Managing Cyber Risk: A Multidisciplinary Challenge

Who owns cyber-security in your organization? Do you know? In many organizations, the risk of cyber breaches falls squarely on the IT department. But is that sufficient?

We think about cyber attacks as being direct hits on our databases, but that is so 2010. Today, sophisticated criminal attacks rarely come through the front door. Instead, they use third-party entry points, both directly and indirectly. Even worse, our employees – wittingly or unwittingly – sometimes walk our data out of the virtual building and into the hands of others.

The New York Times recently reported on the risk posed by bank tellers who wire funds without authorization, create fake debit cards, and sell off customers' personal information. Other articles have highlighted the risk of downloading software apps that contain malware.

Over the past couple of years, a number of more interesting cyber-security tactics have surfaced. Here are a few:

1. WATERING HOLE ATTACKS

One example is the Chinese Restaurant caper reported on by Nicole Perlroth of the New York Times. Back in the day, before it was considered politically incorrect, we used to talk about building a “Chinese Wall” to prevent access to information by those who shouldn’t be allowed to see it. So, the part of the article that really caught my eye was the lead about hackers who got into the data systems of a large oil company by installing malware in the online menu of a Chinese restaurant that was frequently browsed by the company’s employees. The malicious code was downloaded by the employees onto their workplace computers, and from there it opened a window into the previously secure information the company had worked hard to protect.

2. HIDING IN PLAIN SIGHT

Infiltration through third-party vendors who are allowed behind system firewalls is on the rise. Whether it's software for heating and cooling systems as in the Target breach, vending machine inventory systems, printers or videoconferencing equipment – third-party operators, who often run older operating systems without sufficient security of their own, provide a place to sit and view the entire customer networks to which they are attached. Even worse, these entry points may allow for tampering beyond theft of information, creating risks to physical security and operational disruption.

3. RANSOMWARE

Several experts predict growth in the use and sophistication of ransomware and cyber-blackmail in 2016. By taking systems hostage and threatening to release customer data unless paid several million dollars (as in the recent case of the UAE’s Sharjah Bank), or by locking access to needed files (as in the case of Angler ransomware, which netted $60 million before being stopped), cyber criminals were just beginning. In January, suspected hackers shut down parts of the Ukrainian power grid, and experts report the U.S. power system is highly vulnerable to attack.

So, how do these examples relate to the question posed at the start, about who owns cyber-security in your organization? Let’s break it down.

In the first example, the Chinese Restaurant caper, policies and procedures for use of company computers (or the lack thereof) come into play. Saying that employees can’t use any company device for any personal use may be extreme, but if all devices connect to systems with sensitive information, that may be necessary or at least should be considered. Who makes that call? Those responsible for risk assessments might start the process by evaluating the risk of what is connected where. Those responsible for compliance might draft policies and procedures to follow. Those responsible for training and employee conduct might be part of the process as well. And, of course, IT security has a critical role in putting the best controls in place to detect and block malware coming in from employee computers.

In the second example, risk, compliance and IT continue to be involved, but now let’s add in procurement and third-party management roles, as well as the Legal department, which drafts third-party contracts. Even beyond IT architecture decisions that might better separate systems, third-party due diligence will help to identify those service providers who lack sufficient security or run operating systems vulnerable to attack.

In the third example, operational managers get engaged to help identify the most critical systems to be protected and work with business continuity teams to ensure backup plans are in place in case of attack. Physical security experts also need to be engaged to plan for and prevent safety failures.

It seems obvious that cyber-security requires a multidisciplinary approach, with management participation from many parts of the organization and the development of a strong workforce culture.

Start by Using the GRC Capability Model

Using OCEG’s GRC Capability Model to define the risks and establish protections against them is helpful.

This enables you to:

  • identify and monitor internal and external factors that are relevant to the risk,
  • rank the impact of various cyber-threats to data, physical property, operations, the environment and people,
  • establish a layered approach with management actions and controls – not just technological, but also physical, human resource and process controls,
  • continuously evaluate the design and operation of key controls.

So who owns cyber-security in your organization? The cliché answer, but also the true one, is everyone. Everyone affects your level of protection from threats by their day-to-day actions, so empower them to own it.

Bob Barker

Christ Follower | Strategic Thinker | Business Relationship Builder <Strategic, Ideation, Connectedness, Learner, Individualization>

8y

Excellent points, Carole! Diving into cyber risk standards in the past year, I've learned that they're all based on a superset of controls. Each standard's value derives from how it uniquely breaks down controls into a useful framework. The NIST Framework, C2M2 from Dept. of Energy, ISO 27001, and the cyber directives of HIPAA, FINRA, PCI and others share a common "DNA". I'm curious to see how OCEG will align with the others.

Neal Dittersdorf

General Counsel | Chief Legal Officer | Technology & Data | Pre-IPO & Public Companies

8y

Thank you for this insightful article. No room for silos when it comes to data protection.

Stefan Sulistyo

Tech Entrepreneur, Corporate Leader and Investor

8y

Fully agree. Especially regarding third-party risks, few organizations have a diligent vendor risk assessment methodology and processes in place. This is something we are jump starting with https://www.alyne.com

Eric Staffin

Internal and External Cyber Defense & Risk Management | Board, ERM, CISO, CIO, PE & Venture Capital Advisor and Operating Executive | Former CISO, Chief Risk Officer and Chief Resilience Officer

8y

Well constructed briefing document. Unfortunately, the majority of organizations that will suffer data breaches or ransomware style attacks will have successfully deployed ISO and/or NIST compliant security programs. Until and unless companies break down the island security mentality and deploy an enlightened governance framework across each of the disciplines, the volume and velocity of threats succeeding in the IoE connected world is limitless.

Malini Rao CISSP CCISO, GCIO, CISM, CCSK, AWS 2x, DPO

Cybersecurity & GRC Thought Leader | Speaker | Mentor | Top Voice | Best Selling Author | Top 10 Global Women in Cybersecurity | Certified Board Member | Super 30 Technology Leader | CSO 100 Winner | Emerging Tech & AI Leader

8y

Very good & useful writeup! Thanks for this, Carole. Also, my 2 cents: if organizations implement the ISO 27001 Information Security standard (ISMS) within their organization and the controls that are part of the implementation, identifying who owns the IT risks within the organization & the relevant controls to mitigate the identified risks, and reviewing them on a regular basis, that makes it easy for the organization to monitor and manage cyber risks.
