Category Archives: risk assessment

Board Directors Can’t Afford to Ignore Cybersecurity Risk

As organizations rush to adopt new digital channels, big data, advanced analytics, and emerging technologies such as blockchain, artificial intelligence (AI) and quantum computing, they face new risks that may be difficult to quantify today.

The obvious challenge with emerging risk is the lack of historical perspective and measurement. Position credit risk against cyber, for example, and you’ll realize that credit professionals have the benefit of leveraging time-tested practices and numerous economic cycles as a basis for understanding risk quantification in familiar metrics. Credits that score a 6.2 (expected frequency of default) will, on average, lose a greater percentage of principal balance than credits scoring 3.2, and this is a known quantity.

Now consider cyber risk in light of the imperative to embrace new technologies to remain competitive and the gradual emergence of risk mitigation strategies to match new technologies. Put simply, the unmanaged cybersecurity risk of tomorrow is the unintended consequence of today’s revolution.

Weighing the Benefits of Technology Against Cybersecurity Risk

New technology enables value creation, generates process efficiencies, and allows companies to assimilate and analyze information at an unprecedented speed. This creates numerous opportunities to drive substantive improvement for the public good. For instance, AI tools help health care professionals diagnose and treat serious illnesses more quickly and accurately. Similarly, AI applications in the financial industry help mitigate bank fraud and other financial crimes and combat cyber risk.

However, cybercriminals have access to this same technology, which they use to launch attacks and breach corporate networks to steal or damage information. This, combined with the mass digitization of data, growth of internet of things (IoT) deployments and widespread adoption of AI, is straining security resources like nothing we’ve ever seen. Juniper Research forecast the number of records stolen by cybercriminals to reach 5 billion in 2020, and Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

Continuous improvement has never been more crucial to cybersecurity risk management. The worst thing you can do is remain static or get comfortable with the status quo. The failure to reassess and invest in your strategy, evolve your practices, educate leaders and employees, and advance risk technology in lockstep with new business applications puts companies and even national economies at risk.

Cybercrime has evolved into a well-organized, well-funded industry that focuses all its attention on penetrating enterprise networks to disrupt, steal, extort and exploit sensitive data. That said, many of the incidents that have made the news have nothing to do with threat actors; instead, they are the result of human error or malicious insiders, which presents a unique type of risk management challenge.

Either way, a reactive and siloed approach to cyber risk management limits effectiveness. The increasing volume and spectrum of threats necessitates detection, management and mitigation strategies that are proactive, adaptable and offensive in nature. Most importantly, these strategies must engage all elements of senior leadership.

Part of the problem is that technology has advanced faster than risk mitigation practices and investments. In many instances, cyber risk management is compartmentalized with technology functions, not widely understood by senior leadership or overtly linked to business strategy. Confronting this new risk means that every member of the senior leadership team, board of directors and company staff must make an investment in understanding and managing cyber risk.

Do You Understand the Risks Facing Your Business?

The more aggressive a firm’s digital and data-driven business strategies are, the greater the need to ensure that cyber risk is understood at the senior executive and board levels. This is the only way to facilitate a healthy and informed dialogue about business strategies and technology deployments with the appropriate risk appetite, safety considerations and governance. Of course, this task becomes more complicated as more technologies are adopted and integrated into the IT environment.

The widespread adoption of big data and advanced analytics will make it increasingly difficult for companies to manage or govern the volume of data they are trying to utilize. This is already a problem for some regulated financial market data providers; datasets and the products derived from them have outrun firms’ ability to map, manage and quality-control the data.

Cloud is another notable example. Many firms are rushing to move workloads to a hybrid cloud environment, which introduces new risks in multiple forms and raises myriad questions, including:

  • Where is the data?
  • What controls will be provided by each cloud service provider (CSP) and what must be provided by the firm?
  • How can the firm risk-assess and performance-manage each CSP?
  • How can the firm implement an effective risk dashboard across data types and providers, both on and off premises?
  • How can the firm demonstrate regulatory compliance effectively amid rapid change in the industry?

