TIPS FOR MANAGING RISK
Life is full of risk. As an executive, one of your primary responsibilities is to manage risk to protect your business and create an environment for it to grow and thrive.
Risk is managed at every level of your business, yet it is owned in the boardroom and the C-suite. Responsibility to lead and manage your business is vested in you by the owners of the business: your shareholders. While activities can be delegated in hierarchical organizations, responsibility never can be.
It is critically important that you create and maintain a risk management program owned at the most senior levels and designed to cascade throughout the business to where each employee knows they are valued and essential stakeholders in the risk management program.
A formal and disciplined risk management program best positions you to identify risk, to manage and control risk factors, and to sustain risk awareness.
The best risk management programs have well-defined processes, well-trained and motivated employees who understand and implement the program, and active leadership who maintain ownership over the risk management program.
You need to “know your enemy” and “know yourself” in order to have a successful risk management program.
When addressing your cybersecurity risk, it is imperative that you understand your threats, threat sources, and vulnerabilities and have as accurate a measure of the likelihood of an incident as possible.
You must consider all vulnerabilities including those presented by technical means, procedural or material defects, or human failures or deficiencies.
It is possible to measure and estimate cybersecurity risk. While cybersecurity risk estimation processes generally are not as mature as traditional risk estimations used by most corporations, cybersecurity risk can be quantified in monetary terms using the quantitative risk assessment technique.
This technique is difficult to employ due to the difficulty in assessing precise value to information and even greater difficulty in determining the likelihood of loss.
We believe that with prudent analysis and management judgment and oversight, reasonable estimates on the valuation of information are possible. Moreover, it is feasible to carefully analyze threat stream and statistical information to make informed estimates on the likelihood of events.
When these conditions exist, we believe the quantitative risk analysis methodology can be used to assess cybersecurity risk.
(We have cited examples to amplify upon our contention.) We believe you should incorporate quantitative risk assessments into your corporate business processes, wherever possible.
If you said no, you aren’t alone.
The sad state of affairs today is that most companies do not have a clue as to what their cyber risk profile is nor do they know how to calculate it. There are many who believe that there is no means to calculate your cybersecurity risk.
We do not agree. We believe that cybersecurity risk can be calculated using some of the same techniques you use to calculate risk in other sectors.
We will show you some examples demonstrating cybersecurity risk calculations, but before we get to the formulas, let’s review with you areas that commonly are exploited by the top five sources of cyber threats.
Threats to Your Intellectual Property and Trade Secrets
Next to your treasured workforce, your intellectual property and trade secrets are arguably your most valued assets. These are the most common targets for nation-states, organized crime, and insider threats.
Why? For the same reason you retain ownership of your intellectual property and keep secret the special (proprietary) tools of the trade that make your business a success: possession of intellectual property and trade secrets yields a competitive advantage.
Some nation-states and many criminals actively probe the net, looking to steal intellectual property and trade secrets. This is a lucrative market for the end consumer of the information, be it state-owned businesses or those who purchase such information.
It permits them to avoid costly research and development activities, move to production faster, and potentially muscle you out of the market.
Recall the Interpol estimate that cyber espionage is responsible for the theft of intellectual property from businesses worldwide worth up to US $1 trillion.1 This is a serious threat to you and your business.
So, what is the risk that your intellectual property and trade secrets may be exploited? Let’s use the following checklist to see if you are vulnerable to cyber espionage, theft, or exploitation:
Vulnerability Checklist (Cyber Espionage, Theft, and Exploitation)
1. Do you have intellectual property and trade secrets you need to protect?
2. Do you currently or in the future have market competitors who would benefit by having access to your intellectual property and trade secrets?
3. Do you store your intellectual property and trade secrets on computer systems?
4. Are your computer systems connected to the Internet?
5. Do your computer systems have Universal Serial Bus (USB) connections that enable thumb drives to be connected?
6. Do your computers have read-write DVD/compact disk drives?
7. Do you have frequent and regularly scheduled backups of your information?
8. Do you store your backup information in an off-site location?
9. Do you use any data feeds from other sources into your network?
10. Do you contract your system administration, maintenance, or software support?
How many “yes” answers did you have? If you had one or more, then you are susceptible to cyber-based risk.
“Wait!” you might ask, “Why do I have a cyber-based risk if I answered even one of the questions with a yes?” Here’s a quick rundown of how a “yes” to any of the following questions could lead to a cyber-based risk.
1. Intellectual property and trade secrets:
If you have them, you need to protect them. Suppose you are diligent in protecting your critical information: you do not store it on a computer, you maintain only hard copies of your classified documents, and you limit physical access to the documents.
Unfortunately, one of your employees has been recruited by one of your competitors to acquire your information.
They gain access to your files, photograph them with their cell phone camera, and upload the images from their phone onto a destination selected by your competitor. Fiction?
Regrettably no, as this type of exploitation has occurred multiple times around the world. If you have sensitive information, protect it. We recommend you keep cell phones and similar devices away from it.
Don’t forget meetings where you discuss sensitive information either. If someone has a phone in the room, your meeting may be broadcast to people and places you don’t want to include.
2. Market competitors:
Your competitors want to have a competitive advantage over you. Most are honorable and exercise fair and open competition; however, a rare few employ agents who seek access to your information (unauthorized, of course).
Nation-states, organized crime, and unscrupulous businesses all have been known to actively use cyber-based resources to steal or tamper with sensitive intellectual property and trade secrets.
Cyber espionage is a growing problem in the market-place with complaints to law enforcement officials continuing to rise. You and your business are at risk. Additionally, the better you are and the bigger you are, the bigger and more lucrative target you present.
3. Storage on computer systems:
If you store your information on a computer, you are like most other entities. Computers and their storage devices have become the preferred storage media for the world’s information, far surpassing paper copies.
This is because computer-based storage is less expensive, provides much faster search and retrieval capability, and enables near-instantaneous transmission of information to multiple locations.
The advantages of computer-based storage are many, yet this mode of storage comes with risks as well. Computers rely on electrical power and therefore must have a reliable, uninterruptible power source. They are machines that require maintenance and have components that sometimes fail.
They require software to operate effectively and software requires maintenance, regular updates, and most often licensing fees. There are ample possible points of failure that can deny you access to your critical information or present weaknesses that could be exploited by potential adversaries. This presents a risk.
4. Internet access:
If your information is on a computer connected to the Internet, it is potentially exposed to anyone else on the Internet.
Certainly you can and should implement prudent security measures such as boundary protection (i.e., firewalls, proxy servers, access control lists, etc.), encryption, and other technical measures.
But if your critical intellectual property and trade secrets reside on a system connected to the Internet, there is a risk that someone smarter than your IT team will gain access to that information.
5. USB connections:
USB ports add great convenience and transportability for information. You can plug in an inexpensive high-capacity thumb drive to transfer files between the computer and the thumb drive and even launch programs from the thumb drive.
How many times have you used a thumb drive to transport a business presentation, sensitive data, or even pictures of your family?
Like us, you likely have done so. Regrettably, bad actors have taken note of the proliferation of thumb drives and other devices that connect to USB ports (such as smartphones, digital cameras, and even the author’s watch!) and are now using them for malicious purposes.
An example is the recent Stuxnet attack, where the destructive code is said to have been inserted into the isolated Iranian nuclear control systems by using an infected thumb drive. Any device connected to your computers via a USB port has the potential to insert or retrieve information. There is a risk.
6. DVD/CD read-write drives:
These older media devices pose similar risks as do USB devices. They could be the entry point for malicious code or the egress point for your critical information.
U.S. Army Private Bradley Manning confessed to having used a compact disk with read-write capabilities to exfiltrate 1.6 gigabytes of classified information that he later uploaded to WikiLeaks.
As the U.S. Army painfully discovered, any time you have the ability to download information from your computer or the network it is connected to, you have a risk that the information may leak to unauthorized personnel.
7. Data backups:
This is considered a routine maintenance and risk avoidance activity in most professionally run IT departments.
Ensuring that you have duplicates of your information helps insulate you from hardware failures like crashed hard drives, software faults that occasionally corrupt files, and even “stupid users” who inadvertently delete critical information.
While many backups now are done through automated routines, it is important to find the right frequency and time to execute your backups lest you adversely affect business operations.
Because of the volume of data many businesses have, data backup often is done incrementally on a prescribed basis. Many businesses run a risk that a system failure can occur that can erase any data since the last backup. Do you know how often your IT shop backs up your data? You have a risk—do you know what it is?
8. Off-site storage:
This is a best practice within the IT community and entails maintaining backup copies of critical information at a location other than the primary location. This is designed to ensure that the data survives in the event of a catastrophe at the primary location.
As a result of the terrorist attacks on New York in 2001, many companies recognized the risk to their continuity of operations when their information was inaccessible.
Now, most businesses have robust off-site storage and data recovery plans designed to facilitate rapid restoration of capabilities from secured locations.4 They are reducing their risk by doing this. How are you addressing your storage risk?
9. Data Feeds:
Many, if not most, businesses rely on data from other sources to execute their operations. Financial institutions exchange transaction information at the speed of light. Similarly, electronic commerce flows through the Internet at ever-increasing volumes every day.
Business partners place orders through electronic data interchange (EDI) formats that are standardized around the globe. Data feeds fuel the business world and enable fast transactions at lower cost and greater precision. They also present a risk. What happens when your feeds are unavailable?
What happens if one of your data feeds is corrupted and is feeding your system with bad information? How would you know? How long would it take to fix? How much would it cost?
The integrity of your business depends on the accuracy of your information. You need to address your data feeds in your risk management planning.
10. Contracted system administration, maintenance, and software support:
Anyone who has access to your information, especially your intellectual property and trade secrets, poses a potential risk to steal or tamper with that information.
Your business likely vets each of its employees, but what provisions do you have to ensure that your contracted support is equally trustworthy?
What provisions do you have to ensure their competence? As with your own employees, be mindful that your intellectual property and trade secrets are vulnerable to theft, tampering, or destruction by contracted personnel. That is a risk worth protecting against.
We anticipate your intellectual property and trade secrets are potentially vulnerable. You want to protect them from the many cyber-based threats confronting you and your business, but what of other threats? How well do you “know yourself” and your vulnerabilities to other threats?
Technical risks are those risks presented through the operations and maintenance of the technical systems used by your business, for example, computers, processors, monitors, controllers, timers, alarms, etc. They are plentiful and can be catastrophic to your business.
If your chief information officer (CIO) is telling you that the IT staff is a crackerjack team and you don’t face a cybersecurity risk, we submit that it is time to begin your search for a new CIO.
How do you know you and your business have technical risks? They are there. Do you know what they are and have a plan to address them?
Let’s use the following checklist of questions to see if you are vulnerable to some of the most common technical risks found in organizations.
Vulnerability Checklist (Common Technical Risks)
1. Have you or your business ever been hacked?
2. Have you ever found malicious code (such as viruses, trojans, or worms) or unauthorized software on your systems?
3. Is your network being probed by outside entities?
4. Do any of the members of your IT staff fail to maintain current industry certifications in their specialties?
5. Are there more current software versions, including patches, available for your system?
6. Do you store data “in the cloud”?
7. Does your workforce use mobile devices such as smartphones, tablet computers, and laptops to conduct your corporate business?
8. Does your business solely rely on passwords to control access to the network and information?
9. Does the business conduct annual vulnerability scans of your network?
10. Do you allow remote access to your network?
If you answered “yes” to any of these questions, you have technical risks that need to be addressed.
We recognize that most executives have neither the time nor the inclination to become IT experts (although we have met many executives who mistakenly thought they were already!). Nonetheless, it is important to understand the basics and how they affect you and your business.
Let’s expand a bit on the aforementioned technical risk assessment (vulnerability checklist) so you can see where you and your business may have cybersecurity risks that ought to be addressed:
Previous incidents of hacking:
Organizations that have been hacked before are more likely to face other hacking attempts. Hackers like the challenge of breaking into systems and often post their results on Internet message boards to show off before their peers.
This invites others to try to get into your system as well because you have been identified as vulnerable.
Additionally, many hackers who successfully penetrate into systems will create “backdoors” that will permit them to come back whenever they want, undetected by you and your security personnel.
They are very careful to cover their tracks and try to leave no trace behind that will lead law enforcement and your security personnel to them or their backdoor capabilities.
If you have been hacked before, you are at great risk of being targeted again!
Malicious code:
Malicious code includes such things as viruses, trojans, worms, and remote access trojan (RAT) kits.
Our glossary of technical terms explains them in greater detail. Suffice to say, however, malicious code can get into your system and cause significant damage to you and your business.
There are numerous ways malicious code can enter your system. Malicious code can enter through an email message with an attachment or self-extracting file.
It can enter your system through a mobile device connecting with a poisoned connection point, such as a Wi-Fi spot, that has been compromised by a hacker.
It can enter through contaminated media like the thumb drives cited in the Stuxnet example. It can even enter your system when you visit websites that have been infected with the malicious code and pass it on to your system.
Even if you have the best antivirus detection software on the planet, once the malicious code gets into your system, eradicating it often is expensive and difficult.
If you’ve been infected before, there is a chance that the malicious code may have opened up your system for the planting of even more insidious and undetectable code. This is a significant cybersecurity risk!
Network probing:
If you are being told you aren’t being probed, either you aren’t connected to the Internet or you have an incompetent IT staff. The Internet is chock-full of people scanning the net looking for vulnerabilities.
In fact, there is a cottage industry evolving where hackers look for corporate networks that are improperly configured, find the vulnerabilities, and exploit them, leaving behind RAT kits that give them remote access into the corporate networks.
They then advertise that they have control of the networks and sell their services to the highest bidders, which occasionally includes the affected company, which pays to rid its network of them.
The lesson is that you will always be subject to probes looking for vulnerabilities. Ensure your defenses are adequate, properly configured, and technically current to minimize your risk.
IT staff certifications:
Would you fly on a jet airliner piloted by an individual who only had flown a single-engine propeller airplane a couple of years ago?
Who would do that? You expect the pilots to maintain their commercial pilot certifications, which includes the requisite qualification training, physical and mental wellness, continuing education, simulator currency training, and actual flight time, to maintain their proficiency. You should expect the same from your IT staff.
The IT industry has numerous professional certification programs to ensure that your IT staff has the current level of expertise and talent to perform at the high levels your business needs and deserves.
If you have IT personnel who do not have or do not maintain their professional certifications, they may not be capable of adequately defending your information against increasingly sophisticated threats. As such, you may expose yourself and your company to cybersecurity risks.
Moreover, like an airline that has an accident at the hands of a pilot who lacks certification, if your network is managed by technicians who don’t have proper certification and qualifications, you may expose yourself and your company to litigation in the event that your network is breached.
Our recommendation is that whether your IT staff is comprised of direct employees or contracted personnel, you need to ensure they have the right qualifications and certifications to do their jobs properly.
This will reduce your risk of having networks and systems that are not professionally and properly configured and operated. Moreover, it will reduce your liabilities in the event your system or that of one of your customers is compromised.
Software versions and patches:
Did you know that Microsoft releases security patches the second Tuesday of every month? Known as “Patch Tuesday,” it has been a great help to IT staffs around the world and significantly helps improve the security of Microsoft products.
Companies like Microsoft routinely issue patches to their code to improve their products and harden them against vulnerabilities that have been discovered in their code.
Unfortunately, it takes time for the software developers to create patches to counter vulnerabilities, so the time between detection of the vulnerability and fielding of the patch is when you are most vulnerable.
Therefore, when a certified and tested patch emerges from the vendor, it is in your best interest to patch your system quickly to reduce your risk exposure.
Likewise, newer versions of software repeatedly have been found to be better constructed and more secure. Maintaining current software configurations and patches is an IT best practice that minimizes your cybersecurity risk.
Storage in the cloud:
The jury is still out when it comes to cloud storage and security. Cloud storage involves storing data on multiple servers often connected to the Internet and generally is hosted by third parties.
Because your data is being handled on devices managed by someone else, likely will traverse across the Internet, and is hosted on “virtual” servers on platforms that host information that belongs to other entities, what could go wrong?
We contend that cloud computing presents an attractive and economical means of storing data yet presents a cybersecurity risk worthy of a thorough risk/benefit analysis before making any commitment to put mission-critical information into “the cloud.”
Mobile devices:
They are everywhere! You likely have a smartphone and a tablet computer to complement the desktop that graces your office. After all, you need to be connected all day, every day, no matter where you are.
You need to be connected to your workforce as they execute their duties, no matter when and where they are too. It is intoxicating to see how fast the business community works when it employs mobile computing devices. Choices in devices are exploding too.
Employees clamor for the latest and greatest devices, while IT departments struggle to integrate heterogeneous devices powered by disparate operating systems from Apple, Microsoft, Google, and others into the corporate network.
Mobile devices often connect to other networks that may not be protected as well as yours and may serve as a means to introduce malicious code into your network when they “return home.”
Recall Timothy Thomas’s observation in blog 2.0 about business executives traveling in China observing that their mobile devices were exploited. Mobile devices are great tools yet require the policies, procedures, training, and discipline to minimize your cybersecurity risk.
Passwords:
Passwords are getting easier to crack and exploit. The U.S. Department of Defense recognized this fact years ago and invested in a two-factor authentication system using Public Key Infrastructure (PKI) to verify identities prior to granting network access.
The department’s PKI system features identification cards with a chip containing electronic tokens associated with the individual. Defense personnel logging into defense networks slide their identification card into a reader that reads the electronic chip to retrieve the token and queries the user for their password.
Once that is supplied, the network domain controller polls a trusted server on the network to verify that the password and token indeed are appropriately matched before granting the user access to the network.
The commercial sector too is rapidly adopting two-factor authentication in lieu of simple passwords as a means to authenticate and grant access to network and information resources.
For example, the author’s bank offers a similar two-factor authentication system for its electronic banking to reduce its risk of theft. If you do use passwords, there are several best practices you should follow at home as well as in the office.
Password Best Practices
Try to make your password something you can and will remember.
Don’t store your password on a sticky note by your computer, in your wallet, or in your phone. Keep it as secure as the information it protects!
Don’t make your password easy to figure out (e.g., P@$$W0rd), your spouse’s or child’s name (e.g., M0mm@of2), or your favorite sports team (e.g., $t33LeR$#1). Bad actors run password cracking programs that have thousands of passwords like these already stored in their tables.
Passwords of 14 characters or more are statistically most secure. Use the maximum strength password that your system will allow.
Never share your password with anyone.
Never reuse your username and/or password on other accounts.
Make sure your password has two upper cases, two lower cases, two special characters (e.g., @, #, $, %), and two numbers in it.
Avoid using typical character substitution (such as @ for “a,” ! or 1 for “l,” and 0 for “O”) in lieu of letters.
Change your passwords often. We recommend you change your passwords every quarter. Now, with automated reminders you can load in your phone, you have no excuse for forgetting to do it.
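The best practices above can be turned into a policy check. The following is an added illustration, not code from the book: it enforces the stated length and character-class rules, and it undoes the typical substitutions the list warns against so that a disguised dictionary word still fails. The word list and substitution table are constructed samples, not a real cracking table.

```python
"""Checker for the password best practices listed above (added example)."""
import re
from collections import Counter

MIN_LENGTH = 14        # "Passwords of 14 characters or more"
MIN_PER_CLASS = 2      # two upper, two lower, two special characters, two numbers
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")

# Constructed stand-in for the thousands of entries in a cracker's tables:
# dictionary words, family terms, and sports teams.
COMMON_WORDS = ("password", "momma", "mommy", "daddy", "steelers", "steeler",
                "welcome", "letmein", "admin")

# Typical substitutions the checklist says to avoid. Undoing them reveals the
# plain word that a cracker's rule engine would try anyway.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                               "!": "l", "3": "e", "5": "s", "7": "t"})


def undo_substitutions(password):
    """Map P@$$W0rd -> password so the hidden dictionary word becomes visible."""
    return password.translate(SUBSTITUTIONS).lower()


def check_password(password):
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")

    # Count each character class once; everything else (spaces, unicode) is ignored.
    counts = Counter()
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch in SPECIALS:
            counts["special"] += 1
    for cls in ("upper", "lower", "digit", "special"):
        if counts[cls] < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {cls} characters (has {counts[cls]})")

    # Dictionary check on the de-substituted form, letters only.
    plain = re.sub(r"[^a-z]", "", undo_substitutions(password))
    for word in COMMON_WORDS:
        if word in plain:
            how = "verbatim" if plain in password.lower() else "after undoing character substitutions"
            problems.append(f"contains common word '{word}' {how}")
            break

    return problems


if __name__ == "__main__":
    # The three examples the checklist calls out, plus one that complies.
    for candidate in ("P@$$W0rd", "M0mm@of2", "$t33LeR$#1", "Tr4in!Bridge#Lamp77"):
        print(candidate, "->", check_password(candidate) or "OK")
```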
Vulnerability scans:
Your cybersecurity personnel should be continually scanning your network to detect suspicious behavior and to find and correct vulnerabilities. Scanning is not a once a year event.
Your CIO and chief information security officer (CISO) should have the results of vulnerability scans as one of their primary job performance metrics.
The scans should show how many vulnerabilities are present. Up-to-date scanning software can categorize the severity of each vulnerability to aid in the risk management process.
These are your risks. You own them; they don’t just belong to the CIO and CISO. Ask to see the results regularly and incorporate them into your governance and oversight rhythm.
It is our experience that when vulnerability information makes its way to the directors and officer level, attention is paid and the number of vulnerabilities quickly drops!
Remote access:
This capability provides increased employee productivity and cost savings when implemented efficiently, effectively, and securely.
When it is not properly configured, bad actors may find it to be “the information superhighway” to your corporate secrets. There are several risks that remote access poses to your cybersecurity posture:
First, the device you are using at the distant end may be infected or contaminated. You don’t know what that device has plugged into before it came to your network asking to be connected. It may have a virus just waiting to infect your network!
Second, when you permit that device to connect, you are opening up your security perimeter, making it increasingly difficult to defend against hostile threats.
Third, once you open up that hole in your defenses, you need to ensure it is sealed properly after the remote access session is concluded.
We have found a best practice is to implement a policy establishing a limit on the amount of time for the remote connection.
When the limit is up, the session is terminated unless the legitimate user on the distant end reverifies their identity to the network. Another best practice enabled by technology is to implement a “comply-to-connect” policy.
This means that when a device goes to log in to the network remotely, it is quickly scanned by your network devices to ensure it is properly configured to your standards and is free of malicious codes.
This capability is not inexpensive and slows down the log-in process, but it definitely helps prevent contamination from remote access devices. Remote access is a powerful capability for your mobile workforce, yet we advise caution in granting remote access. Not everyone needs it.
An important reminder about remote access is that it not only applies to your administrative and business computing systems but also to your specialized equipment too.
Many industrial control systems (ICS) such as your heating, ventilating, and air conditioning controls (HVAC), industrial machinery (e.g., pumps, valves, flow and speed regulators, and fuel systems), water and sewage, and power generation all rely on specialized computer controls to operate.
Often referred to as Supervisory Control and Data Acquisition (SCADA—pronounced SKAY-DAH) systems, these embedded computing devices control and regulate the critical systems that support the technology we have grown highly reliant upon.
Many SCADA systems are connected to the Internet and have been fielded without adequate cybersecurity controls. Frankly, when many were fielded years ago, the cybersecurity threat was so small that many people did not notice the threat to SCADA systems.
As we saw with the recent Stuxnet attack, SCADA systems indeed are vulnerable and cyber attacks on them can have a catastrophic effect. Physical security of these systems is important too.
Even if the device is not connected to the Internet, if it is accessible to someone physically connecting to it, you are at risk. We recommend you minimize your risk by only granting access to those who truly need it and only during those times when they need to.
The risks identified earlier are just a few of the technical risks that are out there. Fortunately, technical risks can be reduced significantly by the professional management of your information technologies, regular independent auditing, and prudent investments to maintain system currency.
These are core competencies of your CIO and CISO, yet they need your help and support to ensure that the appropriate mix of plans, policies, and resources is applied to provide the optimum cybersecurity posture to meet your business objectives. It is a team effort!
Because cybersecurity is a team effort, as an executive, you need to recognize the strengths and weaknesses of your team. Not everyone on your team is a superstar when it comes to cybersecurity.
Human risks to your cybersecurity posture are profound. From the top of your organization to the bottom, your workforce presents significant risks that you need to address.
Wonder what kinds of human risks you and your company may face in the cybersecurity realm? Here are a few common ones (and they may look familiar in non-cybersecurity settings too) that you need to address deliberately before they yield catastrophic results:
Spear phishing and whaling:
In a spear-phishing attack, a target receives a carefully crafted email that looks like it came from a legitimate source. It has the right look and feel to make the recipient think it is an ordinary email.
The recipient is lured either to download a seemingly harmless file attachment or to click a link to a malware- or exploit-laden site. The file, often a vulnerability exploit, installs malware on the compromised computer.
The malware then contacts a malicious command and control server to await instructions from a remote user. At the same time, it usually drops a decoy document that opens when the malware or exploit runs, to hide the malicious activity.
Are you and your workforce susceptible to these email-based attacks? Absolutely! We all are. How can you reduce your risk? Before opening any email, look at the message information in your inbox and ask the following questions.
Relevant: Is this message relevant to me and what I am doing?
Expected: Did I expect this message?
Authenticated: Did this really come from the person that it says it came from? Is it from a different email address than I am used to?
Digitally signed: Is this digitally signed? Digital signatures are increasing in use and help verify the identity of the sender. Look to see if the sender signed it to verify their identity.
If you answer “no” to any of these questions, you need to be on alert that the email may be tainted. Never click on an embedded link without knowing for sure where it is going! Never click to open an attachment that comes from a suspicious source! READ your mail carefully!
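As an added example (not from the book), the "Authenticated" and "Digitally signed" questions above can be partly answered from message headers before anyone opens the mail. The two messages, the examplecorp.test domain and the Authentication-Results values are all constructed for the example.

```python
"""Added example (not from the book): header triage for the "Authenticated"
and "Digitally signed" checklist questions, run over two constructed messages."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims the CEO, but the address, the
# Reply-To and the receiving server's authentication results all disagree.
SUSPICIOUS_MESSAGE = """\
From: "Pat Chen (CEO)" <pat.chen@examplecorp-invoices.test>
Reply-To: accounts@mail-drop.test
To: assistant@examplecorp.test
Subject: Invoice 4471 - please process today
Authentication-Results: mx.examplecorp.test; spf=fail smtp.mailfrom=mail-drop.test; dkim=none
Content-Type: text/plain

Please download the attached invoice from the link and process it.
"""

# Constructed sample: internal sender, SPF and DKIM pass, S/MIME signed.
SIGNED_MESSAGE = """\
From: "Pat Chen" <pat.chen@examplecorp.test>
To: assistant@examplecorp.test
Subject: Q3 board deck
Authentication-Results: mx.examplecorp.test; spf=pass smtp.mailfrom=examplecorp.test; dkim=pass header.d=examplecorp.test
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Deck attached as discussed.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIB...placeholder...
--sig--
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_warnings(raw: str, trusted_domain: str) -> dict:
    """Return named warning flags derived only from the headers.

    trusted_domain is the domain your own staff send from (assumption: one
    corporate domain). A True flag answers "no" to one of the checklist
    questions; it is a reason to pause, not proof of an attack.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    auth = msg.get("Authentication-Results", "").lower()
    trusted = trusted_domain.lower()
    label = trusted.split(".")[0]
    return {
        # Authenticated: the apparent sender is not one of our own addresses
        "external_sender": from_domain != trusted,
        # Authenticated: a domain that merely resembles ours
        "lookalike_domain": from_domain != trusted and label in from_domain,
        # Authenticated: replies are routed somewhere other than the sender
        "reply_to_mismatch": bool(reply_addr) and domain_of(reply_addr) != from_domain,
        # Authenticated: our receiving server could not verify the sending domain
        "spf_not_pass": "spf=pass" not in auth,
        "dkim_not_pass": "dkim=pass" not in auth,
        # Digitally signed: no S/MIME or OpenPGP signature structure present
        "not_digitally_signed": msg.get_content_type() != "multipart/signed",
    }


def verdict(flags: dict) -> str:
    """Summarise: any raised flag means read the message with care."""
    raised = [name for name, hit in flags.items() if hit]
    return "WARN: " + ", ".join(raised) if raised else "no header warnings"


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, SIGNED_MESSAGE):
        print(verdict(header_warnings(raw, "examplecorp.test")))
```

A passing check does not make the message safe; it only removes the header-level reasons to distrust it, so the "Relevant" and "Expected" questions still apply.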
Social media is a great means of communicating quickly and effectively to a wide variety of people. When used as part of a well-managed business strategy, it can be a boon to your market presence and give you a decisive advantage over your competitors.
It can also be a huge cybersecurity risk that can sink your reputation and open your business to attack. Don’t believe that your Facebook or Twitter account could open you to attack when not used properly?
Think again. Look up “Koobface” on the Internet (yes, it is an anagram of Facebook). It is a computer worm that appeared on social media sites including Facebook, MySpace, and Twitter.
It was designed to gather log-in information, set up botnets to do the bidding of the bad actor behind the malicious code, and open the user’s computer up to further exploitation. It originally spread quickly through friend requests on the social network.
When the user clicked a link, it sent them to a poisoned site where the malicious payload was delivered and installed on the user’s system. Despite the strengthening of security at Facebook and other social media sites, Koobface versions still abound in 2013. Koobface is an example of how malicious code propagated through social media presents a risk.
What about other known cybersecurity risks of using social media? Bad actors have been known to use social media to map organizations by making hierarchical associations using the friends feature of the social media tool.
It is not unusual for people to “friend” their boss and subordinates on social media sites. Bad actors know that and with a little work are able to ascertain from the social media site, web searches, and other sleuthing who does what in organizations.
They then take that information and invest it into their spear-phishing efforts. Aren’t you more likely to respond when you get an email from your boss correctly referencing his boss as well as members of your workgroup?
Most people would and bad actors seek to leverage this fact to use a variety of technical and social engineering techniques to gain access to your information.
What about instances where employees in your company go onto their social media site and bad-mouth you and your company?
In some instances, employee disclosures of corporate impropriety and trade secrets have occurred over social media outlets, resulting in great embarrassment to the business, dismissals, and temporary loss of value in the marketplace.
Our advice to reduce your social media cybersecurity risk is to regularly and thoroughly train your workforce on how to use the tools safely and responsibly.
Consider conducting internal exercises such as seeing if they are able to identify a potentially malicious email or malicious social media activity.
This will help you fine-tune your training program as you discover where your weaknesses are. Also, don’t be afraid of using social media just because there are threats.
You and your business should not be strangers to social media. Social media enables business growth through market presence and visibility, rapid communication to prospective clients and yields valuable feedback from your customers.
Ensure someone on your team has responsibility for posting your message and monitoring social media sites to ensure your valued brand remains in good stead.
Your employees may inadvertently disclose sensitive information without even realizing it.
Numerous examples abound where unwitting employees post information to websites, send out letters and emails, and even conduct press conferences revealing sensitive material that senior leaders in the organization want to be protected and withheld.
Such sensitive material is not limited to just trade secrets. It can just as easily be personally identifiable information protected under the Privacy Act, or it could be copyrighted material you do not have rights to use. Just the other day, my college-aged son received a note from Netflix informing him that the next season of “Fringe” would have to be pulled from their site as they did not yet have rights to show it. We already watched the first episode but will have to wait another month to resume the series.
Imagine what happened behind the scenes at Netflix when they found they had a problem. Imagine what the liability implications are behind such an inadvertent disclosure. Training is essential to reduce the likelihood you will have inadvertent disclosures and thus reduce your risk.
Some may argue that inadvertent disclosure and ignorance are one and the same. We disagree. While there is some overlap and they often share common results, ignorance is the result of not knowing something, while inadvertent disclosure is the result of a mistake made contrary to a known policy or procedure.
People often are ignorant of rules, procedures, concepts, and even of the effects of their actions, yet we believe that the vast majority of people try to do the right thing. Take the following cybersecurity incident into account and see if ignorance had a hand in how the situation developed:
In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service.
A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice.
The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker. The supposed invoice actually was a Remote Access Trojan (RAT) that was configured to contact a C2 server located in Ukraine.
Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files.
Would you think that the administrative assistant was ignorant of policy and procedures? Should the administrative assistant have confirmed the call prior to processing the invoice?
Was it unusual for the administrative assistant to receive a phone call from another vice president in the company instructing her to process the invoice?
One certainly can make the case that there were warning signs of a potential cybersecurity threat that a well-trained employee could have caught.
Ensuring your employees are well trained, understand and employ policy and procedures, and act as fully empowered members of the team are core attributes of executive leadership.
Look within your own organization with this type of cyber attack in mind. What should you do to train your workforce to ensure something like this never happens to you? How will you change the ignorant to the informed and thus reduce your risk?
Many lawyers will tell you that negligence and liability are often spoken in the same sentence in courtrooms. Here is an important definition to remember: “A person has acted negligently if he or she has departed from the conduct expected of a reasonably prudent person acting under similar circumstances.”
Increasingly, lawsuits are emerging in the courts as plaintiffs allege negligence against organizations that fail to protect their personally identifiable information such as social security numbers.
Other lawsuits allege negligence to properly follow their own policies to maintain their cybersecurity posture. Consider the following case:
In Baidu, Inc. v. Register Domain Names at Register.com, Inc., a search-engine operator, Baidu, Inc., sued Register Domain Names at Register.com, its traffic-routing services provider, after a hacker gained access to Baidu’s account and directed its web traffic elsewhere. Imagine the business next door diverting all of your phone calls to it. Baidu sued.
Baidu asserted breach of contract, negligence, and gross negligence claims. Register.com moved to dismiss, arguing that its security policy contained a broad limitation of liability provision.
And it did. But it also contained statements about how Register Domain Names at Register.com protected its customers’ information and employed security measures to guard against data breaches.
Baidu argued that Register Domain Names at Register.com’s failure to follow its own policies constituted a breach of contract and gross negligence. The Southern District of New York agreed.
The court held that the limitation of liability provision barred an ordinary negligence claim, but not the breach of contract and gross negligence claims.
The court stated that if Baidu proved what it had alleged, “then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner.”
A few months later, the case settled for an undisclosed sum.
Can you and your business afford to be negligent when it comes to cybersecurity? What is your liability risk if the information in your care is compromised through the negligence of your employees? What mechanisms do you have to detect and mitigate negligent behavior?
Apathy is a dangerous condition under any circumstance but especially when it comes to cybersecurity. When people have been trained, informed of the threat, understand the impacts, but don’t care, then you have a recipe for cyber disaster. Apathy is a leading (and frustrating) cause of cybersecurity incidents.
For example, hackers and identity thieves increasingly target small businesses, yet only 28% of small businesses consider cybersecurity a priority, according to an AT&T report.
The National Cybersecurity Alliance (NCSA) warns that this “cyber apathy” can be costly to both small businesses and consumers. We agree. The best cure for apathy is prevention, and strong positive leadership is essential.
Look for signs of apathy such as failure to follow policy and procedures, resistance and failure to complete cybersecurity training, and other behaviors that point to lack of support for your cybersecurity program.
If you make cybersecurity a priority, reinforce its importance with your words and deeds, and hold employees accountable, apathy likely will fade away.
This is a controversial topic. Calling someone stupid is politically incorrect. Nobody likes to be accused of being stupid, but people do stupid things. Even intelligent people make mistakes, especially in the cybersecurity realm. Nonetheless, this is a discussion of risk and the threat of stupidity is real, making you and your business vulnerable.
You have to address stupidity. Don’t ignore the possibility that you or your people may do stupid things! Penetration testers (the folks who specialize in testing your cyber defenses, also known as pen-testers) find that stupidity is a HUGE threat vector they can exploit to gain access to systems. Take for example a recent exercise conducted by the DHS.
They deliberately planted several USB thumb drives and data disks in the parking lots of federal agencies and their contractors.
Despite the requirement for comprehensive cybersecurity training among the workforce at those agencies and their contractors and the known possibility that the drives and disks could be infected, 60% of those drives and disks ended up being loaded onto government computers in contravention of existing policy and training.
DHS found that if the drive or disk had “official” government markings, the “success rate” for it being inserted in the computer rose to 90%.[12]
In the aftermath of the test results’ public release, the usual sniping of the government briefly rose, yet criticism was oddly muted as corporate America found they too were susceptible to similar tests.
We imagine that many who read the stories of the testing were uncomfortable as they thought about how they and their colleagues would react if they were part of the test.
How should a business executive address stupidity to reduce their risk? We think John Verry, principal enterprise consultant of Pivot Point Security, says it best: “You can’t fix stupid. You can only try to make people more aware.”
Curiosity is essential for creativity and is the type of trait we seek in our employees. The curious are the people who find new and better ways of doing things and who develop the new products and services that yield the best profit and growth in your business. They also are the most susceptible to social engineering by cybercriminals.
Cybercriminals can use the simplest of methods to get maximum yield by simply exploiting human curiosity. How? The most common method is via email. It doesn’t matter if the email is part of a widespread spam mailing or a targeted spear-phishing message as long as it is well-crafted and interesting.
People tend to click on links that promise to lead them to appealing locations.
Techniques successfully used by cyber criminals include alarming the recipient about problems with their credit or banking information and providing them with a link that purports to take them to a location where they can learn more about what the problems are and how to resolve them.
When the link is clicked, a remote access toolkit or other malicious code is downloaded onto the recipient’s computer and the criminal now has control.
Other appeals that sucker even the most discerning of users include links that promise imagery of recent catastrophes or sporting events, political controversies, or business insider information.
Emails containing attachments are among the most dangerous to the curious. Recently, after Mandiant Corporation had released its report on Chinese computer espionage, emails containing an attachment purporting to contain a copy of the report made the rounds on the Internet.
Everyone wanted to read the Mandiant report, and here, someone presents it for recipients to open and read without having to search for it.
How convenient! While many people opened the attachments and eagerly read the report, they also exposed themselves and their businesses to danger as the attachment contained hidden malicious code that allowed bad actors to access the recipient’s computer and its information.
The lesson? If you are curious about a topic, get your information directly from the trusted source. How do executives reduce risk by addressing curiosity? Set your policies, explain them, train your employees, test your employees, and stay on message.
Mark Rasch, director of network security and privacy consulting for Computer Sciences Corporation (CSC), advises, “Rule No. 1 is, don’t open suspicious links.” Rasch continues, “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.” We agree. Curiosity killed the cat.
It can also kill your business. While we strongly encourage and foster curiosity in our business, you need to channel it away from activities proven to be deleterious.
Lack of leadership:
Have you ever noticed how leadership sets the tone for an organization? I once had a boss who came to work every morning angry, and that anger spawned fear and angst that rippled throughout the organization.
Fortunately, his boss saw it too and replaced him with a positive leader who rejuvenated and inspired our organization to do great things.
Your leadership makes a difference, both positively and negatively. When it comes to your cybersecurity risk management program, if you aren’t leading it, it will fail. Why?
Because if you don’t make it a corporate priority and delegate it to your technical staff, others in the company will see that it is not one of your priorities and will not support it either.
Many executives exclude themselves from cybersecurity training, citing that. Every time you order an exception to policies for yourself, the word gets out that the boss is not serious about cybersecurity.
As a result, your risk goes up as your cybersecurity posture erodes. Our recommendation is that you make it clear throughout your organization that you feel strong personal ownership in your cybersecurity risk management program. Lead by example. Put it on agendas.
Include cybersecurity messages in your interactions and correspondence with your employees. Take the same training as your employees to ensure it is up-to-snuff and meeting your corporate objectives.
It is expected that you will delegate the administration of your cybersecurity risk management program to subordinates, but you never delegate responsibility and ownership. The moment you delegate responsibility and ownership, you fail—every time.
Lack of accountability:
Lack of accountability is one reason why organizations fail. When things go wrong, what happens if nobody is responsible?
If nobody is responsible, then the wrong things keep happening. How do you handle situations where things go wrong? Do you have guidelines that outline consequences for certain actions? Are they well known to all employees?
Are they published? Are they followed?
Like other critical business functions, cybersecurity must be viewed with the same rigor as traditional profit-generating activities. People need to know what their responsibilities are and be held accountable to deliver upon them.
When they fail, there have to be consequences; otherwise, you risk that others in the organization will see there is no incentive to uphold their own responsibilities.
When this happens, morale wanes, discipline erodes, and you find yourself the captain of a sinking ship. You already know good people make mistakes. Nonetheless, there have to be consequences for improper conduct. The consequences ought to be commensurate with the conduct and the impacts.
When it comes to cybersecurity, the stakes are high as the average cost to clean up a cyber incident in 2013 is reportedly US $616,000.[17] If someone clicks on a link in an email that brings a virus into your network that costs significant amounts of money to remedy, what do you do?
Your directors and officers, your employees, and shareholders expect you to provide decisive leadership and hold people accountable. Cybersecurity has evolved into a critical business imperative. You must hold people accountable to manage and control your risk.
CALCULATING YOUR RISK
In the preceding discussion, we raised some questions you should ask as you evaluate your cybersecurity risk. Exposure of your intellectual property and trade secrets, as well as technical and human risks, are all critical items of interest you should factor into your risk analysis.
You should ask your staff tough questions and verify their answers. Your business is at stake!
[17] Average cyber-attack clean-up totals $616K, Infosecurity Magazine, accessed on September 10, 2013. Author’s note: there are various reports that show a range of costs on cyber incidents that range from a low of near US $300,000 to a high of US $8.9 million per incident.
We selected a contemporary figure from a trusted source that is backed by solid data to represent the costs associated with loss and cleanup generated by cyber incidents.
There is no universally agreed-upon prescriptive formula to calculate risk. Actuarial science has evolved to where several risk specialists are available to help you using some well-researched complex proprietary formulas backed by empirical data.
You are well advised to investigate insurance and actuarial advice when selecting options to address the risks you possess and the costs they might entail. But where do you start when calculating your risk?
Do you call in one of the expensive actuary experts? Perhaps. But before you do, you can begin framing your analysis yourself by doing your own calculations based on “knowing your enemy and knowing yourself.”
Hopefully, the previous sections got you thinking about the vulnerabilities and threat sources we’ve discussed thus far. Understanding the threats, from whom and where they may come, and your vulnerabilities is essential to calculating your cybersecurity risk. The next step is determining what is actually at risk.
There are two popular techniques in calculating risk. The first is quantitative risk analysis, which is based on assigning real and meaningful numbers to all elements in your risk analysis. The second, qualitative risk analysis, does not use calculations. It is based on scenarios. We’ll demonstrate how to use both by citing examples.
Quantitative Risk Assessment
Quantitative risk analysis is a mathematically complex subject that is the hallmark of insurance companies and financial institutions, but it is rarely used in the context of information technologies and cybersecurity because of the difficulty in assigning a value to information and even greater difficulty in determining the likelihood of loss.
Both areas, value assessment and the probability of loss, tend to be approached subjectively and do not lend themselves to objective and quantitative analysis.
Nevertheless, we believe that with prudent judgment and management oversight, reasonable estimates on the valuation of information are feasible. Likewise, it is possible to carefully analyze threat stream and statistical information to make informed estimates on the likelihood of events.
When these conditions exist, we believe the quantitative risk analysis methodology can be used to assess cybersecurity risk. We believe you should incorporate quantitative risk assessments into your corporate business processes, wherever possible.
Let’s walk through a high-level example calculation to illustrate how you can use the quantitative technique to assess your risk to a cybersecurity threat.
We submit that your intellectual property and trade secrets are your principal valued assets at risk to cyber incidents. Further, we submit that like hard assets, your intellectual property and trade secrets have a value that can be calculated and factored into your risk equations.
Think about it for a moment. If you were contemplating the sale of your company, you would have to estimate the value of all of your assets, and we are certain that you would come up with a number that would be credible both to you and to the potential buyer.
Moreover, in all likelihood, the buyer would require the segmentation of asset valuations in order to turn his “due diligence” accountants loose.
They, in turn, would use accepted accounting techniques to validate (or invalidate) your estimates. What we are suggesting here is that you use the same methodology to establish a value for your intellectual property.
How much is your intellectual property worth to you?
How much is that secret family recipe worth? Often, you’ll hear executives touting that their secrets are priceless, but nobody really believes that. Everything, including information, has value and value is the principal concern when calculating risk and making investment decisions.
We submit that one way to establish the value of your intellectual property and trade secrets is a summation of the following costs:
1. Profit value:
Your intellectual property and trade secrets give you a competitive advantage that translates to increased profits. Do you know the impact that your intellectual property and trade secrets have on your bottom line?
Do you have statistics that indicate before and after effects? Can you put a value on what they mean to your business?
2. The cost to acquire or develop:
How much did the acquisition or development of the information cost? Whether you did an outright purchase or developed it from in-house resources, your information represents an investment with a tangible value. You should know how much you have invested.
3. The cost to maintain:
Maintenance costs for information often are camouflaged in budget sheets yet they are noteworthy. First, you have to store the information you already have. Hardware to host it, software to manage and read it, and staff to maintain it are all costs. Information itself often is perishable and needs to be maintained.
An example is financial data that is continually updated and added to models that calculate opportunities and trends used by investment specialists.
The addition and integration of that data, maintenance of the data feeds, and the periodic addition of additional storage as the volume of information increases all ought to be factored into your cost to maintain figures.
Similarly, the expenses associated with securing the information and providing adequate system redundancy to keep it available should be included in your cost to maintain calculations.
4. The cost to replace:
This is not as straightforward as it may seem. In calculating this cost, don’t forget you need to factor in all the costs to replace your information.
Cost items to consider include the loss you incur while the information is being replaced, the cost to acquire or develop the replacement, and costs associated with any substitutes or proxies used in lieu of the lost information.
For example, suppose that all of the data from your quality control analyses for your main chemical product were lost or completely compromised. How much would it cost to repeat all of the chemical analyses?
5. Cost if unavailable:
This represents the cost to you and your business if the information is unavailable.
For example, if you rely on your information to create or generate business, not having it available through theft, alteration, or other malicious or unintentional activity deprives you and your business of revenue. This is a cost that ought to be factored into your calculations.
6. Liabilities if compromised:
You and your company may find yourself open to liability if your information is compromised.
For example, as a director or senior executive, you likely are familiar with indemnification insurance that protects officers of the corporation against lawsuits from shareholders.
If your intellectual property is stolen by a cybercriminal, it is not unreasonable to expect that a lawsuit may be filed, alleging lack of adequate management controls to protect the business’ vital information.
Other potential liabilities come from lawsuits filed by partners with whom you may share portions of the intellectual property or even clients for whom you were developing the intellectual property.
Once you have summed all of these costs, the result represents what it would cost for you to replace the intellectual asset. It does not represent the true value of the asset. The true value is the cost plus what a buyer would be willing to pay over and above the replacement cost.
Your customers are delighted with your product, and word-of-mouth advertising is causing orders to soar. You have three shifts working around the clock and have expanded your facilities twice to keep up with demand. You now are contemplating opening another facility to handle further increases in demand.
Such exceptional growth has caught the eye of investors and competitors alike. Industry associations are praising your company for revitalizing the regional steel industry.
You are getting a lot of positive media attention too with numerous requests for interviews. University professors have contacted you asking for permission to do case studies analyzing your success.
Competitors have made it known quietly they intend to soon offer special alloys to compete against your product. You aren’t overly concerned as they haven’t been able to duplicate your formula and manufacturing process in three years. You have a big head start and momentum. Life is good!
But you realize the good times may not always be there. You recognize there are many risks facing your business and you need contingency plans.
You mentally walk down some of the risks you face: the reduced market for your steel, someone introduces a better product or undercuts your prices, labor and material shortages or interruptions, and flooding on the Monongahela River (your facility sits along the river).
Are these realistic threats?
Absolutely! You already have plans in place that analyze the risks in each of these areas and how your company would respond. Moreover, you feel comfortable you have the right kind and amount of insurance to cover the greatest threats to your business.
Later that evening, you are sitting at home sipping your Iron City beer watching the KDKA evening news when you see a report of a cyber attack on a local retailer where thousands of credit card numbers were stolen.
You know the CEO of the company from the local chamber of commerce meeting but haven’t shopped at one of his stores, so you blow a sigh of relief at not having your credit card compromised.
You are astonished at the estimated liability and direct loss associated with the incident. Good thing you are not in retail and don’t face the risk of someone using a computer to steal credit cards from you.
But wait, the local reporter interviews a professor from Carnegie Mellon University who is a cybersecurity specialist. The professor says that retail establishments aren’t the only businesses vulnerable to cyber attack.
In fact, she advises, all businesses are vulnerable in one way or another and should take proactive measures to protect themselves. You finish off your beer, planning to look at your cybersecurity risk the next day.
You start by meeting with the head of your IT department. He serves as your de facto chief information officer (CIO). You consider him your resident “geek.”
You haven’t considered him part of your senior executive team, although he has been very effective in integrating new technologies to help accommodate the growing business.
He oversees the operation of business unit networks, the telephone system, web presence, and mobile devices. He manages the electronic data exchange between your procurement department and your suppliers.
He even works with the manufacturers of your milling equipment to ensure your business unit networks get reliable data directly from the milling equipment’s smart controls. You tell him you are concerned about cybersecurity risks and want to know where you are most vulnerable.
“Boss,” he tells you, “You are vulnerable everywhere.”
You bring in your chief financial officer (CFO), your chief operating officer (COO), and your general counsel to continue the discussion. Together, the five of you determine the most damaging threat to your business is someone getting your alloy’s formula and using it in direct competition against you.
You decide you want to know what the cybersecurity risk is of someone taking your alloy’s formula. Because you’ve used it to calculate other risks, such as calculating potential loss of the mill to fire, you order a quantitative risk assessment.
Quantitative risk can be expressed as annualized loss expectancy (ALE), which is the expected monetary loss for an asset due to a risk being realized over a one-year period.
ALE is the product of the impact of the loss (expressed as the single loss expectancy or SLE) and the likelihood of how often the loss occurs (expressed as an annualized rate of occurrence or ARO):
ALE = SLE × ARO
Your team follows a disciplined process to evaluate the cybersecurity risk scenario.
Let’s begin with Step 1: assigning a value to assets.
Assigning Value to Assets
Recall our discussion earlier that everything has a value, including information. It is important that you have a thorough understanding of the value of your assets. The key valuation figures your team will look at in this scenario are:
PV = profit value
CAD = cost to acquire or develop
CM = cost to maintain
CR = cost to replace
CU = cost if unavailable
L = liabilities if compromised
The team starts with a look at the value of the alloy formulation. It is at the heart of your process and is largely responsible for your profits rising tenfold. There is great debate among the team members as to its value.
Your COO believes it is priceless. After hours of fruitless discussions, your CFO proposes that the value is equal to the difference between your profit before implementing the formula and the current profit level (US $100 million – US $10 million = US $90 million). You and your team accept his proposal and assign PV = US $90 million.
Your CAD is a sunk cost. Your team knows that it took five years of research to develop the formula for your alloy and kept meticulous records. Factoring in materials, equipment, salaries, and other direct and indirect costs, your CFO validates CAD = $20 million.
Compared to CAD, the cost to maintain your formula is relatively low. It is stored on the company’s central server with off-site storage at a commercial vendor facility in West Virginia. A tertiary copy is kept on a drive stored in a safe deposit box in a local bank.
Because the IT staff spreads their time across multiple systems and your software is licensed as part of a corporate licensing agreement, your CFO and the IT chief base their estimates on staff costs, software licensing, and network and computer hardware on a pro rata basis supporting the storage and use of the formula in the manufacturing process. Based on their analysis, CM = $2 million per year.
The cost to replace (CR) is hotly debated by your team. Given that your team has carefully provisioned for both on- and off-site storage of the formula, it is relatively easy to get a backup copy and reload.
Your CFO argues that auditors could make the case that the cost to replace is zero. Your COO disagrees. He was part of the technical team that developed it and knows all that went into developing it.
He believes that once your formula is revealed, its value plummets to zero as your competitors adopt it and you lose your competitive advantage. He makes the compelling case that it will need to be replaced with a better formula.
Based on his experience and knowledge of the technology, he estimates it will take three years to develop at a CR = $50 million. The team agrees to accept the figure in this calculation.
Determining cost if unavailable (CU) is easier for your team. Your business produces $500 million over the year.
You have 300 production days per year with other days being consumed by holidays and Sundays (you believe the only steel production in Pittsburgh on Sundays should be football at Heinz Field). Given this, your team determines a daily cost of US $1.67 million if the alloy formula is unavailable.
Finally, your team addresses the liabilities (L) issue. Your general counsel and the marketing director advise that you have numerous contracts in place that specify on-time deliveries to customers with significant penalties for delays. Most contracts have a cushion of a mere three days before monetary penalties kick in.
Additionally, your contracts for the transportation of finished products are firm fixed price regardless if you have a delay in production. Your logistics director advises that delays will affect the supply chain of raw materials used to manufacture the steel;
you do not have on-site storage to absorb an interruption of more than six days. You determine that if the interruption is less than three days, L = $0. If it is between three and six days, L = $1 million per day. If it is over six days, L = $5 million per day.
With values assigned to assets, the team turns its attention to Step 2: estimate the potential loss.
Estimate the Potential Loss.
Estimating your loss is difficult and has to be predicated on making some key assumptions. In this case, the key assumptions you make that drive your next steps include:
Your formula is stolen and gets into the hands of a competitor. The competitor uses your formula to create an identical product to compete against you. It takes the competitor one year from receipt of the formula to bring their copycat alloy to market.
The type and degree of analysis to estimate the potential loss due to an event depends on the types of threats encountered. Analysis of the threat of a massive fire at your facility varies greatly from that of a zombie epidemic, meteor strike, mudslides, or even a cyber-based attack. Each asset faces potential loss based upon the threats that they face.
This is where the mathematics get complicated very quickly, involving complex statistical modeling as you want to evaluate each and every possible scenario.
Regardless of what threat you confront in your risk analysis, remember that it is important to address all the potential courses of actions and impacts.
For the purpose of brevity and to illustrate the methodology, we will only look at one specific line of threat.
To analyze the potential loss from a cybersecurity incident, your team makes additional assumptions to bound the analysis:
You are evaluating the loss associated with a hacker gaining access to your formula. You are still able to operate using your formula and meet your production and delivery objectives.
Your team continues its analysis to calculate the potential loss (SLE). The SLE is expressed as a dollar amount representing the potential loss if a specific threat takes place. It is calculated as
SLE = asset value (AV) × risk exposure (RE)
Your team assumes that in the event a hacker accesses their data to steal the formula, they quickly will use backup software to restore full operations within one day. They determine that in this scenario the asset value is the sum of the aforementioned values:
AV = PV + CAD + CM + CR + CU + L
PV = US $90M
CAD = US $20M
CM = US $2M
CR = US $50M
CU = US $1.67M
L = US $0
Therefore, they determine the value of the company’s secret formula to be
AV = US $163.67 million
Risk exposure (RE) represents the percentage of loss the threat will have on a certain asset if it occurs. With many assets, this is fairly straightforward to calculate.
For example, if you are a car dealer with a million dollar inventory of vehicles and a damaging hailstorm hits but 30% of the vehicles are protected by being inside your facility, then you face an exposure factor of 0.70 because 70% of your assets are exposed to the risk of hail damage.
Calculating risk exposure for information regrettably often is a binary data point.
There doesn’t readily appear to be any such thing as a partial loss when it comes to information; either you have a total loss or no loss.
If someone has destroyed your data and you have no backup, then you have a total loss and your RE = 1. If you do have a backup, then you have no loss and your RE = 0.
What’s your risk exposure in this scenario? While you do have solid and reliable backup procedures, because of the impact of the formula ending up in the hands of a competitor, your team believes it would be a total loss where RE = 1.0.
But wait! If your competitor can’t bring their hijacked product to market until a year after receipt of the formula and it will take you three years to replace it with your new formula, can you make the case that your RE actually is a loss of two out of the next three years? Absolutely.
After all, you do not have an expected loss for the first year after the incident but do for the two subsequent years until your expected replacement arrives where you anticipate you will resume your market dominance. Given that assumption, RE = 0.67.
The team accepts that assumption and calculates the expected loss of an incident (SLE):
SLE = asset value (AV) × risk exposure (RE)
AV = US $163.67M
RE = 0.67
Therefore, they determine the expected loss to be:
SLE = US $109.66 million
Estimate Threat Likelihood.
The team next evaluated the ARO, which is a measure of how likely the threat will take place in a 12-month period.
In calculating the ARO, the team started by looking at availability rates on their computer systems.
They had been prudent in their planning and implementation of their computer systems and invested well in their production equipment and software. As a result, they maintained a 99.95% operationally ready rate over the last three years.
They also consulted with a cybersecurity intelligence specialist, who conducted a thorough anonymous search of Internet resources to see if there were any indications that an entity was expressing interest in your company on hacker forums or other potentially dangerous venues.
The results surprised you and your team as the specialist found that indeed there had been discussions in a popular forum referring to a company that was a near dead ringer for your business.
Upon deeper digging, your specialist found that the query came from a country where one of your overseas competitors has their headquarters. You are suspicious.
The specialist’s search could have been chalked up to coincidence, but your IT chief comes back with some disturbing news. After seeing the initial report about the hacker forum, he had his boundary protection team check the firewall and router logs to see if there was any unusual traffic hitting your network.
There was! In fact, over the last five months, there had been a growing number of probes and scans against your network with two failed login attempts in the last month.
Many of those scans and probes originated in the country where your competitor is headquartered. Whoever was behind it is executing a “low and slow” strategy. Had you not been looking for the specific evidence, it would have been very difficult to find them. Now, you had evidence that someone was indeed trying to access your network.
Your IT chief advises you that this month’s vulnerability scans indicate there are several software and configuration vulnerabilities that exist on your network. They’ve been there for a couple of months but have been low priorities for correction.
Now, given the increased threat, he recommends they be remedied as soon as possible. He says he needs additional resources to complete the task and will come to you with details the next day after he consults further with his staff.
You have your IT chief contact the professor at Carnegie Mellon to help estimate how many times the threat can take place in a 12-month period.
She is very helpful and points out that data collected by the government and insurance companies indicates that a company like yours with comparable defenses has only been successfully attacked once every two years.
She also refers you to DHS and FBI programs that can help identify threats and tactics bad actors use. You authorize your IT chief to sign your company up for the next FBI InfraGard meeting in Pittsburgh as well as to join the manufacturing sector’s Information Sharing and Analysis Center that partners with the DHS.
Given the information you have, you know that you are at risk, yet the data indicates the estimated frequency of a successful cyber attack is one every two years. Therefore, you and your team calculate the ARO = 1/2 = 0.50.
Calculate the Annual Loss Potential.
Now that you have your SLE and predicted ARO, you calculate the entire equation:
ALE = SLE × ARO = US $109.67 million × 0.50 = US $54.83 million
This means that you can expect an annual loss of US $54.83 million in the event of a cyber attack that compromises your intellectual property and trade secrets. This is your risk in this scenario.
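The calculation above, carried end to end as an added Python example (this is not code from the book): the valuation figures and the formulas AV = PV + CAD + CM + CR + CU + L, SLE = AV × RE and ALE = SLE × ARO are the chapter's own; the liabilities step function, the reading of RE as lost years over the replacement window, and the `rounded` switch that reproduces the text's rounded intermediates are this example's assumptions.

```python
# Worked quantitative risk assessment for the alloy-formula scenario.
# Added example, not from the book. The inputs (PV, CAD, CM, CR, CU, L,
# RE, ARO) are the scenario's own; the helper functions around them are
# assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class AssetValuation:
    """The six valuation figures from Step 1, in US dollars."""
    pv: float   # profit value
    cad: float  # cost to acquire or develop
    cm: float   # cost to maintain (per year)
    cr: float   # cost to replace
    cu: float   # cost if unavailable, for the outage length assumed
    l: float    # liabilities if compromised

    def asset_value(self) -> float:
        return self.pv + self.cad + self.cm + self.cr + self.cu + self.l


def daily_unavailability_cost(annual_output: float, production_days: int) -> float:
    """CU per day: annual output spread over the production days."""
    return annual_output / production_days


def liability_per_day(outage_days: int) -> float:
    """Contract-penalty step function from the scenario: nothing for
    outages under three days, US $1M/day from three to six days and
    US $5M/day beyond six days."""
    if outage_days < 3:
        return 0.0
    if outage_days <= 6:
        return 1.0e6
    return 5.0e6


def liabilities(outage_days: int) -> float:
    """Total L for an outage of the given length. Assumption: the per-day
    rate applies to every day of the outage, not only the days past the
    threshold."""
    return liability_per_day(outage_days) * outage_days


def risk_exposure(years_until_competitor_ships: float, years_to_replace: float) -> float:
    """RE as the fraction of the replacement window in which the loss is
    felt: the competitor needs a year to copy the alloy, so the loss is
    confined to the remaining years until the new formula arrives."""
    lost_years = max(0.0, years_to_replace - years_until_competitor_ships)
    return lost_years / years_to_replace


def single_loss_expectancy(av: float, re: float) -> float:
    return av * re


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    return sle * aro


def alloy_scenario(outage_days: int = 1, rounded: bool = True) -> dict:
    """Run the chapter's numbers end to end. With rounded=True the
    intermediates are rounded the way the text does (CU = 1.67M,
    RE = 0.67); with rounded=False they are carried at full precision."""
    cu_day = daily_unavailability_cost(500e6, 300)   # US $500M over 300 days
    re = risk_exposure(1, 3)                          # 2 of the next 3 years
    if rounded:
        cu_day = round(cu_day / 1e6, 2) * 1e6
        re = round(re, 2)
    valuation = AssetValuation(pv=90e6, cad=20e6, cm=2e6, cr=50e6,
                               cu=cu_day * outage_days,
                               l=liabilities(outage_days))
    av = valuation.asset_value()
    sle = single_loss_expectancy(av, re)
    aro = 1 / 2          # one successful attack every two years
    ale = annualized_loss_expectancy(sle, aro)
    return {"av": av, "re": re, "sle": sle, "aro": aro, "ale": ale}


if __name__ == "__main__":
    for label in ("rounded", "exact"):
        r = alloy_scenario(rounded=(label == "rounded"))
        print(f"{label:8s} AV={r['av'] / 1e6:8.2f}M  SLE={r['sle'] / 1e6:8.2f}M  "
              f"ALE={r['ale'] / 1e6:7.2f}M")
```

With `rounded=True` the run reproduces the US $109.66 million SLE and US $54.83 million ALE above; with `rounded=False` the unrounded CU and RE give roughly US $109.11 million and US $54.56 million. The gap is small here, but it is worth knowing which intermediates were rounded before a headline figure reaches the board.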
It is important to note that the quantitative risk assessment method is the standard method of measuring risk in many fields such as insurance and manufacturing, but is not commonly used to measure risk in IT.
As you measure your cybersecurity risks, this method may prove challenging. It is very difficult to measure the value of information, but we submit that it is possible. Moreover, the valuation of shared assets such as networked systems, virtual devices, and software used across an enterprise poses a challenge to actuarial computations.
Additionally, while you can use statistics to determine the anticipated failure rate of an information system, it is nearly impossible to accurately predict the likelihood, frequency, or severity of cyber attacks against your organization.
We believe the vagueness surrounding calculation of the likelihood of a cyber attack drives many to use an alternative method of measuring risk: the qualitative risk assessment.
Nonetheless, you look over the quantitative risk assessment again. You may think, “Holy Smokes! Our cybersecurity risk is huge! What do we do next?”
Before we advance to a discussion of the next steps such as risk mitigation, avoidance, acceptance, and other post analysis decisions, let’s turn our attention to this other method of determining cybersecurity risk: qualitative risk assessment.
Qualitative Risk Assessment
When it comes to IT and cybersecurity risk assessment, the qualitative risk assessment model may be more attractive and useful for you and your business.
Qualitative risk assessments do not utilize detailed calculations to assign monetary values to assets and losses like the quantitative method. Rather, the qualitative risk assessment method recognizes the difficulty present in assigning realistic values to information and the likelihood of risk.
As such, this method provides relative measures of risk and asset value based on ranking specific items into categories such as high, medium, or low or on a numeric scale.
Qualitative risk assessments are a popular method of calculating cybersecurity risk. While not as precise as the quantitative method, they generally are faster, easier, and less expensive to produce and give senior decision-makers actionable information in a more timely manner.
We’ll use the example of another fictitious Western Pennsylvania company to illustrate the qualitative risk assessment methodology of calculating cybersecurity risk to a business.
You are the CEO of BigRX, a large (US $10+ billion) regional medical enterprise with over 20 major hospitals and 400 operating locations. Your business is an industry leader and has a good reputation. You carefully guard your brand.
Cybersecurity is on your agenda. Reports from across the medical sector indicate an increase in violations of the Health Insurance Portability and Accountability Act (HIPAA) as systems fall out of compliance with HIPAA standards, and disclosures of sensitive patient records have spawned litigation that has cost other similar businesses tens of millions to repair and litigate.
You are concerned about hackers penetrating your systems, which would expose your business to potential disclosures and/or corruption of data that could cost your business tens of millions of dollars and potentially sully your sterling reputation.
BigRX has a large medical information management system called BigMIMS that is the heart of its business operations. BigMIMS has approximately ten million sensitive records in its database.
Medical providers at your remote and contracted facilities love BigMIMS as they can access the records through a convenient web interface that your IT department delivered through a contract with a major software vendor.
BigMIMS cost you US $20 million to develop and field and costs you US $5 million to operate and maintain. Your accounting team recently conducted an analysis of BigMIMS’s information and determined that the replacement cost of each record is US $100.
Yesterday, you attended a chamber of commerce luncheon celebrating the Pittsburgh Pirates’ winning season where you sat next to the CEO of Plano Corporation. As you shared lunch and conversation together, he pointed out the CEO of a major Pittsburgh retailer across the room.
The Plano CEO asked if you had heard about the cyber attack against the retailer that resulted in the loss of thousands of credit card numbers and threats of litigation.
When you said you hadn’t, he advised he was conducting a risk assessment of his cybersecurity posture and recommended you consider doing the same at BigRX, “…if you hadn’t already.” Good advice. Perhaps, these luncheons do have value after all!
When you return to your office, you have your regularly scheduled senior leadership meeting with your COO, CFO, chief medical officer, CIO, and chief risk officer (CRO).
You tell them that you are concerned about reports of cybersecurity incidents and the major retailer incident is hitting “too close to home.” You want a cybersecurity risk assessment conducted, starting with BigMIMS.
Based on their experience with qualitative risk assessments, your staff recommends using this methodology to assess your risk.
The first step of the qualitative risk assessment is to identify your threats and threat sources (know your enemy!)
Your team categorizes the threats and threat sources into the following table,18 which they present as part of their report to you.
Threat: Description
Improper data entry: This is an improper entry of data into BigMIMS, either accidental or deliberate, that compromises the integrity of the data in the database.
Malicious code: This is the insertion of malicious code into the computer network that compromises the security and integrity of your network and jeopardizes the information residing on it.
Unauthorized access: This is the access of patient information in the BigMIMS database by individuals not authorized to view or handle it.
Hacking: This is an action where a hacker gains access to BigRX networks and information. It may or may not result in malicious activity yet will drive costly remedial activities and notifications in accordance with HIPAA.
Earthquake: This takes into account the possibility that an earthquake could strike, disrupting BigMIMS operations.
Flood: This takes into account the possibility that a flood could affect the BigMIMS facility and interrupt operations.
Power failure: This takes into account the possibility that a power failure in the BigMIMS facility could damage the system or otherwise interrupt operations.
HVAC failure: This takes into account the possibility that an HVAC failure in the BigMIMS facility could damage the system or otherwise interrupt operations.
Fire: This takes into account the possibility that a fire in the BigMIMS facility could damage the system or otherwise interrupt operations.
You like this format and are comfortable with it as BigRX uses this format across the organization. You standardized the format for risk assessments to improve management oversight, consistency, reliability, and repeatability.
Employees across all operating units are trained to use this format, which was developed as a result of a previous risk management exercise.
Having a standard and repeatable risk assessment process across the organization reduces variance and confusion while enhancing accuracy. You agree that these are reasonable threats but you still want to see your vulnerabilities.
Your team produces numerous tables identifying hundreds of vulnerabilities. Because you are focusing on cybersecurity vulnerabilities to BigMIMS and its data, your team consults with those most familiar with the system: the system developers, the system and database administrators, program managers, and cybersecurity personnel.
Technical teams are a treasure trove of information in identifying potential vulnerabilities. Based on their technical knowledge and their daily interaction with the systems, they know the strengths and weaknesses of the system.
If you want to know where your greatest cybersecurity risks are, they are the best people to ask. They will either have the information you need or know how to get it for you.
Vulnerability scanning results are a prime source of information to identify your cybersecurity vulnerabilities.
Good technical teams routinely run vulnerability scanning software to examine operating systems, network devices, applications, databases, and other critical infrastructure for known flaws by comparing the systems and their responses against databases of known flaws or signature files.
Internal scans are standard procedure for professionally managed networks. Great technical teams not only do regular internal scanning but also do external scanning of your network boundaries as well.
Great technical teams also ask for help and do regular independent penetration testing to find out where their security is weakest and can be exploited. Penetration testing (also known as “Pen-testing”) features specialized security analysts who exercise threats against the system under controlled nonmalicious circumstances.
The best ones don’t just challenge your technical team, they also use social engineering, on-site physical security probes, and other techniques to find ways to penetrate your defenses.
In essence, Pen-testers figure out ways to hack into your system so you can find your weakest links. We highly recommend you include Pen-testing on a regular basis with vulnerability scanning to provide you with the vulnerability information you need to make informed decisions.
Vulnerability scanning and penetration testing are not the only sources of vulnerability analysis. Your organizational and management control program also ought to be used to identify areas of vulnerabilities.
Internal audits and control procedures are used to ensure that your policies and procedures are routinely and accurately adhered to. We believe this is an essential part of your internal control program and a rich source of vulnerability information.
As an example, several years ago, the author found a vulnerability through his internal audit and management control program that is worth sharing.
The author was responsible for the network operations, maintenance, and security supporting a 160,000-person organization with 20 major operating locations around the world.
In order to maintain effective, efficient, and secure network operations, the author ordered standardized procedures to be followed in the installation of software and patches.
Nothing was to be installed on the network or devices until it had been properly tested in the organization’s central cyber test facility. Once software and patches had been cleared by the lab, we used technical means for designated system administrators to automatically push software updates to devices across our network enterprise.
This process saved significant resources by reducing the need for touch labor, reduced the time to patch and install from weeks to minutes, and significantly improved reliability and security.
Key to the process was the system administrators following the process in a disciplined manner. We routinely ran scans looking for unauthorized software appearing on the network as part of our cybersecurity program and saw an alarming rise in the appearance of unauthorized software.
We were concerned because the unauthorized software not only could contain malicious code that could jeopardize our operations but also it could be unlicensed software that could open us to litigation for using copyrighted material without proper permission.
Only a system administrator could install software and the entire technical team had received thorough training; they knew the process and swore they were following it. We had to find out who was installing the unauthorized software, why they did it, and what caused them to do so. Only then could we resolve our problem.
I directed my deputy to lead an internal control audit of the system administrator process and procedures to see if he could find the root cause. Sure enough, he did.
The internal control audit discovered that indeed the system administrators on our technical team were well versed on the policies and procedures.
They were regularly tested and followed the procedures with discipline and rigor. What my deputy discovered through the internal audit, however, surprised us. Not everybody with system administration privileges was on the technical team.
The internal control audit revealed that business unit administrative staff members at one of our operating locations had asked for and been given system administrator level privileges to enable them to assist members of their business units with routine computer problems.
There was no evidence that they had received the requisite training on our software and patching policy nor were they formally trained as system administrators.
Several of them had violated corporate policy and had installed untested and unlicensed software. We quickly moved to remedy the situation by removing the software, implemented very tight access control procedures to centrally manage privileges, and alerted management at the operating location of the issue.
Fortunately, we detected and fixed the problem before the damage occurred, but it highlights the positive impact of internal control and management programs have in helping you find your weaknesses. Do not rely solely on your technology to reveal your problems!
BigRX uses all the techniques cited in the preceding text to expose their list of vulnerabilities to BigMIMS. Their internal and external security scans reveal a list of software and configuration weaknesses that are common to many of the vendor products.
In fact, the technical team tells you that these vulnerabilities are well known and available for anyone to see on the Internet.
Your staff identifies hundreds of vulnerabilities, but you zero in on the one below: the same one you heard was used to exploit the Pittsburgh retailer. You have the same vulnerability!
Vulnerability: Description
Web page software is vulnerable to SQL injection: SQL injection is a code injection technique, used to attack applications, in which malicious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker).
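To make the vulnerability concrete, here is an added Python example (not BigRX's, the book's, or any vendor's code) showing the same patient lookup written two ways over a constructed in-memory SQLite table: one that splices the web form's input into the SQL text, and the parameterized form that removes the flaw. The table, the rows and the `demo` function are constructed for the example.

```python
# SQL injection in a BigMIMS-style record lookup: the vulnerable query
# beside its parameterized replacement. Added example, not the book's or
# any vendor's code; the table and rows are constructed for illustration.
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the patient records database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-0001", "Ada Lovelace", "constructed"),
        ("MRN-0002", "Alan Turing", "constructed"),
        ("MRN-0003", "Grace Hopper", "constructed"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation: whatever the web form
    sends becomes part of the SQL text, so a quote character in the input
    changes the meaning of the query instead of being compared as data."""
    sql = "SELECT mrn, name FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is fixed text and the value is bound
    separately by the driver, so the input can only ever be a name."""
    return conn.execute("SELECT mrn, name FROM patients WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal name and on the textbook tautology
    input, returning how many rows each version hands back."""
    conn = build_db()
    benign = "Alan Turing"
    hostile = "' OR '1'='1"   # closes the quoted string and makes WHERE always true
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_parameterized": len(lookup_parameterized(conn, benign)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterized": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:24s} rows returned: {rows}")
```

The vulnerable version returns every patient row for the hostile input, which is exactly the "dump the database contents" outcome the table describes; the parameterized version returns nothing, because no patient is literally named `' OR '1'='1`. A scanner reports the pattern in the first function; the second is what the remediation ticket should ask for.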
Validating Threat and Vulnerability Matching.
Matching threats to vulnerabilities is an important part of your risk management process. The reasoning is straightforward.
A threat without a vulnerability does not produce a risk. Similarly, a vulnerability without a threat does not produce a risk. However, a threat from a legitimate threat source directed toward a vulnerability generates risk, risk that you need to address.
In the case of BigRX, the SQL injection vulnerability has been identified. It can enable an attacker to gain access to the BigMIMS database, potentially revealing, altering, or destroying sensitive patient records and opening BigRX up to embarrassing litigation, regulatory fines, and damage to its valued brand. The vulnerability is serious.
But is there a threat? How do you know?
There are several methods to determine whether you have a threat directed against a cyber vulnerability. Let’s introduce you to some of the most common:
The threat-source identifies you as a target:
Strange as it seems, some threat sources clearly identify their targets, giving them a heads-up that they are the subject of a future attack. The previously cited Anonymous DDoS attacks on PayPal, MasterCard, and Visa are examples of this type of threat and vulnerability match.
The threat-source performs reconnaissance against you:
Potentially hostile threat sources are continually scanning the Internet looking for vulnerabilities to exploit. Your IT team should be continually reviewing their security logs to see who is scanning you. If there are a lot of repeat visits from the same Internet address, be concerned and block them.
The threat source has a pattern of misconduct indicating “you are next”:
Cybercrime statistics indicate when cybercriminals find a technique that works, they continue to tap it until it runs dry or they are apprehended. Albert Gonzalez had his acolytes execute successful attacks on retailers by hacking in through their Wi-Fi to steal credit card numbers.
Do you think if the other retailers in the area knew about the exploits they would have made the linkage between the threat and their own vulnerabilities? We would have!
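The log review described under "The threat-source performs reconnaissance against you" and the "low and slow" probing that the steel company's IT chief found in its firewall and router logs earlier in the chapter come down to the same check. As an added Python example (not from the book; the log format and the TEST-NET addresses are constructed), this profiles each source address by how many days it returns and how many ports it touches, which separates a patient repeat visitor from both a one-off deny and a noisy sweep that rate limits already catch:

```python
# Detecting "low and slow" reconnaissance in boundary-device logs.
# Added example, not from the book. The log format and the addresses
# (RFC 5737 TEST-NET ranges) are constructed for the example; adapt
# LOG_RE to whatever your firewall actually emits.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source touching a few ports on five different
# nights over a month, one source sweeping ten ports in a minute, and one
# ordinary client with a single stray deny.
SAMPLE_LOG = """\
2024-03-02T01:14:09Z DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-03-02T01:14:31Z DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-03-09T23:02:17Z DENY src=203.0.113.7 dst=198.51.100.10 dport=445
2024-03-16T04:41:55Z DENY src=203.0.113.7 dst=198.51.100.12 dport=8080
2024-03-16T04:42:10Z DENY src=203.0.113.7 dst=198.51.100.12 dport=21
2024-03-23T03:08:44Z DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-03-30T02:55:01Z DENY src=203.0.113.7 dst=198.51.100.10 dport=8443
2024-03-30T02:55:20Z DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-03-11T10:00:01Z DENY src=203.0.113.200 dst=198.51.100.10 dport=21
2024-03-11T10:00:02Z DENY src=203.0.113.200 dst=198.51.100.10 dport=22
2024-03-11T10:00:03Z DENY src=203.0.113.200 dst=198.51.100.10 dport=23
2024-03-11T10:00:04Z DENY src=203.0.113.200 dst=198.51.100.10 dport=25
2024-03-11T10:00:05Z DENY src=203.0.113.200 dst=198.51.100.10 dport=80
2024-03-11T10:00:06Z DENY src=203.0.113.200 dst=198.51.100.10 dport=110
2024-03-11T10:00:07Z DENY src=203.0.113.200 dst=198.51.100.10 dport=143
2024-03-11T10:00:08Z DENY src=203.0.113.200 dst=198.51.100.10 dport=443
2024-03-11T10:00:09Z DENY src=203.0.113.200 dst=198.51.100.10 dport=445
2024-03-11T10:00:10Z DENY src=203.0.113.200 dst=198.51.100.10 dport=3306
2024-03-14T12:30:00Z ALLOW src=192.0.2.9 dst=198.51.100.10 dport=443
2024-03-14T12:31:00Z DENY src=192.0.2.9 dst=198.51.100.10 dport=8080
"""


def parse_events(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_sources(events):
    """Per source address: distinct days seen, distinct ports probed, deny count."""
    prof = defaultdict(lambda: {"days": set(), "ports": set(), "denies": 0})
    for e in events:
        if e["action"] != "DENY":
            continue
        p = prof[e["src"]]
        p["days"].add(e["ts"][:10])
        p["ports"].add(int(e["dport"]))
        p["denies"] += 1
    return dict(prof)


def low_and_slow(prof, min_days=3, min_ports=3, max_per_day=5.0):
    """Sources that keep coming back over many days and touch several
    ports, but never enough per day to trip a rate-based alert."""
    hits = []
    for src, p in prof.items():
        days, ports = len(p["days"]), len(p["ports"])
        if days >= min_days and ports >= min_ports and p["denies"] / days <= max_per_day:
            hits.append((src, days, ports, p["denies"]))
    return sorted(hits)


def noisy_scanners(prof, min_ports=10):
    """Sources that sweep many ports; rate limits usually catch these already."""
    return sorted((src, len(p["ports"])) for src, p in prof.items() if len(p["ports"]) >= min_ports)


def analyze(lines) -> dict:
    """Profile the log and return both findings plus a block candidate list."""
    prof = profile_sources(parse_events(lines))
    slow, noisy = low_and_slow(prof), noisy_scanners(prof)
    return {
        "sources": sorted(prof),
        "low_and_slow": slow,
        "noisy": noisy,
        "block": sorted({s for s, *_ in slow} | {s for s, _ in noisy}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key:13s} {value}")
```

The thresholds are the interesting knobs: a source that shows up on five separate days with a handful of denies each is invisible to a per-minute rate alert, which is why the text's evidence only appeared once someone went looking across months of logs.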
BigRX suspects there is a problem. Nobody has directly communicated a specific threat to the company’s information systems, but the network is constantly being bombarded with scans and probes.
You are not sure that it is part of widespread scanning or is directed toward BigRX, but conclude that regardless of the source it is reconnaissance of your network.
Moreover, your neighbor in retail was just burglarized through a SQL injection exploit that is buffeting their reputation and driving embarrassing litigation and potential losses due to the theft of sensitive customer data.
Does BigRX think there is a threat and vulnerability match? Absolutely! So what’s next? How likely is it that someone will attack you?
Estimate Incident Likelihood.
Before we continue with the BigRX example, let’s use a cyber-related example to highlight how some people look at how to decide that an event is likely (event likelihood).
Some people like to think that it is unlikely Apple products will be hacked. They point out that Microsoft often patches their software to remedy vulnerabilities and most hacking activity is directed against Microsoft products.
They point to Apple as an example of a company that “doesn’t have to do that” and use the software patch metric as a measure of relative quality. Is that true? Not entirely.
The fact of the matter is that Microsoft has become the world’s single largest source of software, making their product set the largest target for hackers. Why? To quote the famous bank robber Willie Sutton, “Because that’s where the money is.”
Because businesses predominantly use software based on the Microsoft architecture, hackers pay great attention to Microsoft products, relentlessly searching for vulnerabilities they can exploit.
Cybercrime is big business and it is logical the widespread use of Microsoft products by businesses, governments, and the public at large would make Microsoft products the huge target it is for hackers.
But just because Microsoft gets a lot of attention from the hacker community doesn’t mean you are safe with your iPad, iPhone or Macbook.
In fact, Apple’s resurgence and an increase in market share have made it an increasingly inviting target for hackers. Don’t believe it? Even Apple itself was recently hacked and had to temporarily shut down its application developer web site.
The lesson is that you have to be careful when you are deciding “event likelihood” to not succumb to bias and tradition. Rather, be strategic in your view and look to multiple diverse sources of trusted information in making your judgments.
BigRX uses their standard corporate model to characterize the likelihood or probability that the threat will be acted upon in the next 12-month period. Like numerous other companies, they use a format familiar to those who have graduated from business schools and other executive development programs.
Low: 0–33% chance that the event will occur in a 12-month period
Medium: 34–66% chance that the event will occur in a 12-month period
High: 67–100% chance that the event will occur in a 12-month period
This is the method used by BigRX but there are many other ways you can categorize the likelihood of an event. Some people prefer more categories (e.g., very low, low, medium, high, and very high). Others prefer different ranges for their categories (e.g., high = 90–100%, medium = 60–90%, and low = <60%).
We have found that regardless of which characterization is selected, there is a great benefit in consistency. When your organization and its employees are trained to employ a standardized methodology, are comfortable with it, and use it as designed, the resulting analysis is consistent, reliable, and trusted across the organization.
When considering which likelihood category to select, there are many methods you can use. They include but are not limited to:
Leadership selection: The boss or delegate picks.
Nominative group decision: Everyone involved in the process votes and you (the boss) select the average.
Delphi group technique: Everyone involved in the process presents their recommendation, and the group debates options until a consensus is reached.
Plurality rules! Everyone votes. Whichever category gets the most votes is selected.
Which one your organization selects depends on the culture of the organization and the decision to be made. Those that are time sensitive are more likely to use either the “leadership selection” or “plurality rules!” techniques. Where the decision is potentially very contentious, the “nominative group decision” or “Delphi group technique” often are preferred.
So what did you do at BigRX? You followed your established corporate risk management process. You gathered experts from your IT and financial departments and business operations and even some cybersecurity consultants.
They used the Delphi group technique to make a recommendation to management that the likelihood was HIGH that BigRX would face a successful hacking incident using the SQL vulnerability in a 12-month period. Based on the reports you are seeing in the news about cyber attacks at home and abroad, you are not surprised.
Risk assessment is a process. Regardless of whether you are measuring risk from natural disasters, new product launches, or even cybersecurity incidents, you use the process to determine the likelihood (or probability) of a threat occurring against a vulnerability resulting in an impact.
Using the qualitative risk assessment method, you create a matrix to determine the relationship between the likelihood of an event occurring and the impact it will have if it does. You’ve already analyzed likelihood and impact in previous steps, so you can compare them in your matrix to portray the relative risk you have calculated.
Remember that in the qualitative risk assessment, you normally do not use numbers in your risk measurement. Since in this cybersecurity-related example you do not have accurate numbers to estimate the likelihood of the event, using this construct adequately conveys the range of risk and focuses management attention on the matters of gravest concern.
As the CEO of BigRX, you review the team’s work and conclude you most likely face a high risk of a significant cybersecurity event in the next 12 months. You want options on what to do next.
Life is full of risk. Recall that as an executive, one of your primary responsibilities is to manage risk to protect your business and create an environment for it to grow and thrive.
In our opinion, you have four basic options when confronted by risk: mitigate, transfer, accept, and avoid. Note that the four options also hold for any type of risk encountered in life.
Each one should be supported by the facts and a thoughtful review. During your evaluation of options, remember that you can choose one or more in making your decision. The options are:
Mitigate: This is one of the most common techniques used to address cybersecurity risks as part of your risk management strategy. Mitigation focuses on fixing the deficiency that creates vulnerabilities and/or leveraging some other form of compensating control that contains your vulnerability.
For example, mitigation techniques we have used include patching software to close security vulnerabilities, training personnel, installing and configuring new and/or better security apparatus like firewalls and encryption devices, and adding improved physical security controls such as special access control devices.
We cannot overemphasize the importance of the business case analysis as part of your mitigation process.
If you agree it does not make sense for you to spend 10 dollars on a lock to protect a five-cent pencil, you’ll probably also agree that it doesn’t make sense to spend a million dollars on an IT system to protect information valued at US $500,000. Mitigation is a business decision enabled by technology to support business objectives.
Make sure you have a good business case before you invest in any mitigation technique! The right investment should jump out at you as a result of your business case analysis!
As a reminder, after you implement your mitigation steps, make sure you reevaluate your residual risk in light of the new controls and configurations you may have placed into effect.
Whenever you confront a risk, some of your first questions to your subordinates should be, “How can I mitigate this risk?” “How much will it cost?” “How long will it take?”
Transfer: While you can never transfer responsibilities, you can transfer risk. You do it all the time. You likely have car, property, and life insurance policies in effect right now. You pay premiums to the insurance company, which in turn underwrites your liability based on how much coverage you are willing to pay for. Can you underwrite cybersecurity risk?
Absolutely! In fact, there are several insurance companies around the world that now offer insurance for cybersecurity events. It is estimated that the cyber insurance market has already surpassed US $1 billion.
Accept: Often, the cost of fixing a vulnerability is more than the value of the asset you are trying to protect. Sometimes, you don’t have the resources to fix the vulnerability.
Other times, you may decide that the high costs associated with mitigation are too much to pay based on the likelihood of an event and its potential impact. In cases like this, many people decide to accept the risk and allow their systems to operate with the known risk.
Acceptance of risk is a decision reserved for senior leadership and management. As an executive, insist on a formal risk acceptance process for each and every risk acceptance decision.
Ensure that all documentation regarding the risk assessment and decision-making process is complete and accurate. Also, make sure the risk acceptance decision is in writing and accepted by the senior leader making the decision. Remember, with great power comes great responsibility.
Acceptance of cybersecurity risks is a business decision senior executives will be called to make. Be ready. Know your enemy. Know yourself. Know what mitigation and transference options you may have. When you know all of these, your decision will be much easier to make and be auditable and defendable.
Avoid: Avoidance happens when you stop doing that which exposes you to risk. We exercise the avoidance technique all the time in the cyber environment.
An example of cyber avoidance is the practice of removing or disconnecting the vulnerable component or system to avoid risk. Let’s say you have a faulty old web server configured with antique software that has numerous vulnerabilities.
Rather than spending valuable staff time trying to resurrect the antique equipment and load contemporary software on it (which may or may not work on the older gear), you find it is cheaper and more effective to replace the server and software completely to avoid the risk.
Another simple example addresses the information itself. Many senior executives post their biographies online. Many post information about their spouse, children, and homes in their biographies. (For example, President X is married to the lovely Y of Trenton and they have four lovely children, A, B, C, and D.
They currently reside in Palm Beach.) What a treasure trove of information for criminals! While your business may harden your cyber defenses at work, does your family have the same cyber protection? Could a criminal or hacktivist use that information to threaten your family?
Avoiding the placement of personal and other potentially exploitable information on your website is an important risk management technique. Don’t forget to check your official biography today!
Finally, few companies operate alone. Your organization likely shares information with one or more other organizations, often through so-called trust relationships that permit transparent information sharing between the organizations.
Opening your network to a less secure partner may impose an undue risk to your organization. Since a risk taken by one is a risk taken by all, make sure you choose your partners well.
You may very well find that you need to avoid entering into a business relationship because your proposed partner does not maintain an effective cybersecurity program.
So, what about Thesis_Scientist Corporation and their risk? What risk decisions does their CEO face? What are his options? What strategy does he adopt?
The CEO and his senior leadership team know they are at risk of losing their intellectual property and trade secret (the alloy formula) to a cybersecurity incident.
Their analysis of threat sources, potential threats, vulnerabilities, and exposure indicates they are at high risk, and the estimated loss is over US $50 million. Their estimates based on available data indicate it is likely they will face an incident soon. They have a new sense of urgency to address this risk.
Based on the scenario provided, we have several risk management strategy suggestions for the Thesis_Scientist CEO and his senior executive team. Perhaps you will find these helpful considerations as you look at your own organization:
Here are our top ten recommended mitigation actions for Thesis_Scientist Corporation. You too can significantly reduce your risk by accomplishing the following mitigation actions:
1. Ensure your cybersecurity policies are well documented, that all personnel are trained on them, and that they are regularly tested.
2. Ensure your software configurations and patches are all up to date. This applies to your antimalware software, applications, and operating systems. Only use approved and tested secure software, especially operating systems. This hardens your network against attack.
3. Implement strong boundary connections and intrusion detection systems. Test them regularly through independent third-party penetration testing.
4. Implement a policy of “Deny All, Permit by Exception,” which filters all network traffic and denies all traffic not explicitly allowed. This can stop someone from “walking out the door” with your information.
5. Implement a policy of “least privilege” where users only get the privileges and access to information and services they need. This significantly reduces the risk of someone hijacking the identity of one of your employees and elevating their privileges to gain access to your most sensitive information.
6. Encrypt your data. All of it. Encrypt while it is at rest and while it is in transit. Encrypt your hard drives on your desktops, laptops, and other devices whenever possible. Make sure you have a key management system to assure you retain positive control of the keys to unlock your data.
7. Implement a robust vulnerability management program including internal and external scans. Install and use an intrusion detection system on your network.
This will provide the ability to deploy threat-specific detection signatures that will trigger immediate alarms for traffic of interest. Don’t you want to catch insider threats or external penetrations red-handed and stop them?
8. Make cybersecurity a corporate priority. Disable CD/DVD readers and USB drives by policy, and only provide that capability by exception under controlled conditions. Make importing and exporting of data a conscious decision. Implement comply-to-connect policies to reduce threats of contamination. Tightly control remote access.
9. Invest in your IT staff commensurate with the value of the information you want to protect. Make sure you have the right team, properly trained and certified, and in the right amount to do the work you need them to do.
10. Disconnect Internet access to all critical and sensitive information that doesn’t need an outside connection. Segment your mission-critical business data from the outside world (who doesn’t need to see it) as well as from administrative functions.
This limits and/or contains the effects of compromises and also speeds recovery. Does your key intellectual property and trade secrets need to reside in the same place as your general correspondence? Generally, no. Prioritize, segment, and secure your information based on risk.
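Items 4 and 10 above (“Deny All, Permit by Exception” and segmenting critical data from the outside world) come down to one mechanism: every flow is denied unless an explicit exception allows it. The following is an added example, not code from the book or from either company, showing how such a policy is evaluated and how the denied flows become the alarms item 7 asks for. The addresses, rule names and sample flows are constructed for illustration.

```python
"""Default-deny ("Deny All, Permit by Exception") flow evaluator.

Added illustration; the allowlist and flows below are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit exception to the default-deny policy."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Flow:
    """A single observed connection attempt."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


# Constructed allowlist (hypothetical addressing): only these flows are permitted.
# Note there is no rule from the production segment (10.2.0.0/24) to the Internet,
# which is how "segment your mission-critical data from the outside world" is expressed.
ALLOWLIST: List[Rule] = [
    Rule("workstations-to-web-app", net("10.1.0.0/16"), net("10.2.0.10/32"), "tcp", 443),
    Rule("admins-ssh-to-servers", net("10.3.0.0/24"), net("10.2.0.0/24"), "tcp", 22),
    Rule("servers-to-internal-dns", net("10.2.0.0/24"), net("10.0.0.53/32"), "udp", 53),
]


def evaluate(flow: Flow, rules: List[Rule] = ALLOWLIST) -> Tuple[bool, str]:
    """Return (allowed, rule_name). A flow matching no rule is denied by default."""
    for r in rules:
        if (flow.proto == r.proto and flow.dport == r.dport
                and flow.src in r.src and flow.dst in r.dst):
            return True, r.name
    return False, "default-deny"


def audit(flows: List[Flow], rules: List[Rule] = ALLOWLIST) -> List[str]:
    """Return denied flows as log-style lines, the raw material for detection alarms."""
    denied = []
    for f in flows:
        allowed, _ = evaluate(f, rules)
        if not allowed:
            denied.append(f"DENY {f.proto} {f.src}->{f.dst}:{f.dport}")
    return denied


# Constructed sample traffic: two permitted flows, two that the policy must stop.
SAMPLE_FLOWS: List[Flow] = [
    Flow(addr("10.1.4.7"), addr("10.2.0.10"), "tcp", 443),      # workstation to web app: allowed
    Flow(addr("10.1.4.7"), addr("10.2.0.20"), "tcp", 445),      # workstation to file share: denied
    Flow(addr("10.2.0.10"), addr("203.0.113.5"), "tcp", 443),   # production server to Internet: denied
    Flow(addr("10.3.0.9"), addr("10.2.0.20"), "tcp", 22),       # admin SSH: allowed
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The third sample flow is the case item 10 cares about: a production host trying to reach the outside world. Because nothing permits it, the evaluator denies it and `audit` produces a line a monitoring team can alert on, which is the difference between a policy on paper and one that is enforced and watched.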
We recommend you investigate your options to insure your business against loss from a cybersecurity incident. We recommend your discussions include first- and third-party liability coverage.
Additionally, we believe you should have conversations with multiple insurance firms before you make any decisions on risk transference as the cyber risk insurance market is still developing and wide variances in coverage, premiums, deductibles, and other factors exist.
Be a discerning shopper when it comes to insurance. Ask for quotes. Ask for referrals. Ask a lot of questions and do your business case analysis before you sign up for anything.
Your network readiness rate is very high, indicating your staff is effective at meeting business operation needs, but the vulnerabilities found by internal scanning may best be addressed by temporary, technically qualified reinforcements rather than by hiring additional full-time staff.
Consider accepting the risk of bringing in certified professionals on a temporary basis to bring your vulnerability posture to an acceptable baseline, look to lean processes to better utilize existing staff, and defer the request for additional manpower until two months after the posture meets objectives and processes are under control.
There is an avoidance option to consider for Thesis_Scientist. Does their production system need to be connected to the Internet? What happens if they pull the plug?
They still would have to address the insider threat and external attacks à la Stuxnet, but they can avoid the threat of hackers if they disconnect external connections.
They still can maintain a connection for their administrative functions but can keep their core intellectual property and business functions insulated from external cyber attack. This is an option worth exploring.
What about BigRX? What recommendations do we have for their CEO?
BigRX appears to be in pretty good shape. They have disciplined processes for managing risk, and the employees seem to be well trained. Nonetheless, software testing procedures appear to be lacking, since the vulnerability analysis found the SQL injection vulnerability.
This should have been caught in the software testing process and fixed before it was put online. This is a significant problem that needs immediate remedial action.
Here are our recommendations to the BigRX CEO as he contemplates his risk decisions:
Frankly, if BigRX had not already implemented the top ten recommendations we gave to Thesis_Scientist, we’d urge them to implement the same controls. We’d also recommend the additional following specific mitigation measures:
1. Fix the SQL injection vulnerability immediately. Test the fix before putting it on the production system.
2. Reinforce your defenses while the new code is being written. Be on the lookout for someone attempting access through a SQL injection technique.
3. Prevent further instances of putting the deficient code on your system by implementing disciplined software acceptance and testing protocols. Never let bad code get on your system again.
4. Implement regular external and internal vulnerability scans to better expose your risk.
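Recommendations 1 and 3 above say to fix the SQL injection flaw, test the fix before it reaches production, and put an acceptance gate in place so defective code never gets back on the system. The following is an added illustration, not code from the book and not BigMIMS’s code: a lookup written the defective way beside its parameterized fix, plus the kind of regression check an acceptance gate should run. The table, records and member IDs are constructed.

```python
"""SQL injection: the defective query beside its parameterized fix, with the
regression check a software acceptance gate should run before deployment.

Added illustration; the schema and records are constructed, not BigRX data.
"""
import sqlite3
from typing import Dict, List, Tuple


def _build_db() -> sqlite3.Connection:
    """In-memory table standing in for a records database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (member_id TEXT PRIMARY KEY, name TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("M1001", "Alice Example", "constructed-record-1"),
            ("M1002", "Bob Example", "constructed-record-2"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, member_id: str) -> List[Tuple[str, str]]:
    """DEFECT (the 'before'): user input is spliced into the SQL text, so the
    input can change the meaning of the query instead of being treated as data."""
    sql = "SELECT member_id, name FROM patients WHERE member_id = '" + member_id + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, member_id: str) -> List[Tuple[str, str]]:
    """FIX: a bound parameter. The driver passes member_id to the database as a
    value; it is never interpreted as part of the SQL statement."""
    sql = "SELECT member_id, name FROM patients WHERE member_id = ?"
    return conn.execute(sql, (member_id,)).fetchall()


# Textbook tautology input, used here only as a regression-test case to prove
# that the fixed query no longer returns rows the caller is not entitled to.
TAUTOLOGY = "X' OR '1'='1"


def regression_results() -> Dict[str, List[Tuple[str, str]]]:
    """Run both versions against a normal ID and the tautology input."""
    conn = _build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "M1001"),
        "normal_fixed": lookup_fixed(conn, "M1001"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_fixed": lookup_fixed(conn, TAUTOLOGY),
    }


def fix_passes_acceptance() -> bool:
    """Acceptance gate: the fix must behave identically on legitimate input and
    must return nothing on the tautology input (where the defect returns every row)."""
    r = regression_results()
    return (
        r["normal_fixed"] == r["normal_vulnerable"] == [("M1001", "Alice Example")]
        and len(r["tautology_vulnerable"]) == 2
        and r["tautology_fixed"] == []
    )


if __name__ == "__main__":
    print("acceptance gate passed:", fix_passes_acceptance())
```

Two points worth making to the development team: the fix is not input filtering but a change in how the query is built, and the acceptance check belongs in the automated test suite so that recommendation 3 (“never let bad code get on your system again”) is enforced on every build rather than remembered by people.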
We definitely recommend that BigRX consult with insurance brokers to discuss their options for risk transference through insurance.
Unlike Thesis_Scientist Corporation, who operates in a product-based environment, BigRX operates in what many consider a service-based environment. BigRX operates in a market sector where litigation is plentiful.
They likely have very robust insurance packages addressing risks like medical malpractice. They ought to investigate adding insurance for cyber malpractice as well. Clearly, there is a risk. They owe it to their stakeholders to protect the business.
We recommend BigRX fix their SQL injection issue immediately. Unfortunately, it isn’t like flipping a switch and the problem goes away. The code will have to be written, verified, and thoroughly tested before being loaded on to the active production system.
In the meantime, we recommend BigRX consider accepting the risk of keeping the existing configuration online until the new code can make its way through the appropriate repair, testing, and delivery process. Given the urgency to fix the code, we do not believe it would take an inordinate amount of time to receive the fix.
It may be possible to remove the flawed code from BigMIMS and still be able to maintain effective operations until the new code is ready for deployment.
This is an option that may be viable but would have to be explored in greater detail before making a recommendation to implement it. A business case analysis taking into account the technical and business operations considerations is warranted.
We also would recommend to both Plano Corporation and BigRX that they consider investing in a cybersecurity business intelligence capability. Back in the “old days” before computers, such services used to be provided by people who clipped articles from newspapers and magazines.
Now, many companies maintain technically enabled sophisticated in-house business intelligence functions to maintain situational awareness over key items of interest in their business sector, supply chain, and other areas that possibly could affect their business.
Others subscribe to services that provide them tailored information to heighten their awareness of key market trends, threat warnings, etc. Both companies need cybersecurity business intelligence as part of their “know your enemy” early warning capability.
Cybersecurity has become a key business component, and both companies need to have the type of information a cybersecurity business intelligence function provides. It can provide information to let you know when you may be targeted for cyber attack, who is doing the targeting, and why.
Business intelligence professionals specializing in cybersecurity issues can provide you with an analysis of current threats that can prove to be invaluable in preparing your risk assessments.
Executives need solid actionable information to make operational and strategic decisions. We recommend both companies secure a cybersecurity business intelligence capability.
Risk must be communicated to be properly managed. Ask any manager whether they understand how to manage risk, and they will tell you they know how to manage what they understand.
If they understand the risk, they can manage it. Therefore, it is important to clearly communicate the risks and risk management strategies, policies, and procedures in a manner that is readily understood by key stakeholders throughout the organization.
It is easy to frighten people when it comes to cybersecurity risk. There are so many vulnerabilities and threats that it can quickly overwhelm even the stoutest heart.
Not everyone understands the lingo that has evolved in the cyber ecosystem, and some people are offended when they believe the technical community is deliberately trying to obfuscate by “speaking in technical tongues.”
Likewise, the technical community is offended when they try to communicate highly complex technical topics in the simplest terms only to be derided for “dumbing down” the conversation. Barriers to effective communication only increase your risk!
Risk needs to be communicated to several constituencies. First, it has to be communicated internally. Every employee has a stake in the business’s risk. It has been said that risk management is a team effort.
Therefore, the team needs to clearly communicate as a team. Second, there are some communications of risk based upon regulatory guidance that have to be considered.
While such communications make many executives uncomfortable, they have become a fact of life. Precision, honesty, and brevity are our three watchwords for this communication requirement. Finally, you have to communicate with your shareholders. They are the owners of your company and expect to know what risks their company faces.
Communicating Risk Internally
We submit that communicating cybersecurity risk is best done when everyone uses the same language. Communicating risk focuses on sharing information about threats, vulnerabilities, and impacts. Management can set the tone by establishing a risk management program that includes the following:
Establish a standardized risk management process:
A disciplined process yields rich dividends as you are more likely to identify threats, threat sources, and vulnerabilities and, thus, predict the likelihood of events with greater precision. Perhaps more importantly, you will have a common understanding of risk among all team members.
Define key terms and procedures on how you identify, characterize, and manage risk. Make it part of your culture and train personnel throughout the organization to follow the process.
Reinforce that while senior management owns the risk in the business, everyone has a stake in it:
This bears emphasis. As an executive, your leadership is essential to ensure that each employee understands their responsibilities in managing the risk your company faces. Everyone has a stake, if for no other reason than it will have an impact on their wallets and pocketbooks.
Ensure your team is well informed regarding the risk you face and your program to manage it:
Clearly communicate your “Five W’s”: (1) What risk you face, (2) Who has a responsibility to manage risk, (3) Where the risk is, (4) When to look for it, and (5) How to avoid it.
Establish and document a Critical Information Reporting process to maximize leadership’s risk visibility:
Key components of the process include:
Identify your key information: It is essential for senior management to let subordinates know what information they require. Don’t keep your information needs a secret.
Identify who needs the information:
If the right people don’t know, the right actions will not occur. Management needs to let subordinates know who needs the information.
You get bonus points when you tell them what decisions you make from the information from various sources because everyone wants to know “why.”
People who know why information is needed are more likely to act with greater vigor and precision than those who feel they are just “passing on another report.”
Define the timeline for reporting:
You need to define what is a “wake me up in the middle of the night” situation versus an “it can wait until morning” event. Don’t torture your staff by making them guess what you want and when you need to know things. Tell them! Give them the leadership and clear direction they deserve!
Define the process for reporting: Does the key information go right to the top? Does it go to a central control center that filters and feeds it out? Does it make its way through the hierarchy to its destination? You need to define the flow of information from detection all the way through to receipt by the person who needs the information.
Define the reporting format: Clearly defining how the reporting message is conveyed beforehand will save time, money, and angst.
Your personnel often will detect threats and vulnerabilities that yield risk well before the C-suite even imagines it.
Empower your employees to sound the alarm and incorporate procedures in your risk management process that employees can use to identify risks.
Most companies already have safety programs to minimize the risk of industrial accidents where employees can identify threats and vulnerabilities to management.
They have been very successful in reducing accidents. Note that when employees identify safety risks and report such risks expeditiously, most employers make a big deal out of it and frequently give awards, sometimes in cash. Do you have a similar program to minimize cybersecurity risk? If not, why not?
Control and monitor your risk with metrics: Let your personnel know how they are doing in managing risk through visible metrics that are shared throughout the organization.
Celebrate risk management successes: Praise and award star performers and teams. “Success breeds success” and positive messages about risk management will encourage your team to perform at high levels.
We submit that your people are your most valued and treasured resource. Successful businesses have great processes. Great businesses have great people who manage great processes.
To make sure you have a great risk management process, ensure that you invest in your workforce and clearly communicate, communicate, communicate, and listen.
On October 13, 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance issued “CF Disclosure Guidance: Cybersecurity” (CF DG 2), which substantively changed the way businesses communicate cybersecurity risks.
As an executive, you are well advised to be aware of the content of this guidance and understand how it affects you and your business.
The mission of the U.S. SEC is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.
Created in 1934 during the height of the Great Depression, the SEC has a long history of interaction with American business and those foreign firms who do business in the United States. The SEC seeks to foster a competitive climate that will prevent another Great Depression from occurring again.
The SEC is led by five commissioners, appointed by the president and approved by the Senate, who oversee the commission. Its responsibilities include:
Interpret and enforce federal securities laws
Issue new rules and amend existing rules
Oversee the inspection of securities firms, brokers, investment advisers, and ratings agencies
Oversee private regulatory organizations in the securities, accounting, and auditing fields
Coordinate U.S. securities regulation with federal, state, and foreign authorities
The SEC interprets U.S. law and issues rules and regulations to implement those laws. These rules and regulations go through a deliberate process that often starts with the public release of a rule proposal with a 30–60-day comment period for the public to provide comments.
After the comment period, the commissioners consider the public comments and, after any requisite editing, vote on the proposed rule. Upon agreement of the commissioners, the rule goes into effect and has the force of law.
The SEC CF DG 2 guidance emerged during a period of great national debate regarding cybersecurity and the government’s role in developing a series of laws and policies to address the growing cybersecurity risk environment.
At the time of issuance of the SEC guidelines (and even as of this writing), there were no national-level regulations backed by the force of law that applied to business reporting of cybersecurity risk to shareholders and potential investors.
While CF DG 2 explicitly states that “This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission…,” evidence points to it being applied as if it were.
CF DG 2 calls for public companies to disclose cybersecurity risks and cyber incidents in the following six areas:
Risk factors: If your company is registered with the SEC, the guidance calls for you to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” How do you determine whether these incidents are significant enough to disclose?
The SEC believes you should “consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.” You should also “consider the adequacy of preventative actions.”
This rhetoric is considered highly controversial. Couldn’t the public disclosure of such detailed information serve as an invitation to hackers to visit? We think so, and even the SEC acknowledges that.
They state in the guideline, “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts…by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security…and we emphasize that disclosures of that nature are not required under federal securities laws” [emphasis added].
Nonetheless, the guideline calls for specific information to be disclosed. The guideline goes on further to state that your disclosure should “avoid generic risk factor disclosure” and you need to be prepared to discuss specific attacks and their “known and potential costs and other consequences.”
They conclude their discussion on risk factor disclosures by stating, “…registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”
While the SEC is noble in their objective of informing shareholders and potential investors through the disclosure process, we advise great caution when addressing these cyber-related disclosure guidelines.
Advertising your vulnerabilities to potential foes is dangerous and may invite bad actors to see just how vulnerable you are.
We believe the SEC recognizes this and is using its administrative leverage to spur businesses to invest prudently in cyber security so that they, in fact, do not have significant vulnerabilities that can be exploited.
Regardless of the underlying intent, public disclosures of your cybersecurity risk can have a profound influence on your brand reputation, consumer confidence, and (ultimately) your bottom line.
Craft your risk factor disclosure carefully when disclosing cybersecurity risk information. Make sure you have your best lawyers drafting it and have your technical staff review it to advise whether your disclosures present additional risk. Pay close attention to this disclosure!
Management’s Discussion and Analysis (MD&A) of the financial condition and results of operations:
The MD&A is an essential part of your annual report that allows you to provide a narrative explanation of your company’s financial statements. It often is referred to as telling the story “through the eyes of management.”
Your MD&A can improve your overall financial disclosure by providing context to the financial information presented in the rest of the report and presents a venue where you can provide information about your company’s earnings and cash flow (among other important financial disclosures).
Shareholders and potential investors alike use this information to make judgments about the likelihood that past performance is indicative of future performance.
The SEC recognizes the importance of the MD&A in the disclosure process and advises in the guidelines that registrants should address cybersecurity risks and cyber incidents if “the costs associated with one or more incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial conditions.”
Fear not, though: in your MD&A, you can take advantage of the narrative in this disclosure to inform shareholders and potential investors what bold and strong management controls you have taken to reduce your cybersecurity risk and eliminate vulnerabilities.
Remember, though, that you can only reduce your risk, not entirely eradicate it. We hope that investors recognize this fact of life.
Description of business:
CF DG 2 states, “If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s Description of Business.”
This is tricky and consultation with legal counsel is warranted when you discuss this during your disclosure deliberations.
What if you have a business partner who has a cyber incident and that incident is a consideration contributing to you not renewing your contract with that partner? One could make the argument that you should disclose that under this provision.
Yet, what if you want to leave the door open for a future relationship with that company? Disclosing that you dumped a business partner because of a cyber incident or risk can have positive and negative consequences. Be careful in how you characterize your business and its relationships.
Legal proceedings:
This part of the guideline is fairly straightforward. If you are engaged in litigation due to a cyber incident, you are instructed to disclose it in your “legal proceedings” disclosure.
Financial statement disclosures:
Cybersecurity risk management drives financial decisions, and the SEC guidelines call for you to appropriately characterize your cybersecurity-related expenditures in your financial statements. You make investments to prevent cyber incidents.
You may have a cyber incident that results in a loss, diminishes cash flows, or drives you to further investment in response. The guidelines call for you to ensure that your financial statements disclose “the nature of” cyber incidents and an estimate of their financial effects.
Further, registrants must explain any “risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.”
As with all financial statements, precision and brevity are imperative, but you may find it difficult to accurately characterize all cyber-related costs. For example, how would you determine what loss of cash flow can be directly attributed to a cyber event? The inquisitive minds at the SEC want to know.
Disclosure controls and procedures:
In the aftermath of major corporate and accounting scandals such as those at Enron and Tyco International, the U.S. Congress passed the Sarbanes–Oxley (SOX) Act of 2002.
The law was intended to provide greater accountability and oversight over corporate finances to better protect shareholders’ interests as well as the broader economic health and well-being of the market.
Other nations have adopted similar legislation, and executives have become abundantly familiar with the internal control processes and procedures the act promotes.
Internal control processes often are reliant on automated reporting mechanisms, information contained in computer databases, and other cyber-reliant sources.
Management is required under law to certify the integrity of their internal controls process. Yet, what do you do if a cyber incident affects one of your data sources or internal control processes?
CF DG 2 addresses that and reminds registrants that you must consider any effects of cyber incidents that may cause deficiencies in your disclosure controls and procedures and make appropriate disclosures.
This raises the question, “How do you certify your disclosure controls and procedures if you had a cyber incident that potentially tainted your information or processes?” While we recommend you consult with your general counsel, our visceral default response is “always be honest.”
Why Disclose? We believe the SEC’s Division of Corporation Finance is strongly encouraging cybersecurity disclosure to accomplish two objectives:
Bring cyber threats to light and prompt companies to invest in adequate cybersecurity controls.
Provide a mechanism to inform shareholders and potential investors about the cyber risk to which companies are exposed.
Are these objectives appropriate? Should government guidelines steer you to disclose your cybersecurity risk information or should you do so voluntarily?
Answers to these questions depend on who you are and where you sit.
Some people will argue that the objectives are appropriate based upon the SEC’s charter from Congress to act “as necessary or appropriate in the public interest or for the protection of investors.”
There certainly is a good case to be made that the public at large and potential investors would want to know whether a business has a significant cyber risk. After all, who wants to put their money into a bank that is likely to fall victim to cyber theft?
On the other hand, some argue that Congress has not enacted laws directing these actions, so the guidelines are presumptive and perhaps representative of government overreach. They argue that the commission is shaping public policy without a warrant from the people’s representatives in Congress.
They contend that if the people really want disclosure requirements, they will direct so through the law. In the meantime, these people believe the SEC should limit their actions to what the law explicitly dictates. Should you disclose in accordance with the guidelines? We leave that determination to you and your advisors.
Reasons to Not Disclose. There are three primary reasons why you may not disclose cybersecurity risk in accordance with the CF DG 2 guidelines:
First, you don’t know what your cybersecurity risks are.
Second, if you do disclose your cybersecurity risk, you may attract hostile bad actors who will try to exploit your vulnerabilities and damage your business.
Third, if you do disclose your cybersecurity risks, you may face multiple negative effects, which could include but are not limited to:
Loss of investor confidence
Increased risk of liability lawsuits
Loss of brand reputation
Loss of share value
These three are all legitimate reasons cited by companies as to why they are reluctant to publicly disclose cybersecurity risks and incidents in great detail. Do you and your company share these concerns?
How to Disclose. SEC regulations direct several reporting mechanisms that should be used to report cybersecurity risk:
Annual report, Form 10-K
Quarterly report, Form 10-Q
The current report, Form 8-K
Both the annual report and the quarterly report are well-established report formats with which companies and their staffs are very familiar. Under the CF DG 2 guidelines, specific information regarding cybersecurity risk and incidents is now expected to be included in those reports.
The current report, Form 8-K, is used when any “material events” arise inside the timelines directed for the quarterly and annual reports. Examples include bankruptcies, “material definitive” agreements, amendments to articles of incorporation, and “other events.”
What are “material events”? Lawyers have argued over the definition and interpretation of those words for years and likely will do so for years to come. Let’s use the definition the Supreme Court used, a “…fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote.”
Given the Supreme Court definition of “material,” is it reasonable to assume the expectation of the shareholder is that they want to know if you have cybersecurity incidents and risk as key information as they consider their votes? We believe such an association indeed would be made by a reasonable person.
However, as we discussed earlier, incidents or events can have a broad range of impacts, some inconsequential and others devastating.
Notwithstanding the opinion of the Supreme Court, shareholders expect company management to exercise good judgment in assessing and reporting upon “material” occurrences. It does not appear that the SEC has considered or provided insightful guidance on that subject.
What would we do? We would convene our management and legal counselors and together decide what in our considered judgment serves the best interests of our shareholders. Readers should not lose sight of the fact that the management and the board frequently represent a substantial percentage of ownership.
What If You Don’t Disclose?
Given the reasons not to disclose cited earlier, and the CF DG 2 statement that its guidance “is not a rule, regulation, or statement of the Securities and Exchange Commission” and that “the Commission has neither approved nor disapproved of its content,” there doesn’t appear to be any statutory or regulatory requirement that demands that you disclose your cybersecurity risk information through the annual, quarterly, or current reports.
So why do it? What’s the worst that can happen if you don’t include it in your reporting?
Preparing disclosure reports is not a trivial task and involves noteworthy analysis and production costs, including the use of high cost outside professional services.
As we’ve learned in our discussion of quantitative and qualitative risk assessments, determining cybersecurity risks can be difficult to quantify and characterize.
Moreover, communicating your cybersecurity risk to potentially hostile bad actors may invite further trouble as hackers and other threat sources attempt to exploit your vulnerabilities. At first blush, withholding detailed cybersecurity risk information from public disclosure may be in your shareholders’ best interest.
The SEC doesn’t see it that way. While it officially maintains a voluntary disclosure program, its staff repeatedly has pushed companies to disclose cyber attacks. There are several reports of the SEC using aggressive tactics to encourage companies to disclose cyber attack information. This is not surprising.
According to Peter Henning, a former SEC lawyer, the SEC can force disclosure without making rules because companies need to stay on good terms with the regulator, which reviews their financial filings and can “make things difficult.” Resisting a letter from the agency can be costly, amounting to US $250,000 in legal fees, according to Henning, even if the company is found to be fully compliant.
“If it’s complex, your lawyers write drafts in response, you have conference calls with them,” he says. “The SEC knows that’s their power. If you want to litigate with them, it costs millions.”
What if you want to take on the SEC and their aggressive tactics? What is the worst that could happen?
According to the SEC, they are first and foremost a law enforcement agency. They investigate violations of securities and exchange laws and initiate civil and administrative actions to address them.
Common violations that may lead to SEC investigations include:
Misrepresentation or omission of important information about securities
Manipulating the market prices of securities
Stealing customers’ funds or securities
Violating broker-dealers’ responsibility to treat customers fairly
Insider trading (violating a trust relationship by trading on material, nonpublic information about a security)
Selling unregistered securities
If the SEC initiates a civil action against your company, you face the possibility of:
An injunction that prohibits you from further acts or practices that violate the securities laws
A monetary penalty
The return (disgorgement) of any profits that were deemed to be acquired through illegal means
Bars or suspensions of directors and officers of the corporation
In the event you violate the judgment of the court in the civil action, you face contempt charges, with accompanying fines and possible imprisonment.
If the SEC initiates an administrative action against your company, you face the possibility of:
Sanctions including a cease and desist order that halts the activities at issue
Suspension or revocation of registrations
Bars from association with regulated entities in the securities industry
Is “the juice worth the squeeze” to contest the SEC’s CF DG 2 cybersecurity disclosure guidelines? Major companies such as Google and Amazon concluded it wasn’t. After repeated volleys of requests for further cybersecurity information, Google and Amazon relented and edited their disclosures to satisfy SEC staff demands.
Sooner or later, you will need to make decisions on how and what cybersecurity information to publicly disclose. Choose wisely.
Communicating with Shareholders
While the SEC disclosure mechanisms mentioned previously arguably could suffice as a means of communicating cybersecurity risk and incidents to shareholders, we don’t believe SEC reports should be the primary means of communicating with your shareholders.
Your shareholders are increasingly sophisticated and appreciative of the risks presented in a cyber-enabled marketplace.
While they may not understand the technical underpinnings behind them, the vast majority of your shareholders understand that cybersecurity risks exist and they expect you, the executive, to properly set conditions to protect their investment by mitigating that risk.
The severity of a cybersecurity incident could range from a very minor event to an existential threat to your business. You need to have a plan on how to communicate regularly with your shareholders so they retain confidence in their business, that their investment is in good hands, and that you are in control.
Here are some suggestions on how to best communicate with your shareholders.
Ask them how they want to hear from you:
Surprisingly, many companies do not even ask their shareholders what their preferred means of communications are. I prefer to receive emails and electronic reports yet still get piles of paper-based prospectus information in the mail that ends up shredded and recycled.
Disposing of the paper products is time-consuming and just increases my frustration. Do you ask your shareholders how they want you to communicate with them? Do they prefer letters?
Email? Phone calls? Web chats? Videos on your website? There are many options. We suggest you let your shareholders pick their preference.
Ask your shareholders what kind of information they want:
Nobody looks forward to receiving spam, even when it is from your company. Don’t waste company resources sending out unsolicited and undesired information. Do shareholders want to know when you have cybersecurity risk?
Do they only want to know when you are attacked? Or do they not care to know at all as long as the company stays safe, under control, well managed, and profitable? You’ll never know unless you ask them!
Solicit communications from your shareholder to you:
Not every shareholder has the means of attending stockholder meetings where they can give you direct feedback. For most shareholders, sending an email or a letter is the primary means they use to communicate with you and your staff.
When you receive a letter or email from a shareholder, make sure you answer it completely and quickly, and by all means, make it warmer and more pertinent than the responses you get back from Congressmen and Senators!
Have a plan to communicate in crisis:
A cyber attack could pose an existential threat to your business, placing your shareholders’ equity at risk. You ought to have a plan on how to communicate during a crisis. Here are some best practices for communication during a crisis:
i. Get yourself a world-class Public Relations consultant:
Believe us, it’s no fun sitting in front of a bank of twelve microphones while TV cameras grind and facing questions from a bunch of hungry reporters who want you to tell their listeners and viewers why you were so damned stupid to let this mess happen to begin with.
Based upon hard experience, immediately consult with an accomplished public relations specialist. We did and defused a couple of situations that, although they were difficult, could have been terminal financially.
ii. Communicate early and often:
It is essential to have open lines of communication with your shareholders and to remember that communication goes both ways. When confronted by a crisis such as a cyber attack, the early hours after the event are critical and set the tone for the duration of the crisis. When communicating with your shareholders, be prepared to answer these questions:
Where did it happen?
When did you find out?
What are you going to do about it?
Who’s to blame?
Were there warning signs?
How will you prevent it from happening again?
What does this mean for us?
iii. Take responsibility:
Don’t beat around the bush. Take responsibility, express regret, apologize as appropriate, and decisively inform your shareholders what your next steps are to address the problem.
iv. Speak with one voice:
Ensure your message is consistent throughout the organization. Centralized control of information and talking points has proven to enhance the accuracy and timeliness of information.
v. Establish a crisis team:
Create and train a crisis team (including your PR specialist) as part of your business continuity planning effort. Operate a command post to coordinate and synchronize response efforts. Establish a scheduled rhythm to share information with your shareholders and other key stakeholders.
vi. Plan for the worst:
While you hope for the best, you need to plan for the worst. Anticipate having to deliver and respond to bad news. Have your script ready. Don’t “wing it” in delivering your message, and by all means, do not deviate from the central message or ad lib or try to be the least bit humorous. You must convey that this is a serious situation and you are acting accordingly.
vii. Get your message out:
Communicate, communicate, and communicate. These are the watchwords of crisis communications. There are plenty of ways to get your message out to your shareholders:
Television and radio commercials
Website postings (including video messages)
Your shareholders trust you to protect their investments. They expect you to professionally manage their company and deliver success. They also expect you to keep them informed. Do so in a manner that retains their trust and confidence in your abilities.
ORGANIZING FOR SUCCESS
Many companies have come to realize that they need disciplined processes and procedures to forecast, measure, and control risk. Great companies do something about it, and more often than not, they implement organizational structures specifically to address risk.
Risk Management Committee
An example of specific organizational structures to manage and control risk is found in the proliferation of risk management committees at the corporate level. It is not unusual for corporate boards of directors to establish committees to address auditing, compensation, and governance.
Now, many companies have added committees to focus on risk management. We believe this is a terrific concept, particularly in regard to improving cybersecurity risk management.
Committees are formally chartered by corporate boards of directors to provide oversight and governance over key functions of the business. Charters include direction regarding the committee’s purpose, membership, organization and operations, duties and responsibilities, reporting requirements, resources and authorities, meetings, and other needs of the committee.
It is important that the board chart the course for the committee, yet the charter should be reviewed regularly for any needed changes or improvements.
Risk management committees usually consist of nonmanagement directors. This is important as nonmanagement directors are more likely to be unfettered by the organizational bias that often accompanies management positions.
Likewise, because it is highly unlikely that the nonmanagement committee members were participants in the detailed decision-making that led up to an emerging risk, they are more likely to focus on the risk rather than the daily running of the business.
Many companies have discovered this alignment to be powerful and one that delivers excellent results.
Risk management committees monitor and control the “material enterprise risk” of the organization. Typically, they review management’s proposals, oversee the creation of a risk management framework, and assess that framework before it is submitted to the board for approval.
The framework includes the definition of the categories of risk, standards in relation to each category, and an approach to risk tolerances adopted by the company.
These standards will be reviewed periodically (and at least annually) to take into account changes in the internal and external environment as well as reports and findings of the audit committee as it relates to the performance of controls.
Cybersecurity is increasingly at the top of the agenda for risk management committees. Because it is, the risk management committee must have the resources it needs to make informed decisions.
One of these resources is quality information and insight into the business. Quality information yields quality decisions, which yield quality results.
When it comes to cybersecurity risk, in addition to close communication with business unit directors and officers, the risk management committee should have very close communication with the CIO, who should provide the committee with information regarding architectures, performance and expenses, and other information regarding the information systems that drive the business.
Similarly, the committee should be in close communication with the chief information security officer (CISO) who should provide the committee with information on cyber vulnerabilities and threats.
Another critical resource the risk management committee needs is threat awareness. If the organization has a business intelligence function that focuses on external threats, they should be tightly coupled with the committee.
If the organization does not have a function such as this, the committee is urged to recommend that the company should contract or subscribe for such a service to aid in maintaining comprehensive threat awareness.
A third and critical resource for the committee is the technical awareness to understand the challenging and complex cyber environment. While members of the risk management committee do not need to be certified technical experts, they need to have a basic understanding of both the business and the technology that supports it in order to make the best decisions.
We are familiar with many boards of directors that have invested in continuing education to ensure their directors, including members of the risk committee, have the requisite contemporary knowledge to stay “on top of their games.”
As an example, a colleague of ours who has been in corporate America for over 50 years and currently serves as a director on several boards says about his continuing education, “I may not be able to see or hear as well as I did, but I can still smell when crap is being shoveled my way!”
The takeaway for you regarding technical awareness is that the committee has to understand cybersecurity to understand its risks. You need to plan to invest in your committee’s continuing education to keep them current!
Corporate risk management committees largely have been very successful in helping to highlight, manage, and control risk.
Board-level oversight of management’s efforts to manage and control risk is appropriate and fosters more disciplined, professional, and complete risk identification, accounting, and control. If your business does not have a risk management committee, we highly recommend you consider creating one.
A closing thought is in order based upon the foregoing discussion of the risk management committee. It is the job of the board of directors to direct, and the job of managers to manage. To forget this aphorism is an invitation to trouble.
Chief Risk Officers
Many companies invest in chief risk officers who support directors and officers in the strategic management of the corporate risk program.
For some firms, investing in a senior executive with strategic responsibility over the corporate risk program yields improvements in compliance, strategic planning, and governance.
Because the chief risk officer (CRO) is a relatively new position, many organizations that have appointed one haven’t yet mastered how to integrate them into their management structure. The successful (and satisfied) ones typically report to the CEO for their daily duties.
They oversee the strategic risk management program, its processes, and its metrics. The CRO ensures that processes are maintained and current and that personnel are trained in accordance with corporate objectives.
The CRO often also oversees compliance programs, working with the general counsel and across business units to ensure that compliance actions and reporting are accomplished. Frequently, the CRO interacts with outside professional, legal, accounting, and public relations (PR) consultants.
While corporate CROs are now emerging as powerful and important senior executives, some boards wisely are asking whether they need both a risk management committee and a CRO.
Many companies that have both report that they intend to keep both. An example is KeyCorp, a US $87 billion asset regional bank headquartered in Cleveland. It has had a board-level risk management committee and a CRO for several years.
According to the bank’s senior executive vice president and CRO, the risk committee’s primary role is to establish the “risk appetite level” for the bank’s various business lines, expressed in the form of measurable data like nonperforming loans or customer service complaints, and “it’s part of my job to translate that appetite into a risk control structure for the company.”
That control structure includes a risk reporting process where the CRO regularly provides the committee with a variety of forward-looking metrics that will not only tell the committee what the bank’s risk profile is today but also where it might be trending in the future.
KeyCorp’s risk committee meets six times a year, “so every other month we’re also having face time with the [committee members],” says the CRO.
How you organize to manage your risk successfully depends on your company, its goals, and the threats it faces. If you haven’t already done so, we strongly urge you to consider establishing a risk management committee as part of your corporate board structure.
The committee should be chartered to provide strategic oversight and governance over management’s risk management program and should determine a “risk appetite” measure for the board’s consideration and approval.
If your company is complex, faces significant risks across many business functions, and has the means, you may want to consider investing in a CRO to provide the strategic and operational management of your company’s formal risk management program. Those companies that have made that type of investment generally reap positive rewards.
Qualitative risk assessments are a popular method of calculating cybersecurity risk and present potentially preferable means of determining cybersecurity risk for businesses, in contrast with quantitative risk assessments.
Qualitative risk assessments do not utilize detailed calculations to assign monetary values to assets and losses like the quantitative method.
Rather, the qualitative risk assessment method recognizes the difficulty present in assigning realistic values to information and the likelihood of risk. As such, this qualitative method provides relative measures of risk and asset value based on ranking specific items into categories such as high, medium, or low or on a numeric scale.
While not as precise as the quantitative method, qualitative assessments generally are faster, easier, and less expensive to produce and give senior decision-makers actionable information in a timelier manner. Moreover, in most respects, their results are easier to understand.
We recommend you consider investing in a cybersecurity business intelligence capability. Many companies maintain in-house business intelligence functions to maintain situational awareness over key items of interest in their business sector, supply chain, and other areas that possibly could affect their business.
Others subscribe to services that provide them tailored information to heighten their awareness of key market trends, threat warnings, etc. Your business needs cybersecurity business intelligence as part of your “know your enemy” early warning capability.
You can manage risk through mitigation, transference, acceptance, or avoidance. Whatever technique you decide to implement to manage risk ought to be influenced by a business case analysis. If you do your business case analysis well, the right decision should jump out to you!
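As an added example that is not part of the original chapter, the following Python sketch scores one constructed cyber-risk scenario both ways, first with a qualitative high/medium/low matrix and then in monetary terms using the standard single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) formulas (the text does not spell these out), and then runs the business case the text calls for across mitigation, transference, acceptance and avoidance. The matrix thresholds, the dollar figures and the treatment assumptions (a control lowers ARO, insurance reimburses a fixed fraction of each loss, avoidance forgoes revenue) are all assumptions made here for illustration, not values from the page. Note the caveat the model glosses over: a cyber policy rarely reimburses reputational or share-price loss, so a real business case should treat the "transfer" option more conservatively than this one does.

```python
"""Added example: qualitative and quantitative scoring of one cyber risk,
followed by a business-case comparison of the four risk-treatment options.

Every number below is constructed for illustration; SLE/ARO/ALE and ROSI are
the standard quantitative-risk formulas, not figures taken from the chapter."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Qualitative method: rank likelihood and impact into categories and read the
# overall rating from an explicit matrix. The cell values are an assumption;
# a real committee sets them to match the company's risk appetite.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): "LOW",
    (Level.LOW, Level.MEDIUM): "LOW",
    (Level.LOW, Level.HIGH): "MEDIUM",
    (Level.MEDIUM, Level.LOW): "LOW",
    (Level.MEDIUM, Level.MEDIUM): "MEDIUM",
    (Level.MEDIUM, Level.HIGH): "HIGH",
    (Level.HIGH, Level.LOW): "MEDIUM",
    (Level.HIGH, Level.MEDIUM): "HIGH",
    (Level.HIGH, Level.HIGH): "HIGH",
}


def qualitative_rating(likelihood: Level, impact: Level) -> str:
    """Overall rating for a (likelihood, impact) pair."""
    return RISK_MATRIX[(likelihood, impact)]


# Quantitative method: put a dollar figure on the same risk.
@dataclass(frozen=True)
class Scenario:
    asset_value: float      # what the asset is worth to the business, in dollars
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float   # what the option costs per year (premium, control, lost revenue)
    residual: Scenario   # the scenario that remains once the option is in place

    def total_annual_cost(self) -> float:
        """Business-case figure: cost of the option plus the residual expected loss."""
        return self.annual_cost + self.residual.ale()


def rosi(before: Scenario, option: Treatment) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = before.ale() - option.residual.ale()
    return (avoided - option.annual_cost) / option.annual_cost


def cheapest_option(before: Scenario, options: list[Treatment]) -> Treatment:
    """Pick the option with the lowest total expected annual cost. 'Accept' is
    modelled as a zero-cost treatment that leaves the scenario unchanged."""
    accept = Treatment("accept", 0.0, before)
    return min([accept, *options], key=Treatment.total_annual_cost)


def demo() -> dict:
    """Constructed scenario: theft of a customer database (assumed figures)."""
    before = Scenario(asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
    options = [
        # Mitigate: a control (e.g. MFA plus endpoint monitoring) that cuts the
        # incident rate from one-in-five years to one-in-twenty years.
        Treatment("mitigate", 40_000, Scenario(2_000_000, 0.25, 0.05)),
        # Transfer: cyber insurance reimbursing 80% of each loss, so the
        # retained exposure factor drops from 0.25 to 0.05; frequency unchanged.
        Treatment("transfer", 30_000, Scenario(2_000_000, 0.05, 0.2)),
        # Avoid: stop holding the data at all; no loss, but forgone revenue.
        Treatment("avoid", 150_000, Scenario(0, 0, 0)),
    ]
    best = cheapest_option(before, options)
    return {
        "qualitative": qualitative_rating(Level.MEDIUM, Level.HIGH),
        "ale_before": before.ale(),
        "totals": {t.name: t.total_annual_cost() for t in options},
        "rosi": {t.name: rosi(before, t) for t in options},
        "best": best.name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows why the text insists on a business case rather than a reflex: with these assumed figures the cheapest course is transference (US $50,000 total expected annual cost) ahead of mitigation (US $65,000), acceptance (US $100,000) and avoidance (US $150,000), even though mitigation still has a healthy positive return on its own. Change the premium, the coverage fraction or the ARO reduction and the ranking moves, which is exactly the sensitivity a committee should ask management to show.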
Risk must be communicated to be properly managed. It is important to clearly communicate the risks and risk management strategies, policies, and procedures in a manner that is readily understood by key stakeholders throughout the organization.
You must communicate risk internally within the company to its employees and those who manage and control the risk. You must consider disclosing risk through channels identified by regulatory rules and guidelines. You also must regularly communicate risk to your shareholders, both in times of calm and times of crisis.
Organizing well can lead you to success when addressing cybersecurity risk. We recommend the charter of a risk management committee at the corporate board level to produce strategic governance and oversight over your corporate risk management program.
We believe it is imperative that your risk management committee establish the “risk appetite” level for your business and work with senior management to ensure that the requisite processes and controls are in place and used to minimize your corporate risk.
If your company is complex, faces significant risks across many business functions, and has the means, you also may want to consider investing in a CRO to provide the strategic and operational management of your company’s formal risk management program. Those companies that have made that type of investment generally reap positive rewards.