By Russ Banham
Prepping for the next big cyberattack is business as usual across global enterprises. Since cyber criminals are always conceiving insidious new ways to penetrate IT systems and networks, the best defense is several lines of defense. These defensive tactics are both physical and organizational.
The reason is that no two cyberattacks are alike, each cleverly crafted to achieve specific aims—from a data breach to a disruption in business operations. “Knowing why you are likely to be a target and where your vulnerabilities exist provides insight for information security teams to prioritize their resources,” says Josh Reid, a principal within the consulting group at the international public accounting, consulting and technology firm Crowe.
Here are four cyber-risks that should be on every company’s radar—some well-known and others under-appreciated—followed by recommendations by Crowe on establishing the best lines of defense.
1) Data Breaches
It’s every chief information security officer’s (CISO) worst nightmare—a cyberattack in which hackers obtain access to private customer information like names, birth dates and credit card and social security numbers. If this data is compromised, erosions in consumer trust, brand reputation and investor confidence are possible.
Tossing salt on the wounds are punitive fines for a data breach from regulations in Europe and California. Effective January 1, 2020, violations of the California Consumer Privacy Act (CCPA) can result in civil penalties of up to $7,500 per infringement. Failing to address the European Union’s General Data Protection Regulation (GDPR) could result in gulping fines of up to 4% of a company’s annual worldwide revenue, up to a maximum of 20 million euros ($22.23 million).
2) Ransoming Sensitive Information
Cybercriminals are always au courant. They are well aware that investors are increasingly concerned over companies’ reputational risks, such as poor environmental sustainability practices and reported employee ethics violations. They also know that these reputational events could have a material impact on the organization’s share value. Hence, hackers continually scour IT networks and systems looking for evidence of such corporate fallibilities. If discovered, a ransom may be demanded to keep a lid on the bombshell information. Even an inference that something is untoward can be a persuasive means of extorting money.
3) Acquired Liabilities
Cyber-risks also may emerge following the acquisition of a company with poor cyber-security practices. Businesses wanting to increase market share or expand geographically buy not only a target company’s assets and capabilities but also its cyber-security practices—or lack thereof. Assuming the latter, the buyer’s susceptibility to a cyberattack that disrupts operations or results in a data breach is heightened. Once the deal concludes and the two organizations merge IT systems, one company’s vulnerabilities become the other company’s vulnerabilities.
4) Third-Party Problems
It’s not only acquired companies that may inadvertently open the door to a breach of private consumer data, sensitive information and intellectual property. More common are the cyber-risks posed by suppliers, contractors and other vendors with access to IT systems and data to provide critical products and services. Infiltration of third parties by hackers was a worrisome trend in 2018, resulting in the breach of 1.68 billion consumer data records, according to the Identity Theft Resource Center.
How To Establish A Strong Defense
To barricade an organization against the slings and arrows of hackers, Crowe recommends creating sound cyber-security practices throughout the organization across the following four lines of defense.
The First Line
Employees are a company’s first line of defense against a cyberattack. “They’re your boots on the ground—the eyes and ears of the organization when it comes to identifying cyber-risks, complying with cyber-security policies and promptly reporting what appears to be a cyber incident,” says Reid. “Many breaches occur because employees fail to recognize a phishing attempt from a hacker, such as a legitimate-looking email with a corrupted attachment. On the other hand, many breaches are avoided when employees are adequately trained to spot a phishing attack and report it to the company’s information security team before opening the attachment.”
The Second Line
Business functions such as information security, compliance, data privacy and legal counsel are the second line of defense against a cyberattack. These go-to subject matter experts are responsible for establishing policies and procedures to prevent, detect and respond to cyber incidents, protecting what many would consider an organization’s most valuable asset—its data. A company’s CISO typically collaborates with these functions to ensure a cohesive management response to cyber-security risks.
Reid advises that companies involve the CISO early on when making strategic business decisions related to growth opportunities, such as acquisitions, geographic expansion and market diversification. “The CISO can identify the cyber-risks that may result from the growth opportunity and the controls needed to mitigate these threats,” he says. “Many board members and executives tend to focus solely on growth and lose sight of the cyber-risks that can adversely affect the outcome.”
Many CISOs are experiencing difficulties balancing business growth with limited financial resources to manage their cyber-security programs. While they’re expected to protect the company’s data, funding for cyber-security has not kept up with the increase in cyber-risks. “CISOs have to scratch and claw for every dollar for their program in many cases,” Reid says.
The dollars they do receive are tough to prioritize, sometimes resulting in the misallocation of funds for cyber-risk remediation. “CISOs have limited budgets and must be very careful where they spend their money,” Reid says. “Many CISOs also are managing the organization’s cyber-risks through highly manual processes and inadequate technologies, resulting in poor risk management practices and significant mis-allocation of funds for remediating cyber-risks.”
To address these challenges, Crowe leverages cyber governance, risk management and compliance (GRC) software enabling a CISO to work with business stakeholders to manage the organization’s cyber-risks through real-time reporting and automation. “Through our technology partnerships and consulting services, we can help companies better understand their financial exposure to cyber-risks,” Reid says. “For instance, based on all the data a company manages and potential attack scenarios, we can help a company understand whether a data breach will cost them $10 million, $50 million or more, and most importantly, which controls best reduce these exposures.”
This analysis can help the CISO determine where to prioritize information security resources to build the most formidable lines of defense.
The Third Line
Internal audit is the third line of defense against a cyberattack. While the lack of communication and collaboration between the second line of defense and internal audit is an ongoing and pervasive challenge, many companies are beginning to understand the benefits of increased collaboration between these critical areas. Reid advises that companies consider the use of a centralized GRC platform to share information across lines of defense to successfully manage their cyber-risks. “This way internal audit, information security and other risk management functions can evaluate cyber-risks from a variety of perspectives to prioritize their activities and reduce unnecessary costs,” Reid says.
The Fourth Line
The fourth line of defense includes external audit and regulatory bodies. By understanding how a company leverages technology to support its business operations, external auditors and regulators can spot cyber-security deficiencies and pass on these findings to the CISO. “A good external audit firm will perform a thorough evaluation of a company’s implementation of its cyber-security controls,” Reid says. “The firm or a regulator will request information related to the company’s cyber-security program and associated risks and controls. Having this information stored within a centralized GRC software platform allows for it to be provided in a timely manner, greatly reducing the cost of the external audits and regulatory exams.”
Cyber-risks are increasing daily and are a topic in nearly every board room. But through sound cyber-risk management practices, proper investments in GRC software platforms and appropriate allocation of funds, companies can be better prepared to barricade the fort.
Russ Banham is a Pulitzer-nominated financial journalist and author.