Taking the Offense Against Cyber Risk
Third Quarter 2014
Corporate Board Member by Charles Keenan
Companies have stepped up efforts to address cyber risk in recent years, but the increasing speed and growing sophistication of attacks raises the question of how well management and boards can keep up.
Within corporate America, there’s a growing realization that large consumer databases and intellectual property are up for grabs if assets aren’t protected correctly. Nearly every organization is vulnerable, especially at a time when companies are using technology to adapt to changing markets and take advantage of new opportunities. Cincinnati Bell Inc., for example, spent $123 million in 2013 to expand fiber-based content and IT solutions in its customer base, which brought new growth—but also new risks.
“We are extremely concerned that we be really locked up and as secure as technology can enable us to be,” says Ted Schell, a director for Ohio-based Cincinnati Bell and managing director of Associated Partners, a private equity firm. “It’s the kind of company that cannot be too vigilant and must hold its people accountable.”
For Schell and thousands of other directors, when it comes to cybersecurity, there has been a recent shift to high alert. A seemingly never-ending series of breaches announced by U.S. companies, universities, and governments has catapulted cybersecurity to the top of the list of concerns. Cybersecurity rose to third place on board agendas in 2013, up from 12th place two years earlier, according to Lloyd’s of London’s biennial Risk Index, an assessment of risk priorities and attitudes among business leaders globally.
Management is worried too. About 69% of executives say they expect cyber threats will impact growth, according to a May report on cybercrime by PwC. And the anxiety is only increasing. About 59% of respondents—500 executives of U.S. businesses, law enforcement services, and government agencies—said they were more concerned about cyber threats in 2014 than in the past.
The new world of mobility, collaboration, and globalization means companies as a whole have some work to do security-wise, says Aaron Levie, chief executive officer of Box Inc., a cloud storage and file sharing service based in Los Altos, California. Companies are having to deal with a very different IT model, one that is cloud based, rather than being centered on an infrastructure secured by a perimeter. “You have this very significant gap between the IT of yesterday and the work of today and tomorrow,” he says.
The gap involves an array of sophisticated tools being used by a range of threat actors, from criminal rings in Eastern Europe, to nation-states such as Russia, China, and Iran, to hacktivists looking to make a statement or steal secrets, and even to the National Security Agency doing its own snooping abroad. One such tool, malware (or malicious software), is used to steal information. Botnets—networks of infected computers—help carry out criminal intrusions. Rootkits are stealthy types of software used to hide processes or programs from typical detection methods.
These tools aren’t new, but they are being used with greater speed and in greater numbers. In zero-day attacks, so called because developers have had zero days to fix a software vulnerability once it is discovered, hackers can have malware ready to exploit the weak point within hours. Whatever the attempt to infiltrate a system, if the perpetrators are unsuccessful, they can come back quickly with another try, perhaps at a different entry point.
“They continue to use the same approaches,” says Steve Martino, vice president of Information Security at Cisco Systems Inc., based in San Jose, California. “They adapt and modify what they are doing. But the speed at which they are coming is faster and faster.”
It will only get riskier since the Internet and the interconnected business world bring so many new opportunities. Mergers and acquisitions, entry into new markets, and adoption of new technology bring on additional risks. Companies are moving into new markets overseas, adopting new technologies to innovate, and bringing more vendors into the fold because these third parties can deliver efficiencies at a reduced cost while enhancing business performance. Further, as employees increasingly do their work on mobile devices and become more connected among themselves and to the outside world through social media, risks will continue to escalate.
To date, the biggest breaches span all types of organizations. Most notable of late was the breach of Target Corp. last holiday season, with the credit cards and addresses of up to 70 million customers compromised. But Target was just part of a long list of major attacks. Last year featured compromises of companies such as Adobe (38 million accounts) and Vodafone (2 million), according to a 2014 data breach investigation report by Verizon. Less publicized events included a breach of Harbor Freight, a U.S. tool vendor, affecting up to 200 million accounts, and the Twitter accounts of CNN, the Washington Post, Time Magazine, and the New York Times and New York Post, the report noted. One incident that got much less attention occurred at the University of Maryland, which reported in February the compromise of more than 300,000 records—including social security numbers—for students, staff, and faculty dating back to 1998.
