Managing Cybersecurity Risk: Cases Studies and Solutions

Part One

Cybersecurity in the Information Age

1.1 BUILDING BUSINESS RESILIENCE

Nick Wilding, AXELOS RESILIA

INTRODUCTION

This chapter contends that a missing key in the creation and growth of a truly cyberresilient organisational culture lies in building a vigilant and resilient workforce through effective awareness learning for all.

KEYWORDS are: cyber security, cyber resilience, resilient workforce, storytelling, boardroom engagement.

THE NATURE OF THE CHALLENGE

Baroness Dido Harding, the outgoing CEO of TalkTalk, called cybercrime ‘the crime of our generation’ when she was thrust into the media gaze following their high-profile breach in October 2015. Her experience is by no means unique — the threat we all face is real and relentless.

Symantec, in their ‘Internet Security Threat Report’ published in April 2016, noted that they had:

‘…discovered more than 430 million unique new pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.’1

This ‘numbness’ is echoed in research carried out by the National Institute of Standards and Technology (NIST)2 in the US. They assessed perceptions and beliefs about cybersecurity and online privacy, and identified that people are increasingly desensitised to constant reminders about cyber risks. One of the research respondents, an ‘average technology user’, commented:

‘I don’t pay any attention to those things any more … people get weary of being bombarded by watch out for this or watch out for that.’

SECURITY FATIGUE

The last quote highlights the difficulties we face in moving beyond the frustration, weariness and ‘security fatigue’ many of us feel from the bombardment of messages about the dangers lurking online.

The NIST research found that many of us often feel out of control or resigned to doing nothing about online security. Now, take these attitudes into the workplace and organisations are faced with a real dilemma. The reality is that cyber attackers often find it easier to communicate with, engage and influence the behaviours of our staff than we do. Technology is not the only answer — just a part of it. In 2015, Tom Farley, President of the New York Stock Exchange, said in his introduction to ‘Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers’:

‘It is important companies remain vigilant, taking steps to proactively and intelligently address cybersecurity risks within their organisations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness and insight into human behaviour. Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them.’

THE HUMAN FACTOR

But there’s a huge challenge here — one which was starkly highlighted in Verizon’s 2015 Data Breach Investigations Report:3 the great majority — estimated to be 90 per cent — of successful cyberattacks succeed because of human error. That means anyone in any organisation, irrespective of their role or seniority, can enable an attack to succeed through their unwitting actions. Jim Baines, the apocryphal CEO whom I cite in Chapter 5.1, couldn’t agree more:

‘Unwitting is the point. Some of my friends say witless but that’s another matter. The point is, we were complacent. We thought it was a technical not a human issue. But it’s all about the human.’

Because most organisations don’t think this way, the cyber attackers will always have the upper hand. They only need to be successful once in their relentless targeting of our human vulnerabilities, whereas we must maintain constant vigilance. In Jim’s case, he was sent an email purporting to be from someone he’d met at a corporate golf event. The email offered pictures of his achievements on the fairway. He opened it on his business laptop and thought nothing of it. The names used were all familiar; one was from his distant past. It all seemed to make sense. But the attachment contained malware that infected the systems of Baines Packaging. Jim happened to be putting together a presentation for one of his major clients, a huge food conglomerate, and he put the presentation on a flash drive, went to a meeting and handed it to his contact — an old friend — who then infected that company’s systems. A chain reaction began. Jim’s entire livelihood was compromised.

That chain of events powerfully illustrates why we all — from the boardroom to the engine room and beyond — have a specific role to play in protecting our most precious information and assets. If an organisation’s people represent its greatest vulnerability, then it follows they can also be its most important and cost-effective defence against attacks. I would suggest that we’re at a crossroads in our collective corporate response to the cyber risks we all face: one where many will continue to invest in more technology and expect that multiple layers of technical defence will suffice. Another group – the market leaders, pioneers and innovators, but increasingly the ‘just plain sensible’ – will change direction and embrace an enterprise-wide approach, led from the top, which uses new methods to engage and openly reward good cyber behaviours, from top to bottom.

On the road taken by this group, storytelling and the business language used will play a vital role in an adaptive and open approach to learning. It’s these firms that also understand that cyber resilience will become a key market differentiator for asserting competitive advantage as customers, partners and — let us not forget — regulators (particularly with the General Data Protection Regulation [GDPR] coming into effect in March 2018) increasingly demand demonstrable proof that their most precious information is being kept safe and secure.

Many firms also increasingly understand that their cyber risks need to be managed in balance with the immense opportunities for operational transformation, innovation and efficiency that digital technologies now offer. As Daniel Dobrygowski, the Global Leadership Fellow for the IT industry at the World Economic Forum, said in January 2017:

‘Cyber risk is a systemic challenge and cyber resilience is a public good. Without security and resilience in our networks, it will be impossible to safely take advantage of the innumerable opportunities that the Fourth Industrial Revolution is poised to offer. Responsible and innovative leaders, therefore, are seeking ways to deal with these risks.’4

Storytelling plays an important role in responding to this systemic challenge; stories spark emotions, and they help people to remember information.

YOUR STRONGEST DEFENCE

Mostly, cybersecurity is communicated within organisations as a set of statistics and data about the latest threats, the changing techniques adopted by cyber attackers and the number of events and incidents experienced. As a method of bringing about systemic and cultural change, this is a flawed approach.

