Five principles for improving your cyber security

Drive Your Business
Five Principles
for Improving
Your Cyber
Security

2 ©2015 WGroup. ThinkWGroup.com
Corporate assets have been shifting from physical assets to virtual assets over the past 20
years. This trend has been accompanied by a corresponding increase in the vulnerability of
intangible assets, leading to a greater general awareness of corporate cyber security risks.
The alteration or destruction of a company’s data can result in harm to reputation, loss of
public confidence, disruption to infrastructure, and legal sanctions. The security risk can
adversely impact a company’s stock price and competitive position in the marketplace.
Many companies have viewed security risks in terms of
a risk/reward tradeoff, which is especially challenging
for cyber security threats. The complexity of these
threats has increased dramatically in recent years,
which often results in businesses facing security
incidents that overwhelm traditional defenses. The
CIOs and CISOs of midsize companies typically face
the same security challenges as larger corporations,
but with far fewer resources at their disposal.
The effects of a security breach can go well
beyond the mere loss of information to include actual financial loss. Furthermore, the pressure
to deploy cost-effective technologies continues to increase, significantly affecting resource
investments for midsize firms. The combination of these pressures on executives and staff
members means that the comprehensive oversight of cyber security is now essential.
Introduction
• Risk identification
• Risk management
• Legal implications
• Technical expertise
• Expectations
The following five principles will
help to improve your cyber security:

Overview
Until just a few years ago, cyber attacks were primarily carried out by technically sophisticated
individuals. While frustrating, businesses could often treat these incidents as just a business
expense. Today’s cyber attackers, however, are more likely to be part of a large team that uses
malware to target a system in a multi-stage strategy known as an advanced persistent threat
(APT). These threats have migrated down the economy, placing companies of all sizes at risk.
One of the defining characteristics of an APT attack is its ability to
penetrate virtually any perimeter defense, including intrusion
detection systems and firewalls. An APT intruder uses multiple
means to penetrate the security layers. A sophisticated
attacker who targets a specific company with an APT will
almost certainly penetrate its defenses eventually. However,
insiders such as disgruntled staff members often present
at least as great a threat to a company’s cyber security as
external attackers. This situation emphasizes the need for an
adaptable security program that’s balanced between internal and
external threats and effective against low- and high-end attacks.
Government agencies are concerned with protecting critical infrastructure from cyber attacks
motivated by political aims, although most of these attacks have a financial motive. A 2014
report estimates that 95 percent of all such attacks are economically motivated. Company data
that’s potentially valuable to an attacker includes credit card information, trade secrets, and
business plans. The surreptitious nature of cyber attacks makes their specific cost difficult to
estimate, but recent sources consistently place it in the hundreds of billions of dollars each year.
A 2013 study estimates that the global economic value of assets at risk from cyber threats could
rise to between $9 trillion and $21 trillion by 2020. Governments and large corporations have
traditionally been at the greatest risk from cyber attacks, since small and medium-sized companies
were often too small to be a significant target. However, smaller organizations are often at greater
risk today because they have fewer resources to dedicate to cyber security. In addition to being
targets in their own right, these organizations also provide a pathway of attack to more attractive
targets. A business’s relationships with its customers, partners and suppliers are common
attack pathways, making partner and vendor management critical functions in cyber security.

A 2012 study by the Ponemon Institute found that attackers had a significant advantage
over defenders, and this disparity is expected to increase. Effective cyber attacks can be
performed at a relatively low cost, since the necessary skills and resources are easy to obtain.
Furthermore, the potential profit is extremely high, providing strong motive to conduct such an
attack. Many experts believe that cyber defenders are a full generation behind their attackers.
This discrepancy has two primary causes.
First, it’s difficult to justify the return on
investment (ROI) for defending against a
cyber attack that may never occur. Second,
the legal enforcement against these
attackers is virtually nonexistent. Current
estimates place the rate of successful
prosecution against these attackers at less than
1 percent. This situation doesn’t mean that defenses are impractical. However, it does
mean that business executives must be fully engaged in implementing sophisticated
plans for their cyber defenses to avoid placing their company’s core assets at risk.
Business executives must
be fully engaged in
implementing sophisticated
cyber defense plans to avoid
placing their company’s
core assets at risk.