Point-of-sale systems of consumer-facing businesses remain a popular source for attacks. P.F. Chang’s, a restaurant chain, was revealed in June to have had credit and debit card data stolen. Other big retailers that have been hacked include Sally Beauty and Neiman Marcus. In these cases, along with Target, the credit and debit card information often ends up on reseller websites. For Sally Beauty, for example, the data was sold for $18 to $140 per file on rescator[dot]so, as reported by security blogger Brian Krebs. Buyers then can encode magnetic stripe cards with the data to fraudulently buy goods and services.
All the bad news for retailers might give some outside the retailing industry a false sense of comfort, but just about any organization—and its customers—is susceptible, experts warn. In fact, just 14% of reported breaches were attacks on the point of sale, according to the Verizon report.
The Heartbleed bug, a vulnerability first reported in April involving the encryption of website data and transactions, affected almost every end-user of the Internet, forcing people to change passwords. Many federal government agencies have been hacked, including the departments of Commerce, Defense, Energy, Homeland Security, and Labor, plus the Environmental Protection Agency, the Food and Drug Administration, Internal Revenue Service, NASA, National Weather Service, Nuclear Regulatory Commission, and others, according to a recent U.S. Senate report.
“There is truly greater risk out there today than even just a few years ago,” says Steve Phillips, chief information officer of Avnet Inc., a Phoenix-based technology distributor and solutions provider with $27 billion in annual sales spanning 80 countries. “We just see very well-organized groups of individuals that are very tech savvy.”
Along with loss of intellectual property, companies also can face financial risk from fraudulent transactions and compliance risk from having to pay fines to regulators. But the greatest risk might be to a company’s stature in the eyes of its customers and investors, Phillips adds. “Perhaps most importantly, it’s the reputational risk that companies have when there is a very visible breach,” he says.
It’s an indictment of sorts, though the failings are not so much in technology as in human error, says William Beer, a managing director at Alvarez & Marsal, a New York-based consulting firm. “Even the most advanced technologies that a lot of the large organizations have invested heavily in are not going to be sufficient,” he says. “Those technologies are not being triggered, partially because the internal processes and the internal teams are weak.”
In fact, about 42% of data breaches were due to a malicious or criminal attack, according to a May 2014 study of 314 companies by the Ponemon Institute. Another 30% were a result of human error, and 29% were due to “system glitches,” which involve both IT and business process lapses.
COST OF BREACHES ON THE RISE
All of these breaches are adding up for companies. The cost of data breaches alone rose to an average of $3.5 million, up 15% from a year earlier, according to the Ponemon report. The average cost paid for each lost or stolen record with sensitive and confidential information rose to $145, up 9% over the same period, according to the study, which spanned 10 countries. Costs were highest for companies in the United States, at $5.9 million for the average breach.
Ponemon defines the costs of breaches to include direct expenses such as forensic experts, hotline support, provision of free credit monitoring subscriptions, and discounts for future products and services. Indirect costs include in-house investigations and communication, customer loss as a result of turnover, and diminished sales.
Companies must also spend money to prepare for attacks in terms of compliance, with every industry and asset class facing its own unique set of regulators. The Securities and Exchange Commission, for example, has stepped up oversight by implementing Regulation S-ID, which requires certain regulated financial institutions and creditors to adopt and implement identity theft programs.
THE ACHILLES’ HEEL: THIRD PARTIES AND INSIDERS
Cyberattacks have also become much more sophisticated, with third-party risk now seen as a major security vulnerability and a popular choice of entry. The Target breach resulted from hackers accessing the retailer’s network via a third-party heating and air-conditioning vendor. The ways of exploiting third-party suppliers seem endless. Perpetrators have gained access to company networks via Chinese takeout menus on bogus PDFs, or just by leaving behind USB devices in public places. They’ve also infiltrated networks via videoconferencing systems, thermostats, and printers.
In fact, third-party risks mean there are now a lot more holes for companies to plug up. Malware can get implanted in systems and stay dormant for extended periods. For example, 85% of intrusions at the point of sale took weeks to discover, while another 13% took months, according to the Verizon report. “Do you know your entry points?” says James Lafond, chairman of the audit committee for VSE Corp., a systems and equipment supplier based in Alexandria, Virginia, and director for WGL Holdings Inc., a gas utility company in Washington, D.C. “Sometimes these things such as malware are planted in the system and not implemented right away.”
