Equifax is not just another organization that was breached. The company was named one of Forbes’ “World’s 100 Most Innovative Companies” for three years straight, from 2015 to 2017. The recent breach of the company’s U.S. online dispute portal web application has raised serious questions about whether boards of directors and senior management are asking the right questions about actions their organizations are taking to protect themselves from cyberthreats. Are boards probing to discover what they don’t know?
In September, Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks—first the chief information officer (CIO) and chief information security officer (CISO), and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory.
There are many important aspects of cybersecurity that the board is expected to tend to, including understanding what the organization’s “crown jewels” are, business outcomes management seeks to avoid, understanding the ever-changing threat landscape, and having in place an effective incident response program, to name a few.
But this discussion is more specifically about the systems vulnerabilities we know about. That’s the elephant in the room.
The sage advice—if your flank is exposed, fortify it before you get overrun—seems to apply here. Even noncombatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.
Enter the role of software patches.
A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.
The Equifax incident raises the question as to why the company didn’t implement the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cybersecurity event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. Admittedly, patching software at a large organization with multiple, complex systems takes a considerable amount of time. But, for boards and executive teams everywhere, the Equifax episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.
Often, in our security and privacy consulting business at Protiviti, we see companies implementing patches within 60 to 90 days of discovering a systems vulnerability. We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organization simply accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for the time it takes apply a patch.
Is the gold standard enough? Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the advanced detection and response capabilities to detect unauthorized activity occurring during that time. Organizations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack.
Simply stated, boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for this oversight.
It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive information technology (IT) governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.
Directors and executives should also be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond timely.
We know that an organization’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the lapsed time between the inauguration of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organizations learn of breaches through a third party.
In nearly every penetration test Protiviti conducts, the client authorizing the test fails to detect our test activity. Many organizations seem to think that if they outsource to a managed security service provider (MSSP), the problem will be solved —as if a box has been checked. However, we see time and again that this is not the case. Often, there are breakdowns in the processes and coordination between the company and the MSSP that result in attack activity occurring unnoticed. Not many organizations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.
These two fronts—how long it takes to implement a patch, as well as detect a breach—inform the board’s cyber-risk oversight. Every organization should take a fresh look at the impact specific cybersecurity events can have and whether management’s response plan is properly oriented and sufficiently supported. For starters, directors should ensure they are satisfied with the elapsed time:
For patching identified system vulnerabilities;
Between the initiation of an attack and its ultimate discovery;
Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact; and
Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators, and law enforcement in accordance with applicable laws and regulations.
Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image beg for careful oversight.
My introduction to cybercrime came seven years ago as a bolt from the blue. I Googled myself and found that four of the top five search results showed I was on the Federal Bureau of Investigation’s (FBI) Top Ten Most Wanted List.
The attack came as a bolt from the blue.
After checking outside my front door to make sure no FBI agents were lining up to arrest me, I researched what had happened. I was the victim of an Internet stalker—a previous business associate looking to mar reputations of people this person had had no contact with for nearly two decades.
This experience personally taught me the harm that could be done through the Internet and the unique nature of the risks involved, and sparked my commitment to practicing sound cyber-risk oversight.
Cybersecurity as a Risk
Cyber risks have unique characteristics that not many of the more than 60 different risks reported in public companies’ 10-K reporting share. Most other risks and the damage they cause, although highly detrimental to a company, can be assessed and quantified (consider, for example, the cost of rebuilding after a fire). Cyber risk is different because a victim of a cyberattack may never be able to find out who attacked the company or person, where the attack came from, what was taken, or how long the attack had been going on for.
The most striking feature of cyberattacks is their anonymity. It is very difficult to trace an attacker who wants to stay anonymous. An attacker can create dummy corporations, hijack e-mail accounts, and use multiple servers to become virtually untraceable. Another method that hackers use to hide themselves is the virtual private network, which make it very challenging to track where the attack originated. Say the intrusion appears to have come through a server in Singapore. The attacker actually could be in Estonia. Even if you can trace the perpetrator, getting redress would mean international ligation.
What are they taking? Unless the attacker is confronting you with a ransom demand for your data, you may not know what is being taken or corrupted without extensive and time-consuming forensics.
Lastly, how long has this been going on? For the same reasons that it is difficult to identify what is being stolen, the time of the origination of the attack is hard to assess. Often known as “Logic Bombs,” malicious software can lie dormant for long periods, and sometimes years, before it is activated. The classic example is the disgruntled employee who leaves malware that activates itself on the anniversary of his firing.
You Are Not Invulnerable
One of the worse mistakes a board can make is to assume that they are at a lower state of cyber risk, as their corporation is not a bank or does not store credit card information. If the company transfers money and is connected to the Internet, which means just about every company in the United States and many around the world, the company is at high risk for being attacked. Banks and retailers are at extremely high risk. Low risk simply does not exist in the cyber-risk spectrum.
For most companies, the principal vulnerability is economic. Simply put, attackers are trying to make money. Besides stealing information such as employee health care data, or social security numbers that can be sold on the black market, an increasingly popular form of attack is to lock out the company from its data, or encrypt it and charge a ransom to release it or decrypt it.
