eBook - ePub

Managing Cyber Risk

Name: Managing Cyber Risk
Author: Ariel Evans

Ariel Evans

Share book

118 pages
English
ePUB (mobile friendly)
Available on iOS & Android

eBook - ePub

Managing Cyber Risk

Ariel Evans

Book details

Book preview

Table of contents

Citations

About This Book

Cyber risk is the second highest perceived business risk according to U.S. risk managers and corporate insurance experts. Digital assets now represent over 85% of an organization's value. In a survey of Fortune 1000 organizations, 83% surveyed described cyber risk as an organizationally complex topic, with most using only qualitative metrics that provide little, if any insight into an effective cyber strategy.

Written by one of the foremost cyber risk experts in the world and with contributions from other senior professionals in the field, Managing Cyber Risk provides corporate cyber stakeholders – managers, executives, and directors – with context and tools to accomplish several strategic objectives. These include enabling managers to understand and have proper governance oversight of this crucial area and ensuring improved cyber resilience. Managing Cyber Risk helps businesses to understand cyber risk quantification in business terms that lead risk owners to determine how much cyber insurance they should buy based on the size and the scope of policy, the cyber budget required, and how to prioritize risk remediation based on reputational, operational, legal, and financial impacts.

Directors are held to standards of fiduciary duty, loyalty, and care. These insights provide the ability to demonstrate that directors have appropriately discharged their duties, which often dictates the ability to successfully rebut claims made against such individuals. Cyber is a strategic business issue that requires quantitative metrics to ensure cyber resiliency. This handbook acts as a roadmap for executives to understand how to increase cyber resiliency and is unique since it quantifies exposures at the digital asset level.

Frequently asked questions

How do I cancel my subscription?

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.

Can/how do I download books?

At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.

What is the difference between the pricing plans?

Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.

What is Perlego?

We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.

Do you support text-to-speech?

Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.

Is Managing Cyber Risk an online PDF/ePUB?

Yes, you can access Managing Cyber Risk by Ariel Evans in PDF and/or ePUB format, as well as other popular books in Betriebswirtschaft & Business allgemein. We have over one million books available in our catalogue for you to explore.

Information

Publisher

Routledge

Year

2019

ISBN

9780429614262

Edition

Topic

Betriebswirtschaft

Subtopic

Business allgemein

Part I
Understanding cyber risk

1
Cyber risk at the speed of data

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

– Robert S. Mueller, III Director, FBI RSA Cyber Security Conference, March 1, 2012

Whatever political opinions you have, we have moved to an assumption of breach model, meaning you have been hacked and will be hacked again resulting in business loss and more. This dramatic fact has led the President’s 2019 FY Budget to include $15 billion of budget authority for cybersecurity-related activities, a $583.4 million (4.1%) increase above the FY 2018 Estimate.¹ At the Global Cyber Security Summit in London in October of 2017, Dr. Yoav Intrator, managing director of innovation at JPMorgan Chase, described this phenomenon: “It is interesting to observe that the average corporate growth rate is not as high as the rate of investment in cyber.”

Ninety-nine percent of new information is stored digitally. Facebook collects an average of 15 terabytes daily, or 5000-plus terabytes per year. That’s equivalent to the amount of paper stored in the beds of 15 pickup trucks per day.²

Privacy breaches are occurring more often and increasing at an alarming rate. The average cost, globally, for each lost of stolen record containing sensitive and confidential information is also up from last year, landing at $148 per record. A 4.8 percent increase from 2017. Most recently, the data of 87 million Facebook users was harvested without their explicit permission, by Cambridge Analytica, resulting in Facebook’s CEO Mark Zuckerberg having to testify in front of the United States Senate’s Commerce and Judiciary committees.³

In June of 2017, drug and vaccine maker Merck & Co. Inc. (MRK.N) said it suffered a worldwide disruption of its operations when it was the victim of an international cyberattack, halting production of its drugs, which hurt its profits for the rest of the year. Insurers could pay $275 million to cover the insured portion of drug maker Merck’s loss from the cyberattack, according to a forecast by Verisk Analytics Inc.’s Property Claim Services (PCS) unit.⁴ This would be the biggest cyber insurance payout yet in the history of cyber insurance.