Balancing security against profitability
Many factors must be considered to determine the resources that may be allocated for cyber
security. Business executives must always balance security level against the potential losses from
an attack, while still remaining profitable in a competitive environment. Conversely, many profitable
business practices and technical innovations can reduce security.
For example, business practices such as bring your own
device (BYOD) provide employees with easy access
to data at any time and from any location. Many
businesses must use international supply chains
to remain competitive. Both of these practices can
dramatically reduce an organization’s security.
Furthermore, cloud computing, mobile technology,
and smart devices yield significant savings by
increasing business efficiency, but they can create
significant security risks when implemented haphazardly.
A smaller business must use several strategies to obtain
adequate defenses while maintaining profitability. Most importantly,
cyber security must be an integral component of the business process, rather than
bolting it on at the end. Businesses must implement specific security controls to
maximize the cost-effectiveness of their cyber security. For example, a 2013 study
shows that the following four controls can prevent 85 percent of all cyber attacks:
• Restricting the installation of applications by users
• Updating the operating system (OS) regularly
• Updating software applications regularly
• Restricting administrative privileges

This study also showed that these controls generated an immediate ROI by
improving business efficiency, a benefit that was exclusive of the economic
advantage of reducing security breaches. Effective security threat management
also can provide your company with the confidence needed to take reported risks in
information technology (IT), such as migrating to a cloud-computing platform.
The five principles presented in this white paper are relatively general, providing the
opportunity for executives to discuss strategies for implementing them. The best way
to adopt these principles depends on a company’s unique characteristics, including
business plan, culture, geographic footprint, lifecycle stage, and industry sector.

The identification of security risks includes a determination of the best course of action
to take for each risk. These actions may include acceptance, avoidance, mitigation, or
transferring your risk through insurance, with each action requiring a specific plan for
implementation. Complete security is never a realistic goal, so a company’s tolerance for
cyber risk must be consistent with its resource allocation and overall business strategy.
Executive management needs to answer specific questions relating to risk tolerance.
This process generally involves selecting the level of security risk that an organization
is willing to accept. Risk tolerance requires executives to differentiate between
data that’s mission-critical and data that’s important but not as essential.
1. Risk identification
Resource allocation
Resource allocation involves deciding which resources to allocate for each security threat.
Management should devote the greatest resources toward the most sophisticated defenses,
which are typically designed to protect the most critical assets. However, research from the
Armed Forces Communications and Electronics Association (AFCEA) shows that companies
often apply resources to protect all data and functions equally. This study also indicates that
the protection of low-impact assets may require a greater investment than the expected
benefits warrant. Companies should therefore consider accepting a higher level of risk for
these assets based on their projected ROI. The ROI of IT assets should be reassessed
on a periodic basis, to account for changes in asset priorities and protection costs.

Transfer options
All businesses have access to endpoint solutions that help to transfer some part of their security
risk, regardless of their size or industry sector. Some endpoint solutions add an additional
layer of security by providing access to resources such as IT security services, employee
training, and proactive tools. These value-added services emphasize the benefits of moving
discussions on security risk from the IT department to executive management. While endpoint
solutions assist in reducing the risk of property damage or loss due to a security breach, some
companies will need to transfer their risk to
an insurance carrier. A cyber-insurance
carrier should have global capabilities with
the capacity to tailor an insurance policy
to fit each company’s specific needs. This
type of carrier should have experience
and expertise within your industry sector.
Impact assessment
An assessment of a security breach’s impact typically requires the consideration of many
factors, especially when the breach becomes public knowledge. The stakeholders in such a
breach include customers, employees, investors, suppliers, and the press. Many stakeholders
see little distinction in the severity of security breaches. This tendency often means that the
loss in share price and reputation have little to do with a breach’s actual severity. Executive
management must therefore consider this possibility when establishing risk priorities.
A cyber-insurance carrier
should have global capabilities
with the capacity to tailor
each policy to fit a company’s
specific needs.


