Enterprise Cybersecurity in Digital Business
eBook - ePub

Enterprise Cybersecurity in Digital Business

Building a Cyber Resilient Organization

Ariel Evans

  1. 530 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Cyber risk is the highest perceived business risk according to risk managers and corporate insurance experts. Cybersecurity typically is viewed as the boogeyman: it strikes fear into the hearts of non-technical employees. Enterprise Cybersecurity in Digital Business: Building a Cyber Resilient Organization provides a clear guide for companies to understand cyber from a business perspective rather than a technical perspective, and to build resilience for their business.

Written by a world-renowned expert in the field, the book is based on three years of research with the Fortune 1000 and cyber insurance industry carriers, reinsurers, and brokers. It acts as a roadmap to understand cybersecurity maturity, set goals to increase resiliency, create new roles to fill business gaps related to cybersecurity, and make cyber inclusive for everyone in the business. It is unique in that it provides strategies and lessons that have been shown to lower risk and demystify cyber for each person. With a clear structure covering the key areas of the Evolution of Cybersecurity, Cybersecurity Basics, Cybersecurity Tools, Cybersecurity Regulation, Cybersecurity Incident Response, Forensics and Audit, GDPR, Cybersecurity Insurance, Cybersecurity Risk Management, Cybersecurity Risk Management Strategy, and Vendor Risk Management Strategy, the book provides a guide for professionals as well as a key text for students studying this field.

The book is essential reading for CEOs, Chief Information Security Officers, Data Protection Officers, Compliance Managers, and other cyber stakeholders, who are looking to get up to speed with the issues surrounding cybersecurity and how they can respond. It is also a strong textbook for postgraduate and executive education students in cybersecurity as it relates to business.


Information

Publisher
Routledge
Year
2022
ISBN
9781000459371

Part I: The Evolution of Cyber Risk

1. Cyber: A business issue

DOI: 10.4324/9781003052616-2
I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.
Albert Einstein

The internet—welcome to my nightmare

Alice Cooper's debut album featured the title song “Welcome to my Nightmare.” For you millennials, I will save you the google; here are the beginning lyrics: “Welcome to my Nightmare, I think you’re gonna like it, I think you are going to feel like you belong.” The internet makes us feel like we all belong. It provides us with technological superiority that gives us a terrific way of life. We don’t have to go to the bank and wait in line or trudge to the store when we have a headache or drive 60 miles to visit Mom. We can learn, work, talk, and buy things almost all at the same time. We multitask our little hearts out. We are entertained, maintained, and optimized for life.
But what happens when the computer gets a virus, or we get hacked? Computer viruses began to become a serious threat in the late 1980s. Increasing network connectivity meant that viruses could nearly wipe out networks. This spurred the creation of the first commercially available antivirus software, and the cybersecurity industry was born.
Real cyber trouble began to brew in the mid-90s when the internet allowed us to innovate exponentially and optimize the way computers could help companies communicate with each other and with consumers. It changed the fundamental way we manage inventories, supply chains, customer relationships, and the financial world.
Internet users grew from 0.5B to over 4.7B users over the past two decades.[1] That's over 900% more attack surface. Cybersecurity Ventures predicts there will be 6 billion internet users by 2022—and more than 7.5 billion internet users by 2030.[2]
The internet can be our cyber nightmare, or we can take an offensive advantage by utilizing people, processes, and tools to make it more costly for cybercriminals to attack us, thwarting their evil plans. The more we connect and have at stake, the more we need to identify, detect, protect, respond, recover, and be resilient.
In his book, The Fifth Domain, Richard A. Clarke describes cyber resiliency: “Cyber resilience must be built upon, rather than be seen as a replacement for sound security fundamentals. When confidentiality, integrity, and availability are compromised, resilience is about the ability to respond rapidly, return to a good state, manage bad outcomes, and learn from the incident so that future incidents are less likely. Here, it is important to note that thinking of ‘resilience’ as the ability to recover to a previous state or bounce back is too limiting. For resilience to be a useful concept in the field of cybersecurity, it requires that the concept fully embody the idea of returning stronger or better than before.”[3]
This is where the business comes in to provide the right amount of budget to hire the right people, have the right cyber tools and processes needed to obtain the right amount of resiliency. We will be providing a framework to benchmark and measure cyber resiliency in this book.

