The cyber stakes changed for the C-suite in 2017. Cyber attacks saw nation states targeting private companies, corporations losing billions in market capital, and senior executives dismissed in the aftermath. In 2018, two emerging trends show that things may get even worse - tough new regulations and new vectors of attack - but executives can draw on five measures to combat cyber threats, says a new report from Marsh and cybersecurity firm FireEye.
2017 can be said to be the worst year in cybersecurity history, seeing WannaCry ransomware attacks, the NotPetya virus’ wiper malware and Equifax suffer a massive data breach that led to the resignations of several senior executives.
In 2018, the report noted that the cyber threat dynamic becomes far more challenging, with an array of new cyber laws, particularly the European Union General Data Protection Regulation (GDPR) which will take effect in May and the effects of sweeping cyber laws that were recently adopted in China, Japan, Australia and Singapore. Meanwhile, a second major new trend that will accelerate is the emergence of new vectors of attack, particularly against critical infrastructure and industrial safety control systems. This is troubling, as it means that cyber attacks, which previously occurred in the digital world, have come into the physical, resulting in physical damage and loss of life.
The five mitigation suggestions for the C-suite to consider, as mentioned in the report, are as follows:
Cloud computing is here to stay and offers the advantages of scalability, flexibility, enhanced collaboration, disaster recovery, and reduced IT spending. The relationship with your cloud vendor should be governed by a “cloud service agreement” which defines roles and responsibilities clearly, including where data is located. You should, however, retain the right to audit the provider’s security agreement and system of controls, either by reviewing independent assessments of the cloud provider or by conducting your own reviews. At a minimum, cloud providers should be required to give prompt notice to affected clients in the event of a breach.
Most successful cyber attacks, such as WannaCry, exploit vulnerabilities for which software fixes were already available but had not been applied. Patch known vulnerabilities, even though doing so can be frustrating and complex and the volume and criticality of new patches identified every week keep rising. Also focus on establishing a sound protocol for prioritising and steadily reducing the overall volume of critical patches, and have IT track progress and report it to senior management.
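The report only says to prioritise critical patches and report progress upward; it does not say how. The following is an added illustration, not part of the Marsh/FireEye report, of one way an IT team could do both: score each open patch from severity, exposure, known exploitation and age, order the backlog by that score, flag items past a remediation deadline, and summarise the result for management. The scoring weights, deadlines, advisory identifiers and backlog entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Severity weights and remediation deadlines (in days) are assumptions for this
# example; a real programme would set them from its own risk appetite.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 90}
EXPLOITED_DEADLINE_DAYS = 3  # known-exploited flaws jump the queue


@dataclass
class PatchItem:
    host: str
    advisory: str          # placeholder identifier, not a real advisory
    severity: str          # one of SEVERITY_WEIGHT's keys
    internet_facing: bool  # reachable from outside the company network
    exploited_in_wild: bool
    released: date         # date the fix became available


def age_days(item: PatchItem, today: date) -> int:
    """Days the fix has been available without being applied."""
    return (today - item.released).days


def priority_score(item: PatchItem, today: date) -> int:
    """Higher means patch sooner. Exploitation and exposure dominate severity,
    and age adds a bounded nudge so old items do not sink forever."""
    score = SEVERITY_WEIGHT[item.severity] * 10
    if item.internet_facing:
        score += 15
    if item.exploited_in_wild:
        score += 25
    score += min(age_days(item, today), 90) // 10  # at most +9 for age
    return score


def deadline_days(item: PatchItem) -> int:
    if item.exploited_in_wild:
        return EXPLOITED_DEADLINE_DAYS
    return DEADLINE_DAYS[item.severity]


def is_overdue(item: PatchItem, today: date) -> bool:
    return age_days(item, today) > deadline_days(item)


def prioritise(backlog: list, today: date) -> list:
    """Return the backlog ordered from most to least urgent."""
    return sorted(backlog, key=lambda i: priority_score(i, today), reverse=True)


def progress_report(backlog: list, today: date) -> dict:
    """Summary figures an IT lead would put in front of senior management."""
    by_severity = {sev: 0 for sev in SEVERITY_WEIGHT}
    for item in backlog:
        by_severity[item.severity] += 1
    return {
        "open_total": len(backlog),
        "open_by_severity": by_severity,
        "overdue": sum(1 for i in backlog if is_overdue(i, today)),
        "exploited_open": sum(1 for i in backlog if i.exploited_in_wild),
        "oldest_days": max((age_days(i, today) for i in backlog), default=0),
    }


# Constructed sample backlog for a reporting date of 1 March 2018.
REPORT_DATE = date(2018, 3, 1)
SAMPLE_BACKLOG = [
    PatchItem("web-01", "ADV-PLACEHOLDER-1", "critical", True, True, date(2018, 1, 10)),
    PatchItem("db-02", "ADV-PLACEHOLDER-2", "high", False, False, date(2018, 2, 20)),
    PatchItem("laptop-07", "ADV-PLACEHOLDER-3", "medium", False, False, date(2017, 11, 1)),
    PatchItem("web-03", "ADV-PLACEHOLDER-4", "critical", True, False, date(2018, 2, 25)),
]

if __name__ == "__main__":
    for item in prioritise(SAMPLE_BACKLOG, REPORT_DATE):
        flag = "OVERDUE" if is_overdue(item, REPORT_DATE) else "on track"
        print(f"{priority_score(item, REPORT_DATE):3d} {item.host:10s} {item.severity:8s} {flag}")
    print(progress_report(SAMPLE_BACKLOG, REPORT_DATE))
```

The point of the ordering is that an internet-facing host with a fix for an actively exploited flaw outranks everything else regardless of how new the patch is, while the overdue count and oldest-item age give management a trend they can hold IT to week over week, which is the kind of reporting the report asks for.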
- Rethink the human element
The figures are daunting—91% of ransomware infections reportedly start with staff clicking on a spear-phishing email and 95% of all security incidents involve human error.
Address human vulnerabilities with both people measures and technology measures. With a sizeable number of employees clicking on inappropriate attachments or links, think of creative ways to reinvent your employee training, such as using gamification and incentives to reward employees who spot spear-phishing emails or social engineering attempts, rather than penalising those who miss them.
Second, reduce your company’s attack surface by disabling access to personal web mail from company computers, given that hackers are increasingly attempting to penetrate company networks through phishing attacks on the personal email accounts of employees. Because many personal email providers use encryption, it is difficult for companies to detect malicious code that may be entering company networks via this route. Thus companies are precluding employees from accessing personal email accounts from corporate systems.
- Engage with the government
Industry and government need each other more than ever. Good relationships with law enforcement and regulators help as they play an increasingly active role in companies’ compliance with cyber laws.
This should not be a one-sided discussion about what more industry alone should do. Rather, the business community should press governments to develop international norms regarding (1) the identification and prosecution of hackers and (2) the setting of limitations on targeting particularly critical resources like water systems or electric power supply.
To mitigate the severe strain that a real crisis places on the dynamics among senior management, there is no substitute for conducting a mock cyber exercise. Senior business, IT, finance, legal, and communications executives should all be in the room together with outside forensic, communications, and legal advisers. Consider questions such as when to make a public disclosure in the event of an incident, whether to immediately shut down systems during a significant breach, and whether to proactively reach out to law enforcement.
The full report from Marsh and FireEye can be found here.