While attacks on insiders are nothing new, they have become much more targeted and complex. Perpetrators comb LinkedIn profiles, Facebook profiles, and company web pages for information on executives, then pose as colleagues and craft emails to them. The grammar and writing style in such approaches, considered rather poor a few years ago, have become much better too. The emails increasingly seem as if they were coming from another executive, says Phillips of Avnet. “They look very compelling,” he says. “They come from an email address that is not an Avnet email address but looks like an Avnet email address.”
“Attackers focus on the third parties and the inside,” adds Edward Powers, national managing partner of Deloitte’s Cyber Risk Services practice in New York. “Because if you can compromise a third party or an insider, it makes the attacker’s job infinitely easier.”
TAKING ON CYBER
How a business and its board tackle cyber risk depends on the industry, its tolerance for risk, and its business plan, experts note. “There is no silver bullet for cybersecurity,” says Patricia Oelrich, chair of the audit committee for Pepco Holdings Inc., an electric utility based in Washington, D.C. “Every company and industry is different. What the board has to do is make sure there is a rigorous and rational approach to understanding the risks, how to mitigate them, and how to respond to incidents. Directors need to have those processes in place.”
Vigilance is key, adds Lafond. “It’s very hard to say where the bad guys are heading,” he says. “All you can do is make sure you are constantly on the lookout, that the management team and IT are looking closely at how their defenses are being developed, are aware of anything that is coming at them, and recognizing that they are not going to have a 100% success rate. That is impossible.”
Often companies still see cybersecurity as an IT risk, rather than one that should be dealt with over the entire enterprise, notes Timothy Ryan, a managing director with the Cyber Investigations practice for the New York office of Kroll Inc. He says companies need to treat cybersecurity as they would other security lapses. He gives the example of a retailer facing robberies of customers in its parking lots. It would require involving many departments in the company, such as physical security, general counsel, human resources, and others. “It’s the same thing here,” he says. “Just because computers are involved doesn’t mean it is solely the province of the information technology group inside a company.”
To help boards with some proactive measures, Corporate Board Member compiled a short list of recommendations from directors and industry experts. While by no means exhaustive, the list is a starting point of sorts:
MEASURE COMPANY COMMITMENT.
On an enterprisewide scale, companies should evaluate where cybersecurity stands, says Beer of Alvarez & Marsal. How is security being treated on the corporate risk register? “That immediately gives you a pretty clear indication of the level of maturity of cybersecurity in the organization and how they are dealing with it,” Beer says. Another key indicator is whether the company discusses cybersecurity in the annual report, he adds. What losses have already been suffered? What is the impact on the brand? “Putting a hard number on financial impact can be very useful to focus the mind and discussions on cybersecurity,” Beer adds.
FOCUS ON ACTIONS.
“It’s about asking what is being done, as opposed to being an expert,” says Lafond, the director for VSE and WGL. “You are not going to get directors to be experts on the impact of, for example, shutting down the grid. That would be asking too much of any director. But you want a director to at least know that [it] could happen. And [ask] What are we doing about it? Are we talking to the best experts? Are we coordinating with companies and governments? You have got to at least be asking those questions.”
MANAGE THIRD PARTIES.
Companies must put in strong controls for monitoring suppliers. For Pepco Holdings and other electric utilities, Edison Electric Institute, an industry group, serves as a standard bearer. A supply chain integrity subteam of the group has issued a standard of 20 best practices on managing supplier risk. One such best practice includes having a discussion among IT, legal, and procurement before hiring a new supplier. Other practices recommend performing security audits on suppliers, using only approved manufacturer distribution channels, and understanding the end-to-end security practices of the suppliers of the suppliers. “You need to understand your supply chain and what kind of practices you should have in place to ensure you understand the security controls at your vendors,” Pepco’s Oelrich says.
HAVE A POINT PERSON.
Organizations need to appoint someone, such as the chief information security officer (CISO), to manage the process, says Powers of Deloitte. The person chosen needs to be well respected across the organization in order to get various departments working together. “It is extremely important that management has someone in place to oversee cyber risk who is in an appropriate place in the organization to be able to handle an incident,” he says.
REQUIRE DETAILED BRIEFINGS.
Communication is key. It’s no longer just about an annual or semiannual report from IT to the board; instead, it’s about having regular briefings between the board and several people in management. At CoreLogic, a data and analytics provider, that means getting detailed briefings from several people in security, such as the chief of data security and the person in charge of data. It also includes updates from compliance and the general counsel. Furthermore, an internal committee meets separately in addition to reporting to the board. “One of the things we are interested in [is] what are we seeing in terms of attempts to breach the security?” says D. Van Skilling, chairman of the board at CoreLogic and president of Skilling Enterprises, a private investment firm. “What are the lines of defense against [potential intruders]?”