I believe that the opportunity is clear: staff are not, as is so often lazily reported, ‘our weakest link’. They are instead our most powerful and effective defence against attacks and only as ‘weak’ as the strength of the awareness training we give them. But does this training engage? Is it relevant and relatable to the learner? Does it provide simple, practical guidance? Is it focused on giving them the confidence to change their existing behaviours and to discuss incidents with their colleagues? Does it tell a strong story about what ‘good’ looks like?

The sad truth is that most organisations continue to educate their people with an annual information security awareness e-learning exercise. It can take over an hour to complete and typically ignores some basic rules for effective learning. With cyber attacks relentlessly targeting and threatening our most sensitive and valuable information, forgetting, sadly, is no longer an option. Ignorance isn’t a defence anymore. The risks and potential impacts are too great.

In this vital area of staff training and development, one size doesn’t fit all. The current ‘all staff, once a year’ approach simply does not influence or sustain long-term behavioural change. At best, it reminds us of some essentials; at worst, it’s treated as a necessary evil, a distraction, and something to be completed as quickly as possible.

Annual e-learning will not instil and sustain the cyber-resilient behaviours that employees need today. We’re trying to ‘programme’ our people in the same way we programme computers: to do certain things, in defined ways, at certain times. This approach doesn’t work with human beings.

During January 2016, AXELOS RESILIA, with IPSOS Mori5, carried out research among those responsible for information security awareness learning in their organisations. We wanted to find out how well prepared members of the UK’s workforce were for a cyber attack in the companies they work for. The results were sobering.

While it was positive to note that 99 per cent of business executives responsible for cyber awareness learning said that information security awareness learning was ‘important to minimise the risk of security breaches’, less than a third (28 per cent) judged their organisation’s cybersecurity awareness learning as ‘very effective’ at changing staff behaviour.

A similar minority (32 per cent) were ‘very confident’ that the learning was relevant to their staff, while 62 per cent were only ‘fairly confident’. This comparatively low level of corporate confidence in the ability of people to deal with a cyber attack is simply not good enough in an era where cybercrime has become ‘business as usual’. It reflects either a lack of understanding or a state of denial about the impact that a successful cyber attack can have on a business.

Organisations cannot continue to accept this low level of employee awareness and competence in the face of sophisticated cybercriminals who are constantly adapting their methods. Imagine how your customers would respond if told, ‘We’re fairly confident that your confidential information is safe from attack’. Equally, a report to a board of directors that the level of confidence in the organisation’s information security awareness is only ‘fair’ would provoke some serious alarm. If company boards are not asking questions about the current effectiveness of their awareness learning programme and what is being done to improve their organisational cyber resilience, then they should be. Now!

AWARENESS TRAINING

What determines the capability and performance of employees is the relevance and effectiveness of the training they’re provided with and the behaviours they adopt as a result.

What needs to be understood is that we all learn differently and at different speeds. We need to offer awareness training that provides our people with multiple approaches that appeal to the widest possible spectrum. This way, they are far more likely to have the confidence to share and discuss experiences, to get proactively involved in their own learning, to champion resilience to others and to continuously learn and adapt. That’s why the picture painted by our research suggests that the current annual compliance-based approach, which is still relied upon by most organisations, is failing.

The same challenges are being faced in the boardroom. The impact of a major attack can be catastrophic and the boards of many high-profile global brands have already felt the reputational and financial damage that can ensue. Many more continue to struggle to properly understand what they can do to address this and what good cyber resilience looks like for them.

THE BOARDROOM CHALLENGE

While business leaders and senior executives strive to mitigate and respond more effectively to their cyber risks, the challenge remains a big one for boards. The UK Government’s annual FTS 350 Cyber Governance Health Check research published in May 2016 6 pinpoints many of the problems faced in the boardroom. The research, carried out with CEOs and CFOs, highlighted that:

•   Only 33 per cent of boards have clearly set out and understood their appetite for cyber risk.

•   Only 16 per cent have a very clear understanding of where the company’s key information assets are shared with third parties.

•   Over 50 per cent said: ‘We listen occasionally — e.g. a bi-annual update, plus being told when something has gone wrong’ in answer to the question: ‘Which of the following statements best describes how cyber risk is handled in your board governance process?’

•   Over 60 per cent have either not at all or only loosely defined their appetite for cyber risk, both for existing business and for new digital innovations.

In all too many boardrooms their organisation’s resilience to cyber risks does not form a key part of the agenda. They remain largely ‘blindsided’ to the nature and impact of the risks they face and are not communicating in an informed and effective ‘tone from the top’ to all their people.

Consequently, many will continue to ‘sleepwalk’ into reacting to a crisis rather than taking adequate precautions to mitigate their risks before a crisis occurs. Personal and corporate reputations have been irreparably damaged as a result. In the digital age, five seconds is perhaps more accurate.

Just as our technical security controls must constantly evolve and adapt to combat changing cyber threats and vulnerabilities, so we need to ensure all our people maintain their awareness learning and are provided with the appropriate, practical guidance on a continual basis that fits the needs and requirements of the organisation.

If you would like to find out more, you can contact Nick Wilding at

nick.wilding@axelos.com

_______________

1. Symantec (April 2016), ‘Internet Security Threat Report’, available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf (accessed 26th July, 2017).

2. NIST, available at https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly (accessed 27th July, 2017).

3. Center for Internet Security, available at http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report_2015_en_xg.pdf (accessed 26th July,