2. Risk management
Businesses have traditionally treated cyber security as a technical issue that should be handled
by the IT department. However, management should handle cyber security as a company-wide
issue, rather than just an IT issue. Existing corporate structures often foster this misperception,
preventing individual business units from taking responsibility over their own data’s security. An
environment in which IT handles all cyber security for the organization can result in inadequate
security, since this department often has a low priority for resources. This practice can also
inhibit communication on security issues and the implementation of effective strategies.
An organization should manage cyber security in the same way that it manages
the physical security of its personnel and facilities, which is typically handled
as a company-wide issue. This change should result in senior executives
addressing risk management from a strategic and economic perspective.
Security risks in a business environment
High-profile security breaches are often the result of non-traditional hacking techniques. For
example, spear phishing is a common method of penetrating a system. This technique involves
targeting a specific individual with malware hidden in an e-mail message. The use of long supply
chains can increase security risks, especially during product launches and changes in product
strategy. Business systems are more vulnerable to
attack during mergers and acquisitions, since they
often require the integration of IT infrastructure. This
risk is especially high with an accelerated timeline,
which may prevent adequate due diligence.
A corporate network also represents a challenge to
cyber security, since this network must connect to many
outside parties such as affiliates, customers, partners,
and suppliers. Several recent high-profile breaches
have originated from the systems of outside parties rather than the target organization’s own
systems. Many organizations are migrating their data to an external network, such as a public
cloud platform. This practice can cause security challenges because the client organization neither
owns nor operates the infrastructure, and therefore has little ability to directly control its security.

Businesses are connected to parts of the national infrastructure in many cases, which
can compromise an organization’s own security. This trend increases the likelihood that
company security could be considered a part of public or even national security. Board
members should therefore ensure that management considers the effects that security
measures will have on the organization’s own networks, as well as the other networks
in which it operates. They should also discuss the various levels of security risk with
management, taking into consideration the appropriate tolerance for each risk.
It’s vital for board members to know which assets to protect most. They must ensure that
management develops a strategy that initially focuses on protecting those assets that have the
highest probability of attack while building outward. Furthermore, the board should also ensure that
management considers low-probability attacks that could have a high impact on the organization.
Cyber-risk oversight
Considerable debate exists on the best approach to managing the oversight of cyber risk. The
National Association of Corporate Directors (NACD) Blue Ribbon Commission on
Risk Governance recommended in 2009 that cyber risk oversight should be a
function of a company’s entire board of directors. However, many boards
still continue to assign most risk oversight tasks to the audit committee.
This practice is common even though most directors believe that the
whole board should be responsible for risk oversight, according to the
NACD. Furthermore, a fourth of directors believe that the audit committee
should be entirely responsible for risk oversight. Directors should therefore
assign full responsibility for risk oversight to the entire board or an individual
committee. The committee with responsibility for risk oversight should receive
briefings at least once each quarter, especially for cyber risks where information
can change quickly. The entire board should receive a briefing at least once every six months.
The NACD recommends that boards and committees address cyber security as a
stand-alone item on their agendas. However, this issue may also be integrated into
discussions by the full board regarding new business plans. Common topics of this
type include mergers and acquisitions, market inquiries, product offerings, and the
deployment of new technologies. Major decisions on capital investment such as system
upgrades and facility expansions may also include a discussion of cyber security.

3. Legal implications
Corporate liability in this area is evolving rapidly, making the specific legal risks to the entire
board and individual directors difficult to determine. Board members must understand
the legal implications of their company’s cyber risks. Board minutes should show when
cyber security was on the agenda of either the entire board or the relevant committee,
depending on where the responsibility for security oversight has been allocated. Specific
items of discussion will typically include updates on specific risks, along with reports
on the overall program and the integration of security into business activities.
Recent high-profile attacks have resulted in lawsuits, including derivative suits by shareholders.
These suits typically allege that the board of directors failed to take the steps needed to adequately
protect the company from breaches of customer data. The most important areas of concern
for directors include maintaining complete records of any discussions on cyber risks. Directors
must also decide on the specific information to release in the event of a security incident.
Public disclosures
The Division of Corporation Finance for the Securities and Exchange Commission’s (SEC)
has issued guidance on the public disclosure of information regarding cyber security incidents.
It noted that businesses are migrating toward greater dependence on digital technologies for
their business operations. The SEC also added that investors are increasingly more likely
to consider cyber security when making investment decisions. Companies should therefore
consider disclosing the details of specific security incidents based on the following criteria:
• Frequency and severity of prior incidents
• Potential costs of the incident
• Risk level of security threats
• Preventative actions taken