Fortune 1000 companies are twice as prone to a cyberattack than small and medium-sized enterprises. At least one out of every 20 Fortune 1000 companies has experienced a publicly disclosed breach.⁵

Cybercriminals, nation-states, hacktivists, organized criminals, insiders, and others want our data. This includes our intellectual property, our trade secrets, our money, and in some cases our political or financial ruination. The cost of cyber-crime is growing at an unprecedented rate. The cyber insurance industry sees cybersecurity as the “biggest, most systemic risk in history,” says Adam Cottini, Managing Director of Gallagher’s Cyber Liability practice (one of the world’s largest insurance brokerages). When it comes to cyber threats and how they continue to evolve, Adam offers a chilling assessment: “You have the known and the massive unknown.”⁶ Over 1 billion records were compromised in 2014, making it the year of the data breach according to Forbes Magazine.⁷ Since everything is interconnected, we can see cascading impacts if one large company is attacked – the attack can impact the entire economy. Our ecosystem is dependent on the relationships we have with suppliers, vendors, customers, and government. Any cascading failure in cyber can have a direct and dramatic impact on each one of us. These facts require a shift in priorities for organizations to treat cyber as a boardroom initiative.

This chapter provides the background and history on why cyber risk is now one of the most important business risks in today’s innovative, interconnected, data-driven, complex world. It concludes by making the business case to have cyber treated not as an IT issue but as a business issue by measuring cyber resiliency using a digital asset approach to cyber risk quantification.

Cyber across the ages

Cybersecurity began as a research project. An experimental mobile program, written in 1971 by Bob Thomas at Bolt, Beranek and Newman Inc., led to a computer program to move across a network, leaving breadcrumbs wherever it went. He called the program Creeper. It traveled between Tenex terminals on the early ARPANET (Advanced Research Projects Agency Network), printing the message, “I’M THE CREEPER: CATCH ME IF YOU CAN.”⁸

The inventor of email Ray Tomlinson saw this, fiddled with the program, and made it self-replicating – creating the first computer worm. Then he wrote the first antivirus software named Reaper that would track Creeper and delete the “crumbs.”

It’s interesting to look back in academia retrospectively, in this era of ransom-ware, advanced threats, and nation-state attacks, and realize that the precursors to this problem were intended to be harmless. In the 1970s and 1980s, computer threats were primarily in the form of malicious insiders getting access to things they did not have authority to. In the late 1980s, Markus Hess, a German national, hacked into the networks of military and industrial computers based in the United States, Europe, and East Asia and sold the information to the Soviet KGB for $54,000. During his time working for the KGB, Hess is estimated to have broken into 400 U.S. military computers. The hacked material included sensitive semiconductor, satellite, space, and aircraft technologies. Hess’s hacking activities were discovered in 1986 by Clifford Stoll, who is an astronomer turned systems administrator of the computer center of the Lawrence Berkeley Laboratory (LBL) in California. Hess was eventually tracked down, prosecuted for espionage, and received a 20-month suspended jail sentence.⁹

Shortly afterward, computer viruses began to become a serious threat. Increasing network connectivity meant that viruses could nearly wipe out networks, spurring the creation of the first commercially available antivirus software.

In 1988, Robert Morris wrote a program designed to propagate across networks, infiltrate Unix terminals using a known bug, and then replicate itself. This became known as the Morris worm, and it replicated so aggressively that the early Internet availability was seriously damaged due to the scale of the DOS attacks. Robert Morris became the first person successfully convicted under the Computer Fraud and Abuse Act, leading to the formation of the Computer Emergency Response Team (the precursor to US-CERT).¹⁰

