The suggestion was made at a security round table for media and analysts hosted by WatchGuard’s ANZ country manager, David Higgins, with fellow panellists Monica Schlesinger, principal of Advisory Boards Group, and David Cohen, founder of SystemNet, an IT and managed services company specialising in the small to medium enterprise market.
Higgins recounted the seven security predictions WatchGuard released in December 2016. WatchGuard got most of them right; for the rest there is no empirical evidence to support them – yet. To paraphrase:
- We will see the first ever Ransomworm, causing ransomware to spread faster – exactly what WannaCry was;
- Attackers will exploit infrastructure-as-a-service (IaaS) as both an attack platform and attack surface – no evidence yet, as cloud providers are trying very hard to secure their offerings;
- We’ll see civilian “casualties” in the cyber cold war – well, not physical bodily harm, but business has suffered;
- Under siege by cyber criminals, SMBs turn to small MSSPs for cyber security – yes, with an amazing 25% growth of MSSPs on its books;
- Increased biometrics usage hides continued credential insecurity; passwords aren’t really gone. WatchGuard has seen a massive explosion in the use of biometrics, but the underlying need for a password first leaves a gaping security hole;
- Attackers start leveraging machine learning and AI to improve malware and attacks – cyber crime is a well-oiled business with substantial resources, including AI and machine learning.
Higgins said the biggest change at WatchGuard had been the move from its hardware “red boxes” to software – virtual devices protecting on-premises and off-premises networks.
Schlesinger presented a board member’s view and cited Ponemon Institute research. In 2016 the average cost of a data breach was US$4 million and the likelihood of a material data breach was 26%. In Australia, 60% of larger businesses had experienced cyber attacks, and the loss was calculated at A$17 billion.
She presented a case for a chief cyber security officer as a C-level board member, rather than leave it to the IT department. “As a director, you need to know the regulatory environment as well as what you are doing – respect the duty of care, skill and due diligence.”
Schlesinger presented board-level research from ASX-listed companies on attitudes to cyber security. One result was that 87% of board members had no idea about cyber security issues, let alone the new governance regime that would be forced on them in the next eight months. An edited version of her report is attached at the end of this article.
Cohen focused on small business. “The biggest issue is the trust between the managed security services provider and the client. Clients need to realise that 100% trust is needed to help the relationship work to help prevent breaches.”
He made several points. “97% of Australian business is small business — no board and worse no in-house IT support — where the owner makes the decisions. Frankly, they are not equipped to make cyber security decisions.”
He said that humans were still the weakest link in the security chain. “Too many will blindly click on a malware link.”
Small business was largely characterised by a lack of IT knowledge, lack of effective backup and restore systems, no understanding of what the “logs” meant, and being too trusting by opening data access to all.
He said that SystemNet tried to educate users that, “you don’t automatically win prizes (spam) or inherit millions from a long-lost family member.” His company monitored logs generated by WatchGuard firewalls, and tried to be proactive but security spending was a very low priority compared to making money and the “won’t happen to us” mentality.
On the other hand, Australian SMBs were well placed to have good security if they really wanted to – more so than the major enterprises that may lack flexibility to respond. “Run Windows 10 and its self-patching, install a good firewall, and use an outside firm to check security.”
Schlesinger reminded all that cyber crime was a business and it had excellent tools. “It is easy money for hackers so make it hard for them. The drivers behind security need to expand – it will happen to you.”
Higgins said that it was not a matter of if but when and the likely collateral damage could be the business goes out of business after a hack. The rise of MSSPs was evidence of the growing extent of the issue. “Cast your mind back five years – there has been a huge growth in MSSPs. Cyber security must be an integral part of your budget just as marketing is.”
The panel all agreed that there was a drought of cyber talent to manage the issues.
Edited results from Monica Schlesinger's presentation.
The regulatory environment is reacting to the increased intensity and consequences of cyber attacks and new laws have come into play with higher penalties and harsher conditions.
Organisations, large and small, that are under the Privacy Act must comply and implement measures before February 2018, when its penalties and requirements will be enforced.
At the board level the cyber security conversation is non-existent or difficult. In December 2016, a survey of board members showed there was an immediate need to act and to educate directors about the consequences of the threats, about their duties and about how best to take action. At board level, this means creating a Cyber Strategy.
Q1: What has your experience of cyber security been like at the Board level?
Responses could be sorted into three categories:
- No idea (87%), even though three of them had already suffered breaches or ransomware attacks
- Some discussion, or had heard about it (8%)
- Stated they talk about it or consider it in the risk register (4%)
One of the respondents had been attacked a few times and after the last attack, they needed six months to recover. Unfortunately, none of them stated they are well informed and they have a cyber security strategy in place.
Q2: What do you believe is your greatest risk related to cyber security?
Over 12% of the respondents candidly admitted they did not know or understand.
Around 30% referred to the loss of reputation and branding, 40% to a loss of sensitive information, with some specifying Privacy breaches, and 40% mentioned the operational and financial loss, even going out of business.
Q3: What are your top two questions about cyber security that the Board needs to continually consider?
Again, 12% of the respondents gave no answer or admitted they don’t know. 20% referred to risk management, with 20% talking about policies. Directors also thought of bringing an expert on the board (a “Cyber Director”). Around 25% felt that the responsibility lies with the IT department and they must do something to defend the organisation.
What should directors do at board level?
- Directors must understand and approach cyber security as an enterprise risk and elevate it as it can have a devastating impact within a short span of time
- They must undertake cyber governance assessments and understand the legal implications of cyber attacks
- If they don’t have a director with cyber expertise, they must either try to acquire one or bring in experts to help them
- They must set expectations for management to implement cyber risk management across the entire organisation
- They must create a cyber strategy and task management to create a framework that stems from it
A few of the main questions directors should ask:
- Where does our data reside?
- Do we have a 3rd party (contractors) HR policy?
- Do we have a contractual clause for breaches via a 3rd party?
- What is our security framework (which includes Cyber Strategy, Regulators and regulatory compliance, standards, plans, audits and risk management)?
- What are our top five cyber risks (BYOD, cloud, outsourcing/3rd parties, DR & BCP, backups, firewalls, access, IDS, IPS, antivirus)?
- Is there cyber education at all levels in the organisation?
- What is our crisis management plan in a cyber security breach scenario?
- What is our data breach response plan?
- Whom do we notify?
- What are the short, medium and long-term actions?
Where to start and how?
- Involve management, understand the regulatory obligations, understand the current cyber posture – and this does not mean another penetration test.
- Classify assets, calculate the risk exposure and how much to invest in protecting the organisation, decide mitigation strategies and look at all areas – HR, IT, Partners, Contractors, Facilities
- Request that management create plans the Board can understand, scrutinise and monitor, and that manage the extreme risks.
If you are on a board or in a senior position you should start the cyber conversation with your board immediately. Start by educating yourself by undertaking a course that gives you a structure for what you need to do.
As the FBI director Robert Mueller put it: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”