In addition, digital channels, bots and robo-advisors are being used at an accelerating pace. Like other emerging technologies, these expose consumers to new risks, and providers face scrutiny for poor outcomes. Understandably, consumers are not ready for these risks, and they simply do not know how to protect themselves in a world of connected devices, smart appliances and mobile banking. In response to demand for open banking, and to stimulate competition in payments, the European Union (EU) issued a new Payment Services Directive (PSD2), which requires all financial institutions to share their customer and payment data in a standardized format. This open banking era introduces new obstacles to effective implementation and to meeting both regulators’ and customers’ expectations of availability and ease of use.

Finally, the IoT brings countless new endpoints — and countless new microvulnerabilities — to the enterprise. It also exponentially multiplies the volume of data to be handled, complicates operating models, and makes it hard to map data and the risks associated with it. Consider technologies such as smart homes, connected cars and power grids; attacks on these systems could have physical, even life-threatening consequences that go far beyond the cost of noncompliance and disruption.

The New Regulatory Landscape Demands More of Leadership

The level of regulatory scrutiny and public awareness of cyber risk is rising and, along with it, expectations that companies will appropriately address these risks. Consider the General Data Protection Regulation (GDPR), which gives consumers more control over their personal data, mandates that vendors build data protection safeguards into products and services, and places strict requirements on companies that manage EU citizens’ personal data. Failure to comply could carry fines up to 20 million euros or 4 percent of total worldwide turnover.

Another example is the New York State Department of Financial Services (NYDFS) regulation 23 NYCRR Part 500, which holds the board responsible for overseeing and certifying compliance with appropriate security standards. As mentioned above, PSD2 addressed payment systems and their security requirements for registration under a new set of conditions and other criteria enacted by member states on Jan. 13, 2018. Finally, the California Legislature recently approved the California Consumer Privacy Act (CCPA), which will take effect in 2020. This new legislation, the strictest in the U.S., gives consumers rights related to how their data is managed and sold and imposes obligations on the holders of this data.

As you can see, cybersecurity risk is a real business risk and must be managed holistically as enterprise risk rather than delegated to technical functions. Chief information security officers (CISOs), risk and compliance officers, technology managers and line-of-business leaders must own risk collectively, and it must be built into and considered a crucial component of the business strategy.

To accomplish this, top management and the board must engage in regular dialogue around cyber risks and business strategy and recognize them as inextricably linked. Investment in one necessitates investment in the other. This approach enables business and security leaders to replace defensive strategies with offensive capabilities and maintain an open, honest and direct dialogue about risk. Most importantly, it helps these leaders coordinate and prepare to play their roles when a security incident strikes.

The post Board Directors Can’t Afford to Ignore Cybersecurity Risk appeared first on Security Intelligence.

The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach

The threat group known as The Dark Overlord has claimed responsibility for a law firm data breach involving files allegedly related to the 9/11 terrorist attacks.

The Dark Overlord first announced on New Year’s Eve that it had stolen files belonging to Lloyd’s of London, Silverstein Properties and Hiscox Syndicates Ltd., according to Motherboard. Although the group’s announcement on the Pastebin messaging service has been deleted, Motherboard confirmed the hack with Hiscox.

The stolen information reportedly includes email and voicemail messages as well as legal files such as non-disclosure strategies and expert witness testimonies.

9/11 Data Held for Ransom

In a Dec. 31 tweet, The Dark Overlord claimed it had managed to steal more than 18,000 secret documents that would provide answers about 9/11 conspiracy theories. Twitter has since suspended the group’s account.

SC Magazine reported that the law firm paid an initial ransom but then violated the terms of the agreement by reporting the incident to law enforcement. The threat group is now demanding that a second ransom be paid in bitcoin and said it will also sell information obtained in the breach to interested third parties on the dark web.