More importantly, cybersecurity started as an information technology issue. The first commercially available security tools, such as antivirus software and firewalls, appeared in late 1980s and early 1990s. What followed was the need to implement these technology-point solutions, and the system administrator or information technology manager was the logical person of choice. He or she was asked to read the manual and implement the technology based on the directions. After firewalls came other cybersecurity-point solutions, including intrusion detection systems (IDS), data loss prevention (DLP), vulnerability management scanners (VMS), security incident event management systems (SIEM), and, more recently, advanced threat prevention (ATP), and cyber threat intelligence (CTI) tools, all providing some level of identification, detection, or prevention. IT persons gained more and more power as they were the sole source of information security. Everything was technically oriented, and risk management was not a part of the conversation. IT persons isolated the business and were emboldened by their new power, resulting in a complete disconnect between the risk of the business assets and how cyber was being managed. Today, a Chief Information Security Officer (CISO) walks into a board meeting with a list of 300 vulnerabilities, and the board is mystified. They have no idea what an MITM (man in the middle attack) or SQL injection means in terms of business risk. This leaves the risk owners at a serious disadvantage with a complete reliance on the CISO (who usually has only a technology background) to set strategy. This is a colossal mistake. Cyber must be understood in terms of the risk to the business, not only at a technical level.

Twenty-first-century cyber

As reported earlier, the usage of the Internet grew from 0.5 billion to over 4.1 billion users over the past two decades, expanding the threat surface exponentially. Cybersecurity Ventures predicts there will be 6 billion Internet users by 2022 – and more than 7.5 billion Internet users by 2030. This increase in the attack surface, coupled with IoT usage, is very concerning. Most IoT devices have no security baked in. Adoption of IoT at the current rate with security as an afterthought will have us coping with impacts for generations to come. Simultaneously, only 10% of a company’s business assets were digital in 2000, and now we see that number topping 85%. Couple all this with the popular strategy of outsourcing not only people but infrastructure, and you have the perfect storm for cyber attackers – a ginormous attack surface and business strategies that promote an “assumed” risk transference to vendors with businesses reliant on their digital security.

The purpose of IT is to keep things up and running, ensuring operations, and delivering new digital products to market. It is in direct opposition to cybersecurity agendas, which ask for more controls and for slowing things down. Furthermore, this is an organizational issue; today we have the majority of organizations with ineffective reporting structures where the CISO reports to the Chief Information Officer (CIO) who runs IT, not the business risk owners at the C-level, such as the board, Chief Executive Officer (CEO), Chief Financial Officer (CFO), or Chief Risk Officer (CRO). These diametrically opposing agendas are not the best approach to maximizing cyber resilience. Perceiving the need to reorganize to a commonsense approach is woefully lacking in most companies.

This lopsided organizational structure also has another severe drawback. Security budgets are historically a percentage of IT spend, and IT spend has less than zero to do with the cyber resiliency of the business. This type of budgeting is a stopgap method that is not seen in any other aspect of an organization. All budgets are composed of capital and operational expenditures that are fixed and variable in nature. But not cyber. The cyber budget should be aligned to the fixed operational costs (the security team personnel) and the capital fixed costs (the tools and their licensing costs) and the variable costs. The variable costs are the real-time incidents, findings, and vulnerabilities that need to be fixed. Incidents are any malicious acts that compromise a digital asset, causing data exfiltration or business interruption. Findings are from security assessments (such as National Institute of Standards and Technology [NIST], International Standards Organization [ISO], etc.). Vulnerabilities are weaknesses in systems that can lead to a cyber incident. However, in general, these costs are not measured or estimated properly. This must be addressed from a risk perspective. We are resource deficient in cyber. The exponential growth in risk cannot be matched in exponential growth in expenditure. Some figures include an International Information Systems Security Certification Consortium (ISC²) survey, which underreports the number of cybersecurity job openings compared to Information Systems Audit and Control Association’s (ISACA) estimate of 2 million openings by 2019 and Cybersecurity Ventures’ estimate of 3.5 million openings by 2021 in the United States alone.¹¹ There is no such thing as 100% secure. Risk remediation must be done in the context of business loss to be effective. This can easily be addressed using cyber risk quantification....