The SEC contacted 50 companies between 2000 and 2013 regarding their disclosure
of their security practices. The results of that survey led the SEC to recommend
that companies release the following information to their prospective investors:
• Potential costs and consequences of specific risks in
internal business operations
• Risks of outsourced functions and how those risks may
be addressed
• Risks of incidents that may be undetected for a
prolonged period
• Relevant insurance coverage
The SEC also stated that its examination priorities for 2014
would include information on cyber security.
The guidance offered by the Division of Corporate Finance isn’t a rule or regulation. However,
the SEC does have broad power to enforce its “books and records” requirements through
audits, investigations, and subpoenas. Compliance with these guidelines may therefore be
advantageous for a company within the context of litigation, especially after a successful
cyber attack. The lack of disclosure regarding security threats may result in lengthy litigation
based on inadequate disclosure, even when the attack
causes a modest drop in stock price.
Directors should therefore request that senior
management solicit counsel’s advice regarding the disclosure
of security risks. The company’s responses to a major
security breach are important issues to consider disclosing.
Directors and management should receive regular updates from counsel on these topics as
company circumstances, disclosure standards, and formal requirements continue to evolve.
Directors should solicit
counsel’s advice regarding
the disclosure of security
risks.


4. Technical expertise
Board members should have ready access to technical expertise on cyber security issues. The
agenda for board meetings should also allow adequate time to discuss the management of cyber
risks on a regular basis. The 2013 NACD Public Company Governance Survey reported that 87
percent of respondents felt that their board members needed a greater understanding of IT risks,
although this is a general term that may include many specific risks. The survey also indicated that
directors generally have a low level of confidence in their members’ understanding of cyber risks.
The NACD hosted a roundtable discussion of directors
regarding cyber security in late 2013. These directors
generally agreed that a lack of technical knowledge
made oversight of management’s security activities a
challenge. The participants in this discussion added that
directors can’t easily distinguish between management
and oversight without adequate knowledge on security.
Furthermore, directors have difficulty in assessing
the board’s appropriate level of involvement in risk
management without the necessary technical expertise.
Improving technical expertise
The lack of technical knowledge among its directors is causing some companies to
consider recruiting additional directors with expertise in cyber security. However, this
expertise is only one of many factors that governance committees must consider when
nominating a replacement on a board of directors. Additional factors include financial
knowledge, global experience, industry expertise, and other specific skill sets.
Directors can still bring technical expertise into the boardroom even they choose not
to add another board member. Common methods of obtaining this capability include
leveraging independent advisors, such as external counsel and auditors. These experts
can provide a perspective on trends in cyber risks across multiple clients and industries.
Board members also can schedule detailed technical briefings from security firms,
industry associations, government agencies, and other subject-matter experts.

Improving management reports
Board members require current information on their company’s security environment to approve
management’s priorities or effectively oversee their priorities. However, a 2012 survey by
Carnegie Mellon University found fewer than 40 percent of responding board members receive
regular reports on cyber security and data privacy. Twenty-six percent of these respondents said
they rarely if ever receive such reports. A 2014 study by Ponemeon Institute found that only 12
percent of responding board members regularly receive briefings specifically on cyber threats.
The NACD’s 2013 Public Company Governance Survey shows that many directors believe
their organizations require more technical expertise at the executive level. The directors
responding to this survey rated IT as the area with the lowest quality of information provided
to senior management by the board. More than a third of the responding board members
reported that their information on their organization’s IT capability was insufficient. Only 13
percent of these respondents said they were satisfied with the quality of their IT information.
Directors should consider the possibility of bias when evaluating management reports
regarding their organization’s security risks. These reports will generally tend to
minimize the severity of these risks. A 2014 study published in International Business
Times found that 60 percent of IT staff members failed to report cyber security risks
to their superiors until they were urgent. These staff members admitted that they
attempted to filter unfavorable information on their organization’s cyber security.

