X
Tech

Cybersecurity: How to devise a winning strategy

Cybersecurity incidents and breaches can seriously damage a company, making it imperative that security risk management is integral to corporate governance.
Written by Charles McLellan, Senior Editor

In 2018, as in previous years, cybersecurity incidents made the news on a regular basis, and there's no shortage of predictions for the ways in which bad actors may grab the headlines in 2019. Behind these prominent incidents and modus operandi is a continuous background level of cyber-activity that is the inevitable result of organisations failing to monitor and protect their networks, and of users neglecting basic security hygiene.

How should businesses respond to the clear, present and ever-evolving threat of cyber-attack? Completely locking down their IT systems isn't an option, but neither is complacency. Vulnerabilities will almost inevitably be discovered and exploited, and once security breaches have happened they're usually expensive and time-consuming to remediate, often resulting in lasting damage to the victim's reputation and bottom line.

The trick is to work out the attacks you're most likely to face, guard against them to the best of your ability, and review this process regularly. Where to start? Well, no military commander would charge headlong into battle without a clear strategic picture of the conflict, and the same applies in the cyber theatre. That's where business risk intelligence (BRI), or cyber threat intelligence (CTI), comes in. Here's BRI company Flashpoint on the subject, for example:

"Having a robust BRI program puts these threats into context for an organization and its risk management efforts. Cybercrime, fraud, insider threats, physical security, M&A security assessments and third-party risk can all be minimized with an adequate handle on intelligence."

Flashpoint's high-level summary of the 2017/18 global threat landscape -- a matrix of threat actors and key verticals -- looked like this (we've yet to see a 2018/19 update):

flashpoint-threat-matrix.png
Image: Flashpoint

Threat actors are ranked on a six-point capability scale and a four-point potential impact scale, with Flashpoint's cast ranging from Tier 2 capability/Negligible potential impact (Jihadi hackers) to Tier 6/Catastrophic (China, Russia and Five Eyes). Cybercriminals -- the main adversary of most businesses -- are ranked as Tier 4/Severe:

Tier 4 capability

"Attackers are part of a larger and well-resourced syndicate with a moderate-to-high level of technical sophistication. The actors are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack campaigns. Tier 4 attackers and above will attempt to make use of publicly available tools prior to deploying more sophisticated and valuable toolkits."

Severe potential impact

"Cyber attacks at this level have the capacity to disrupt regular business operations and governmental functions severely. Such incidents may result in the temporary outage of critical services and the compromise of sensitive data."

Looking at the vertical industries targeted by these threat actors, financial services and government/military are the most threatened -- bad actors tend to follow the money or the power, after all. Eight out of the nine categories of 'bad guys' have these sectors in their sights:

flashpoint-verticals-threat.png
Data: Flashpoint / Chart: ZDNet

Flashpoint's mid-2018 update to its BRI Intelligence Decision Report noted that political and social instability around the world is now affecting businesses, which must "contend not only with hackers targeting valuable corporate data, but also how geopolitical conflicts will affect the reliability of digital networks supporting commerce, how policy is formulated and enforced, and how investments are executed."

See: Cyberwar predictions for 2019: The stakes have been raised

centrify-cover.png

Although businesses need a lot more detail before they can create their cybersecurity policies and deploy specific measures, it's essential to have a consistent company-wide view of the threat landscape. However, February 2018 research from security provider Centrify and Dow Jones Customer Intelligence suggested that CEOs and their front-line technical officers (CIOs, CTOs and CISOs) often have different perspectives.

Centrify's report was based on a survey of 800 senior executives in companies with at least 1,500 employees, covering 19 industries in the US and UK. Over 50 percent of the companies represented had over 10,000 employees. The key finding was that CEOs are focused on malware -- perhaps influenced by headline-grabbing cyber-attacks -- while their technical officers (TOs) cited identity breaches as the biggest threat.

A clear majority (62%) of CEOs pointed to malware as the biggest cybersecurity threat, compared with only 35 percent of TOs. Meanwhile, 68 percent of executives from companies that had at least one serious breach said it would likely have been prevented by either privileged user identity and access management or user identity assurance. By contrast, only eight percent of companies said that anti-malware endpoint security would have prevented the breaches.

"The disconnect between CEOs and TOs is resulting in misaligned priorities and strategies, as well as mis-investments in cybersecurity solutions, which are weakening security," the report concluded.

So how can companies avoid such misalignments and mis-investments?

Cyber-risk management frameworks

A coherent cybersecurity program requires a template or framework containing all of the important components. Organisations then need to work out which components are most applicable to their particular circumstances, a process that should point them towards the most appropriate security measures.

