Cyberspace offers enormous benefits and opportunities through increased innovation, collaboration, productivity, competitiveness and customer engagement. But barely a day goes by without news of a new cyber threat, or major data breach, arising from ‘malspace’ – an online environment inhabited by hacker groups, criminal organizations and espionage units.
The big question posed to governments, enterprises and citizens is how can this growing cyber threat be counteracted without losing the enormous benefits of Internet-based trade, commerce and communication?
With Opportunities Come Risks
Cyberspace is constantly evolving and presenting new opportunities, as the desire of businesses to quickly adopt new technologies, such as using the Internet to open new channels and adopting cloud services, provides vast opportunity. But, it also brings unanticipated risks and inadvertent consequences that can have a potentially negative impact.
With cyberspace so critical to everything, from supply chain management to customer engagement, holding back adoption or disconnecting from cyberspace completely is simply not feasible. But the commercial, reputational and financial risks that go with cyberspace presence are real and growing each and every day.
If an organization’s senior executives don’t understand cyberspace they will either take on more risk than they would knowingly accept, or miss opportunities to further their strategic business objectives, such as increasing customer engagement or market leadership. These organizations are more likely to suffer embarrassing incidents, and when they do, they will suffer greater and longer-lasting impact.
Understanding cyber risks and rewards is also fundamental to trust. If organizations can’t maintain a trusted environment in which to communicate and interact with their customers, their business could suffer or even collapse. This is true whether it’s a customer engagement program using audio or video, or systems that support essential customer transactions such as banking, shopping or reservations.
Weighing Risk vs. Reward
Business leaders recognize the enormous benefits of cyberspace, yet many are having difficulty determining the risk versus the reward.
The benefits of cyberspace come with significant risks, and the threat of cyber-attack is firmly at the top of the board agenda. While organizations are exploiting the business benefits of cyberspace, they may not realize that cyberspace confers the same benefits to those who attack our organizations. Hacker groups, criminal organizations and espionage units worldwide have access to powerful, evolving capabilities, which they use to identify, target, and attack.
Many of the security activities associated with dealing with cyber crime attacks are based on fundamental information security incident management, and are covered in topics such as information security, incident management and forensic investigations. However, cyber crime often involves sophisticated, targeted attacks against an organization, and as such, additional security measures may be required to respond to specific cyber crime-related attacks.
Cybercrime-related intelligence relating to the development of attacks should be reviewed on a regular basis to determine:
- The extent to which the organization is at risk of a cyber crime-related attack (example: review of discovered code on the Internet or discussions in underground groups)
- How targeted information could be used by criminals (example: creating false passports, false accounts, credit cards or online scams)
- The techniques used by criminals to perform cyber crime-related attacks (to help detect them)
Cyber Security is Not Enough
Establishing cyber security alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond and mitigate any damaging impacts of cyberspace activity.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves.
Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
Becoming Cyber Resilient
Cyber threats are not just a challenge for IT departments; they require the involvement of every discipline within an organization, including its customers, suppliers, investors, partners and stakeholders.
Cyber resilience involves assembling multidisciplinary teams from across the organization, and beyond, to develop and test plans for attacks and breaches that may, or may not, occur. This team should be enabled to respond quickly to incidents by communicating with all parts of the organization, those external people and organizations that may be directly impacted, shareholders, regulators and other relevant stakeholders.
A vital component of cyber resilience is governance with senior support for monitoring cyber activities – including monitoring partner collaboration, and the risks and obligations in cyber space. Organizations must have a process in place for analysing, gathering and sharing cyber intelligence with stakeholders. They also need a means to assess and adjust their preparedness and resilience from past, present and future cyberspace activity.
Finally, organizations should partner internally – sharing knowledge of risk and best practice across business units and functional groups.
What Can You Do?
Businesses operate in an increasingly cyber-enabled world and traditional risk management just isn’t nimble enough to deal with the risks from cyberspace activity. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling. From cyber to insider, organizations have varying degrees of control over evolving security threats.
By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond appropriately.
About the Author:
As the Global Vice President of the Information Security Forum, Steve Durbin’s main areas of focus include the emerging security threat landscape, cyber security, consumerization, outsourced cloud security, third party management and social media across both the corporate and personal environments.
Formerly at Ernst & Young, Durbin was responsible for the growth of the firm’s entrepreneurial markets business in Europe, Middle East, India and Africa. He has been involved with mergers and acquisitions of fast-growth companies across Europe and the USA, and has also advised a number of NASDAQ and NYSE listed global technology companies.
Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors.
He is currently a Digital 100 selection committee member in the United States, a body established to improve the talent pool for Fortune 1000 boards around information governance with the aim of helping them protect and monetize their technology investments. He is also chairman of the Digiworld Institute senior executive forum in the UK, a think tank comprised of Telecoms, Media and IT leaders and regulators.
He may be contacted as follows:
Email: [email protected]
Twitter: @stevedurbin
LinkedIn: http://uk.linkedin.com/in/stevedurbin
Tel: (M) +44 (0)7785 953800; (US) 347 767 6772
About the Information Security Forum
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.
Further information about ISF research and membership is available from www.securityforum.org