Category Archives: cybersecurity policy

Overview of the Marsh-Microsoft 2019 Global Cyber Risk Perception survey results

Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence (AI) and the Internet of Things (IoT) to data availability and blockchain. The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster—moving beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations—costing the economy billions of dollars and affecting companies in every sector.

The hard truth organizations must face is that cyber risk can be mitigated and managed—but it cannot be eliminated. Results from the 2019 Marsh-Microsoft Global Cyber Risk Perception survey reveal several encouraging signs of improvement in the way that organizations view and manage cyber risk. Now that cyber risk is clearly and firmly at the top of corporate risk agendas, we see a positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas. However, many organizations still struggle with how to best articulate, approach, and act upon cyber risk within their overall enterprise risk framework—even as the tide of technological change brings new and unanticipated cyber risk complexity.

Highlights from the survey

While companies see cyber events as a top priority, confidence in cyber resilience is declining. Cyber risk became even more firmly entrenched as an organizational priority in the past two years. Yet at the same time, organizations’ confidence in their ability to manage the risk declined.

  • 79 percent of respondents ranked cyber risk as a top five concern for their organization, up from 62 percent in 2017.
  • Confidence declined in each of three critical areas of cyber resilience. Those saying they had “no confidence” increased from:
    • 9 percent to 18 percent for understanding and assessing cyber risks.
    • 12 percent to 19 percent for preventing cyber threats.
    • 15 percent to 22 for responding to and recovering from cyber events.

New technology brings increased cyber exposure

Technology innovation is vital to most businesses, but often adds to the complexity of an organization’s technology footprint, including its cyber risk.

  • 77 percent of the 2019 respondents cited at least one innovative operational technology they adopted or are considering.
  • 50 percent said cyber risk is almost never a barrier to the adoption of new technology, but 23 percent—including many smaller firms—said that for most new technologies, the risk outweighs potential business benefits.
  • 74 percent evaluate technology risks prior to adoption, but just 5 percent said they evaluate risk throughout the technology lifecycle—and 11 percent do not perform any evaluation.

Increasing interdependent digital supply chains brings new cyber risks

The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.

  • There was a discrepancy in many organizations’ view of the cyber risk they face from supply chain partners, compared to the level of risk their organization poses to counterparties.
  • 39 percent said the cyber risk posed by their supply chain partners and vendors to their organization was high or somewhat high.
  • Only 16 percent said the cyber risk they themselves pose to their supply chain was high or somewhat high.
  • Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.

Appetite for government role in managing cyber risks draws mixed views

Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk—with the notable exception of nation-state attacks.

  • 28 percent of businesses regard government regulations or laws as being very effective in improving cybersecurity.
  • 37 percent of businesses regard soft industry standards as being very effective in improving cybersecurity.
  • A key area of difference relates to cyberattacks by nation-state actors:
    • 54 percent of respondents said they are highly concerned about nation-state cyberattacks.
    • 55 percent said government needs to do more to protect organizations against nation-state cyberattacks.

Cyber investments focus on prevention, not resilience

Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.

  • 88 percent said information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/board (65 percent) and risk management (49 percent).
  • Only 17 percent of executives say they spent more than a few days on cyber risk over the past year.
  • 64 percent said a cyberattack on their organization would be the biggest driver of increased cyber risk spending.
  • 30 percent of organizations reported using quantitative methods to express cyber risk exposures, up from 17 percent in 2017.
  • 83 percent have strengthened computer and system security over the past two years, but less than 30 percent have conducted management training or modeled cyber loss scenarios.

Cyber insurance

Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.

  • 47 percent of organizations said they have cyber insurance, up from 34 percent in 2017.
  • Larger firms were more likely to have cyber insurance—57 percent of those with annual revenues above $1 billion had a policy, compared to 36 percent of those with revenue under $100 million.
  • Uncertainty about whether available cyber insurance could meet their firm’s needs dropped to 31 percent, down from 44 percent in 2017.
  • 89 percent of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.

Key takeaways

At a practical level, this year’s survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:

  • Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
  • Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
  • Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
  • Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
  • Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

Despite the decline in organizational confidence in the ability to manage cyber risk, we’re optimistic that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.

Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.

Still, these recommendations address many of the common and most urgent aspects of cyber risk that organizations today are challenged with; as such, they should be viewed as signposts along the path to building true cyber resilience.

Learn more

Read the full 2019 Marsh-Microsoft Global Cyber Risk Perception survey or find additional report content on Marsh’s website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Overview of the Marsh-Microsoft 2019 Global Cyber Risk Perception survey results appeared first on Microsoft Security.

Operational resilience begins with your commitment to and investment in cyber resilience

Operational resilience cannot be achieved without a true commitment to and investment in cyber resilience. Global organizations need to reach the state where their core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, and cyber events if they are to weather such events.

To help increase stability and lessen the impact to their citizens, an increasing number of government entities have drafted regulations requiring the largest organizations to achieve a true state of operational resilience: where both individual organizations and their industry absorb and adapt to shocks, rather than contributing to them. There are many phenomena that have led to this increased governance, including high-profile cyberattacks like NotPetya, WannaCrypt, and the proliferation of ransomware.

