IT SECURITY IS BROKEN
Only 25% of EMEA business leaders are confident about their cyber security.
Why are businesses losing confidence in cyber hygiene?
76% of business leaders and IT security practitioners believe the security solutions their organisation is working with are outdated.
21% of IT teams consider their business leaders (C-suite executives) to be highly collaborative when it comes to cyber security.
27% of executives say they are collaborating in a significant way to address cyber security issues, versus only 16% of IT security practitioners.
Is investing more money the only answer?
83% admit they plan to increase the purchase or installation of new security products in the next three years.
42% say they have acquired new security tools over the past year.
31% of IT security respondents say it takes up to a week to address a cyber security issue.
54% plan to spend more on detecting and identifying attacks, and 29% report having 26 or more security products installed across their enterprises.
So, how do you fix IT security?
1. Build intrinsic security into everything: the application, the network, essentially everything that connects and carries data.
2. Encourage a collaborative culture of cyber security awareness.
3. Invest in the right people to drive cyber security awareness forward.
Download the VMware | Forbes Insights EMEA Report to learn more
contents
cybersecurityeurope
INDEX
Cyber security governance in European organisations is changing: senior executives now assume greater responsibility in strategic cyber decision-making.
08 editor’s view
A new report has revealed how the financial impacts of insider threats have gone stellar. The need to maintain a much closer security watch on employee behaviours must now be faced up to by the c-suite.
10 HEADS-UP TO CLOUD & CYBER SECURITY EXPO 2020
Tom Vine, Group Event Director for this year’s show, introduces the key themes of the 2020 Expo, and explains what’s in store for Cyber Security Europe readers visiting ExCel London on 11-12 March.
SECTOR NEWS
12 news round-up
‘Missed’ cyber targets to hit senior execs. Leaders in the dark over data ownership. Lack of c-suite support adds to CISOs’ stress. Zero Trust regimes are lacking. Patch delays are down to ‘poor co-ordination’. Oil and gas industry executives urged to prioritise cyber security.
19 DEEPER FOCUS: 25 TOP DATA BREACH EXPOSURES OF 2019
While data exposures continue to be caused by malicious cyber criminal activity, many other incidents stem from lackadaisical security practices and unintentional human error, a new study finds.
TARGETS
20 Insider threat: the new generation
Digital upheavals, Software-as-a-Service flaws, workers who say the data they create actually belongs to them: these are some of the factors that drive the new generation of insider threats. Now everyone’s under scrutiny.
28 HIT LIST: THE NEW DECADE OF RISKS
We are now into a new decade, and cyber security specialists have buffed up their crystal balls to forecast the 10 top cyber challenges you should expect to encounter in the 2020s. They range from deepfake BEC attacks to connected car hacks.
30 cloud cyber SECURITY models
Public clouds may well be harder to hack these days (arguably), but do shared responsibility models actually introduce fresh security risks?
38 NEW data economics
Do cyber threats see a value in your enterprise data that you’ve missed? And can that value go up as well as down? If so, who takes the credit? Calculating minds now want to understand the data economy rules.
INTERVIEW
42 ANJOS NIJK, ENCS
An exclusive Q&A with the Managing Director of industry association the European Network for Cyber Security (ENCS): Nijk explains how the continent’s power grid operators are counteracting the risks to national infrastructure now posed by cyber threats.
48 reputational damage control
Warren Buffett said it takes “20 years to build a reputation, five minutes to ruin it”. Reputations tarnished by a data breach can make a bigger financial impact on an organisation than filched funds or stolen assets. So how can organisations prepare to preserve their brand propriety when their good names are dragged through the digital dirt?
Director Alexander Collis
Managing Editor James Hayes
Creative Director – Digital/Print Lee Gavigan
Operations and Production Alena Veasey
Accounts Controller Martin Reece
Project Services Helen Sinclair, Alex David
Cyber Security Europe is produced and published by World Show Media Ltd. Tel: +44 (0) 208 106 6464. Fax: +44 (0) 845 862 3433. Website: worldshowmedia.net. For all sales enquiries: alex.david@worldshowmedia.net. For all corporate enquiries: corporate@worldshowmedia.net
52 COMBATING ‘CARD NOT PRESENT’ CRIME
This excerpt from Europol’s latest Internet Organised Crime Threat Assessment report focuses on the economic damage incurred by Card Not Present crime, the main priority for payment card fraud investigators in EU states.
BEST PRACTICES
54 euroFOCUS: IRELAND
As one of the European Union’s most digitally developed states, Ireland’s sound economic status depends on its government’s punch-above-its-weight IT security strategy.
58 business continuity PLANNING
Understanding the stakeholder shifts in enterprise cyber resilience and Business Continuity planning will be key to how senior company leaders gain better control of the changing nature of enterprise cyber risk in the turbulent 2020s. The governing executives have to become the facilitators, not the barriers, to fast-paced information flow.
62 buy-in from cyber-committed c-suites
How should the cyber-committed c-suite define its value proposition to the cyber governance of the organisation? And what more can senior executives do to maximise their role value? We explain how security and risk management leaders can become ‘engaged – not just involved’.
66 cloud & cyber security EXPO 2020 EDITOR’S picks
Highlighting two notable speakers who will present at Cloud & Cyber Security Expo 2020: topics covered include the disinformation fightback and DevOps for security.
Cyber Security Europe is published by World Show Media Ltd. It provides business and government executives with the intelligence and insight required to prepare their organisations for the ever-changing cyber threat landscape. Copyright © 2020 World Show Media. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic, photographic, recording or otherwise, without the prior permission of CloserStill and World Show Media. The ‘Cloud & Cyber Security Expo’ trademark is owned and protected by CloserStill. While every effort is made to ensure information is correct at the time of going to press, neither the publisher nor event organiser can be held responsible for any errors, omissions and changes to the event programme and publication content.
viewpoint
cybersecurityeurope
The financial impacts of insider threats have gone stellar. The need to maintain a much closer watch on workplace behaviours must be faced.
One of the most illuminating of the many cyber security sector reports I have read so far this year brings into stark focus an issue that seems destined to cause organisations to review their cyber security strategies, if they have not already done so. The Cost of Insider Threats Global Report was researched by Ponemon Institute and sponsored by ObserveIT and IBM Security. The study’s headline revelation is that the overall cost of insider threats is rising sharply: a 31% increase from €7.91m in 2018 to €10.34m in 2020. In addition, the total number of incidents has increased by a whopping 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. The figures show that insider threats are a persistent, often under-addressed menace within organisations, compared to external threats. They corroborate previous incident polls of IT security chiefs already convinced that internal actors are overtaking external ones as the biggest security foe. The cost of an insider threat varies significantly with the type of incident. Criminal and malicious insiders cost the organisations surveyed in the research an average of €688,315 per incident. But though malicious insider incidents are often the most publicised, they comprise less than a quarter (23%) of overall incidents. Nonetheless, their impact can mount up over the course of the financial year, to cost each organisation an average of €3.69m.
If a given instance of insider threat involves a negligent employee or contractor, each incident can cost an average of €279,704. However, as this incident type is the most common (62% of incidents), total costs can add up to an average of €4.14m per year per organisation. A question that arises from this dire scenario for senior executives is: should a bigger slice of the enterprise cyber security budget now be reallocated to deal with these internal challenges?
Organisations have to face up to the fact that their businesses are under malicious attack and that, unless the question of insider threats is addressed more forcefully, they will continue to haemorrhage their financial lifeblood as a result. Given the seriousness of their predicament, c-suites should not balk at the prospect of more openly proactive monitoring of all employees’ IT practices and behaviours. This thorny issue should be tackled in a manner informed by solid research, lest it inflict even worse damage on the national economies of Europe.
James Hayes
FEEDBACK TO CYBER SECURITY EUROPE
Cyber Security Europe magazine is committed to engagement with its readership: if you have any feedback on this issue, I’d be pleased to receive it via email at the address given right.
CONTACT DETAILS Contact our editorial team via the Managing Editor: | james.hayes@cseurope.info
welcome
cybersecurityeurope
WELCOME
Resilient organisations need a multi-faceted defensive strategy, explains Cloud & Cyber Security Expo Group Event Director Tom Vine.
Today’s increasingly challenging digital spaces make a strong front line essential. Every organisation needs to up its defence and protect itself from potential cyber crime. Cloud & Cyber Security Expo 2020 is the only place you can experience all the most up-to-the-minute solutions. We’ll arm you and your team with all the latest intel, ideas and inspiration needed to be able to detect and respond to every threat. It’s the ultimate programme of strategic guidance and actionable insight. At this year’s Expo, you will find 10 incisive streams focusing on the topics that you told us matter to you. They include: Application Security and DevSecOps; Automation, AI and ML Security; Threat Detection, Intelligence and Response; Securing IoT and Devices; Data Protection, Encryption and Privacy; Governance, Risk Management and Compliance; Enterprise Cloud Security; Vulnerability Management; Securing Network Environments; Privileged and Identity Access Management. Take time to have a look through the conference programme pages from the event URL below to find the sessions you want to attend, and then do continue the conversations with our specialist team of 700+ progressive exhibitors who make this very special event possible. Thirsty Club returns to Cloud & Cyber Security Expo, so don’t forget to stop by for a drink and a catch-up with everything that’s happening at Exclusive Networks. We’ve got more companies providing demo sessions on stand, designed to get under the bonnet of how the latest technologies can help secure your networks, platforms, devices and applications. So, in addition to stacks of sessions and panel debates, make sure you attend the demos that align with your interests and objectives. I hope that you have a fantastic few days with us!
Tom Vine
TOM VINE, GROUP EVENT DIRECTOR, CLOUD & CYBER SECURITY EXPO Tom Vine has over 15 years’ experience of launching and directing events in the media, healthcare and technology sectors. He runs Cloud & Cyber Security Expo and Big Data World in London and Germany.
INFORMATION For more event details please go to: | cloudsecurityexpo.com
NEWS & products
cybersecurityeurope
A selection of news and views from the European IT security world, plus other updates for cyber-savvy executives
NEWS ROUND-UP
‘Missed’ cyber targets to hit senior execs... Weak passwords = ransomware... Zero trust regimes lacking... Patch delays due to ‘poor organisational co-ordination’... Oil and gas industry executives urged to prioritise security... Enterprises in dark over who owns database security... C-suites and CISOs must ‘bridge divide’...
ENISA has published the European Union Cybersecurity Institutional Map to depict the roles, responsibilities and tasks of EU institutions and groups that operate or are active within the cyber sector. The Map depicts the actors involved in cyber security at the EU level, and scopes the responsibilities and roles of the respective EU institutions, agencies and bodies. Its three categories describe Actors, Communities and Functions. The Map was developed jointly by ENISA and the Austrian Presidency of the EU Council. “The mapping of how the roles and responsibilities of EU institutions and groups have developed will allow us to regularly identify gaps, overlaps and improvements,” says Juhan Lepassaar, Executive Director at ENISA. | enisa.europa.eu
CLOUD & CYBER SECURITY EXPO 2020
The responsibility-borne stress felt by CISOs is worsened by a perceived lack of support from the board, according to Nominet’s latest CISO Stress Report: 39% of those surveyed affirm that cyber security is an official agenda item for board meetings less than half the time; 25% reported that it only became a board issue at their request or in the event of a cyber security breach or incident. “We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses cyber-secure are operating under mounting pressure,” says Russell Haworth, CEO at Nominet. “It is very worrying that at board level, understanding of these pressures often appears not to have translated into action.” | nominet.uk/nominet-ciso-stress-report-one-year-on
[Chart: how often cyber security is a board agenda item (Nominet CISO Stress Report). Categories: at every meeting; at the majority of meetings; at about 50% of meetings; at a minority of meetings; only at my request/at the request of our CIO/CISO; only in the event of a breach/incident.]
EVENT THEMES IN BRIEF...
Information security is not just for the IT team: it now impacts everyone within an organisation, be it public sector, commercial or non-profit, and has now become an imperative consideration for the
The four As: a practical approach to cloud security
NATHAN BRITTON, Business Applications and Cloud Security Practice Lead, NTT Ltd.
Cloud adoption is growing at a tremendous pace, with Gartner forecasting that worldwide public cloud services will grow by 17% in 2020, and Forbes reporting that 83% of enterprise workloads will be in the cloud in 2020. But with this greater adoption comes an increased likelihood of cloud-related breaches. Both Verizon and World Wrestling Entertainment (WWE) suffered data breaches due to a misconfigured AWS S3 bucket, leading to the personal data of up to 17 million customers being exposed. Security breaches aren’t new. But the drive to cloud, whilst offering us a wealth of opportunities, has some real challenges for cybersecurity professionals looking to keep things as secure as possible:
• Cloud deployments can move at a pace which traditional security finds difficult to keep up with
• Cloud applications don’t always mirror their on-premise version
• A lack of cloud-specific security policies or guidelines to drive ‘secure by design’ cloud adoption
• Lack of clarity about who is responsible for cloud security
To improve security, organizations should consider a Four As approach to cloud security, a practical methodology that NTT Ltd. has used to help its customers:
Assess. A common weakness in an organization’s cloud deployments is the visibility of the assets and workloads that have been stood up in the cloud.
Analyze. This phase identifies how a cloud deployment compares against known good security practices or frameworks.
Act. With a clearer picture of the security posture of a cloud deployment and visibility of assets, an organization can now implement the required security controls.
Assure. As deployments grow and workloads are migrated to the cloud, this phase is about confirming that your cloud security grows with you.
Using this approach, organizations can benefit from increased visibility of cloud workloads and risks, a prioritized roadmap of remediation and improvement, a proactive and automated approach to consistent security, and continuous monitoring and alerting to ensure regulatory compliance is maintained and gaps are closed.
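The Verizon and WWE incidents mentioned above were S3 buckets readable by anonymous principals, and for that class of exposure the Assess and Analyze phases come down to one question per bucket: does its bucket policy, its ACL or its Block Public Access configuration let "everyone" in? The script below is an added example, not NTT’s tooling and not part of the original article. It evaluates the JSON documents that the AWS CLI’s get-bucket-policy, get-bucket-acl and get-public-access-block calls return, entirely offline, so it runs against the constructed sample documents at the bottom; the bucket names and the VPC endpoint ID in them are hypothetical.

```python
"""Offline public-exposure check for S3 buckets (added example, not NTT's tooling).
Evaluates the JSON that `aws s3api get-bucket-policy`, `get-bucket-acl` and
`get-public-access-block` return, without calling AWS. The samples at the
bottom are constructed; bucket names and the VPC endpoint ID are hypothetical.
"""

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    """IAM policy grammar allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_is_anonymous(principal):
    """True for "Principal": "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_policy_findings(policy):
    """Allow statements that grant anonymous principals any action.
    A statement carrying a Condition (e.g. aws:SourceVpce) may not be
    world-readable in practice, so it is marked 'conditional' for review.
    """
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        # A Deny for "*" is a restriction, not a grant, so only Allow counts.
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": _as_list(stmt.get("Action")),
                         "conditional": "Condition" in stmt})
    return findings

def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants

def assess_bucket(name, policy, acl, public_access_block):
    """One verdict per bucket: "public" (anonymous access and nothing stops it),
    "review" (anonymous Allow limited by a Condition), "blocked" (a public grant
    exists but all four Block Public Access settings are on) or "none".
    """
    findings = public_policy_findings(policy)
    grants = public_acl_grants(acl)
    fully_blocked = all((public_access_block or {}).get(k) for k in BLOCK_KEYS)
    unconditional = [f for f in findings if not f["conditional"]]
    if fully_blocked:
        exposure = "blocked" if (findings or grants) else "none"
    elif unconditional or grants:
        exposure = "public"
    elif findings:
        exposure = "review"
    else:
        exposure = "none"
    return {"bucket": name, "public_policy": findings,
            "public_acl": grants, "exposure": exposure}

# Constructed samples: (name, bucket policy, ACL, public access block config).
SAMPLE_BUCKETS = [
    ("marketing-assets",  # world-readable policy, Block Public Access off
     {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]},
     {"Grants": []}, {k: False for k in BLOCK_KEYS}),
    ("partner-feed",      # anonymous, but only through one (hypothetical) VPC endpoint
     {"Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::partner-feed/*",
                     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
     {"Grants": []}, {k: False for k in BLOCK_KEYS}),
    ("backups",           # ACL slip (AllUsers READ) neutralised by Block Public Access
     None,
     {"Grants": [{"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]},
     {k: True for k in BLOCK_KEYS}),
    ("ledger",            # Deny for "*" (enforce TLS) is not a public grant
     {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                     "Resource": "arn:aws:s3:::ledger/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
     {"Grants": []}, {k: False for k in BLOCK_KEYS}),
]

def run_samples():
    """Map each sample bucket name to its exposure verdict."""
    return {name: assess_bucket(name, pol, acl, bpa)["exposure"]
            for name, pol, acl, bpa in SAMPLE_BUCKETS}
```

Feeding real output in is a matter of calling assess_bucket with the three parsed documents for each bucket the inventory step found. The "review" verdict is deliberate: an Allow for "*" gated on aws:SourceVpce or aws:SourceIp is world-readable only if that condition is wrong, which is a judgement for the Analyze phase rather than a pass/fail rule, and the "blocked" verdict still deserves remediation because the grant becomes live the moment someone relaxes Block Public Access.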
Be aware of the security risks of moving different workloads to different cloud platforms and implement appropriate controls. Find out more at hello.global.ntt/en-us/solutions/intelligent-cybersecurity/secure-multicloud. hello.global.ntt
Copyright © 2020 NTT Ltd.
Executives in organisations that fail to set IT security teams targets that correlate directly with overall business performance increasingly face problems as a result, a survey has revealed. Of a sample of more than 100 UK enterprise IT security decision-makers polled by privileged access management vendor Thycotic, 61% agreed there are implications for the CEO if security teams are unable to meet security targets. Consequences range from a hard time from shareholders (44%) or longer hours spent on the job (40%) to more serious penalties, including lost bonus payments (37%) and even a threat to their job security (35%). “This report not only highlights the problems faced by cyber security teams,” says Jim Legg, President & CEO at Thycotic, “it also provides recommendations for how CISOs can meet those challenges and become ‘Chief Revenue Protection Officers’.” | thycotic.com/resources/ciso-global-cyber-security-metrics-report
The latest Global Information Security Survey from EY reports that activists were responsible for 21% of successful cyber attacks in 2019 – that’s second only to organised crime groups at 23%. Despite the increased risk, only 36% of technology-enabled business initiatives include the security team from the start. “To get ahead of the threat, we must focus on the creation of a culture of security by design,” says Kris Lovejoy, EY Global Cybersecurity Leader, Advisory. “This can only be accomplished if we successfully bridge the divide between the security function and the c-suite and enable the CISO to act as a consultant and enabler instead of the stereotypical roadblock. CISOs can, and must, engage more collaboratively with the rest of the business. Boards, c-suites and all other business functions must also commit to a closer working relationship with their cyber security colleagues. This way cyber security teams can play a crucial role as the enablers of transformation.” | ey.com/en_gl/giss
AVERAGE COST PER INCIDENT FOR THREE PROFILES (US$ MILLIONS)
Profile                              FY2016   FY2018   FY2020
Employee or contractor negligence    0.2069   0.2776   0.3071
Criminal/malicious insider           0.3471   0.6041   0.7558
Credential thief (imposter risk)     0.4931   0.6721   0.8717
The number of insider threat incidents has increased by 47%, while the overall cost of incidents has risen by 31% to €10.56m, a report has found. Conducted by Ponemon Institute and sponsored by ObserveIT and IBM, the Cost of Insider Threat Report 2020 surveyed hundreds of IT security practitioners to assess insider threat investigation costs and management. ‘Investigation’ is defined as ‘activities necessary to thoroughly uncover the source, scope, and magnitude of one or more incidents’. The study found a clear link between increased insider threat levels and the cyber security resource cost required to investigate them. Companies spent an average of €594,924 per incident across seven cost centres and three categories of threat. | observeit.com/2020costofinsiderthreat
EVENT THEMES IN BRIEF – CONTINUED
entire structure of the enterprise. Cyber security stretches beyond the boundaries of the core business, out to the edge and into the cloud; mobile and Internet of Things devices, all of which are in transit,
can potentially be a moving ‘cyber target’. The principal challenge now is in the need to balance innovation and productivity with
A partnership project from Skills Development Scotland, social enterprise SaluteMyJob, Abertay University, IBM and tech startup Skillzminer aims to help fill the business-critical cyber skills shortage. Launched as part of Cyber Scotland Week, the pilot kicked off with an eight-week Penetration Testing course in which former forces personnel learned ethical hacking and associated skills, supplemented by online study and job shadowing. It follows a preparatory ‘Introduction to Cyber’ course at the University, attended by 30 ex-military participants. The project’s goal is to add cyber security skills to the students’ military training and experience, to help fill some of Scotland’s 13,000 open digital jobs, Skills Development Scotland says. The scheme, which Skills Development Scotland supports in partnership with IBM, has reskilled more than 350 veterans so far. | skillsdevelopmentscotland.co.uk
Ninety-seven out of 100 of the world’s biggest international airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks. Research from ImmuniWeb found compliance and privacy of some airports’ websites leaves much to be addressed: 97% of the websites contain outdated software; 24% contain known and exploitable vulnerabilities; 76% are not compliant with GDPR; 24% of the websites have no SSL encryption or use obsolete SSLv3. ImmuniWeb identified only three international airports that successfully passed all the tests, all in the EU: Amsterdam Airport Schiphol, Helsinki-Vantaa Airport, and Dublin Airport. EuroFocus: Ireland – see page 54. | immuniweb.com/blog/state-of-cybersecurity-top-100-airports.html
One-third of employees in the Netherlands do not know whether measures have been taken within their company to comply with GDPR requirements, despite the fact that this legislation has been in force for more than a year and a half. Research by Egress revealed that while some Dutch companies invest in training for their employees, on the whole organisations in the Netherlands fell short, as highlighted by the fact that 32% of employees do not know whether or not a business email encryption solution is available to them. Almost 16% of all survey respondents indicated that some company data or company-sensitive information has been ‘accidentally’ made public by someone within their organisation. ‘Here too, a clear difference can be seen between employees responsible for information security and non-responsible persons: 32% compared to 7%, which indicates that by no means all data breaches are reported by companies to their staff,’ the Egress report states. | egress.com/news
functional cloud and cyber security. Delivering a programme of solutions-focused content, case studies, speakers and an exhibition floor of providers, Cloud & Cyber Security Expo 2020 gives you what you need to stay safe within a hostile digital space. Technology-enabled change is on the boardroom
Eighty percent of UK CEOs are now concerned about cyber threats to business, making it the issue they are most worried about, rated above skills shortfalls (79%) and speed of technological change (75%). According to PwC’s 23rd Annual CEO Survey, which polled 1,581 CEOs from 83 countries, 48.4% of respondents have ‘taken action’ with regard to their personal digital behaviour. These include the deletion of social media/virtual assistant apps or requesting a third-party to delete personal or professional data they hold about them. The survey’s findings show that the issues shaping CEOs’ cyber security strategies also include growing public concern over data privacy (57%), data privacy regulations (57%), supply chain vulnerabilities (41%) and cyber security skills shortages (27%). ‘As CEOs look ahead to 2020, we see record levels of pessimism,’ the PwC report adds. | pwc.com/gx/en
Weak passwords were among the most common cyber security vulnerabilities in 2019, and were behind 30% of the ransomware infections that occurred through the year. A study by PreciseSecurity.com found poor passwords to be the third most common cause of ransomware infections. More than 50% of those polled admitted using a ‘favourite’ password for most of their accounts. According to the UK National Cyber Security Centre’s 2019 survey, password re-use and weak passwords still represent a significant risk for companies and individuals around the world. Its breach analysis indicated that 23.2m victim accounts around the world used ‘123456’ as a password; another 7.8m breach victims chose ‘12345678’; and more than 3.5m people globally used the word ‘password’ to protect all of their sensitive information. Separately, 43% of respondents to a survey by Statista reported that their primary method of keeping track of their crucial login info was to write it down. | precisesecurity.com
[Chart: change in patch delays, FY2018 versus FY2019 (ServiceNow/Ponemon). Categories: delays significantly increased; patch delays increased; no change; patch delays decreased; delays significantly decreased.]
Cyber security patching – changes to software to fix vulnerabilities – in many organisations is delayed an average of 12 days due to data silos and poor organisational co-ordination. According to a report from ServiceNow Security and Risk, Costs and Consequences of Gaps in Vulnerability Response, the average timeline to patch the most critical vulnerabilities is now 16 days. The report also recorded a yearly 17% increase in cyber attacks, with 60% of security breaches linked to a vulnerability where a patch was in fact available but not applied. “The study shows the vulnerability gap that has been a growing pain-point for CIOs and CISOs,” says Sean Convery, General Manager, at ServiceNow. “Companies saw a 30% increase in downtime due to patching of vulnerabilities, which hurts customers, employees – and brands.” | servicenow.com/lpayr/ponemon-vulnerability-survey.html
EVENT THEMES IN BRIEF – CONTINUED
agenda for businesses of all types and sizes – whether you are cloud-first, scaling-up, refining, or just getting started. Cloud & Cyber Security Expo 2020 is a major opportunity for you to hook-up
EXPO SEMINARS: EDITOR’S PICKS
Minimize Your Data, Minimize your Risk
Speaker: Jeff Sizemore, Vice President, Governance and Compliance, Egnyte. Date: 11.03.2020. Time: 10:10-10:30. Location: Theatre 2
Europe’s oil and gas industries face increased risk from advanced threat groups and others as they continue to build out digitally connected infrastructure, the sector’s executives have been warned. Geopolitics and espionage increasingly motivate the cyber attackers that target the oil and gas industry and its supply chains, says a report from Trend Micro, Drilling Deep. While these attacks are not always sophisticated, they are often targeted and impact production, which can cause significant damage, the report found. The focus on data availability makes financially motivated ransomware attacks a critical risk for the industry. “Industrial cybersecurity is not hopeless,” says Bill Malik, VP of Infrastructure Strategies at Trend Micro. “Industrial Control Systems manufacturers and integrators are beginning to understand the value of a comprehensive, layered approach to information security.” | Trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things
ZERO TRUST REGIMES ARE LACKING
As many more organisations now plan to implement Zero Trust capabilities in 2020 to mitigate an escalation in cyber risk, 47% of IT security professionals lack confidence when applying such models to their secure access architecture. The 2020 Zero Trust Progress Report from solutions vendor Pulse Secure (with Cybersecurity Insiders) polled more than 400 cyber security decision-makers to discover how well enterprises are implementing Zero Trust security regimes. It found nearly equal confidence and lack of confidence among surveyed respondents in their implementation of strict verification regimes: 53% felt confident, while the remainder did not. The report also discovered that 30% of organisations polled are seeking to simplify secure access delivery, including enhancing user experience and optimising administration and provisioning; 53% of respondents plan to move Zero Trust access capabilities to a hybrid IT deployment. | pulsesecure.net
with the leading information tech innovators and service providers; network with your colleagues and peers; access a wealth of valuable
Fostering A Security Culture From Top To Bottom
Speaker: Kevin Brown, Managing Director of BT Security, BT. Date: 11.03.2020. Time: 15:10-15:35. Location: Keynote Theatre
The Fifth Dimension of Warfare – Dissecting Adversarial Tactics and Techniques
Speaker: Liviu Arsene, Global Cybersecurity Researcher, Bitdefender. Date: 11.03.2020. Time: 14:40-15:00. Location: Theatre 4
Third-Party Risk Management: Overcoming Today’s Most Common Security & Privacy Challenges
Speaker: Scott Bridgen, Global Head of GRC, OneTrust. Date: 12.03.2020. Time: 10:35-10:55. Location: Theatre 2
Threats Facing British Universities: A National Security Issue?
Speaker: David Deighton, CISO, University of Birmingham. Date: 12.03.2020. Time: 15:10-15:35. Location: Keynote Theatre
FULL CONFERENCE
knowledge and insight (including emergent trends, tech ‘deep dives’, key lessons learned and market forecasts). The conference includes speaker presentations from organisations such as Barbican Insurance,
Leaders at some of the world’s largest organisations seem to have ‘no idea’ who within their workforce is ultimately in charge of securing sensitive customer and consumer database info. A survey by Percona – Open Source Data Management Software 2019 – found responses to the question of ‘Who is responsible for your database security?’ ranged from ‘I do not know’ (7%) and ‘the IT security team’ (12%) to ‘system administrators’ (16%), ‘developers’ (21%), ‘database administrators’ (42%). Ninety-two percent of respondents said their workplace uses more than one database service, often on multiple platforms, which compounds security management issues, the study found. The majority of companies surveyed rely on self-support for their databases, which underscores the importance of knowing who is ultimately in charge of database security, Percona adds. | Percona.com
Ninety-three percent of EU enterprises used at least one IT security measure, control or procedure to ensure the integrity, authenticity, availability and confidentiality of data and systems in 2019, according to research by Eurostat. Thirty-four percent of enterprises surveyed reported having documents on IT security, and 24% were insured against IT security incidents. The most common IT security measures used by EU enterprises were keeping software updated (87%), strong password authentication (77%), data backup to a remote location/cloud (76%) and network access control (64%). Sixty-two percent made their employees aware of their obligations in ICT security-related issues: voluntary training or internally available information was the most common form used (44%), followed by contractual obligations (37%) and forms of compulsory training (24%). | ec.europa.eu/eurostat/home
Cloud & Cyber Security Expo again leads the way in delivering a programme of solutions-focused content, case studies, speakers and a huge exhibition floor of providers. The 2020 event gives you all you need to know to stay safe in a hostile digital space. The event sits at the heart of one of the most comprehensive technology industry events taking place this year. It runs alongside its seven co-located events: Cloud Expo Europe, DevOps Live, Smart IoT, Big Data World & AI World Tech World, Blockchain Technology World and Data Centre World. More than of the world’s leading suppliers will be exhibiting there. The Cloud & Cyber Security 2020 Entrance from the central ExCel boulevard leads visitors directly to that part of the exhibition. | cloudsecurityexpo.com/exhibitor-list
CLOUD & CYBER SECURITY EXPO 2020
EVENT THEMES IN BRIEF – CONCLUDED
Halfords, Hastings Direct, Just Eat. We live in an increasingly dense and diverse tech world where our bespoke technology solutions rely on multi-cloud environments with billions of interconnected devices;
18
a world of total reliance on data. All this means a world of increased cyber crime and security breaches. | cloudsecurityexpo.com
DEEPER FOCUS
From smart TVs to electric scooters, the IoT is now a trove for cyber criminals.
Cyber criminals continue to hone their abilities to design, create and deploy stealthy attacks with increased precision, while growing their capabilities to evade detection by sandbox technology, according to the Cyber Threat Report from SonicWall. Foremost findings of the latest edition include: While data exposures are often caused by malicious cyber-criminal activity, many other cases arise from lackadaisical security practices and unintentional human error. Serious data breaches and exposures run the gamut across different industries, verticals, regions: the report provides a scary snapshot of 2019’s most egregious exposures – see table, left. Cyber criminals change approach to malware: ‘Spray-and-pray’ tactics that once made malware attack numbers soar have been abandoned for more targeted and evasive methods aimed at weaker victims. SonicWall recorded some 9.9bn malware attacks in 2019, a 6% year-over-year decrease on 2018. While total ransomware volume (187.9m) dipped 9% for the year, highly targeted attacks left some regional and local civil authorities ‘paralysed’ and took down email comms, websites, telephone lines and dispatch services. The Internet of Things (IoT) is a ‘trove for cyber criminals’. They continue to deploy ransomware on the latest smart devices, such as TVs, refrigerators, electric scooters – and even doorbells, SonicWall reports. The company’s threat researchers discovered a moderate 5% increase in IoT malware, with a total volume of 34.3m attacks in 2019.
| sonicwall.com/2020-cyberthreat-report
FEATURE
Digital upheavals, Software-as-a-Service flaws, and workers who say the data they create actually belongs to them: just some of the factors that drive the new generation of mixed – and mixed-up – insider threats...
More organisations have become savvy to the reality that insider threats are now as prevalent as the malicious attackers who try to hack through the cyber security perimeter from without – and they can also prove more difficult to detect, despite the fact that a CISO might pass a digital malefactor in the corridor two or three times a week, or even work right alongside them. Yet despite heightened commitments to invest in internal security monitoring tools (see Cyber Security Europe, Autumn 2018 issue), a range of evidence suggests that the insider threat has not diminished in scale over the last 18 months. Indeed, more than 50% of c-suite executives who responded to BetterCloud's State of Insider Threats in the Digital Workplace 2019 report, and whose organisations are embarked upon greater cloud adoption, say that insider threats are now among their top five security concerns. And it’s not the same old threat multiplied. The intrinsic nature of insider threats is changing, due to a confluence of otherwise disassociated factors. This has morphed the challenge away from a threat represented nominally by untrustworthy, crooked or malevolent employees motivated by illicit personal gain or revenge. This may sound like old news to seasoned cyber security practitioners, but may come as somewhat of a shock to non-technical senior executives who have acquired responsibility for enterprise cyber governance.
Insider threats of all shades are on a marked increase. Those that involve employee or contractor negligence show the biggest rise.
GENERATIONAL DATA OWNERSHIP PERCEPTIONS HAVE EMERGED... Research from Egress Software Technologies highlights that attitudes towards data ownership and data responsibility vary significantly between generations of staff employed within an organisation. The heart of the problem, Egress argues, is growth of unstructured data – the data that employees use/interact with to do their jobs. The escalation of data share tools that employees use both inside and outside of organisational perimeters compounds this, plus the fact that low-rank employees don't place the same value on company data as their bosses.
Graphic: insider threat types by persona (senior executive; third-party contractor; middle manager; privileged business user; low-ranking IT personnel; privileged IT staff and administrator; rank-and-file employee).
According to the Ponemon Institute’s 2018 The Cost of Insider Threats Report, insider threats of all shades are on the increase. Incidents involving employee or contractor negligence especially have continued to show a marked rise, possibly in line with uptakes of technology. Since 2016, the average number of such incidents increased by 26%, the report indicates, and by 53% for attacks by malicious/criminal insiders. Understanding of insider threat profiles has improved in recent years. More insider threat research has apprised organisations of the fact that malicious insiders do not, in fact, constitute the biggest threat type that they face. According to another recent study, the Dtex Systems’ Insider Threat Intelligence Report 2019, threats from within can now be categorised into three broad types: malicious, negligent, and compromised. In terms of the overall culpability divide, malicious employees who intentionally engage in activity to harm the enterprise are responsible for some 23% of the insider incidents reported by the Dtex sample. However, users who introduce insider risk due to careless/feckless behaviour or human error are the cause of 64% of insider incidents. (The remaining 13% of insider incidents is made up of employees whose credentials are compromised and leveraged by outsider infiltrators.)
Within these three broad categories, some more specific threat personas can be singled-out. For example, the Verizon Insider Threat Report 2019 identifies some insider threat sub-profiles among the careless/feckless persona, such as the Asset Misuser. These are constituted by ‘Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications and use unapproved workarounds’, the report says. Their actions are categorised as 'inappropriate as opposed to malicious’. Many fall within the world of so-called Shadow IT (i.e., hardware/software/services installed/used unilaterally and without the knowledge, approval or support of the enterprise IT department). Other sub-profiles Verizon spotlights are the Inside Agent, the Disgruntled Employee, the Malicious Insider Threat, and the ‘Feckless Third Party'.
DEFINITIONS OF ‘INSIDER’ AND ‘THREATS’ BROADEN The Inside Agent ‘appropriates (steals) information on direct behalf of external parties that could be criminal or commercially competitive’. Inside Agents are recruited, solicited, bribed or even coerced to exfiltrate employer data. External ‘controls’ have been known to provide Inside Agents with coaching in technical know-how. The Disgruntled Employee dates from the very earliest perception of the insider threat problem. Such employees seek to harm their organisation via destruction of data or disruption of business activity. Although some may be motivated by an actual or perceived grievance, others can be classed as pure mischief makers. The Malicious Insider Threat, meanwhile, comprises actors with access to corporate assets who use existing privileges to access information for personal gain. The data they steal is resold on the Dark Web and elsewhere for supplementary income; in terms of motivation, this profile is perhaps the easiest to comprehend. Lastly, Verizon names and blames the ‘Feckless Third Party’: these are the business or supply chain partners who compromise security through negligence, misuse, or even malicious access to or use of an asset. Another sub-profile that other reports would add to the above could be labelled the 'Hapless Untrained'. These are employees who make mistakes
that can result in data breach exposure because they have been coached neither in how to use the applications under their control, nor in cyber awareness. With so many individuals now being placed in charge of some form of line-of-business application that interoperates with core data sets, this inadvertent risk exposure looks bound to worsen. The trend to class untrained employee mistakes as a form of insider cyber threat is, perhaps, controversial – or at least calls for more qualified elucidation. After all, ever since computer technology first entered the workplace, its users have been prone to unintentional slip-ups and the occasional blunder. According to Egress Software Technologies’ Insider Data Breach Survey 2019, when it comes to the causes of data breaches — both malicious and accidental — 60% of IT leaders surveyed have been inclined to give employees the benefit of the doubt and believe breaches are primarily caused unintentionally by employees who rush and make mistakes. A ‘general lack of awareness’ was the second leading cause (44%), while 36% believe that a lack of training on the security tools a company uses is the primary driver for the error ratio. Nevertheless, 30% of respondents to the Insider Data Breach Survey 2019 believe that internal data breaches result from employees ‘leaking data to harm the organisation’, while 28% believe employees are, once more, stealing data for personal financial gain. By far, the most toxic type of insider threat actor is the Negligent End-User. Only 21% of respondents to BetterCloud’s report State of Insider Threats in the Digital Workplace said they think malicious actors (intentionally causing harm, either for personal or financial gain) pose the biggest cyber threat. Even fewer – 17% – said compromised users (exploited by outsiders through compromised credentials) posed the biggest threat.
The recent trend to class untrained employee mistakes as a form of insider cyber threat is, perhaps, a controversial designation...
Security experts have pieced together a range of behaviours and characteristics that could indicate that an employee is planning or enacting an insider attack. For example, employees who plan to leave, or those who have already left, are more likely to be involved in an unlawful cyber activity. Fifty-three percent of respondents to BetterCloud’s State of Insider Threat in the Digital Workplace believed that outgoing or recently departed employees were prime threats to their organisations, followed by third-party on-site product and service providers whose contracts were ending or had ended. ‘Because offboarding processes are often unorganised and slapdash, exiting employees or exiting contractors can fall through the cracks and retain access,’ the report explains. ‘Employees planning to leave, if they are disgruntled, may also be inclined to steal data before their access is revoked’. The deviant salesperson who downloads their client contact list before leaving to take up a new job with a competitor is an insider threat type that pre-dates the advent of computer databases. If they have thought to plan long enough ahead, there’s every likelihood that the fact the information has been compromised will never be known by management; at least intruder detection systems can
Graph: motivations of UK versus US employees who intentionally shared or removed work data against employer rules (no tools to share data securely; took data to a new job; felt data belonged to me, not employer; upset with employer organisation; other reason or motivation; prefer not to state reason). These reasons reflect the changing nature of insider threats. Second chart: ‘If an insider threat were to maliciously cause a data breach, what outcome would be your greatest concern?’ (employees leaking data to a competitor; employees taking data to a new job; employees leaking data to cyber criminals; employees sharing data to personal systems; none of the above). Source: Egress Software Technologies Insider Data Breach Survey.
let IT security personnel be aware that an outsider is trying to hack into their systems: 54% of respondents to the Bitglass Insider Threat Report 2019 assert that it is more challenging to detect insider attacks than it is to detect external cyber attacks. Latest studies of insider threat thresholds indicate that they are no longer sporadic in frequency, and that such incidents have become routine occurrences. McAfee’s Cloud Adoption Risk Report 2019, for example, found that typically, organisations now experience 14.8 insider threat incidents per month on average, and that 94.3% of organisations experience at least one insider-borne incident per month on average. With improved Threat Intelligence, at-risk organisations can now make informed estimates with respect to the financial cost that insider threats have caused them. The Ponemon Institute report reckons that large organisations with an employee headcount of more than 75,000 spent an average of €17.98m between 2017 and 2018 to resolve insider-related incidents; smaller organisations with a headcount of fewer than 500 spent an average of €1.61m. Companies in financial services, energy and utilities and retail incurred average costs of €10.83m, €9.20m and €7.96m, respectively. The European companies’ annualised costs to contain insider-related incidents were €6.31m. Along with the impact on operations, a rise in insider threats also impacts IT human resource. Ninety-three percent of
CIOs already spend up to half of their time on IT security, at a time when Digital Transformation and business innovation initiatives are also high on the agenda, according to Dtex Systems’ 2019 Insider Threat Intelligence Report. And there’s evidence that indicates that Digital Transformation itself may heighten the insider threat risks, as organisations move their operations onto cloud-based platforms that, if not well managed, can make insider risk less visible to cyber security chiefs, reckons Bitglass’s Insider Threat Report 2019. According to 56% of organisations polled by Dtex, the detection of attacks from insider threats is ‘more challenging’ after they have migrated IT functions and/or data to the cloud; this is likely largely due to the lack of direct monitoring oversight by the internal IT security function.
Yet another insider threat sub-profile who should be added to the list by other reports can be labelled the 'Hapless Untrained'...
Some studies of the new generation insider threat highlight the influence technological evolution seems to have in more detail, especially where medium-to-large organisations have migrated their IT requirement into the cloud. As noted by BetterCloud’s State of Insider Threats in the Digital Workplace, the emergent consensus is that insider threat risk becomes more problematic after an organisation migrates some or all its IT solutions requirement to a Cloud Services Provider (CSP), typically by the adoption of an ‘as-a-Service’ platform. Software-as-a-Service (SaaS) means that line-of-business applications and data sets are stored and run from a CSP’s own infrastructure, accessed via the Internet or some other circuit. BetterCloud's report posits that SaaS could create ‘a nascent generation of risks’. Employee end-users have a lot of freedom and power when they use SaaS applications (and IT security teams are losing control). More than ever, and in line with the current productivity gains ethos, IT users are empowered in many ways to collaborate and interact with data and with other users.
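The offboarding gap described in this feature (exiting employees and contractors who fall through the cracks and retain access) can be caught by routinely reconciling the HR leaver feed against the identity provider's account export. The following is an added example, not code from the article or from any of the reports it cites; the CSV layouts, person identifiers, names and dates are constructed for the demonstration.

```python
"""Reconcile HR leaver records against active accounts to flag retained access.

Added example (not from the article or the reports it cites). The CSV
layouts, identifiers, names and dates are constructed for the demonstration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: employees and contractors with an employment/contract end date.
HR_LEAVERS_CSV = """\
person_id,name,type,end_date
e101,Alice Example,employee,2020-01-31
c202,Bob Contractor,contractor,2020-02-14
e303,Carol Example,employee,2020-03-20
"""

# Constructed directory / identity-provider export: account state and last sign-in.
ACCOUNTS_CSV = """\
person_id,username,enabled,last_login
e101,alice,true,2020-02-05
c202,bob.c,true,2020-01-30
e303,carol,false,2020-03-19
e404,dave,true,2020-03-01
"""


@dataclass(frozen=True)
class Finding:
    person_id: str
    username: str
    kind: str            # "retained_access" or "post_departure_login"
    days_since_end: int  # days between the HR end date and the check date


def reconcile(hr_csv: str, accounts_csv: str, as_of: date,
              grace_days: int = 0) -> list[Finding]:
    """Return findings for accounts of people whose HR end date has passed.

    retained_access: account still enabled more than grace_days after the end date
    (grace_days models an agreed deprovisioning window for the offboarding process).
    post_departure_login: a sign-in recorded after the end date, flagged regardless of
    the grace window, because that is the retained access the article warns about.
    """
    leavers = {row["person_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings: list[Finding] = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        leaver = leavers.get(acct["person_id"])
        if leaver is None:
            continue  # not a leaver according to HR; out of scope for this check
        end = date.fromisoformat(leaver["end_date"])
        if end > as_of:
            continue  # still employed or under contract as of the check date
        days_since_end = (as_of - end).days
        if acct["enabled"].strip().lower() == "true" and days_since_end > grace_days:
            findings.append(Finding(acct["person_id"], acct["username"],
                                    "retained_access", days_since_end))
        if acct["last_login"]:
            last_login = date.fromisoformat(acct["last_login"])
            if last_login > end:
                findings.append(Finding(acct["person_id"], acct["username"],
                                        "post_departure_login", days_since_end))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by kind, e.g. for a daily offboarding-hygiene report."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


def run_check(as_of_iso: str, grace_days: int = 0) -> list[Finding]:
    """Run the reconciliation over the constructed sample data for a given check date."""
    return reconcile(HR_LEAVERS_CSV, ACCOUNTS_CSV, date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    for finding in run_check("2020-03-25"):
        print(f"{finding.kind:22s} {finding.username:8s} "
              f"{finding.days_since_end:3d} days after end date")
```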
ACCREDITATION Words | James Hayes Photography | Shutterstock
When Encryption Makes the Cloud Safer Than Anything Tangible
In an era of global digitalization, cloud-based technologies have become the lifeblood of many companies that are willing to sacrifice security for convenience. What most companies don’t realize is that – today – the cloud can be much more secure than any on-premise technology, when the right encryption is added.
István Lám, CEO & Co-Founder Tresorit
When it comes to the secure storage of their most confidential files, many enterprises opt for on-premise systems in fear of losing control of their data in the cloud or having to grant third-party providers too much insight into their highly confidential information. What these companies don’t realize is that, with the proper end-to-end encryption, cloud solutions can be the most-secure option.
The Holes in On-Premise Solutions
The reason many enterprises invest thousands (or more) in on-premise solutions makes sense on a basic level: your data is safer in your house. However, there are inherent holes in the on-premise way of thinking. In addition to the overhead required to maintain these “tangible” in-house solutions, there is much more room for human error, whether intentional or not.
Additionally, setting up high-level protection for servers is much harder than many companies realize. Firewalls, anti-virus, and other standard security products are usually not enough. Companies must also design and maintain a secure server configuration and manage the burden of physical and software maintenance all while trying to maintain the confidentiality and integrity of the data within the network.
Furthermore, this level of security is available immediately in the cloud. Files and documents can be conveniently accessed 24/7 from your computer, mobile phone or tablet, and companies can easily scale their secure cloud solutions as their businesses grow. When the right technology is leveraged, it’s no longer a matter of sacrificing security for convenience – it’s a matter of finding solutions that understand the cloud and use its unique abilities to keep your data safer than humanly possible.
The Highest Classification in the Cloud
By harnessing the right technologies, companies no longer have to sacrifice security for convenience, and the cloud no longer has to be the great unknown. Today, there are cloud solutions that combine end-to-end encryption and zero knowledge protocols that provide a secure virtual vault for your files and documents. What’s more, key management is fully controlled by the customer. With this special combination of technologies, these cloud vaults would take lifetimes for hackers to crack and are inaccessible to third-party providers.
www.tresorit.com
Tresorit is a Swiss, end-to-end encrypted, zero-knowledge content collaboration platform (CCP) designed to safeguard the digital valuables of individuals and organizations with the highest classification in the cloud. Our patented, award-winning technology protects files from unauthorized access, disclosure, and loss while enabling users to meet their global compliance requirements and stay in complete control of their data.
advertorial
Come see us at Stand C1246, or online at ThousandEyes.com
If there’s a cloud-sized hole within your monitoring strategy, finding the source of operational issues is a challenge, explains ThousandEyes’ Ian Waters.
Nearly every business is now a digital business. Digital transformation initiatives range from the provision of seamless, omnichannel experiences to customers, through to modernization projects around workforce productivity. In more recent years the go-to technologies chosen to support these projects have become cloud, SaaS and software defined networking. However, with so much riding on the outcome of these business objectives, a common set of challenges has evolved for IT. A survey by EMA Research highlighted that around 60% of enterprises moving to the cloud are still struggling with performance management, network planning and security. Digital transformation and cloud adoption exponentially increase the number of external dependencies – from DNS to CDN to third-party APIs to public cloud providers. In the cloud, the Internet has become the central nervous system for communication. When you rely on a network that is not built for enterprise communication and arguably has questionable security defences in place, you are susceptible to its vulnerabilities. Unfortunately, if you’re relying on the monitoring stack you built for the pre-cloud world, you’ve got a huge gap in visibility around the external components of delivering digital experiences to customers and employees. Public cloud vendors address a part of the problem by providing access to flow logs and infrastructure health within your environment. However, that still does not address the performance of external service providers, such as SaaS apps, cloud platforms – and the Internet itself. From a business point of view, the impact of loss of control and visibility means exposure to significant risk of damage to revenues, brand reputation, employee productivity and engagement. The problem is that when you cede control over IT assets, the burden of proof rises on the IT team. If you don’t have sufficient visibility, how will you figure out where the source of a cloud issue is? Which provider do you escalate to? Companies can waste a lot of time finger-pointing, and ultimately the user experience suffers. An end-to-end view of service delivery across your extended infrastructure is crucial to succeed in the new cloud era.
THOUSANDEYES
ThousandEyes provides customers with unparalleled visibility and insights into digital experiences from every cloud to every employee and customer, delivering the only collectively powered end-to-end view of the quality of every digital experience. ThousandEyes is central to the global operations in customers including 150+ of the Global 2000, 4 of the 5 top UK banks, and 20 of the 25 top SaaS companies. Author Ian Waters (below) is Senior Director, EMEA Marketing at ThousandEyes.
CONTACT DETAILS For more information please go to: | thousandeyes.com | thousandeyes.com/contact
TOP TEN
HIT LIST We are into a new decade, and cyber security specialists have polished their crystal balls to provide precognisance of the cyber challenges that organisations should expect to encounter through the 2020s...
THE MOST ADVANCED – and potentially devastating – attacks on cloud will occur at machine speed in the 2020s, warns Splunk. Most successful attacks on cloud have been vectored through misconfiguration – a human error that creates a vulnerability. For example, the 2019 hack on bank Capital One involved a former insider, but it was due to a misconfiguration (of a firewall on a web application) that she was able to steal data. Capital One told the New York Times it expected the breach to cost it up to $150m (€136m), inclusive of payments for credit monitoring for affected customers.
FORCEPOINT EXPECTS deepfakes to impact all aspects of our lives in the 2020s, as their realism and potential manifestations increase. Ransomware targets will see highly realistic videos of themselves in compromising situations, Forcepoint suggests, and will likely pay the ransom demand to avoid the threat of the video being released into the public domain. In Business Email Compromise (BEC) attacks, deepfakes will be used to add a further degree of realism to fraudulent requests to transfer money to cyber criminals.
THE CONNECTED VEHICLES THAT are now coming onto our roads will become increasingly targeted by malicious and mischievous cyber threats. The bidirectional GSM and Wi-Fi communications that are being built in to new cars, vans and lorries turn them into an extension of the Internet of Things, and make them as vulnerable as any other wirelessly connected device, as White Hat hackers have demonstrated. Physicists at the Georgia Institute of Technology (Georgia Tech) applied physics in a 2019 study that simulated what it would take for hackers to wreak distributed havoc by mounting remote attacks (via cloud backends) to stall multiple connected cars known to be in a given urban proximity. Randomly causing 20% of rush hour cars to stall would mean ‘total traffic freeze’, it reported.
THE DEMAND FOR cyber security professionals continues to exceed supply, even though security teams have to deal with even more threats. As many as 65% of organisations around the world report a shortage of IT security staff, according to (ISC)²: the professional body estimates 2019’s cyber security workforce to number some 2.8m working professionals, with 4.07m newbies needed to close the skills gap – that’s a huge workforce increase of 145%.
CYBER ATTACKS have now become automated and will become more so in the 2020s. If targeted organisations try to defend against these attacks manually, the battle becomes one of man-versus-machine, with defensive odds that are highly unfavourable, predicts Palo Alto Networks. To protect against automated attacks, the decade’s overstretched, under-resourced enterprise security teams will increasingly have to integrate automation into their security armouries.
PROGRESS IN Artificial Intelligence (AI) will bring Machine Learning technologies into defensive cyber security. AI, however, is also being ‘weaponised’ by the cyber threats, to develop more advanced attack methods. For instance, a study in 2018 produced under the auspices of the Universities of Oxford and Cambridge forecast that in coming years AI could be used offensively to hack into commercial drones to turn them into potential weapons.
UNDERWRITERS IN THE 2020s will sell more cyber insurance policies for businesses and government agencies such as schools, hospitals and utilities. Insurers will continue to guide their policy holders to pay ransoms, predicts Check Point, as this is generally cheaper than having to recover from a ransomware attack, say. This will in turn lead to more attacks, and fast growth for the cyber insurance industry. However, as Check Point notes, cyber claim payouts are not guaranteed: the legal battle between the food giant Mondelez and its cyber insurer Zurich, for example, is still unresolved.
A POTENTIAL cyber attack vector could open with the EU Payments Services Directive (PSD2). Kaspersky warns that as banks will be required to open their infrastructure and data to parties who wish to provide services to bank customers, it is likely that attackers will abuse these new mechanisms with fraudulent schemes.
CYBER ATTACKS on national critical infrastructures will continue to grow in the 2020s, predicts Check Point. Utilities will continue to be a prime target of cyber-attacks, as critical power and water distribution infrastructure often relies on legacy tech vulnerable to remote exploitation.
AS RESPONSIBILITY for cyber grows across the top executive into the 2020s, enterprise leaders will have to guard against ‘governance sprawl’. More chief officers appointed to c-suites will want to ensure that their priorities are covered. This will make cyber strategy more inclusive – and more fraught with complexity.
FEATURE
Public cloud services may well be harder to hack – but are issues like shared responsibility confusion and Shadow IT giving rise to additional cloud security challenges?
Inside the Spring 2019 edition of this magazine we reported how Gemalto’s Global Cloud Data Security Study 2018 had indicated that, of the companies surveyed, more had moved their data to public Cloud Service Providers (CSPs) in the expectation that it would be safer hosted on their systems. While, for the Gemalto study’s sample, cost and faster deployment time were the most important criteria for selecting a CSP, security as a winning factor increased from 12% of the poll in 2015 to 26% by 2017. According to some sources, that level of confidence has continued to make gains over the 12 months since. Some 72% of organisations surveyed by the Oracle and KPMG Cloud Threat Report 2019 held that they view public clouds as ‘much more/somewhat more secure’ than the security assurance they can deliver on-premises – a 10% increase from the previous year’s report’s response on this question. However, as the cloud market has further matured, new security-related issues have also emerged that could indicate that confidence in the resilience of public clouds may have passed an apex. As public cloud service offerings have diversified and commoditised, giving rise to extra complexity and costs, it has brought new challenges for cloud security management. Confusion around the public cloud Shared Responsibility Security Model (SRSM) is an instructive case in point. The SRSM depicts the division of assigned responsibility between CSPs and the customer of a given cloud service (or services) for how that service, and the data it contains, is secured. This model is regarded in many quarters as the primary foundational construct of cloud security strategies, although it is more a simple reference model than an industry standard.
A survey of 1,000 enterprise IT practitioners found that 73% of those professionals did not fully understand the public cloud SRSM.
IN BRIEF
CLOUD ADOPTION TO ACCELERATE ‘IT MODERNISATION’
Cloud adoption has increased rapidly, with cloud-specific spending expected to grow at more than six times the rate of general IT spending through 2020, according to McKinsey. While large organisations have successfully implemented specific Software-as-a-Service (SaaS) or have adopted a cloud-first strategy for new systems, many have struggled to get the full value of moving the bulk of their enterprise IT requirement to the cloud. McKinsey reports that this is because many organisations tend to ‘fall into the trap of confusing simply moving IT systems to the cloud with the transformational strategy needed to get the full value of the cloud’. | mckinsey.com
Diagram: the eight service delivery layers (User access/identity, Data, Application, Guest Operating System, Virtualisation, Network, Infrastructure, Physical) shown side by side for On-premises, Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service, with each layer marked as either customer or Cloud Service Provider responsibility.
IN BRIEF
BACK FROM THE CLOUD
Source: 2019 Netwrix Cloud Data Security Report
‘Declouding’ is the ‘re-patriation’ of IT and data back from cloud platforms to on-premises systems.
The de-clouding of data is often driven by an inability to reach goals. Among organisations that named cost reduction as the major reason to store the PII of their customers and employees in the cloud, 55% have considered or might consider moving this data back on premises. Their reasons include high costs (29%), lack of control (27%) and security issues (22%). A similar number of organisations that moved that data into the cloud primarily to improve data security would consider de-clouding their data (54%); their top drivers are security (27%), high cost (23%), reliability and performance issues (16%). Below: types of data that organisations who store all their sensitive data in the cloud would choose to move back on premises first.
Customer data: 43%
Employee data: 26%
Payment/financial data: 10%
Intellectual Property: 7%
Non-sensitive: 7%
Patient/healthcare: 6%
Other: 2%
Figure legend: shading distinguishes Customer responsibility from Cloud Service Provider responsibility; the leftmost column shows the On-premises case, with the same layers from User access/identity downwards.
While many CSPs will provide some native cloud security controls, it remains the responsibility of the customer to apply and manage those controls or those provided by a third party: 47% of the research participants here reported ‘confusion’ with the SRSM for IaaS versus 54% who said the same for SaaS. Sources: Oracle and KPMG Cloud Threat Report 2019.
This confusion has fermented for at least three years. A 2017 survey of 1,000 enterprise IT practitioners by consultancy 2nd Watch found that 73% of IT professionals did not fully understand the public cloud SRSM, with many under the impression that their cloud providers had greater responsibility for securing applications and data than they in fact did. Forty percent of respondents believed their applications and data were ‘fully protected’ by their CSP at the time, while 34% believed security was their own company’s responsibility entirely – an equally erroneous working assumption. The establishment of ‘demarcation lines’ between CSP and customer, and the removal of ambiguity about where security responsibilities lie, are critical for businesses that use cloud services – for several reasons. These reasons have become more tangled in recent years because of the complex managed infrastructures that users have assembled from CSPs’ ‘as-a-Service’ products, and the added compliance obligations imposed by data protection regulations; it is at this nexus that senior executive leadership could be drawn into what might otherwise seem a fairly straightforward IT procurement issue.
SO WHOSE CLOUD IS IT, ANYWAY? Popular ‘as-a-Service’ options provide virtualised alternatives to the basic building blocks of IT infrastructure that organisations would otherwise have to build and operate themselves in their own physical data centres. The three principal service categories are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each category has eight service delivery layers: the security responsibility for each of those layers is assigned to either the CSP or its customer. However, while the SRSM defines how those responsibilities should fall, it does not constitute a mandated industry standard; and while it might be customary for CSPs to provide levels of native cloud security controls (e.g., data encryption), typically it remains the responsibility of their customers to apply/manage those controls or those provided by a third party. The Oracle/KPMG report findings are echoed by a survey from Barracuda Networks, which indicates that many IT buyers – and it’s not altogether clear whether these are IT practitioners or business managers – buy into public cloud on the assumption that because they are effectively outsourcing the running of their infrastructure to a trusted third party, the CSP ‘will take care of everything’. But Barracuda found that this ain’t necessarily so. Sixty-four percent of EMEA IT leaders polled here asserted that their public IaaS provider is ‘responsible for securing customer data in the public cloud’, applications security (61%), and Operating Systems security (60%). These assertions are at odds with what Amazon Web Services, Microsoft, and others say, Barracuda Networks adds – a misunderstanding that ‘exposes countless organisations to unnecessary risk’. The fact that 61% of the survey respondents declare themselves to ‘fully understand their cloud obligations’ further underlines the ‘dangerous disconnect between perception and reality’ when it comes to public cloud security adoption, Barracuda concludes.
Figure: How concerned are you that your employees/depts. violate security policies for the use of cloud applications? (% Very Concerned / Concerned; the figure also shows a Somewhat Concerned band.) 2018: 82%. 2019: 92%.
Figure: consequences of Shadow IT app usage reported by respondents. Unauthorised access to data: 50%. Introduction of malware: 48%. Loss of data: 47%. None of the above: 16%. Don’t know, but suspect so: 3%.
Half of organisations polled report the use of Shadow IT apps has led to unauthorised access to data, easy to understand when tools like enterprise file sync-and-share (EFSS) services are widely used to share corporate data internally and externally.
INCIDENTS CAUSED BY ‘CONFUSION OVER SRSM’ Fifty-four percent of respondents to the Oracle/KPMG report registered confusion with the SRSM for SaaS and 47% polled the same with respect to IaaS. The study also found that many customer personnel who should have the best knowledge of the SRSM do not, in fact, seem to possess it. Just 10% of the CISOs surveyed, and 25% of CIOs, declared that they ‘fully understand’ the SRSM. This is more of a revelation than it might, at first, seem. The report suggests that the cyber security leaders’ lack of assured clarity indicates a lack of involvement in the use of cloud services; that’s because use is often driven autonomously by line-of-business heads, who (perhaps) are none too concerned about potential security liabilities. And they should be: 82% of public cloud users polled by the Cloud Threat Report 2019 say that they have experienced adverse security incidents due to ‘confusion over SRSM’. Thirty-four percent of organisations polled state that such confusion about the SRSM has led to the introduction of malware, and a similar number of respondents (32%) think it has exposed them to increased risk of audit and regulatory penalties. This lack of a clear understanding of the SRSM also puts data at risk: 30% of organisations report that, as a result, data was accessed by persons unauthorised to do so. Additionally, 29% of respondents said an unpatched or misconfigured system was compromised due to SRSM confusion. Another contributory confusion factor is a lack of consistency in SRSMs between CSPs, which has also had ramifications. These days it is fairly usual for an organisation to use two or more different CSPs. Keeping current with the differences between CSPs, sometimes nuanced ones, is a ‘significant challenge’, and one that 46% of Cloud Threat Report 2019 respondents
indicate requires one or more dedicated human resources to manage. Indeed, it could well be argued that confusion, and the resulting consequences, around the differences in the SRSM between CSPs is, in part, the cost of using multiple CSPs. The old promise that cloud adoption would make the administration of IT simpler now looks very last-decade indeed... Another survey by McAfee approached the subject from the perspective of trust, and uncovered more disparities between assumed responsibility and actual risk. The Cloud Adoption and Risk Report 2019 asked respondents how much they ‘trusted their cloud providers to keep their organisation’s data secure’.
Those with cyber governance are less likely to be won over by unquantifiable claims put forward by the pro-Shadow IT lobby.
What happens to data once uploaded to a CSP continues to be one of the biggest concerns of respondents to McAfee’s poll. Fewer than 50% of service providers specify that customer data is ‘owned by the customer’; the rest either claim ownership over all data uploaded, or do not legally specify who actually owns the data. An even smaller number of CSPs delete data ‘immediately’ on account termination, with the remainder keeping data up to 12 months, with some claiming even the ‘right to maintain copies of [customer] data indefinitely’.
However, a total of 69% of McAfee’s respondents reported that they did ‘trust the cloud providers to keep their data secure’, and 12% of the same respondents claimed that the CSP is ‘solely responsible for securing their data’, despite the provisions of the SRSM and the fact that no CSP delivers total security assurance. The McAfee report opines that it’s likely, therefore, that the polled organisations’ lack of knowledge (at best) and/or ignorance (at worst) means that they are ‘underestimating’ the security risks they are subject to by trusting CSPs entirely without applying their own set of controls.
SHADOW IT: CLOUD’S ‘DARK LINING’ Shadow IT is another cloud-related security challenge that is now making a bigger blip on IT security risk-awareness radars. Despite its essentially illicit nature, Shadow IT has, nonetheless, had some success in normalising the broad notion of cloud-based enterprise computing solutions procured and deployed by staffers without the explicit approval of their IT departments, and paid for on their personal company credit cards. Even as far back as 2016, the Logicalis Global CIO Survey suggested that Shadow IT is ‘now a fact of life for the majority of CIOs’: 90% of IT chiefs polled for that research admitted that they are ‘now by-passed by line-of-business colleagues at least occasionally’.
‘Demarcation lines’ between a CSP and its customers, in regard to where cloud security responsibilities lie, have become critical.
Subsequently, its proponents sought to re-label Shadow IT less threateningly as ‘flexible IT’ or even ‘devolved IT’, and rather than try to quash the grassroots trend, caught-in-the-middle CIOs were advised by their executive masters to instead enfold it into their management plans. More fatalistic IT chiefs have thought hard about bringing Shadow IT under the remit of ‘progressive’ enterprise IT strategies, but may retain an anti-Shadow stance toward those c-suite execs susceptible to tales of Shadow IT’s perceived business benefits. Those c-suiters with cyber governance nous, however, were and are less likely to be won over by unquantifiable claims put forward by the pro-Shadow lobby; rather, as an expectation arises that – even though they have no innate influence over, or knowledge of, Shadow IT adoption – they should assume responsibility for remediating security-related incidents where Shadow is the known cause, they feel the need to bring forward countervailing arguments more stridently. As Shadow IT proliferates, so too do the potential system security-related issues that it is likely to cause. The Oracle/KPMG Cloud Threat Report, meanwhile, reckons that Shadow IT is ‘here to stay’, and will continue to flourish independent of attempts by the IT security function to control usage with policies, despite the specific jeopardies it presents to data protection and security governance regulations that have come into force since 2016. The challenge of stemming the tide of Shadow IT is evidenced by the lack of adherence to policies. Business units that use non-approved cloud services and apps for business purposes blatantly ignore the rules, the Cloud Threat Report reminds its readers. Even though most organisations now have a formalised policy to review and approve cloud applications, there has been a substantial year-over-year increase in the concern that such policies are being ignored or violated. Indeed, the 92% of research participants reporting concern that their company has individuals, departments, or lines-of-business in violation of their security policies for the use of cloud applications is a notable 10 percentage point increase from last year’s research (see Cyber Security Europe Spring 2019 issue). But is the concern that individuals, departments, or lines of business are not following policies reflected in actual Shadow IT application usage? A sizeable 69% of organisations stated that they are aware of a ‘moderate’ or ‘significant’ amount of Shadow IT apps, with another 15% stating they are aware of a few such apps in use. All that notwithstanding, use of Shadow IT applications has had adverse consequences. The findings in the Cloud Threat Report 2019 survey results clearly indicate that Shadow IT has led to the very outcomes cyber security personnel aim to guard against. Exactly 50% of the respondent organisations report the use of shadowy apps ‘has led to unauthorised access to data’, which is easy to understand when tools like Enterprise File Sync and Sharing (EFSS) services are widely used to share corporate data internally and externally, for instance. Nearly as many organisations polled – 47% – report ‘actual loss of data due to the use of Shadow IT apps’. Such incidents include storing sensitive corporate data in an unauthorised personal cloud application – data that is lost, should a Shadow-inclined employee move on. Shadow IT has also often resulted in the introduction of malware (48%), as malevolent threats employ cloud apps as a cyber attack vector.
CIOS AND CISOS SEE SHADOWS DIFFERENTLY… Another noteworthy point with regard to the implications of Shadow IT is the ongoing fundamental difference in perceptions between CISOs and CIOs, with CISOs generally viewing Shadow IT as more problematic than CIOs do. CISOs report incidents caused by Shadow IT apps at more than twice the frequency of CIOs (23% versus 10%). CIOs may, in fact, even see a budgetary benefit from the use of Shadow IT apps, with the cost being submitted as a business expense rather than a funded IT line item. CISOs are unlikely to make such a distinction as they feel responsible for securing all applications and services in use, whether they are approved or unauthorised. Wherever the buck might be supposed to stop, the risks Shadow IT poses are cyber security risks, and so CISOs and their teams are bound to be most sensitive to them; CIOs, arguably, must balance the proliferation and propensity toward Shadow IT against some other considerations. For instance, does it help a workgroup achieve productivity targets? What is the evidence that even known exploits result in security breaches? Does Shadow IT represent acceptable or unacceptable risk? There can be little doubt that these differences of opinion between chief officers are informing lively debates in many board and c-suite executive meetings.
GET READY FOR ‘SHADOW CLOUDS’ Research in a study by Snow Software also found that most global workers are ‘going rogue’ with cloud applications despite having been made aware of the potential business risks their actions could result in. Rogue Resourceful, which surveyed 3,000 professionals in Europe, Asia/Asia Pacific and the US, uncovered stark contrasts between the mindset of large sections of today’s workforce and the priorities of IT security leadership. This rift is especially notable in younger ‘millennial’ employees, who are almost twice as likely to circumvent the security ground-rules as older workers: 81% of those millennials polled admit they have used or accessed something on their work device without proper permission versus just 51% of seniors who have done the same. However, Rogue Resourceful also found that exec-level employees – for example, senior managers, directors and vice presidents – were almost twice as likely to use unauthorised professional or personal applications compared to middle-ranking respondents (e.g., entry-level, associate or specialist staffers). At senior levels, c-suite executives (including Presidents and VPs) led the way in using work apps (57%) and personal apps (51%) on their work device without properly authorised permission from their IT managers. There is a disconnect between workers’ behaviour and their understanding of the business risks of unsanctioned and unmanaged technology. For example, just 7% of the executives polled said that they do not think it causes any business issues – yet 57% have engaged in that exact behaviour by downloading work applications and software without IT’s permission.
ACCREDITATION Words | James Hayes Photography | Shutterstock
ADVERTORIAL
cybersecurityeurope
Klaus Brisch
A B2B ‘Cyber-Threat-Platform’ would enable efficient exchange of intelligence between targeted companies and IT security providers, explains DWF’s Klaus Brisch. EACH YEAR, CYBER ATTACKS CAUSE CONSIDERABLE ECONOMIC DAMAGE: ACCORDING TO A STUDY, worldwide losses of approximately $600bn were incurred in 2017 alone. In Germany, for instance, yearly damages are estimated at €43.4bn. Furthermore, experts warn that the risk of becoming a cyber crime victim will continue to grow. Increased digital transformation, for example, leads to more possibilities for cyber attack; and all the while, attackers enhance their technological prowess. DWF has called for the creation of a B2B platform solution – a ‘Cyber-Threat-Platform’ – that brings together all parties involved in cyber counteraction. This platform would allow key information to be exchanged between all parties – in real time. Klaus Brisch is Partner and Global Head of Technology at DWF, with expertise in data protection and privacy law, IT-compliance, cyber security, additive manufacturing and cross-industry innovation. Cyber Security Europe spoke to him about why he feels such a platform is necessary.
Such a ‘Cyber-Threat-Platform’ would strengthen our industries’ defences against digital threats.
CSE: Even though it has now become quite normal to regularly install updates to IT systems, and to regularly change passwords, it’s clear that these measures alone do not provide adequate protection against persistent, technologically-adept attacks by both cyber criminals and nation-state threat actors. What more can be done to consolidate these defences?
KLAUS BRISCH: Improvements in intelligence sharing, and in the speed of response to that intelligence, could make a significant improvement to Europe’s cyber defences. It is equally important to be immediately informed about security gaps that have been discovered in software programs used – in order to be able to react accordingly. This, however, is exactly what has not yet been organised in Germany, for instance, on a national level. We need to do more to improve our threat intelligence network potential.
CSE: Can you elaborate on your concerns?
KLAUS BRISCH: In the future, the BSI’s information flow – for example, on existing security threats – would remain restricted to certain segments of the economy. This would not be a comprehensive solution. In addition, not all economic players would be obliged to report cyber attacks. Lastly, no framework exists that would bring together providers and users of security services directly.
CSE: This is why you have advocated the creation of an electronic B2B platform that would bring parties together?
KLAUS BRISCH: Yes, bring together as many businesses as possible, security authorities and cyber security companies. The platform I have in mind would also allow information to be exchanged between all parties – and, importantly, in real-time. Such a ‘Cyber-Threat-Platform’ would then receive alerts on potential threats directly from cyber security companies. The users of the platform, and thus the receivers of such alerts, would then be companies in the private sector as well. Respective vertical sectors and company size would be irrelevant. Such a solution would help to strengthen our industries’ competence with regard to cyber security, identify threats more quickly, and to address them comprehensively. As a result, economic damage could be limited.
CSE: And government agencies should also be connected?
KLAUS BRISCH: Absolutely, and they also could contribute insights or relevant information on security issues. In this context, however, it would be important for these institutions not to have full access to company data, as the impression of government monitoring could deter participation of some companies. Corresponding platform solutions are by no means new. Comparable approaches already exist – both on a national and international level. So far, however, they have been limited to defined participant groups.
CSE: How do you foresee sensitivities around public disclosure being handled? After all, some organisations and business may be happy to share information about being attacked, but not to be identified as victims.
KLAUS BRISCH: That is, naturally, understandable and important. Companies that report an attack on their IT to the platform should – indeed, must – be allowed to remain anonymous in order to avoid reputational damage. Nevertheless, it needs to be transparent to all users which companies are connected to, and contributing to, such a ‘Cyber-Threat-Platform’ platform.
CSE: A threat platform of the kind you describe would, obviously, have a number of legal implications – for example, for competitive cyber security companies involved. Presumably, some kind of co-operative agreement would be required, that regulates the respective rights and obligations of the arrangement?
KLAUS BRISCH: Yes, I agree, it would. It would also be absolutely necessary, I also think, to establish clear conditions for the companies’ participation. These would need to include minimum requirements for technical IT standards in the companies, as well as specific codes of conduct for the platform in order not to endanger the users’ reputation and integrity.
CSE: How soon do you envisage the kind of ‘Cyber-Threat-Platform’ that you describe could be brought up to operational strength? Can it build upon existing cyber intelligence sharing platform solutions?
KLAUS BRISCH: Well, it is important to bear in mind that we already have a wealth of information and intelligence and experience that would be useful when developing the ‘Cyber-Threat-Platform’ as I have explained, so I believe that a technical implementation would be feasible relatively quickly. The sooner the better, ideally, because there’s no doubt that we urgently need its help.
COMPANY INFO
DWF
We are a legal business, transforming legal services through our people for our clients. Led by Managing Partner and CEO Andrew Leaitherland, we have over 31 key locations and more than 3,900 people delivering services and solutions that go beyond expectations. Interviewee Klaus Brisch is Partner and Global Head of Technology at DWF and a previous contributor to CSE. FOR MORE INFORMATION | dwf.law | klaus.brisch@dwf.law
Do cyber threats perceive a value in your enterprise data that you’ve missed? Can that value go up as well as down? Calculating minds understand the data economy rules.
THE WIKIS DEFINE THE ‘DATA ECONOMY’ AS A GLOBAL DIGITAL INTER-SYSTEM IN WHICH DATA TYPES ARE GATHERED, organised, processed and exchanged by a network of vendors and agencies to derive value from the information thus accumulated. This definition has assumed broader resonance, however, as more sections of the data economy undergo programmes of digital transformation, and start to discover, perhaps for the first time, the full extent of their data assets and the full extent of those assets’ value. This means that a general appreciation of data economy dynamics, at least, should exist around Europe’s c-suites and boardrooms. Cyber security process plays an important part in this assessment: it is because data has an intrinsic value that cyber criminals and other threats try to steal it for resale and other nefarious exploitations. Targeted organisations that want to understand the intrinsic value of their data assets should factor its attractiveness to hackers into their calculations. (Additional value criteria could include intellectual property value and value for business analytics.) The calculation of value naturally depends on the type of data under evaluation. Some data, such as intellectual property (IP) and data-protected customer data, is innately valuable. Other data holds value because if anything unlawful happens to it, the data owner could be penalised by a regulator. Some data owners want to find out how much their data is worth so that they can decide how much of their IT security budgets they should spend to protect it: there is little point in defending relatively worthless data with expensive arrays of security. Data value might also be a decisive metric for data that’s insured against cyber attack. Data is so important to businesses today that 67% of EMEA businesses that responded to Evolution’s Data Economy Report 2017 reckoned it should be ‘shown as an asset on the company balance sheet’. Some respondents went as far as to say the data their company holds is ‘more valuable than the people it employs’. It is evident that some of the cyber criminals who hack into an organisation’s IT systems and steal data do so to feed a
IN BRIEF
WHERE DATA ECONOMIES ADD VALUE... Increasing opportunities for the creation of financial value for businesses and other organisations through the analysis and interpretation of different types of data include:
Creation of high-value employment opportunities from the demand for the skilled labour needed to undertake data analytics or other data economy services;
Efficiencies in the management of business procurement and supply chains;
Greater innovation in existing products or services;
Improvements in the current business decision-making process;
Opportunities for efficiency-driven reductions in the price of goods and services;
Potential for the realisation of enhanced levels of operational efficiency.
Source: Digital Realty Data Economy Report 2018.
demand. A decade ago there were still organisations who were convinced that they would not be subject to cyber attack because their data was valueless. They were wrong, somewhat in the same way that 150 years ago, few people thought that oil was worth drilling for. Indeed, within its publication The Hidden Data Economy (2015), McAfee designates enterprise data as ‘the “oil” of the digital economy’. The commercial market for personal data is ‘booming’, it reports, with large databases of subscriber information driving up the valuations of the companies they belong to, even though many of those companies have yet to turn a sure financial profit. The commercial value of personal data is a good example of this. As that value grows, cyber criminals have built a complex economy to purvey stolen data to anybody with a web browser and the accepted means to pay. It’s likely that some buyers of illicit data don’t really know the true value of what they buy, and just hope that they will find something in there that proves profitable. Digital economists have been somewhat enlightened by the activities of cyber criminals and other data thieves. Many organisations, for instance, are progressing their own models for making public data assets available for commercial use. It’s arguable that this would have happened anyway – cyber thieves or not – but data breaches do represent some supporting evidence for the models being evinced. According to the Body of European Regulators for Electronic Communications (BEREC)’s Report on the Data Economy, the European Commission has stated that the value of the data economy in the European Union (EU) was more than €285bn in 2015: that represented 1.94% of the EU’s gross domestic product (GDP). The total direct economic value of public sector information in the EU states, for instance, is expected to increase from a baseline of €52bn in 2018, to €194bn in 2030.
Accordingly, favourable and timely policy and legislative conditions and incentives to invest in ICT might support an increase of the value of the European data economy to €739bn by 2020, which represents 4% of overall EU GDP. BEREC’s Report on the Data Economy goes on to point out that our traditional economic structures as well as our societal structures will undergo a rapid change as a result of global Digital Transformation. The diverse possibilities to be found in data collection, storage, evaluation and transmission are commensurately at the centre of these changes. These are the basic requirements for the achievement of potential intra-company efficiencies and the development of innovative business models. Data is thus becoming a central factor of competition and value-added growth. It is also of ever-increasing economic relevance. The European Commission further estimates the added value of the EU data economy in 2015 at around €272bn; it forecasts an increase to €643bn by the end of 2020.
FOCUS: UNITED KINGDOM AND GERMANY A comparison of two of Europe’s leading data economies by the Digital Catapult’s UK Data Economy After Brexit report (2017) provides some key indicators of how they feed into traditional economic trends. In 2016, the UK’s data economy accounted for more than 2% of the country’s GDP with an estimated value of €61.3bn. This placed the UK data economy as the second largest in the EU, behind Germany with a data economy worth (an estimated) €77bn. Not surprisingly, both nations have experienced growth in their legitimate suppliers of data. In the UK, the number of data suppliers is disproportionately bigger than in other large EU economies (albeit with a rather average growth rate). In 2015, there were some 120,500 data companies in the UK; that was about 95,000 more than Germany (a distant second) and more than 47% of the whole of the rest of the EU, which the Digital Catapult estimated to have about 254,850 data companies in total at the time of its report. Similarly, in terms of data revenue, the UK leads – along with Germany in close second place – but with growth rates only slightly better than average. The UK also has a sizeable and active data market, which for the purposes of The UK Data Economy After Brexit is defined as ‘the aggregate value of the demand for data products or services in the economy’. In 2016, the value of the UK data market was estimated to be €13.313bn; that’s marginally higher than Germany’s €12.9bn, with above-average growth levels, at 13.2%. Projections of the growth of the EU data market by the end of 2020 place the UK first at €17.7bn, with Germany again being a close second at €16.4bn. (France is a more distant third at €9.1bn, and Italy comes in fourth at €6.3bn). Analyst IDC’s European Data Market report (2017) reckons the UK share of the EU data market to be the biggest, at 22.4%.
Such statistics and forecasts make heady reads, to be sure; but there is one substantial inhibitor that is ever-poised to curtail the full potential of the European digital economy from being realised: the cyber threats that make use of the public internet a risky undertaking, by any assessment.
Figure: MEAN VALUES FOR ITEMS OF PRIME IP TYPE. Respondents were asked to select the type of IP stored by their organisation that would cause the most $ damage if compromised; the x-axis is in $ on a logarithmic scale ($0, $100, $10,000, $1,000,000). Source: Trustwave The Value of Data Report.
Figure: VALUE AT CYBER RISK, BY VERTICAL SECTOR ($bn). Companies risk losing an estimated $5.2tn in value creation opportunities from the digital economy from rising cyber security attacks; High Tech leads at $753bn. Source: Accenture Securing the Digital Economy Report 2019.
Accenture’s Securing the Digital Economy 2019 report suggests that until the public Internet is made a safer place to conduct commerce and the normal conduct of business, the aspirations of a digital economy will perforce be limited by cyber threats. It states: ‘One of the most glaring challenges of an insecure Internet is the economic cost. In the private sector, over the next five years companies risk losing an estimated €4.71tn ($5.2tn) in value creation opportunities from the digital economy – almost the size of the economies of France, Italy and Spain combined – to cyber attacks’. This translates to 2.8% in lost revenue growth over the next five years for a large global company, Accenture extrapolates. However, it is Europe’s high-tech industries that face the biggest risk, with more than €683bn ($753bn) ‘hanging in the balance’. This brings us back to the question of how an organisation begins to calculate the intrinsic/extrinsic value of its data assets. Published by Trustwave in 2017, the Value of Data Report was conceived to examine the relative value placed on enterprise data from the perspective of different stakeholders: be they enterprise security practitioners, state regulators, cyber insurers – or even cyber criminals. Determining what that data is worth is integral to this process. The report attempts to answer this question and to provide guidance that can be used to help evaluate the cost of data breaches. It also looks at what data-risk vigilance measures the organisations it surveys have in place. The Value of Data Report focused on four standard (and regulated) data types: Personally Identifiable Information (PII), Payment Card Data (PC data), intellectual property (IP), and enterprise email. It looks also at how the value of PII varies by data subject, by use of Per Capita Values (PCV). Different types of data may be involved in any given data breach, the Value of Data Report outlines.
The targeting of a point-of-sales device, for example, may involve exclusively PC data, whereas the theft of a laptop may involve PII, email and IP. Respondents to the report’s survey were asked to rate four basic data types in order of priority. Each data type could then be assigned an overall average priority score. PII was ranked highest, followed by IP, PC data and email. All organisations store PII and IP of some sort and all must deal with email, although enterprise email is given the lowest priority. However, only a subset deal with PC data. The data type ranked first by each organisation has been termed its ‘prime data type’. 47.4% selected PII, 27.6% selected IP, 18.4% selected PC data, and 6.6% selected email.
[Charts from Trustwave’s Value of Data Report: (1) dollar values assigned to intellectual property data types, with the figures in parentheses as shown on the chart: Corporate emails (50), Copyrighted works (19), Survey results (16), Pre-release financial data (72), Contracts & agreements (63), Design documents (33), Pre-release product info (33), Merger & acquisition info (50), Software/algorithms (26), Formulas/recipes (16), Overall response median (378); (2) a breakdown by industry: Capital Markets, Automotive, Life Sciences, High Tech, Retail, Health, Banking, Consumer Goods & Services, Travel, Transportation, Chemicals, Energy, Utilities, Natural Resources, Communications & Media, Industrial Equipment, Insurance. The chart values (from $933 to $31,625) cannot be paired with their labels from the extracted text.]
Different data types do matter more in certain industries, the report determined: PII is given the highest priority in health care (3.5) and hospitality (3.4), and the least in industrial (2.9), while IP was given the highest priority in industrial (3.0) and IT and communications (2.9); IP was lowest in hospitality (2.4) and financial services (2.4).

The size, and therefore value, of data sets is not just a function of the number of records, Trustwave’s Value of Data Report suggested, but of the information each record contains. A data subject record consists of attributes: family name, date of birth, Social Security number and mother’s maiden name are all examples. An average of 49 attributes are held for each prime data subject. This rises to 74 for patients and drops to 18 for contractors. This richness of information is part of the reason patient records are considered some of the most valuable, being assigned an estimated mean PCV of €1,402 ($1,546). This is just behind shareholders, which come highest at €1,564 ($1,725), and ahead of consumers at €995 ($1,054).

Data is so important to businesses that 67% of EMEA firms reckoned it should be ‘shown as an asset on the company balance sheet’.
ACCREDITATION Words | James Hayes Photography | Shutterstock
interview
ANJOS NIJK

Europe’s influential industry body for energy infrastructure is helping the continent’s power utilities become savvier to cyber threats.

Anjos Nijk is the current Managing Director of the European Network for Cyber Security (ENCS). Based in The Hague and founded in 2012, the ENCS is a non-profit member organisation that brings together critical infrastructure stakeholders and security experts to deploy secure European critical energy grids and infrastructure. ENCS has dedicated researchers and test specialists who work with the association’s members and partners on applied research, defining technical security requirements, component and end-to-end testing, and education and training. The ENCS serves as an important point of crossover between the Information Technology of the enterprise world and the Operational Technology (OT) that predominates in national and international power infrastructure. In 2018 the ENCS completed the first course of a training programme designed to help cyber security architects design secure smart grids, looking at risk-based architecture design and IT/OT interface design. “There are many measures from the IT world that are applicable to OT systems,” Nijk said at the time. “Using too many measures will cause high investment costs and may make the system hard to use; [but use] too few, and the system is vulnerable. Assessing that balance requires thorough understanding of the systems and risks involved.”

BIOGRAPHY
Anjos Nijk, Managing Director (ENCS). Anjos Nijk has been MD of the European Network for Cyber Security (ENCS) since February 2016. Prior to that he was the organisation’s COO. He presents regularly at power industry and security events. In addition to his ENCS duties, Nijk is a member of the Steering Committee of the Smart Grids Task Force of the European Commission Directorate-General for Energy, a member of the Cyber Security Expert Group, and ENCS liaison with several key European associations, including European Distribution System Operators (E.DSO), the European Network of Transmission System Operators (ENTSO-E) and the European Utilities Telecom Council (EUTC).

DETAILS For more information about the ENCS visit: | encs.eu

You can’t just switch off a national grid when a major cyber security attack incident takes place...

CSE: From the ENCS’s perspective, how well do European states compare with each other in regard to the cyber security readiness of their respective energy infrastructures?

ANJOS NIJK: The diversity in culture, legislation and technology deployment in European nation states is reflected in the security readiness of their energy infrastructures. This diversity provides the opportunity to identify and deploy the best practices. The NIS Directive introduces a degree of harmonisation by fostering a baseline security for operators of essential services, including Europe’s big energy grid operators. But other infrastructures like wind and solar farms and EV charging infrastructure, which can have a big impact if compromised, are out of scope. This needs to be addressed, and support is needed for initiatives fostering best practices deployment and implementation through collaboration and harmonisation.

CSE: Do you see evidence that non-technical executive chief officers and directors in European energy utilities companies are acquiring greater responsibility for the cyber governance of their organisations?

AN: Yes, we see a clear increase. This was initially driven by the need to prevent incidents similar to what happened to the Ukraine power grid, and now by the broad implementation and certification of Information Security Management Systems driven by the NIS Directive. Also, the growth in ENCS members has been a clear indicator expressing a strong commitment and investment of European grid operators in security skills and capacity building. By now it is quite common that CEOs of grid companies refer to cyber security as a top priority in keynote speeches.

CSE: What are the main ways recent European legislative compliances such as GDPR and the Cyber Security Act (2019) have affected energy utilities in the EU regions?
AN: GDPR has resulted in appointment of specific responsibilities for data protection and governance structures in utility organisations. The Cybersecurity Act mandates ENISA to prepare certification schemes for ICT products, services and processes, also in the energy sector. But certification schemes which have been effective for other domains, have not been designed to address the specific needs of electricity grids. Electricity grids have a unique mix of legacy systems and new technology, real time requirements – you cannot switch off the grid when there is an incident – and cascading effects. Close collaboration between domain experts and regulators is required to create a scheme that addresses security effectively.
CSE: You have made the connection between good cyber security management and competitive advantage in the energy industry. In other vertical sectors these two factors have been linked for a long time. Is it fair to say that Europe’s energy utilities are somewhat behind the curve in their understanding of the connection?

AN: I think that it is fair to say so. The energy industry only recently got exposed to cyber threats and started addressing it within its context of high investments, long cycles and regulatory framework. Industries like finance and telecoms have had a much longer history and higher volume of cyber incidents and, consequently, they have higher maturity in organisations and technology. But Europe’s energy utilities have identified the opportunity to build on this knowledge and are rapidly improving by collaborating to share knowledge and raise technology security levels.

CSE: You have pointed out that closing the skills gap is crucial to cyber preparedness for Europe’s energy supply and delivery sector. Is it in fact harder to recruit cyber security professionals who are able to understand the special nature of that sector’s infrastructure and also of its Operational Technology (OT)?

AN: Yes, it is, due to the requirement to master both security and OT technology and operations before you can effectively contribute. Grid cyber security is rocket science. Experts with only IT security knowledge can already choose any job they like and earn big salaries, so why bother to make the effort to start as a junior again? The same goes for a network engineer starting to work in security. Luckily, there are also people who get motivated by the intellectual challenge.

CSE: ENCS uses members to work on projects that all members share. How often do non-technical senior executives from member organisations get directly involved in these initiatives? And what are the key benefits?

AN: In the ENCS we have various levels of engagement. Non-technical board-level executives participate in ENCS Strategy Assemblies, the Assembly Committee and the Strategic Advisory Board. This assures strong c-suite-level involvement in setting ENCS strategic direction and governance of the work. The benefits are two-fold: connecting ENCS more strongly to the grid community and European groups, as well as assuring budgets and support for the member projects and the ENCS work programme.

CSE: The ENCS member project for 2019 was ‘Information Security Management’. Are you able to briefly explain how that project progressed? Can you also say what its key outputs will eventually be?

AN: It was one of the member projects; we also had a member project on procuring secure equipment, and we started substation automation security and hardware security. The objective of the ISMS member project was to gather and share best practices in implementing an ISMS, so that ENCS members can adopt and benefit from these best practices to create a first ISMS or improve an existing ISMS. An ISMS best practice guide was published on the ENCS portal, and an expert group was established that will continue as an ENCS roundtable fostering ENCS members’ ISMS implementation.
CSE: You have said (in a March 2019 interview) that, in terms of bringing about effective change in cyber security readiness and awareness, the focus should be much more on the facilitation of initiatives that deliver ‘concrete’ results. Can you briefly explain what kind of results you had in mind in that particular context?

AN: Concrete results are, for example, security requirements sets that can be used at procurement, testing methods and tools to verify the implementation of the requirements, role-based training such as designing secure architectures and secure configurations, vulnerability reports and everything that grid operator staff require to manage their grids’ security. Besides creating the content, it is important [for the ENCS] to support grid operators in implementing and using it.

It’s quite common for the CEOs of European grid companies to refer to cyber security as a top priority.

CSE: If a cyber-aware CEO from, say, the finance sector, were to move across to a role in a European energy utility, what cyber security cultural differences do you expect they would encounter?

AN: They would certainly have to learn and appreciate the specifics of the grid, the different nature of the cyber risks and the culture of a technical organisation managing a very complex system, incentivised and evolved to operate the system within tight margins of system availability and security of supply at the lowest cost. This implies a culture of risk averseness, long-term planning and compliance with regulatory demands. The challenge will be to build and maintain the skills and processes capable of dealing with the short cycles of digital technology.
ACCREDITATION Words | James Hayes Photography | ENCS
advertorial
Is your organisation being held back by a lack of visibility into its data? Multi-cloud data management can help restore vision, says Rubrik’s Robert Rhame.

Having little or no visibility into data – referred to as ‘data blindness’ – has become commonplace among organisations. Not knowing what data a given organisation has, or who owns it, can completely impair the ability to assess and reduce risk; that’s an untenable position in 2020. In fact, according to a report by the Institute of Directors (IoD) and Barclays, more than 40% of organisations have no idea where their data is stored. With regulations such as the EU General Data Protection Regulation (GDPR, in force since 2018) and the California Consumer Privacy Act (CCPA, enacted in 2018 and in effect from January 2020), more attention than ever is being paid to the way organisations all around the world use and abuse data. Data blindness, therefore, must become a thing of the past.

The impact of a lack of visibility into data can be crippling for organisations, especially when it comes to an audit or a data breach. Without visibility into the data held across every facet of your organisation, it becomes impossible to accurately model the risk of a data breach to your business. How can you protect the most important data if you don’t even know where it is? Given the ever-increasing frequency of data theft, organisations are assuming that it is not a matter of if a data breach will happen, but when. That makes it even more critical to map out your data across your infrastructure and in the cloud, to identify what is where.

Adopting an effective multi-cloud data management solution that not only protects data but automates data governance activities can enable your organisation to combat data blindness and the damaging consequences that ensue. Such a solution provides visibility across the whole business, improving efficiency and productivity and saving money and resources. When it comes to auditing, a multi-cloud data management solution that unifies data silos across data center and cloud environments will allow you to find your data more easily and classify it.

COMPANY INFO
RUBRIK
Rubrik delivers a single platform to manage and protect data in the cloud, at the edge, and on-premises. Enterprises choose Rubrik’s Cloud Data Management software to simplify backup and recovery, accelerate cloud adoption, and enable automation at scale. Rubrik’s run-anywhere, scale-out architecture empowers IT departments both today and in the future.

Robert Rhame (pictured) is Director of Market Intelligence at Rubrik.

CONTACT DETAILS For more information please go to: | rubrik.com | rubrik.com/en/contact-us
FEATURE
REPUTATIONAL BRIEF

Warren Buffett once said: “It takes 20 years to build a reputation and five minutes to ruin it... If you think about that, you will do things differently.” It’s not known if the business magnate spoke from bitter experience, but he would certainly be apprised of the importance of a sound reputation as a business enabler. Reputational damage is a concomitant of reputational risk. As Deloitte has pointed out, reputational risk is interconnected with other business risks more closely than any other type of liability. For example, an industry regulator’s censorious advice can turn into a reputational risk if it becomes subject to media misinterpretation. The same goes for other risk types, such as corporate culture, financial results and, of course, cyber security resilience. Arguably, no other phenomenon now has a greater impact on brand reputation than being victimised by a successful hack attack. Indeed, over the last decade this phenomenon has taught executive leadership across a range of vertical sectors just how critical their organisations’ reputations are – and just how vulnerable they are to impairment resulting from even comparatively minor cyber incidents. ‘Organisations’ exposures to reputational threats have never been greater and continue to grow with the proliferation of digital media,’ Deloitte reports. ‘Threats to reputation can emanate from other risks, yet reputation itself stands among [an] organisation’s most valuable assets, and must be managed proactively... This is one of the few risk domains that chief officers and board members can directly control’.

Such eventualities have resulted in a fundamental shift in thinking about reputational risk. Traditionally, senior executives have seen reputational jeopardy as a consequence of other things that happen, Deloitte has noted, rather than a defined risk type in itself: ‘a risk of risks’, as it were, rather than a risk in its own right. Deloitte has further stated that if that question had been asked five years ago, likely no one would have seen reputational risk as a standalone risk. This viewpoint has been upended by successive disclosures about cyber attack events, and by the rise of social media as an influencer of public perception. Given all the potential causes of a reputation impact incident, many organisations are now aware – sometimes by dint of painful experience – that even the most redoubtable enterprise reputations are perpetually vulnerable to damage, damage that can prove slow or hard to recover from, even when not altogether warranted or fair. More than any other reputational threat type, cyber attacks have also highlighted the ways in which a stainless reputation is one of an organisation’s most valuable assets. Reputation and brand value may be intertwined, but it has become clear in recent years that while brand value may provide a winning proposition when it comes to customer engagement and market share, attracting strategic partners and favourable analyst opinion, it is also a vulnerable attribute that can be quickly tarnished as soon as knowledge of a cyber attack enters the public domain and becomes much picked-over media fodder. The intrinsic nature of reputational damage is being quantified in overall reputational risk models. Two realisations from recent studies have shaped this: first, that a successful cyber attack that results in a data breach can incur more financial loss than the monetary value of the stolen data assets or funds; and second, that reputational damage sustained following a cyber attack can hurt business or fund-raising operations more than the lawful actions of competitors can.

The overall ‘cost’ of reputational damage is now increasingly being factored into the financial impacts of cyber data breaches.

‘REPUTATIONAL RISK CAN ERUPT OUT OF NOWHERE AND WITHOUT WARNING...’
Reputational risk is generally deemed a threat or danger to the good name or standing of an organisation, business or other entity. Reputational damage can occur in three primary ways. First, directly, as the result of the actions of the organisation itself. Second, indirectly, due to the actions of an employee or employees, say. And third, tangentially, through other peripheral parties, such as business partners or supply chains. In addition to good governance practices and transparency, companies need to be socially responsible and environmentally conscious to avoid or minimise reputational risk. Such damage can wipe out millions of euros in market capitalisation or potential revenues. (Source: investopedia.com.)

[Graphic: word cloud of reputational-risk triggers, including WRONGDOING, FRAUD, ALLEGATIONS, WHISTLE-BLOWER, DATA LOSS and REVELATIONS; the accompanying annotation text is not recoverable from the extraction.]

Deloitte’s The Global Survey on Reputation Risk report found 87% of executives deemed reputational risk to be more important than other kinds of strategic risk. The survey also found that 88% of those polled wanted to recruit employees to be dedicated reputation managers. At c-suite level, this role is usually known as the Chief Reputation Officer (CRO). A CRO reports to the CEO, and their primary job responsibility is to build and maintain a strong organisational reputation. Role nuances may vary between organisations, but the CRO is primarily responsible for reputation KPIs: measuring the effectiveness of the organisation’s communications function and developing a programme for reputational success.

GREATER LEVELS OF REPUTATIONAL CONCERN
Corporate Social Responsibility (CSR): organisations that have thoughtful CSR campaigns and sustainability programmes often outperform in reputation. Evidence suggests that CSR is more important to most stakeholder groups than financial performance, goods and services.
Levels of stakeholder support: key stakeholders may include customers, employees, investors and shareholders, regulators, policymakers, and the public.
Reputation readiness: proactively planning for and actively mitigating reputational risk includes the development of an airtight strategy around internal communications, external outreach (e.g. PR, social media), global correspondence, crisis documentation, and actionable methods of support for leadership.
The ‘return on investment (ROI) of reputation’: quantitative reporting that points to the ROI of reputation as it drives revenue, aligns with share price improvement, and supports the ability to engage employees and attract talent.
Source: The Reputation Institute (reputationinstitute.com).
An April 2019 article from Raconteur also highlights the fact that reputational risk has traditionally been seen as ‘an outcome of other risks and not necessarily a standalone risk’. As Deloitte also suggests, this view has been gradually changing, Raconteur explained, as it becomes increasingly clear that reputation is now ‘critical to the viability of a company’, and deemed part of the intrinsic value of brand or product assets. Aon’s Global Risk Management Survey 2019 points out that whenever a business undergoes a ‘reputation event’ it cuts to the core of its brand’s perception. ‘Technological developments have heightened reputational risk by making it easier, cheaper and faster for news to be propagated,’ the report adds. ‘The combination of [the] 24/7 news cycle with widespread use of social media puts brands at risk for long-term negative consequences, both in public perception and in the marketplace.’ According to other recent surveys, many organisations are alert to the fact that cyber threats pose the biggest challenges when it comes to mitigating the risks of reputational damage. Sixty-six percent of respondents to the Business Continuity Institute’s 2018 Cyber Resilience Report considered reputational damage ‘the most concerning trend’ in cyber security incidents, rating it ahead of the adoption of IoT devices (54%) and cyber attacks with physical security consequences (46%). Fifty-three percent of respondents to the same survey rated a consistent PR strategy to mitigate reputational losses in the event of a cyber security incident as the third most important feature of their enterprise business continuity strategies.

POTENTIAL RISK AREA CAUSES OF REPUTATIONAL DAMAGE
European c-suite executives polled for this survey, primarily about workforce activism, responded to a range of potential damage areas that could carry a degree of reputational risk. Source: Herbert Smith Freehills Future of Work Report (2019).
[Bar chart: categories are Ethical business conduct, Corporate social responsibility, Geopolitical events, Sustainability / environmental issues, Regulatory intervention, Supply chain problems, Workforce activism, Global economic slowdown / recession and Cyber security threats / data loss; the response shares shown are 26%, 34%, 36%, 40%, 45%, 48%, 55%, 62% and 65%. The pairing of categories to percentages cannot be recovered reliably from the extracted text.]

ACTUAL EVIDENCE OF REP DAMAGE
Increasingly, the ‘cost’ of reputational damage is being factored into assessments of the total financial impact of cyber data breaches. In general terms, the cost of data breaches continues to increase year on year, according to the 2018 Cost of a Data Breach Study by Ponemon Institute (sponsored by IBM Security), with reputational and regulatory costs identified as main drivers of the increase for 2018. In 2018 the average cost of a data breach globally was €3.47m, a 6.4% increase from 2017, Ponemon Institute estimates. The study separately costed so-called ‘mega breaches’, in which 1m to 50m records are compromised, at between €35.98m and €314.84m. It is reasonable to infer that ‘indirect losses’ – which include customer churn, business interruption, and management strategies to handle the breach – were significant contributors to these large losses. Large-scale breaches (of more than 1m records) typically cause reputational damage to the affected company, which results in share price reduction and loss of customers for some period, the Cost of a Data Breach Study notes. As the Centre for Risk Studies Cyber Risk Outlook 2019 report explains, organisations should be aware that significant indirect losses can stem from reputational risk caused by data loss events. Stock price decreases and increased customer turnover following a data loss incident can cause major revenue loss. In 2018, for instance, Facebook suffered a data breach that resulted in an estimated 50m accounts being compromised. The day the breach was disclosed, Facebook’s share price fell by 3%, wiping $13bn (€11.68bn) off the company’s market capitalisation (Fortune.com). Facebook may also face a penalty if found to be in violation of GDPR.

Now, even the most redoubtable enterprise reputations are acutely vulnerable to damage following a range of cyber-based incidents.
ACCREDITATION Words | Edmund Burr Photography | Shutterstock
REPUTATIONAL DAMAGE AS AN IMPACT
Reputational damage due to an insider threat data breach constituted the greatest area of impact in this survey of IT chiefs. Source: Egress Insider Data Breach Survey 2019.

REPUTATIONAL DAMAGE AS A WORRY
After revenue loss, reputational damage was cited as the second biggest worry in this survey of IT chiefs; these two worries can prove to be interrelated. Source: Databarracks Data Health Check 2019.

[Charts: the two panels list the categories reputational damage, financial impact, intellectual property leak, customer churn, lost productivity, employee penalties, regulatory penalties, loss of revenue, loss of sales opportunities, customer dissatisfaction, none of the above, none and don’t know, with percentages between 3% and 66%. The percentages cannot be paired with their categories from the extracted text.]
insight
This excerpt from Europol’s report on organised cyber crime focuses on the economic damage inflicted by a rise in Card Not Present attacks.

Published by Europol’s European Cybercrime Centre (EC3), the latest Internet Organised Crime Threat Assessment (IOCTA) reports on key findings and emergent threats and trends in the panorama of cyber crime. It features recommendations for action and intelligence for law enforcement, policy makers/regulators and organisational leaders. IOCTA aims to inform decision-making at strategic, policy and tactical levels in the fight against cyber criminal activity, and to direct the operational focus for EU law enforcement. The 2019 edition of IOCTA highlights the persistence and tenacity of several key threats, as Catherine De Bolle, Executive Director at Europol, explains. “‘New’ threats continue to emerge from vulnerabilities in established processes and technologies,” De Bolle says. “Moreover, despite our best efforts, the longevity of cyber threats is clear, as many long-standing and established modi operandi persist. Some [past] threats remain relevant, and will continue to challenge us into tomorrow – so we must not forget to look behind us.”

BRIEFING
EUROPOL AND THE EUROPEAN CYBERCRIME CENTRE (EC3) Led by Executive Director Catherine De Bolle (pictured left), Europol is the EU’s law enforcement agency. The agency set up the European Cybercrime Centre (EC3) in 2013 to strengthen its response to cyber crime.

MORE INFORMATION IOCTA 2019 can be downloaded at: | europol.europa.eu

One such threat is Card Not Present (CNP) fraud, which is still the main priority for investigators of payment card fraud within EU Member States. One law enforcement agency respondent to IOCTA names it as ‘the single most common form of fraud’. Within CNP fraud, fraud relating to the purchase of physical goods tops the list. EU Member States often cite the purchase of (high value) electronic devices like smartphones, laptops and tablet PCs. CNP fraud is increasingly moving into other sectors such as travel (hotels, car rentals, etc.), postal services and gift cards. Fewer cases have been reported to law enforcement since there is not yet the same level of awareness as in, for instance, mainstream e-commerce.

Cyber crime has now become more audacious, and shifted its focus to larger, more profitable targets.

The source information required to execute CNP fraud generally seems to originate from data compromise, IOCTA reports. The Magecart group, which Europol explains comprises at least six distinct cyber criminal groups operating independently, came to notoriety throughout 2018, a year when several prominent companies suffered huge data breaches. The groups exploit a common attack vector: they target shopping cart platforms or third-party services used by e-commerce websites, injecting code that skims sensitive customer data as it is entered, a technique usually known as ‘formjacking’. Magecart attacks have hit almost 17,000 e-commerce websites since April 2019; in that campaign the criminals exploited Amazon Web Services (AWS) S3 storage buckets that website owners had inadvertently misconfigured. More interestingly, Magecart attacks now target smaller vendors that supply functionality services to large enterprise websites, including analytics, browser display requirements, social media, marketing and chatbots. This means that when the code from one of these vendors is compromised, the compromise affects every website that embeds that vendor’s script.

CREDIT CARD FRAUD SHIFT EVIDENT
This also connects to the increasing threat and growing concern with respect to supply chain attacks. The European Central Bank also recognises the ‘ongoing shift of fraud from the card-present to the CNP environment’. Data seems readily available: reportedly, 23m stolen credit cards were for sale on the Dark Web in the first half of 2019. With all this data available and accessible to criminals, the focus ought to be on monitoring and detection of accounts to curb the number of frauds and the amount of damage. From that perspective, the European Central Bank notes how ‘the market has started to develop a plethora of fraud prevention and detection security tools with the objective of bringing online fraud rates down’.
INTEGRATION OF FRAUD TECHNIQUES At the same time, criminals expand their existing repertoire of methods as companies’ prevention and security measures improve. One relatively new development, for example, is a ‘Crime-as-a-Service’ facility in which cyber criminals provide a platform of bots that carry a victim’s real digital ‘fingerprint’: cookies, saved passwords and other personal information, including bank and payment details. These ‘fingerprints’ contain everything needed to improve the odds of evading companies’ detection mechanisms, notably those of e-commerce sites. Criminals obtain the ‘fingerprints’ either in real time or by having the bot scrape them from the user’s device. The platform offers a simple, user-friendly interface that lets other criminals assume a different digital identity. This makes fraud much easier to commit than buying compromised credit card or account details and thereby risking detection by standard security measures. Whereas law enforcers tend to discuss CNP fraud purely from a financial perspective, this type of crime also facilitates other illegal activity. Examples include illegal immigration, people smuggling and, more specifically, Trafficking in Human Beings: criminals buy plane tickets, book hotels and rent cars with compromised credit card credentials, combining CNP fraud with forged identification documents. Indeed, cyber criminals’ increasing use of complex schemes in which cyber crime plays a supporting role is one of the main challenges for Europol and its partners.
Cyber crime across Europe continues to mature and to grow bolder, shifting its focus to larger and more profitable targets, adds Europol’s Executive Director, Catherine De Bolle: “To tackle it, law enforcement must be equally audacious in order to meet the challenge head-on.”
EUROFOCUS
cybersecurityeurope
IRELAND As one of the EU’s most digitally developed states, Ireland’s economic standing depends on an IT security strategy that punches above its weight.
THE REPUBLIC OF IRELAND RANKS ITSELF AMONG THE FOREMOST EUROPEAN UNION (EU) MEMBER STATES IN TERMS OF UPTAKE AND USE of digital technologies. There is no doubt that Ireland has gained significantly from its EU status: the development of the pan-European data exchange system, its geopolitical location and its open economy have all contributed to the country’s position as host to a major share of Euro-centric data and economic activity. That success has, unsurprisingly, made Ireland a prime target for cyber threats bent on hacking into its enterprise information systems, financial deposits and critical national infrastructure. Despite increased levels of security awareness over recent years, cyber crime incidents in Ireland are on the increase: 61% of Irish organisations report having suffered cyber crime in the last three years, up from 44% in 2016, and the attack rate is now double the global average (31%), according to PwC’s Irish Economic Crime Survey 2018, with an estimated average loss of €3.1m. The country is also subject to attack by nation-state threat actors. The Irish Independent reported that the North Korean hacking group known as Lazarus carries out ‘almost daily’ cyber attacks on Irish banks and utilities, according to Symantec. According to a report on Independent.ie, investigators believe the cyber raid carried out against Meath County Council, the local authority for County Meath, in October 2016 originated in North Korea. In total some €4.3m was stolen in the Business Email Compromise attack on the Council, but the money was later recovered from a Hong Kong bank through action by the Garda Computer Crime Bureau, Europol and Interpol. The Council later confirmed, however, that the recovery effort itself cost €120,964.

Another high-profile Irish attack was directed at EirGrid, the company that operates Ireland’s electricity grid. EirGrid was targeted by state-sponsored attackers in April 2017, leaving its network exposed to further attack. Using IP addresses in Ghana and Bulgaria, the attackers gained access to a Vodafone network used by EirGrid in the UK, the Irish Independent reported in August 2017. Following that initial breach, the attackers compromised the routers used by EirGrid in Wales and Northern Ireland, installing a ‘virtual wiretap’ that gave them access to all unencrypted communications sent to and from the companies. The hack came to light after a tip-off to EirGrid from Vodafone and the UK National Cyber Security Centre. PwC’s Irish Economic Crime and Fraud Survey revealed that the rate of economic crime in Ireland has increased significantly since the previous (2016) survey: 50% of Ireland-based respondents reported being victims of fraud or economic crime, up from 33% in 2016. More fraud is being detected, but more fraud and economic crime, cyber crime specifically included, is also being committed, PwC’s research found.

CYBER IRELAND CLUSTER MUSTERS... Launched in May 2019, the Cyber Ireland initiative is hosted by the Cork Institute of Technology (CIT). This national cluster aims to represent the needs of the sector in Ireland and includes stakeholders from business, industry, academia and government. Its stated aims are to encourage co-operation, raise awareness of education and career opportunities, drive innovation and stimulate new business in the Irish cyber security sector. CIT has secured two years of funding from the foreign direct investment agency IDA Ireland to establish and develop the cluster, and has drafted a seven-phase structured programme to support this aim. | cyberireland.ie | cit.ie
Given the detrimental impact this could have on Ireland’s attractiveness to foreign investors as a safe place in which to conduct business, its minority coalition Government has since 2017 redoubled its efforts to make the country more cyber resilient and security conscious. The Irish Republic’s first National Cyber Security Strategy (NCSS) was published in 2015. It set out a roadmap for the development of a National Cyber Security Centre (NCSC) for Ireland, and a series of measures to better protect Government data and networks and critical national infrastructure. Since then the NCSC’s activities have grown in scope and capability, and the transposition of the EU Network and Information Security Directive (NIS Directive), which places security and incident-reporting obligations on operators of essential services and digital service providers, has further consolidated Ireland’s cyber defences.
GREATER GOVERNMENT ACTION PLAN In December 2019 Ireland’s Department of Communications, Climate Action & Environment published an updated and expanded NCSS, which outlines how the Government will continue to secure the country’s ICT and associated infrastructure. “Ireland’s digital economy contributes 5% of national GDP and provides employment for more than 100,000 people. [Therefore] protection of data, sustained investment and the continuance of reliable, functioning ICT, and of the Internet, are priorities for us,” as Alex White, the Minister for Communications who launched the first strategy, put it. “This Strategy [outlines] how Ireland addresses cyber threats and protects against them.” With more than 6,500 people employed in the cyber security sector itself, the industry is already a key part of Ireland’s technology sector, both in its own right and as an enabler of investment in related sectors. ‘Sustaining and building on this success is an essential part of ensuring future economic growth and high value jobs, and also ensuring that a cyber security “ecosystem” with adequate critical mass exists in the State,’ the Government has said. Ireland is among the leading EU Member States in terms of the uptake and use of digital technologies (7th of the 28 Member States in the European Commission’s Digital Economy and Society Index 2019). In practical terms, this means the country acknowledges, arguably more than most EU states, that internet technology and connected devices have ‘played a central role in delivering and enabling Ireland’s economic success’. Ireland is the location of the European headquarters of many of the world’s largest technology vendors: an estimated 700-plus US companies now have significant operations there, including knowledge-economy players such as Dell, Facebook, Google, HP (Hewlett-Packard), IBM and Intel. Its economic success is therefore closely bound up with its capability to provide a secure environment in which these companies can operate. Data centres are the early 21st century powerhouses of digital growth, and by some estimates Ireland hosts 25%-30% of all EU data. Critically, the evolution of cloud-based enterprise IT delivery models has had profound implications for Ireland’s data centres. Rather than being ‘passive’ repositories of data, many are now home to live, mission-critical operational software environments. ‘An outage or incident affecting one of those facilities could therefore have immediate disruptive effects on infrastructure or business across the EU or globally,’ the NCSS has warned.

FOCUS
KEY ELEMENTS OF A CYBER SECURITY PROGRAMME PwC’s survey shows that 75% of Irish organisations operate cyber security programmes to combat cyber attacks, compared with 59% globally. This demonstrates that Irish businesses are investing in multifaceted strategies to counter cyber threats. However, it remains critical that organisations can also measure how effective these defensive programmes are, and can track their success through metrics that are meaningful to the entire organisation, PwC says.

GOVERNANCE                                                  IRELAND   GLOBAL
Cyber security policy                                          83%      65%
Training / monitoring for staff related to cyber security      69%      46%
Designated chief information security officer                  61%      38%
Cyber security personnel and training                          58%      49%
Cyber security-relevant data retention policy                  53%      38%
Third-party information security policy                        50%      37%
Regular executive-level incident response testing              31%      21%
A cross-functional cyber-governance committee                  17%      14%
Source: PwC Irish Economic Crime Survey 2018
CYBER SECURITY ‘OUTREACH’ INITIATIVES As an offshoot of the NCSS, the Government of Ireland has also established the National Security Analysis Centre (NSAC), which will work across Government to support a coherent approach to assessing, understanding and addressing national security challenges, resulting in enhanced strategic advice for Government. Additionally, Ireland intends to reinforce its diplomatic reach in cyber security by assigning ‘Cyber Attachés’ to key diplomatic missions. The Government also plans to deepen Ireland’s engagement in international organisations dealing with the full range of issues that arise under the NCSS. As such, Ireland will join and play a full part in the NATO Co-operative Cyber Defence Centre of Excellence (CCDCOE), based in Tallinn, Estonia. This is a NATO-accredited group of international experts drawn from more than 25 nations; the international military organisation focuses on interdisciplinary research and development, as well as training courses and cyber field exercises. In October 2019 the Irish Ambassador to Estonia, Frances Kiernan, visited the Centre to submit the Letter of Intent and thereby start the accession process. “With its strong digital economy, Ireland is a country that is very much aware of the security risks in cyber space,” said Colonel Jaak Tarien, Director of NATO CCDCOE. When its application is ratified, Ireland will join Austria, Finland and Sweden as a Contributing Participant, the status given to non-NATO nations.
ACCREDITATION Words | Jim Meyers Photography | Shutterstock, EirGrid
FEATURE
Understanding the revolutionary shifts in Business Continuity Planning is key to understanding the changing nature of enterprise cyber risk.
AS A PROCESS, BUSINESS CONTINUITY PLANNING CONCERNS THE CREATION OF SYSTEMS OF PREVENTION AND RECOVERY TO MANAGE LIKELY THREATS to an organisation. Such systems can be designed to deal expediently with a wide range of threat types other than cyber; but increasingly, Business Continuity plans are put in place with cyber exigencies foremost in mind. As well as prevention and defence, the aim of a Business Continuity plan is to enable ongoing operations before and during the commencement of Disaster Recovery. The terms ‘Business Continuity’ and ‘Disaster Recovery’ are sometimes used synonymously, but in fact they apply to two distinct processes. Business Continuity has the wider scope: it refers to the procedural actions that an organisation’s chief officers take during a disastrous disruption to normal operations, to ensure that routine operations continue even as the disaster unfolds. Disaster Recovery should be deemed a subset of the Business Continuity plan; it involves the restoration of critical ICT support systems and getting them back to normal running as fast as possible. Although different, both types of plan should be harmonised and, to an extent, integrated. Business Continuity plans should scope any event that could negatively impact operations, such as cyber attack, supply chain attacks, loss of or damage to critical infrastructure, natural disasters (floods, storms) and other emergencies such as fire. As such, a Business Continuity plan is itself a subset of enterprise risk management; however, some theorists are inclined to see both the Business Continuity and Disaster Recovery processes as further subsets of an overarching Cyber Resilience Strategy. Most larger organisations, especially commercial entities, would now have a Business Continuity Officer (or even a team dedicated to the role) in place, although the role may not carry c-suite-level power; small-to-medium enterprises (SMEs) will not usually have a dedicated member of staff assigned to Business Continuity responsibilities. Into the 2020s, it seems inevitable that as senior executives acquire greater responsibility for cyber governance, they will also be drawn into c-suite-level discussions about Business Continuity planning. Their input is in any event essential when it comes to determining Business Continuity parameters such as the Maximum Tolerable Period of Disruption (MTPD): that is, how long an organisation could survive without its crucial IT systems. These are questions that information technologists are usually not best placed to answer.

The term ‘Business Continuity’ has become something of a tech buzzword, but it has acquired much deeper relevance as more organisations undertake a process of Digital Transformation. A shift to cloud-based platforms is key to such transformations. On-premises IT infrastructure, where an organisation owns its IT assets in facilities it owns or leases, is prone to physical harm such as flood or fire; but rather than feel more confident about the safety of their applications and data once they have moved away from it, organisations could be argued to have swapped one set of vulnerabilities for another. For some senior executives, involvement in Business Continuity Planning will provide important insights into the way their organisation’s IT requirement is provisioned and managed. A white paper from market analyst IDC (The State of IT Resilience, sponsored by Zerto) points out that many senior executives have never dealt with the intricacies of data availability and continuity until they are faced with a Digital Transformation initiative that changes the way business-critical applications and data are accessed. With the move to public cloud services, additional external and internal parties beyond the incumbent IT department are added to the governance mix. With that, a greater share of application ownership and management is offloaded from IT onto the business owners and the service provider, and responsibility for the availability and continuity of the data and applications is spread among those additional parties. The complexity of this task ‘requires a rethinking of what it means for an organisation to protect and recover business-critical data’, IDC says, in a climate where ‘transactions, intellectual property, and the nature of business are increasingly digital’. It also extends the range of stakeholder interests that a Business Continuity plan must cover, including those of stakeholders on the board or in the c-suite.

BRIEF
BUSINESS CONTINUITY PLANNING MARKET VALUE 2020-2029 According to forecasts from Persistence Market Research, the Business Continuity Planning solution market will grow at a CAGR of ~13% between 2020 and 2029, and is estimated to reach a global value of ~€1.44 by the end of the 2020s.

Most users find out about cyber security incidents from the IT department (66%) or virus notification software (43%), which is also IT managed; the other sources charted are website failure, supplier notification, customer notification and ‘other’. Source: BCI Cyber Resilience Report 2018.

IT teams have become less responsible for the BCP (roles charted: IT manager, IT director, business continuity manager, operations manager, financial director, managing director/CEO, don’t know, other). There is an increase in FDs, CEOs and MDs who now take on the responsibility. Source: Databarracks Data Health Check 2019.
INCIDENT COMMUNICATION AND SPEED OF RESPONSE Speed of response to a disruptive or offensive incident has emerged as a critical aspect of Business Continuity plans. With a cyber attack, for instance, the faster an organisation responds, the more limited the damage to business operations will be. This calls for a communication plan to be central to the overall recovery scheme. Organisations need to determine who bears responsibility for communicating information about a cyber attack, and how it will be delivered. The Business Continuity Institute’s Cyber Resilience Report 2019 (produced with the support of Sungard AS) indicates that 66% of respondents found out about their most recent cyber security incident from the IT department; a further 43% were informed via virus notification software, also likely to be managed by the IT department. Thus, as the report’s data highlights, technology experts play a central role within an organisation, and they also carry a clear responsibility to communicate possible breach incidents to other teams in a timely and effective way. The Business Continuity Institute acknowledges that this communication responsibility is challenging, as shown by previous industry research, which reveals that most IT leaders do not believe they communicate with the rest of their organisations in a ‘highly effective’ manner. More challenged still are organisations where the c-suite insists that news of incidents must be approved by nominated senior executives before it can be forwarded to the ‘rank-and-file’ workforce. Delays of minutes could mean the difference between a multi-strike phishing attack succeeding and its being contained as soon as the initial victims realise what has happened and alert colleagues in IT; co-workers who were away from their desks when the warning went round may otherwise take the phishing bait too, and the attack spreads further. The Business Continuity Institute’s Cyber Resilience Report found an improvement in response times: 38% of organisations surveyed reckon they can respond to a cyber security incident ‘within one hour’, compared with 33% in 2018. However, 14% still take more than four hours to respond, similar to 2018’s 16%. Response periods differ according to the nature of the cyber threat. With malware, for example, fast reaction is key to reducing the ‘dwell time’, the period from the moment of infection to the point at which the malware is halted. The Business Continuity Institute suggests that a Business Impact Analysis can help determine the Maximum Tolerable Period of Disruption (MTPD), also called the Maximum Acceptable Outage (MAO), that a cyber attack could cause. The Business Continuity Officer or team can then use these metrics to set the target recovery time, or Recovery Time Objective (RTO), which must sit inside the MTPD. As noted, organisational responsibility for Business Continuity Planning has traditionally fallen to the IT function; but a gradual shift is underway. Databarracks’ annual Data Health Check survey, which questioned more than 400 IT decision-makers, found that c-suite-level executives now oversee Business Continuity plans at 25% of organisations in the UK, up from 21% in 2015. Meanwhile, IT leaders oversee Business Continuity plans in 42% of organisations, against a figure of 27% in 2015. Seventeen per cent of those polled report that ‘IT managers’ are in charge of the process, down from 22% in 2015.

‘Business Continuity [has now become] a consideration for leaders across the entire [organisation], and not just the IT department,’ the Data Health Check concludes. ‘It is fine for [the IT directorate] to be involved, certainly; but the overall direction should come from management in the wider business. This is the best way to ensure that Business Continuity plans are effectively implemented and embedded throughout the [organisation].’ The report also adds that ‘more c-suite executives and other business leaders are taking control… CEO involvement is fairly strong at 25%, but only 10% said that the CFO is involved… It is important that a wide range of people – including IT leaders – are involved in Business Continuity plans – but we’re still not seeing enough buy-in from the c-suite. The pace of change remains slow.’ It is worth bearing in mind that, as Databarracks’ Data Health Check 2019 notes, larger companies generally have a dedicated Business Continuity manager (or even team); SMEs will not normally have a dedicated member of staff who handles Business Continuity issues.

These figures show that Business Continuity Planning has a central role in a cyber resilience strategy and how its key benefits stack up (benefits charted: ensure faster recovery, help detect attacks at an early stage, PR strategy to mitigate reputational losses, mitigate financial losses, reduce likelihood of human error, and ‘BCPs are not very effective’). Source: BCI Cyber Resilience Report 2018.

Who is involved in creating the BC plan (roles charted: board, business continuity manager, department heads, financial director, CEO, CFO, CIO, IT director, IT manager, don’t know, other): small increases for IT Directors, CIOs, CFOs and CEOs; in 2015, more people across different roles were involved in creating the BC plan. Source: Databarracks Data Health Check 2019.
ACCREDITATION Words | Edmund Burr Photography | Shutterstock
FEATURE
What are the best practices for a cyber-committed board or c-suite? And what more can senior execs do to maximise their role value in cyber governance?
WHEN SECURITY AND RISK LEADERS MAKE CYBER SECURITY ‘BUSINESS RELEVANT’, THE CYBER-COMMITTED CEO AND BOARD OF DIRECTORS become ‘engaged, not just involved’. This point, which informs the principal message of Accenture’s briefing document The Cyber-Committed CEO and Board (2017), has resonated louder in recent years than when it was first published. However, an organisation’s cyber-committed senior executives now have to ramp up those levels of engagement if the organisations they lead are not to be continually weakened by a bifurcated vision of how business and security exigencies leverage each other’s strengths. In most European organisations the c-suite is accountable for the full range of its decisions, and ‘plausible deniability’ (the ability to deny knowledge of, or responsibility for, damnable actions committed by others in a hierarchy because no evidence confirms one’s participation) is no longer an excuse. Board directors and senior managers should include potential and evidenced cyber threats and solutions in corporate governance debates, as they seek to understand and manage the business impacts that incidents bring.
FOCUS
IT’S GETTING CROWDED IN THE C-SUITE (ONLY ONE OF THESE JOB TITLES IS FAKE)... Chief AI Officer; Chief Brand Officer; Chief Chief Officer; Chief Joy Officer; Chief Knowledge Officer; Chief Love Officer; Chief Mindfulness Officer; Chief Paradigm Officer; Chief Reimagination Officer; Chief Value Officer; Chief Visionary Officer; Chief Wellbeing Officer.
FOCUS
EXECS ‘BIGGEST TARGETS’ Board and c-suite executives who have access to their company’s most sensitive information are now the major focus for social engineering attacks by criminals.
According to Verizon’s latest Data Breach Investigations Report, organisational leads are now 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches, than in previous years; financial motivation remains the key driver. “A successful attack on senior executives can reap large dividends as a result of their (often unchallenged) approval authority, and their privileged access into critical systems,” explained Verizon in a statement. “Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next – or have assistants managing email on their behalf. This makes suspicious emails more likely to get through.” The increasing success of social attacks such as those involving Business Email Compromise (BEC) – which represent 370 incidents or 248 confirmed breaches of those analysed in the Data Breach Investigations Report – can be linked to the ‘unhealthy combination’ of a stressful business environment and a lack of focused education on the risks of cyber crime, the report suggests. (See also the article on BEC in Cyber Security Europe, Autumn 2019 issue.) MORE INFORMATION | enterprise.verizon.com/resources/reports/dbir
Chief officers also have to proactively educate themselves about cyber security issues, rather than sit back and wait to be briefed by IT security confreres at quarterly meetings. They are fortunate in that they now have more executive-friendly sources of security information at their disposal than they previously had. “When a cyber attack hits, you are potentially faced with an existential crisis that you’ve never faced before,” says a chairman quoted in the 2019 AON/FT review, Safeguarding Value in the Era of Cyber Risk. “You cannot underestimate the human response to such an incident, a situation that will change constantly and requires a great degree of flexibility in crisis-response plans. The board and executive are on such high alert that it’s difficult to stay within a rigid structure.” Introduced in May 2018, the EU’s General Data Protection Regulation – GDPR – has also had an important effect on the improvement of c-suite awareness of cyber issues, according to another quotee in the AON/FT review: “GDPR has made companies really understand their [ICT] systems,” they said, “and [improved] their internal understanding of the impact of cyber threats… As a process, [GDPR] has [also] allowed the acceleration of knowledge at the c-suite level.” C-suite involvement in cyber governance and defensive decision taking will not, perforce, result in a comparatively short-term improvement in a typical organisation’s cyber defensiveness. And while 79% of directors questioned last year (2019) by BDO’s annual Cyber Governance Survey claim they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight: 72% of board-level respondents confirmed the board is more involved with cyber governance than it was in the 12 months prior to the survey. The Cyber Governance Survey also found that as boards become more involved in cyber security decisions (especially due to regulatory changes and reputational damage concerns), the ‘cadence of reporting on cyber security is increasing’: 32% of senior execs polled report that they are briefed at least quarterly on cyber security, while 54% are briefed at least annually. However, 9% of boards indicate they are still ‘not being briefed on cyber security at all’. During the initial four years BDO conducted the Cyber Governance Survey, the percentage of directors reporting no cyber security briefings dropped consistently; during the 2018-2019 year, that number ‘held steady’.
The reasons why nearly 10% of c-suites/boards are not in scheduled communication with their IT security personnel are less clear, especially given that the individuals involved now bear professional culpability for both regulatory compliance and legal liability in the event of a successful cyber attack against their organisations. It is possible that some c-suites/boards feel so overstretched by other demands that they have marginalised their interest in cyber security, or do not regard it as a business reality priority. There is no doubt that assuming greater responsibility for cyber governance constitutes an additional imposition on their schedules. Grant Thornton’s Cyber Security: The Board Report (2019) points out that the impact of regular cycles of cyber attacks ‘places a huge burden’ on the senior executive, especially those who have designated roles in the business continuity and incident response plans. During serious incidents, typically the CFO, the CIO and the CLO/General Counsel commit 100% of their time until the crisis is resolved, and the CEO around 50% of their time. Vital response activity may last for weeks, and cause chief officers to postpone important appointments and other work.
Companies and organisations that appoint a specific c-suite/board member for cyber security suffer lower average losses in the event of successful attack. Source: Grant Thornton Cyber Security: The Board Report (2019).
Chart: which c-suite/board role holds the cyber security responsibility (%)
Chief Information Officer (CIO): 31.2
Chief Technical Officer (CTO): 23.3
Chief Executive Officer (CEO): 15.9
Chief Financial Officer (CFO): 15.3
Chief Strategy Officer (CSO): 8.5
Managing Director or chairperson: 3.2
Unknown or not sure: 2.6
EXECUTIVE CYBER RESPONSIBILITY IS EXTRA BURDEN
‘The knock-on impact is considerable,’ Cyber Security: The Board Report points out. ‘Decisions are delayed, and plans are put on hold as senior leaders’ attention is diverted away from their day jobs. The effect spreads across the organisation: employees lose confidence in the leadership team and pride in the organisation’. In its commentary, Grant Thornton recommends that enterprise cyber security be made the responsibility of a specific board member in order to ‘stop cyber risk management slipping through the net’. Its research indicates that organisations which appoint a specific c-suite/ board member to this role ‘suffer lower average losses in the event of successful attack’ than those that do not do so. In Grant Thornton’s client experience, organisations most frequently choose the CIO or CTO to fulfil the role (as the IT security lead, the CISO is likely to be committed to the front-line remedial activity). Yet, in its view, it is worth considering a different board member, one without any particular technology specialism. ‘The CFO (Chief Financial Officer) would be a good choice,’ Cyber Security: The Board Report states. This is because ‘in most mid-market companies, it is the CFO who is typically responsible for the risk. Making cyber security their responsibility underlines the fact that cyber risk is a business risk, like any other, that needs to be managed’. A further advantage, Cyber Security: The Board Report says, is that in business, there is often a natural tension between operational targets and cyber security targets: ‘Should the priority be to minimise interruption to operational systems (and therefore limit or delay software updates)? 
Or should maximum security be the priority, even if frequent updating means users cannot access business systems for hours or sometimes days?’ A board member who is neither the COO nor the CIO has the benefit of a degree of distance from the debate and is perhaps positioned to find a better balance, Cyber Security: The Board Report observes. UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) study Considerations for Effective Oversight of Cyber Risk (2019) is one of the first to focus on questions around how boards of directors should oversee cyber security risk for large global organisations. The study found there is no single governance ‘playbook’ for cyber that can be applied across sectors and risk profiles. It determined that cyber security risk requires ‘a different, more dynamic governance model than is common among boards for handling other risks’, a mindset the study defines as ‘resilient governance’. Boards feel a ‘deep sense of urgency to exercise a central role in improving cyber security postures and outcomes’ for their organisations, the study reports. This attitude is appropriate, because by most common measures cyber security problems are ‘morphing and mounting in importance faster than they are being solved or managed’, the study adds. The CLTC and Booz Allen Hamilton study also found that there are in fact significant differences in what directors mean when they assert that cyber has become ‘a board issue’; notwithstanding, cyber security will unquestionably remain a c-suite/board-level issue for the foreseeable future, it concludes. The study also revealed some anomalies that highlight a slight susceptibility on the part of cyber-aware c-suites and boards to absorb and regurgitate buzz-terms. A proportion of the study’s interviewees began by asserting that cyber security is now an ‘existential risk’ – generally taken to mean a fundamental hazard to the continued existence of their enterprises. ‘Surprising,’ the report says, ‘because it is very hard to identify a major firm or government organisation that has ceased to exist as a result of a cyber attack’.
ACCREDITATION Words | James Hayes Photography | Shutterstock
sign-off
cybersecurityeurope
Here we highlight two of the standout practitioner presentations from the many that will be delivered at the Cloud & Cyber Security Expo conference. ON 11 MARCH, VIKTORAS DAUKŠAS OF DEBUNK.EU WILL EXPLAIN HOW ARTIFICIAL INTELLIGENCE (AI) IS BEING USED TO SPOT AND COUNTER RUSSIAN DISINFORMATION campaigns. The following day Martyn Coupland of Virgin Atlantic will talk about how he has steered the airline toward success in the art of DevOps, a technical and cultural philosophy that can be a little obscure to the uninitiated; there was a time when Martyn also struggled to embrace the new way of working DevOps demands. Both presenters promise key insights into their specialist areas. COUNTERING RUSSIAN DISINFORMATION Viktoras Daukšas, Head of Debunk, Debunk.eu Misinformation campaigns have long been used by hostile states against enemies and competitors, yet within the past few years the problem of ‘fake news’ has grown dramatically in scale. Facilitated by social media, it is easier than ever to spread lies and confusion online. But concerned citizens are starting to take a stand – and they are using AI to help. Viktoras Daukšas likens the problem to a contagion: “Disinformation, as with any contagious disease, can actually touch everyone personally. Countermeasures are key to prevent the spread of the virus.” Daukšas argues that Artificial Intelligence is an important corrective in the treatment of this ‘illness’, as he will explain in his forthcoming Expo address. 11 March 2020 | 15:45-16:10 MAIN STAGE EVENT
SECURING THE DEVOPS LANDSCAPE Martyn Coupland, DevOps Technical Lead, Virgin Atlantic With DevOps, many still question the security of our tools and also our processes. In this session Virgin Atlantic’s Martyn Coupland will look at the common challenges, questions and solutions when it comes to securing your DevOps investments. How has DevOps evolved over the last few years? According to Coupland, the biggest shift he has seen is that many strategists now view it as a means of optimising for speed, rather than as a way to ‘optimise on costs’. Savvy organisations increasingly recognise that DevOps is best deployed when optimised for speed, as “speed and value are increasingly the main drivers to getting products to customers before competitors”, he believes. 12 March 2020 | 15:45-16:25 THEATRE 13
CLOUD & CYBER SECURITY EXPO 2020 CONFERENCE Cloud & Cyber Security Expo leads the way in delivering a conference programme of top speakers, case studies, solutions-focused content – plus a huge exhibition of providers – so you can stay safe in a hostile digital space.
DETAILS | For more information about the expo: cloudsecurityexpo.com
<< ALL EDITIONS NOW ONLINE >>
OPEN ACCESS TO ALL PAST EDITIONS – PRINT AND DIGITAL – NEWS AND FEATURES
Cyber Security Europe’s extensive back catalogue is a valuable reference source of cyber insight and analysis that you will return to again and again – and it’s all just a couple of clicks or taps away!
| cseurope.info/editions
FOR ALL YOUR EVENT AND EXHIBITION PUBLISHING REQUIREMENTS
ONLINE, DIGITAL AND PRINT EDITING ● DESIGN ● ADVERTISING SALES ● PROJECT MANAGEMENT ● INTERNATIONAL
WORLD SHOW MEDIA Tel: +44 (0) 208 160 6464 | Fax: +44 (0) 845 862 3433 | Website: worldshowmedia.net For all corporate enquiries | corporate@worldshowmedia.net
Support business innovation while managing risk, with intelligent cybersecurity A multicloud strategy offers clear business and technology benefits. More and more, you’re likely to be transitioning your processes, applications, and workloads to the public cloud. Yet, adopting it without a holistic cybersecurity strategy could leave your business exposed. At NTT, we can architect and build a cybersecurity strategy, processes, and tools across your entire multicloud environment – and supporting IT infrastructure. We’ll minimize the risk to your business and ensure you remain compliant.
Visit us at Cloud Expo stand C1210, or visit hello.global.ntt for more information.
Copyright © 2020 NTT Ltd.
Secure infrastructure
Secure workplace
Secure the digital business
Secure multicloud
Secure OT and IoT
Predictive threat intelligence
Manage risk and compliance