A number of industry-standard frameworks are available to guide organisations' cybersecurity policies, including AICPA, CIS, COBIT, ENISA, ISO 2700, NIST and -- for those that handle payment card transactions -- PCI DSS. There are also industry-specific frameworks such as those relating to the protection of healthcare data under the US HIPAA legislation.

Using these and other sources, security consultancy Mandiant (a FireEye company) developed a 10-component framework for creating a comprehensive cybersecurity program:

mandiant-fireeye-components.png
Image: Mandiant

Different industries will tend to focus on different framework components, depending on the nature of their business and the particular threat landscape they face. Here's a summary of how Mandiant sees the security priorities for ten vertical industries:


GCODPSRMIAMIRTP/VMHEPADMPNCDCPSAT
Aerospace & defense

✔︎


✔︎






✔︎

Financial services



✔︎


✔︎



✔︎

Governments & agencies

✔︎

✔︎

✔︎

✔︎






Healthcare

✔︎

✔︎



✔︎


✔︎




Information technology

✔︎

✔︎


✔︎


✔︎

✔︎


Legal

✔︎



✔︎

✔︎



✔︎


Media & entertainment

✔︎


✔︎

✔︎






Professional services

✔︎

✔︎



✔︎



✔︎


Retail

✔︎


✔︎

✔︎

✔︎





Utilities

✔︎


✔︎

✔︎

✔︎






GCO = Governance, Compliance and Organization, DP = Data Protection, SRM = Security Risk Management, IAM = Identity and Access Management, IR = Incident Response, TP/VM = Third-Party/Vendor Management, HEP = Host and Endpoint Protection, ADMP = Application, Database and Mobile Protection, NCDCP = Network, Cloud and Data Center Protection, SAT = Security Awareness and Training

As you might expect, the most commonly cited focus areas across these vertical industries are data protection and incident response, closely followed by identity and access management:

mandiant-fireeye-focus-areas.png
Data: Mandiant / Chart: ZDNet

The cost of cybercrime

Cybersecurity has risen ever higher up the corporate agenda for the very good reason that incidents and breaches result in significant costs -- money or intellectual property stolen, valuable data compromised, business disruption, impaired brand reputation, reduced revenue and/or lowered share price. Considerable research effort is expended every year to quantify those costs, a leading example being the IBM/Ponemon Cost of a Data Breach Study.

ibm-ponemon-cost-of-data-breach-2018-cover.png

The 2018 study, published in July, was based on responses from 2,200 IT, data protection and compliance professionals from 477 companies that had experienced a data breach in the previous 12 months; 17 industries were represented, the leading sectors being financial (16%), services (15%), industrial & manufacturing (14%) and technology (13%).

Headline findings were an average total cost per data breach of $3.86 million (up from $3.62m in 2017) with an average cost of $148 per lost or stolen record (up from $141 in 2017). The average number of records per data breach was 24,615 (up 2.2% from 2017), while the estimated probability that an organisation will have a 'material' data breach in the next two years was 27.9 percent (up from 27.7% in 2017).

The mean time to identify (MTTI) a data breach was 197 days (up from 191 days in 2017), while the mean time to contain (MTTC) a breach was 69 days (up from 66 days in 2017). Companies that responded rapidly, containing a breach in less than 30 days, saved over $1 million compared to those that took more than 30 days.

Two new cost factors were introduced in the 2018 report: security automation and the use of IoT devices. Fully deploying security automation lowered the average cost of a data breach by $1.55 million, while the extensive use of IoT devices increased the cost per compromised record by $5.

The 2018 study also quantified the cost of so-called 'mega' breaches involving over 1 million compromised records: a 1m-record breach cost $40m on average, rising to $350m for a 50m-record breach.

Among the many other useful findings in the IBM/Ponemon report is an analysis of the factors that influence the per capita cost of a data breach. A fully functional incident response team reduced the cost by $14 on average (down from $19.3 in 2017), while at the other end of the scale, third-party involvement increased the cost by $13.4 (down from $16.9 in 2017):

ibm-breach-cost-factors.png
Image: IBM & Ponemon Institute

Outlook

Cybersecurity incidents and breaches can seriously damage a company's bottom line and brand image, making it imperative that security risk management is integral to corporate governance.

Detailed analysis of the threat landscape for a company's particular business sector should lead to the adoption of an appropriate framework within which to develop a security policy, which in turn should suggest the best combination of security measures to deploy. Policies must be revisited and updated as the threat landscape evolves. Extensive use of IoT devices increases an organisation's attack surface, increasing the likelihood and level of breach-related costs.