The rise in nation state and cybercrime attacks focusing on critical infrastructure and financial sectors, and the rapid growth of tech innovation pervading more and more industries, join an alarming increase in severe natural disasters, an unstable global geopolitical environment, and global financial market instability on the list of threats organizations should prepare for.

Potential impact of cybercrime attacks

Taken individually, any of these events can cripple critical business and government operations. A lightning strike this summer caused the UK’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. With trains needing to be manually rebooted, the rhythm of everyday work life was disrupted. The impact of cybercrime attacks can be as significant, and often longer term.

NotPetya cost businesses more than $10 billion; pharmaceutical giant Merck put its bill at $870 million alone. For more than a week, the malware shut down cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests. It took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidently offline during the attack due to the power being cut off.

The combination of all these threats will cause disruption to businesses and government services on a scale that hasn’t been seen before. Cyber events will also undermine the ability to respond to other types of events, so they need to be treated holistically as part of planning and response.

Extending operational resiliency to cover your cybersecurity program should not mean applying different principles to attacks, outages, and third-party failures than you would to physical attacks and natural hazards. In all cases, the emphasis is on having plans in place to deliver essential services whatever the cause of the disruption. Organizations are responding by rushing to purchase cyber-insurance policies and increasing their spending on cybersecurity. I encourage them to take a step back and have a critical understanding of what those policies actually cover, and to target the investment, so the approach supports operational resilience.

As we continue to witness an unparalleled increase in cyber-related attacks, we should take note that a large majority of the attacks have many factors in common. At Microsoft, we’ve written at length on the controls that best position an organization to defend against and respond to a cyber event.

We must not stand still

The adversary is innovating and accelerating. We must continue to be vigilant and thorough in both security posture, which must be based on “defense in depth,” and in sophistication of response.

The cost of data breaches continues to rise; the global average cost of a data breach is $3.92 million according to the 2019 Ponemon Institute report. This is up 1.5 percent from 2018 and 12 percent higher than in 2014. These continually rising costs have helped galvanize global entities around the topic of operational resilience.

The Bank of England, in July 2018, published comprehensive guidelines on operational resilience that set a robust standard for rigorous controls across all key areas: technology, legal, communications, financial solvency, business continuity, redundancy, failover, governmental, and customer impact, as well as full understanding of what systems and processes underlie your business products and services.

This paper leaves very few stones unturned and includes a clear statement of my thesis—dealing with cyber risk is an important element of operational resilience and you cannot achieve operational resilience without achieving cyber resilience.

Imagine for a moment that your entire network, including all your backups, is impacted by a cyberattack, and you cannot complete even a single customer banking transaction. That’s only one target; it’s not hard to extrapolate from here to attacks that shut down stock trades, real estate transactions, fund transfers, even to attacks on critical infrastructure like healthcare, energy, water system operators. In the event of a major attack, all these essential services will be unavailable until IT systems are restored to at least a baseline of operations.

It doesn’t require professional cybersecurity expertise to understand the impact of shutting down critical services, which is why the new paradigm for cybersecurity must begin not with regulations but with a program to build cyber resilience. The long list of public, wide-reaching cyberattacks where the companies were compliant with required regulations, but still were breached, demonstrates why we can no longer afford to use regulatory requirements as the ultimate driver of cybersecurity.

While it will always be necessary to be fully compliant with regulations like GDPR, SOX, HIPAA, MAS, regional banking regulators, and any others that might be relevant to your industry, it simply isn’t sufficient for a mature cyber program to use this compliance as the only standard. Organizations must build a program that incorporates defense in depth and implements fundamental security controls like MFA, encryption, network segmentation, patching, and isolation and reduction of exceptions. We also must consider how our operations will continue after a catastrophic cyberattack and build systems that can both withstand attack and be instantaneously resilient even during such an attack. The Bank of England uses the mnemonic WAR: for withstand, absorb, recover.

The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event. Training is not enough. Operational resilience guidelines call for demonstrating that you have concrete measures in place to deliver resilient services and that both incident management and contingency plans have been tested. You’ll need to invest in scenario planning, tabletop exercises and red/blue team exercises that prove the rigor of your threat modeling and give practice in recovering from catastrophic cyber events.

Importance of a cyber recovery plan

Imagine, if you will, how negligent it would be for your organization to never plan and prepare for a natural disaster. A cyber event is the equivalent: the same physical, legal, operational, technological, human, and communication standards must apply to preparation, response, and recovery. We should all consider it negligence if we do not have a cyber recovery plan in place. Yet, while the majority of firms have a disaster recovery plan on paper, nearly a quarter never test that and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Cybersecurity often focuses on defending against specific threats and vulnerabilities to mitigate cyber risk, but cyber resilience requires a more strategic and holistic view of what could go wrong and how your organization will address it as whole. The cyber events you’ll face are real threats, and preparing for them must be treated like any other form of continuity and disaster recovery. The challenges to building operational resilience have become more intense in an increasingly hostile cyber environment, and this preparation is a topic we will continue to address.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience begins with your commitment to and investment in cyber resilience appeared first on Microsoft Security.