Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and to expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Buying Cyber – Consider Carefully
The threat arising from cyber security is real. If it is not already, I suspect this threat will shortly be one of the most significant risks that companies face.
Given its significance, the cyber threat needs a comprehensive integrated response with risk transfer being just one element.
As a risk manager I cringed when I heard another risk manager declare at a RIMS annual conference session, “Yep, I bought cyber risk insurance last year. I did so because everybody else is doing it and also because my director thought it was a good idea. To be honest, I must admit that I am not really sure exactly what I bought.”
That risk manager may have done the right thing but definitely for the wrong reasons.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products.
When you purchase an insurance product you are, as we all know, actually engaged in the practice, or should I say, sometimes the art form of transferring risk to the marketplace. This seems pretty clear, or is it? You should only engage in the practice of risk transfer after you have:
1. Carried out a thorough investigation of your business in order to identify all relevant original or “raw” risk(s).
2 Identified the controls that exist within your business to mitigate the risks identified. In doing so, you also need to assess the effectiveness of the controls in place to treat the identified risks.
3. Considered what other new or augmented existing controls could be established to deal with the risks on a cost effective basis.
4. Assessed the residual risks arising after applying steps 1 – 3 above and determined whether they are within your risk appetite or not.
Some risk managers adopt a “risk flavor of the month” approach when considering, indeed purchasing new insurance products. Cyber risk insurance is one such product that has been flavor of the month for quite some time.
The social/peer pressure to buy “cyber” is unrelenting. It is egged on by the myriad of studies that for example state, x percent of entities now buy cyber insurance and that this will grow to y percent within 12 months.
Do you want to be the brave insurance manager who bucks this trend? I am not suggesting that you be that person; what I do suggest is that you go about the process of evaluating whether or not this risk in your company needs to be insured against in a very disciplined, dispassionate manner.
The advantage of adopting the above is that you will end up with:
1) A very detailed description of the risks you face.
2) A comprehensive assessment of your suite of controls.
3) Absolute clarity as to which element of your risk you will seek to transfer to the insurance marketplace because by doing so, and if you do buy you will end up with a product that precisely fits your needs.
When you make that decision to buy cyber you will feel better as a risk management professional for having done so after following the above.
5 & 5: Rewards and Risks of Cloud Computing
Cloud computing lowers costs, increases capacity and provides security that companies would be hard-pressed to deliver on their own. Utilizing the cloud allows companies to “rent” hardware and software as a service and store data on a series of servers with unlimited availability and space. But the risks loom large, such as unforgiving contracts, hidden fees and sophisticated criminal attacks.
ACE’s recently published whitepaper, “Cloud Computing: Is Your Company Weighing Both Benefits and Risks?”, focuses on educating risk managers about the risks and rewards of this ever-evolving technology. Key issues raised in the paper include:
5 benefits of cloud computing
1. Lower infrastructure costs
The days of investing in standalone servers are over. For far less investment, a company can store data in the cloud with much greater capacity. Cloud technology reduces or eliminates management costs associated with IT personnel, data storage and real estate. Cloud providers can also absorb the expenses of software upgrades, hardware upgrades and the replacement of obsolete network and security devices.
2. Capacity when you need it … not when you don’t
Cloud computing enables businesses to ramp up their capacity during peak times, then ramp back down during the year, rather than wastefully buying capacity they don’t need. Take the retail sector, for example. During the holiday season, online traffic increases substantially as consumers shop for gifts. Now, companies in the retail sector can pay for the capacity they need only when they need it.
3. Security and speed increase
Cloud providers invest big dollars in securing data with the latest technology — striving for cutting-edge speed and security. In fact, they provide redundancy data that’s replicated and encrypted so it can be delivered quickly and securely. Companies that utilize the cloud would find it difficult to get such results on their own.
4. Anything, anytime, anywhere
With cloud technology, companies can access data from anywhere, at any time. Take Dropbox for example. Its popularity has grown because people want to share large files that exceed the capacity of their email inboxes. Now it’s expanded the way we share data. As time goes on, other cloud companies will surely be looking to improve upon that technology.
5. Regulatory compliance comes more easily
The data security and technology that regulators require typically come standard from cloud providers. They routinely test their networks and systems. They provide data backups and power redundancy. Some even overtly assist customers with regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS).
1. Cloud contracts are unforgiving
Typically, risk managers and legal departments create contracts that mitigate losses caused by service providers. But cloud providers decline such stringent contracts, saying they hinder their ability to keep prices down. Instead, cloud contracts don’t include traditional indemnification or limitations of liability, particularly pertaining to privacy and data security. If a cloud provider suffers a data breach of customer information or sustains a network outage, risk managers are less likely to have the same contractual protection they are accustomed to seeing from traditional service providers.
2. Control is lost
In the cloud, companies are often forced to give up control of data and network availability. This can make staying compliant with regulations a challenge. For example cloud providers use data warehouses located in multiple jurisdictions, often transferring data across servers globally. While a company would be compliant in one location, it could be non-compliant when that data is transferred to a different location — and worst of all, the company may have no idea that it even happened.
3. High-level security threats loom
Higher levels of security attract sophisticated hackers. While a data thief may not be interested in your company’s information by itself, a large collection of data is a prime target. Advanced Persistent Threat (APT) attacks by highly skilled criminals continue to increase — putting your data at increased risk.
4. Hidden costs can hurt
Nobody can dispute the up-front cost savings provided by the cloud. But moving from one cloud to another can be expensive. Plus, one cloud is often not enough because of congestion and outages. More cloud providers equals more cost. Also, regulatory compliance again becomes a challenge since you can never outsource the risk to a third party. That leaves the burden of conducting vendor due diligence in a company’s hands.
5. Data security is actually your responsibility
Yes, security in the cloud is often more sophisticated than what a company can provide on its own. However, many organizations fail to realize that it’s their responsibility to secure their data before sending it to the cloud. In fact, cloud providers often won’t ensure the security of the data in their clouds and, legally, most jurisdictions hold the data owner accountable for security.
Risk managers can’t just take cloud computing at face value. Yes, it’s a great alternative for cost, speed and security, but hidden fees and unexpected threats can make utilization much riskier than anticipated.
Managing the risks requires a deeper understanding of the technology, careful due diligence and constant vigilance — and ACE can help guide an organization through the process.
To learn more about how to manage cloud risks, read the ACE whitepaper: Cloud Computing: Is Your Company Weighing Both Benefits and Risks?