon at the expense of other considerations, such as developing a mature cybersecurity culture and synchronizing third-party vendor security.  In its years of performing Enterprise Risk Assessments on organizations of varying sizes and sectors, TSC has found that those that invest in complementary cyber security efforts across their enterprise are more resilient when confronting a cyber attack or breach.

2. Transfer Risk!

Since there is no technical silver bullet that eliminates economic risks in an increasingly digital ecosystem, corporate risk strategies leveraging cyber insurance can help businesses assure their operational integrity, maintain customer privacy and defend corporate value.  The potential benefits of cyber insurance were noted by other Chamber conference speakers, such as General Michael Hayden, USAF (Ret.) and Chris Inglis, former Deputy Director, National Security Agency.  Hayden suggested insurance could be a good motivator for improving private sector cybersecurity, likening pre- or post-binding insurance assessments to requiring a physical.  As breaches continue to abound, insurers are placing more emphasis on assessments performed by independent security firms, which review the maturity of a company’s practices, the security of its vendors, the sensitivity of its corporate data, and its ability to maintain business continuity and recover from an attack.

In more than three years performing such assessments for insurers on the Lloyd’s of London underwriter market, TSC has provided analysis that underwriters use to determine an entity’s insurability and craft a fair and accurate policy.  More importantly, detailed recommendations provide a road map for continued security improvements.  Among the keys to successful cyber insurance, notes Lehr, are to understand both exposure and risk (including potential physical damage and third-party exposures), and to understand your policies (including exclusions and limits).

3. Share Information

The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) both have robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism and more.  These additional resources should be included as part of your organization’s cyber toolkit.  Depending on your specific industry, there are also numerous member-driven Information Sharing and Analysis Centers (ISACs) which collect, analyze and share threat information.  Join one to maintain sector-specific situational awareness.

4. Get Back to Basics

Surprisingly, some enterprises overlook basic security controls such as complex passwords, multi-factor authentication, and use of a virtual private network (VPN), but the basics should go beyond that.  Secure Halo has found that only half of the organizations it has assessed had fully documented external crisis communication plans for disasters or breaches, and very few organizations have identified, classified, and monitored their critical and valuable assets.  While this is not an easy undertaking, protecting those assets is virtually impossible if you are unaware of what exists or where the assets are located.

The private sector has a responsibility to proactively mitigate cyber risk rather than react only when an attack occurs, and also to remain compliant with regulators.  Analyzing only one aspect of a business is a surefire way to grant unwanted intruders easy access and face potentially disastrous results, hence the need for a panoramic view of cybersecurity, says Lehr.  Cyber resilience, just like personal grit, requires both resource investments and an emphasis on outcomes and improvement.