Cyber gets real for businesses

Regulators put their money where their mouth is

The first big shot across the bow for American companies was felt in 2013 when Target was breached by cyber attackers who gained access to Target's computer gateway with credentials stolen from a third-party vendor. Using the credentials to exploit weaknesses in Target's system, the attackers gained access to a customer service database, installed malware on the system, and captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data.[4] As of early 2019, Target has settled over US$206 million in lawsuits in relation to over US$457 million in damages filed by Visa, Mastercard, the State of Minnesota, and several banks, according to Advisen. Additionally, seven out of the ten board members were ousted, and the Chief Executive Officer (CEO) was fired.
At the same time this was happening, other nation-states were redefining how their data would be used, collected, and secured. The European Union crafted new regulations after five years of thoughtful consideration and implemented a rigorous privacy law. The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The first enforcement action was taken against Hospital do Barreiro in Portugal for 400,000 EUR. The fine was due to insufficient access policies, which allowed technicians and physicians to consult patients’ clinical files without proper authorization.[5] Coming full circle to 2019, the largest fine to date, 183 million GBP, was levied against British Airways for the use of poor security controls that resulted in a 2018 Web skimming attack affecting 500,000 consumers.[6] The 183 million GBP is approximately equivalent to 200 million EUR and US$225 million. As of May 2020, the British Airways fine is almost 55% of all the fines levied to date by the European Union for privacy data breaches and misuse of data, which total approximately 350 million EUR.
The European Union's stepped-up privacy laws can be compared with the unprecedented move by the United States Federal Trade Commission (FTC) to fine Facebook US$5 billion. Facebook failed to protect the business assets of their customers. The FTC's bold move fined Facebook for its role in the Cambridge Analytica data breach. Specifically, the FTC fined Facebook because it violated the law by failing to protect data from third parties, serving ads through the use of phone numbers provided for security, and lying to users that its facial recognition software was turned off by default.[7]
The US enforcement landscape for data privacy and data security changed as a result of the US$5 billion FTC Facebook settlement, coming on the heels of the US$575 million FTC Equifax settlement and the fines by the UK Information Commissioner's Office (ICO) on British Airways and Marriott following significant data breaches. These actions indicate a new era of aggressive data privacy and data security enforcement on both sides of the pond.
Figure 1.1 Highest Penalties in Privacy Enforcement Actions
In addition to the fines, the FTC has mandated a privacy program for Facebook.[8] The order lays out provisions for a privacy program which Facebook must implement within 180 days, including, but not limited to, the following requirements:
  • Document the program. Document the “content, implementation, and maintenance of the Privacy Program” and provide that description to the Principal Executive Officer (Mark Zuckerberg) and an Independent Privacy Committee that reports to the board at least once a year.
  • Hire an independent privacy chief. Designate an employee as a “Chief Privacy Officer for Product” (CPO) to run the program. The CPO's hiring and removal must be approved by the Independent Privacy Committee.
  • Conduct risk assessments. Assess and document, at least annually, both internal and external risks in each area of operations, including, within 30 days, risks relating to a Covered Incident. A Covered Incident is a verified incident where data from 500 or more users was accessed, collected, used, or shared by a third party in violation of Facebook's terms.
  • Implement safeguards which include the following:
    • Annual third-party certifications, monitoring, and enforcement against third parties that violate contract terms.
    • Privacy review of new products, services, or practices, with documentation and a detailed written report about any privacy risks and safeguards, and a quarterly report from the CPO to the Principal Executive Officer (Mark Zuckerberg) of these reviews and all privacy decisions, in advance of meetings of the Independent Privacy Commission.
    • Controls that limit employee access to information and that protect information shared with affiliates.
    • Disclosure and consent for facial recognition.
  • Test safeguards. Safeguards must be tested, assessed, and monitored annually and within 30 days after a cyber incident.
  • Implement training. Establish regular privacy training programs.
  • Ensure the performance of service providers. Retain providers capable of safeguarding information and contractually require them to safeguard it.
  • Use outside experts. Seek guidance from independent third parties on implementing, maintaining, and updating the program.
  • Evaluate the program. Evaluate the program at least annually, taking into account cyber incidents.
The cost of this effort will be substantial. In February of 2019, Mark Zuckerberg vowed to spend more than US$3.7 billion on safety and security on the company's platform that year.[9]
Although Facebook is making substantial investments to improve its data security and privacy practices, the long-term cost of those investments and their impact on the bottom line spooked investors after the breach, leading to a US$120 billion loss in market value at the end of July 2019. This was the largest one-day loss of value for a US publicly traded company.[10] This loss is an example of a reputational amplification that we will discuss in detail in a later chapter.
As of August 2019, Mark Zuckerberg's net worth is about US$68.2 billion, making him the fifth-richest person in the world. After news of Facebook's FTC fine broke in July, Zuckerberg's 410 million shares of Facebook stock appreciated by more than US$1 billion. When grilled by the Senate Commerce and Judiciary Committees on privacy, data mining, and regulations about his cyber program, Zuckerberg said, “One of my greatest regrets in running the company is that we were slow in identifying the Russian information operations in 2016. As long as there are people sitting in Russia whose job is to try to interfere in elections around the world, this will be an ongoing conflict.”[11]
The FTC's message is clear—it is time for adequate investment in cybersecurity and data privacy. Directors and officers have the fiduciary duty to protect the assets of the business. Most data breaches result in mass firings of CEOs and Chief Information Security Officers (CISOs). Good cyber equals job security. Just ask Yahoo's former CEO Marissa Mayer, Uber's former CEO Travis Kalanick, SONY's former CEO Amy Pascal, Equifax's former CEO Richard Smith and CIO David Webb, and Target's former CEO Gregg Steinhafel. All were dismissed after data breaches.
On top of that, in 2018, Aon reported: “Cyber events are now among the top three triggers of Directors and Officers (D&O) derivative actions.”[12] This indicates that Directors and Officers are now personally liable for data breaches. In addition, 32% of data breaches led to C-level executives being fired and 31% of global data breaches led to employees getting laid off.[13]

Digitization—the explosion in cybercrime

Digitization is the process of converting information into a digital (i.e., computer-readable) format, in which the information is organized into bits.[14] For our purposes, digitization produces digital data, which in computer science is the discrete, discontinuous representation of information se...