Brand and reputation attacks are another vulnerability done more to discredit a company’s reputation for either competitive or political motives. To take an obvious example, imagine the damage to a cybersecurity company’s reputation if its own firewalls were breached. Such an attack would deeply harm the core promise that a cybersecurity company makes to its customers to secure its enterprise.
Hacktivism, as the name connotes, is an attack launched based on the attacker’s beliefs and ideologies. For instance, a company that tests its products on animals could find itself as a hacktivism target. Typically, the attacker will post messages about the cause on the company’s website or contact its customers and suppliers.
Lastly, malicious attacks can be launched to inconvenience and disrupt the company such as in the Logic Bomb attack described above. There is usually no economic effect—vengeance is the principal motive.
Since her “arrival” on the FBI’s Top Ten Most Wanted list, Wendy Luscombe has led a real estate investment trust as CEO, served as a director on European and American boards, and studied cybersecurity and cyber-reputation management. All views and opinions expressed here are the author’s own.
Cyber risk, which is among the top five risks for organizations across many industries, presents a moving target. As innovative information technology (IT) transformation initiatives expand the digital footprint, they outpace the security protections companies have in place. Security and privacy internal control structures that reduce risk to an acceptable level today will inevitably become inadequate in the future—and even sooner than many may realize.
As companies continue the battle to protect their resources, boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data. Many executives think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board engagement with cybersecurity.
Our research indicates that board engagement in information security matters is improving. In the spirit of further improvement, following are eight business realities directors should consider as they oversee cybersecurity risk.
1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening—it’s also about handling the upside of a company’s successful digital initiatives. As companies harvest new sources of value through digitization and business model innovation, the wise course is to plan for incredible success. Directors should ensure that the organization’s cybersecurity systems are resilient enough to handle that success.
2. It is highly probable that the company is already breached and doesn’t know it. The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening—now. Boards should be concerned about the duration of significant breaches before they are finally detected.
Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators. Simulations of likely attack activity should be performed periodically to ensure that defenses accurately detect breaches and that responses are timely. Boards should focus on the adequacy of the company’s playbook for responding, recovering, and resuming normal business operations after an incident. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in a breach’s wake.
3. The board should focus on adverse business outcomes that must be managed. While most businesses know what their crown jewels are, they forget to focus on the business outcomes they are looking to manage when they assess security. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than those developed around specific assets and systems.
For example, if an application is deemed to be key for business processes and is exposed to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter. Employee users have access to data, regularly download it, and might even e-mail it, either ignoring or forgetting the business imperative to protect it. Therefore, controls over what happens to critical data assets once downloaded cannot be ignored. IT leaders must look at information security risks holistically and consider user leakage an integral part of the adverse outcomes to be managed.
4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cybersecurity environment change incessantly, protection measures must evolve to remain ahead of the threat profile. Boards should inquire as to how the organization’s existing threat management program proactively identifies and responds to new threats to cybersecurity, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target. Directors should also insist on an assessment of the related risks resulting from major systems changes.
5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of adversaries, waiting and ready with an arsenal of technology, people, processes, and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short when combating the ever-changing threats to businesses. Security functions need to change the way they deliver protective services and move far beyond initiatives to create enterprise-wide awareness of cyber risk. Accordingly, boards should expect:
– A clear articulation of the current cyber risks facing all aspects of the business;
– A summary of recent cybersecurity incidents, how they were handled, and lessons learned;
– A short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
– Meaningful metrics that provide supporting key performance and risk indicators of successful management of top-priority cyber risks.
6. Cybersecurity must extend beyond the four walls. Notable gaps in knowledge of vendors’ data security management programs and procedures currently exist between top-performing organizations and other companies—particularly in areas that might stand between an organization’s crown jewels and cyberattackers. As companies look upstream to vendors and suppliers (including second tier and third tier), and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors should expect management to collaborate with third parties to address cyber risk in a cost-effective manner across the value chain. Attention should be paid to assessing insider risk because electronic connectivity and use of cloud-based storage and external data management obfuscates the notion of who constitutes an “insider.”
7. Cybersecurity issues cannot dominate the IT budget. Over the past decade, IT departments have been reducing operations and maintenance costs consistently, funneling those savings to fund other priorities like security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets for innovation.
With a strained budget, it becomes critical for IT leaders to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances, and prepare for the inevitable incidents. Without this discipline, cybersecurity will continue to consume larger portions of the IT budget. Innovation will then suffer, and the business could ultimately fail—not because a severe threat is realized, but because the spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and innovators. Therefore, as important as the imperative for sound cybersecurity practices is, directors should not allow it to stifle innovation.
8. Directors should gauge their confidence in the advice they’re receiving. While there is no one-size-fits-all solution, boards should periodically assess the sufficiency of the expertise they rely on for cybersecurity matters. There may be circumstances where the board should strongly consider adding individuals with technology experience either as members of the board or as advisers to the board.
Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. Boards of directors need to ensure the organizations they serve are undertaking focused, targeted efforts to improve their cybersecurity capabilities continuously in the face of ever-changing threats.