5. Expectations
Technology is useful for keeping an organization well-integrated, even when its workers
are physically separated. However, many organizations still have siloed structures
that were established when the organization wasn’t well-integrated. Furthermore,
individual departments often make decisions that are relatively independent of
each other. This decision-making process often fails to account for the high degree
of digital interdependency that typically exists in modern businesses.
Directors should therefore expect senior management to establish a
framework for managing cyber risk across the entire organization. They
should ensure that this process has an adequate budget and staff.
In order to account for the high degree of
digital interdependency that typically exists
in modern businesses, there must be a
framework for managing cyber risk across
an entire organization.


Security framework
President Obama signed Executive Order 13636 into law in February 2013. This order,
entitled Improving Critical Infrastructure Cybersecurity, instructed the National Institute
of Standards and Technology (NIST) to develop a framework for cyber security that
organizations in the private sector can adopt. The NIST framework
includes standards, procedures, methodologies, and other
processes that can help an organization to ensure that its
policies and business practices align with cyber security.
This framework provides senior management with a common
language for use in developing a strategy for cyber-risk
management that will cover the entire organization. It recommends
that the first step in this process should be a review of the
organization’s security practices to determine where it currently stands
in terms of risk management. This review should result in the assignment
of a number from 1 to 4, with 4 representing the highest level of risk management.
This rating system is as follows:
1 – partial 2 – risk-informed 3 – repeatable 4 – adaptive
It may not be practical for a particular organization to achieve the highest level
of risk management, although all organizations can achieve some of these
levels. However, directors should still expect management to consider the NIST
framework when developing an organization’s plans for managing cyber risk.

Summary
Cyber risk is ultimately a human issue that affects almost all activities in a modern
business. The impact of a successful attack can be very high due to a combination of
factors, especially the potential damage to a business’s competitive advantage, finances
and reputation. The complexity of modern cyber attacks and the speed at which they’re
evolving make it challenging to develop a strong defensive strategy. The current business
environment favors attackers despite the dramatic increase in spending on cyber security.
Business innovations often increase an organization’s vulnerability to cyber threats and
make risk management more challenging, especially innovations that facilitate access
to an organization’s data. Additional obstacles to strong cyber security include the
traditional view of IT as an expense rather than an investment. Executives must continually
assess the level of their organization’s cyber security to ensure adequate oversight
over management’s activities without compromising their fiduciary responsibilities. This
assessment also should identify opportunities for improving the organization’s security.
This white paper provides principles for selecting a starting point and establishing benchmarks for
cyber security, although many specific approaches exist. Executives should strive to implement
a company-wide strategy for managing cyber risk, as opposed to the traditional approach of
assigning sole responsibility to the IT department. Additional principles of cyber-risk management
include an understanding of the legal implications of cyber risk, both for the board members and the
company as a whole. Finally, executives must have access to expert information and enough time
on the agenda to conduct well-informed discussions with management on cyber security issues.
Senior executives must provide the guidance that management needs to develop an
effective strategy for an organization’s cyber security. This strategy must be sufficiently
flexible to handle the frequent changes in business process that are common with
many small and medium organizations. Executives also must ensure that their
cyber risk strategy is an integral part of their company’s overall risk strategy.
Many IT security advisory firms will conduct complimentary security scans to
determine your firm’s current situation and create a baseline for recommending
action. Contact one now, before a breach puts you into recovery mode.

Drive Your Business
Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy,
Management and Execution Services to optimize business performance, minimize cost and create
value. Our consultants have years of experience both as industry executives and trusted advisors
to help clients think through complicated and pressing challenges to drive their business forward.
Visit us at www.thinkwgroup.com or give us a call at (610) 854-2700 to learn how we can help you.
301 Lindenwood Drive, Suite 301
Malvern, PA 19355
610-854-2700
ThinkWGroup.com

Five principles for improving your cyber security

More Related Content

What's hot

Viewers also liked

Similar to Five principles for improving your cyber security

More from WGroup

Recently uploaded

Five principles for improving your cyber security