HAVE GOOD PROCESSES TO START.
“There are going to be security issues and compromises,” says Chip Tsantes, a principal and cybersecurity leader in the Financial Services office of EY. Even so, he says, “You want to make sure the same one is not happening five times over. You want to learn from each one and be able to update your procedures, systems, and training to not have it happen again.”
RELY ON EXISTING COMPLIANCE STRUCTURES.
Companies can tap their know-how from existing compliance programs to set up processes to monitor cyber risk, such as ethics hotlines and other ways that allow people to anonymously raise issues. “You can take advantage of those things without having to create from whole cloth something that is new and evolving,” says Charles Beard, a principal focused on cybersecurity for the Advisory practice of New York-based PwC.
HAVE A RESPONSE PLAN.
Companies also need to have a response plan in place that includes forensics, legal, and public relations. Just hashing a contract out with a forensics team can take weeks, and companies won’t have that kind of time after a breach. “You have to be very quick, decisive, and ready with the appropriate resources to manage and reduce the negative and reputational impact on the company,” Pepco’s Oelrich says.
EDUCATE, EDUCATE, EDUCATE.
Board members can keep up with the latest developments in a variety of ways, notes Schell, the director for Cincinnati Bell. “You need to sensitize them to the issues with things such as programs, written materials, and peer groups. That really increases awareness and sensitivity that characterizes the range of issues.”
KNOW THE FINE LINE.
Boards must also be comfortable in knowing how far to probe, leaving the minutiae to executives, says Scott Jenkins, president of S.M. Jenkins & Co. and chair of the audit committee of Bryn Mawr Bank Corp., a financial institution based in Bryn Mawr, Pennsylvania. “Senior management always has to be reporting out—what are they doing, what are they thinking about, and what are their concerns,” Jenkins says. “There is a fine line between micromanagement by a board, which is disastrous, and the board standing too far above the fray. It is the biggest challenge of being a board member.”
RECRUIT TECH EXPERTISE.
How much IT savvy a board has depends on the business, but it’s needed nevertheless, Skilling notes. For example, CoreLogic added three independent directors with strong technology backgrounds in 2012: John Dorman and Jaynie Miller Studenmund had experience running online financial services providers; Douglas Curling had worked for a provider of identification and credential verification services. “In this day and age, you have got to have some board members who are at least sufficiently technically sophisticated and up to date so that they can ask the right questions and give the right advice and support,” Skilling says. Levie of Box recommends forming a technology committee on the board. “You need a board that wants to care about this,” he says. “Every board should look around and say, ‘Do we have somebody we can fundamentally trust to dive into this set of issues?’”
KNOW YOUR RISK APPETITE.
As companies have the choice of embracing new technologies, they must balance the benefits and the risks they bring, says Greg Bell, Global Information Protection and Security lead partner at KPMG in Atlanta. In essence, they need to answer questions of how new technology fits into the company’s existing environment and how the company can get control over it. “There is no right answer,” Bell says. “Every organization has got to make that a determination of what is right for their uniqueness. That is where the board should ask the questions to at least ensure management is asking the questions.”
BULK UP ON COMPLIANCE.
Compliance varies widely among industries. For Pepco Holdings, the electric utility, it includes reporting to various regulators such as the North American Electric Reliability Corp. (NERC), the Federal Energy Regulatory Commission (FERC), Homeland Security, and state agencies. “At the end of day, you have to know what the regulatory standards are and make sure from a board perspective that the company understands what they are,” says Oelrich, the Pepco director. “But you should never just be happy with those standards because they are never enough.”
NO GOING BACK
In a sense, when it comes to cybersecurity, companies really have no choice but to get a handle on it, given the amount of competitiveness around technology-driven products, says Levie of Box. They must gird for potential breaches and be ready to respond. “You can’t afford to slow down,” Levie says. “The question is, ‘Can you afford to understand and be patient with the nuances of the issues?’”
Simply put, be prepared. “Let’s be realistic,” Beer, of Alvarez & Marsal, adds. “It’s now clear to most organizations they can’t protect everything. They are going to get hit. It’s inevitable. But what they need to do is be ready to respond and have a clear understanding of where the crown jewels are. If you can address those two points, you are in a pretty good place.”