As well as covering the basics, companies need to consider deploying advanced security technologies such as AI-driven automation, in order to give themselves the best chance against the ever-nimble 'bad guys'.


Cybersecurity trends in 2018/19

Numerous reports and surveys are published every year, analysing the state of the cybersecurity arms race and allowing interested parties to keep up to date with the changing threat landscape. The table below lists some of the most influential ones, summarising the key content areas and recommendations:

ReportKey subject areas & findingsRecommendations, best practices & predictions
Verizon 2018 Data Breach Investigations Report
verizon-2018-thumb.png
It will probably be you one day
Most cybercriminals are motivated by cold, hard cash. If there's some way they can make money out of you, they will.

So who are you up against?
Almost three-quarters (73%) of cyberattacks were perpetrated by outsiders. Members of organized criminal groups were behind half of all breaches, with nation-state or state-affiliated actors involved in 12%.

People make mistakes
Malicious employees looking to line their pockets aren't the only insider threat you face. Errors were at the heart of almost one in five (17%) breaches.

Don't get held to ransom
Cybercriminals don't have to steal data to make money -- they can just stop you using it.
Be vigilant

Make people your first line of defense

Only keep data on a need-to-know basis

Patch promptly

Encrypt sensitive data

Use two-factor authentication

Don't forget physical security
Booz Allen Hamilton 2019 Cyber Threat Outlook
symantecistr-2018-thumb.png
Companies in the crosshairs of information warfare

IoT devices broaden state espionage operations

Chip and pin may fall short

The weaponization of adware networks

Deepfakes in the wild -- AI in information warfare

State-sponsored threat actors double-down on deception

Water-utility targeting bubbles to the surface
States may use their burgeoning information warfare capabilities to influence consumers and harm companies, just as they already target voters and foment civil strife.

State-linked groups could find new uses for Internet-of-Things (IoT) botnets, such as Tor-like communication infrastructure.

Adversaries might develop novel attack vectors that exploit the growing pervasiveness of non-WiFi wireless protocols, especially among IoT devices.

Adware networks, a long-standing security nuisance, could be leveraged for more harmful targeted attacks.

Increased adversary emphasis on misattribution will likely result in more examples of confident attribution by the private sector later being disproved, further undermining public confidence in attribution.

Government-backed adversaries may increasingly penetrate the industrial control systems (ICS) of water utilities to conduct reconnaissance and generate fear and uncertainty, mirroring their historical focus on frequent intrusions and rare disruptions at energy firms. 
EY Global Information Security Survey 2018-19
ey-2018-report-thumb.png


The future state of cybersecurity

Protect the enterprise

Optimize cybersecurity

Enable growth
Protect
Cybersecurity needs to be in the DNA of the organization / Build awareness around phishing and malware / Focus the security strategy and program on the entire eco-system of the organization / Increase cybersecurity budgets now (instead of after the fact) and focus the spend on threat detection and response.

Optimize
Consider investments in analytical capabilities / It may be difficult to quickly build up forensic capabilities in house / Focus on where investment will be most effective / Be more open around security operations.

Grow
Put cybersecurity at the heart of corporate strategy / Cybersecurity must be an ongoing agenda item for all executive and non-executive boards / Focus on cybersecurity as part of digital transformation strategy / Continue the focus on emerging technologies.

READ MORE ON CYBERSECURITY

These are the worst hacks, cyberattacks, and data breaches of 2018
Millions of records were lost, services were disrupted, and credit card data was stolen as hackers ran amok over the year.

Cybercrime and malware, 2019 predictions
Experts weigh in on what they believe will happen to the world of cybercrime, malware, and botnets in the coming year.

Microsoft: Improved security features are delaying hackers from attacking Windows users
If a vulnerability is exploited, it is most likely going to be exploited as zero-day, or an old security bug for which users and companies have had enough time to patch.  

Two hacker groups responsible for 60 percent of all publicly reported hacks
The two hacker groups suspected of stealing around $1 billion worth of cryptocurrency.

Spectre and Meltdown explained: A comprehensive guide for professionals (TechRepublic)
Staying up to date on Spectre and Meltdown can be challenging. This guide includes in-depth explanations about these uniquely dangerous security vulnerabilities and the best mitigation solutions.  

IoT security: A guide for IT leaders (Tech Pro Research)
The Internet of Things is delivering data and helpful insights to organizations around the world--but it has also introduced new and potentially devastating vulnerabilities. This ebook offers a comprehensive look at the biggest risks, as well as strategies for addressing them. 

Editorial standards