According to a post on Engadget, The Dark Overlord also attempted to prove it had committed the data breach by publishing nonsensitive material from other law firms as well as organizations such as the U.S. Transportation Security Administration (TSA) and Federal Aviation Administration (FAA).

How to Limit the Threat of Groups Like The Dark Overlord

This latest attack from The Dark Overlord is further proof that data breaches can not only create a PR nightmare, but also put organizations’ survival and, in some cases, national security at risk.

Unfortunately, the exact details around how The Dark Overlord accessed the law firm’s network are unknown. Security experts recommend conducting a short but comprehensive 15-minute self-assessment to gauge the organization’s IT security strengths and weaknesses. The results can be benchmarked against similar firms, and security leaders can gain access to the expertise they need to keep groups like The Dark Overlord away from their data.

The post The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach appeared first on Security Intelligence.

NIST Issues Guidance for Medical IoT Device Security

As the popularity of medical IoT devices grows, so do security vulnerabilities. There are more connected devices than there are humans on Earth. Organizations have been as quick to embrace the Internet of Things as consumers have, and the healthcare industry is no exception. Medical IoT devices have exploded in popularity and grown in complexity.…


Tackling 3rd Party Risk Assessments Through a 3rd Party

In the enterprise, sometimes absurd is the order of the day.

Earlier this week I ended up in a conversation with a colleague about 3rd party risk. We started talking about the kinds of challenges his organization faced and, as the leader of the 3rd party risk program, what he's up against. As it turns out, when the organization set out to tackle 3rd party risk, a slight miscalculation was made. Long story short, his group has more than 100 vendors to manage in terms of 3rd party risk. That's 100+ vendors that interact with the network, the data, the applications, the people, and the facilities his enterprise has.

His team is staffed by a whopping 3 people, including him. To put this into perspective, and given that there are 250 business days a year, it means his team needs to complete 50 reviews per analyst. With 250 total days to work with, that means that they can spend a maximum of 5 days per 3rd party. Of course, we're not counting vacation days, sick days, or snow days. We're also not counting travel to/from sites to actually do investigative work, or the time it takes to do an analysis, debrief, or any of that.

This started to unravel in my mind pretty quickly. I pressed my colleague for an answer to how he could possibly achieve any measure of compliance and completeness, to which he answered: "We outsource the evidence gathering to a 3rd party".

My head exploded.

I'm not saying it doesn't make sense, or that there are very many real alternatives - but you have to know how crazy this sounds. They've outsourced the fact-finding portion of 3rd party risk assessments to a 3rd party. BOOM

The truth is that there is a lot that he was doing behind the scenes here which made this a little easier to swallow. For example, a standard questionnaire was developed based on a framework they developed and approved internally which minimized the amount of 'thinking' a 3rd party assessor had to do. Each category of required controls had a gradient on which the 3rd party being assessed was graded, and there was really very little room for interpretation. Mostly.

If you think about it, I'm confident that there are many, many enterprises out there with this minor challenge. Every enterprise does business with at least dozens, and on average hundreds, of 3rd parties to varying degrees. From your outsourced payroll provider, to the company that shreds your documents once a week, to the company that sends the administrative assistant who sits at their desk and answers calls and surfs Facebook all day. Every enterprise has a vast number of 3rd parties which need to be assessed - and risks identified.

While I'm definitely not crazy enough to think companies should only handle this with internal, trusted employees, I'm not completely convinced hiring out to a 3rd party is that fantastic of an idea either. There is so much to consider. For example, if that 3rd party assessor misses something, are they liable, or does that fall to your company? Ultimately in the court of public opinion - this is a trick question. The answer is always you.

I suppose the long and short of it is that enterprises have little choice but to use a 3rd party to help them manage 3rd party risk. But then the only question is - do they assess that 3rd party which will be doing the 3rd party risk assessments for unnecessary risk? It's enough to make your head spin, I know it gave me a headache just thinking about it.

What do you think the mature 3rd party risk assessment looks like? Do you have leading practices you could share? Contact me as I'd like to share them with our peers, and others who are struggling with this task right now.