Continuous Cyber Attacks: Engaging Business Leaders for the New Normal

Transcription

1 Continuous Cyber Attacks: Engaging Business Leaders for the New Normal

2 Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed. Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations. This starts with aligning the strategic agenda and business priorities with security. Organizations face a cybercrime wave Unexpected losses. Disrupted strategies. Damaged brands. Cyber-attacks can rapidly derail an enterprise s ability to create value and frequency, reach and levels of sophistication continue to grow. Last year, the number of cyber-attacks against large companies increased 40 percent, targeting five out of six enterprises with over 2,500 employees. 1 Attackers currently occupy the high ground in the battle for company data. The barriers to entry are low; with little investment and minimal risk, it s never been easier or more lucrative for adversaries to cash in on their efforts. What s more, cyber thieves that operate across borders rarely face prosecution. Attackers continued to evolve, their targets continued to expand, and their techniques continued to change. But the central narrative stayed the same: Far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments. 2 Organizations cyber defense strategies aren t keeping pace with the new technology landscape In today s 24/7 world, global connectivity enables organizations to shrink geographic distances, bridge borders and forge real-time links. But every revolution has its casualties, and one victim of the connected age is the peace of mind companies once had regarding the security of their critical assets. Where a locked door and an onsite security team were once the frontlines of protection, today s attackers can target the company s core technology infrastructure. They can take advantage of company initiatives centered on emerging technology including cloud, analytics, mobile communications and the Internet of Things (IoT), to enter and peruse the most sensitive parts of a business all undetected. Leaders unfamiliar with the specific details of how pervasive cyber defense is becoming may fail to recognize the gaps that exist in their digital security strategies. It s easy to do: Regulators and other government bodies demand compliance with specific regulations focused on meeting baseline security standards, which can drown out other voices supporting dynamic approaches to cyber risk management. Cybersecurity was once a part of the business where meeting the lowest common denominator was an acceptable management practice. Companies soon learned that passing compliance assessments doesn t equal data security. Likewise, a strategy focused on acquiring the latest security products and add-on applications can quickly drain a security budget, while not appreciably improving the organization s defensive posture. The reality is that no organization can defend itself from everything, even if the resources existed to support such an endeavor. Leaders need to embrace a new 2

3 To thrive, business leaders should follow these three approaches to bring risk down to a manageable level: Actively engage to make the business a better security customer Strengthen the partnership between the business and security Continuously exercise organizational defenses 3

4 1 Actively engage to make the business a better security customer A solid cyber defense requires that companies interlock an organization s business stakeholders, its risk management office and the security team and develop a true relationship that asks every employee to own responsibility for security. Much like lean and total quality management drive efficiencies and cost savings in the product lifecycle, securing the enterprise requires a similar pivot organizationally to prioritize this challenge. Some organizations are inadvertently and unknowingly bad security customers, especially when they fail to understand the broader responsibilities and role the enterprise has in protecting itself. The likelihood of cyber threat detection and elimination significantly drops if the business side fails to fully interlock with the security team. Some typical challenges include: Security lacks sufficient top management access. Most companies recognize that digital security is an important agenda item, but in many cases, the chief information security officer (CISO) does not have toplevel access. More than half (54 percent) of security decision makers say security and risk at their company is still mainly technology-focused, and a similar percentage report that their CISO continues to report into IT (55 percent). 3 Consequently, most CISOs focus on technology instead of concentrating on security from a business-centered, holistic perspective. The front lines remain unengaged in security issues. Another study found that 62 percent of information security professionals say employees do not care enough about security to change their behavior. 4 Articulating the importance of security and doing it in an engaging manner starts at the top. One effective method for creating user engagement is through gamification that provides employee incentives and rewards. This can be an effective tool if the organization also creates and enforces robust accountability policies, and develops easily captured reporting measures. Ambiguity regarding who owns the systems under attack. Business teams are trying to meet customer demands; they re agile and entrepreneurial and continually create new applications and data stores. When these systems are under attack, the security team needs to know who owns the compromised system and its criticality to the business in order to coordinate an effective response. Many firms do not have this asset information immediately available due to lack of collaboration between security and the business, which can impede action and reduce the effectiveness of the 4

5 2 Strengthen the partnership between the business and security Leaders should take steps to ensure the organization can preempt, detect and respond to current and future threats. Instead of relying on the security team to play clean up after a breach, organizations need to factor potential cyber threats into today s business decisions. Many cyber defense veterans feel their teams are catching frequent Hail Mary passes from the business; but as sports fans know, hope is not a strategy. Instead, leading cybersecurity players take proactive steps to align the business side s commercial needs and the security team s cyber defense requirements by forging an effective business-security-risk management partnership. Four elements of such a partnership are: Keep security on the agenda. If organizations can operate under a concept called presumption of breach, acknowledging that a hacker will get into their networks, perspective on the right security strategy becomes laser focused. Having the right security strategy and cyber defense capabilities are core elements of business resilience and brand trust. Accenture recently collaborated with the Ponemon Institute, an independent research center specializing in security trends and best practices, in a study to understand key characteristics to improving security effectiveness. The study suggests that a focus on cyber defense innovation and strategy separates leading organizations from the laggards. 5 These organizations embrace and implement new ideas, develop officially sanctioned security strategies, make information security a business priority and do a better job of making employees fully aware of the business security requirements. Recognize the complexity of the challenge. The best organizations view risk management in dynamic terms, prioritizing the protection of critical information and recognizing that future costs could rise significantly. It s important to determine where to set the bar regarding loss tolerance. Part of the challenge is recognizing the complexity of roles; the organization has revenue goals and other business targets, and the security team has its own set of objectives. While the aims may differ, each group should align fundamentally in its dedication to the company s success. Work together to identify the organization s critical data. While all risk can t be mitigated, it can become manageable by applying a level of triage. Most organizations can pinpoint their most consequential risk in a small percentage of their networks giving them a greater level of protection. By triaging and prioritizing what is truly critical, an organization can reduce the bulk of its risk and mitigate the line of the attacker. In addition, from a data management perspective, as part of a continuous cycle, organizations should industrialize processes to delete, rationalize or encrypt dated and non-critical information with regular cadence. Volume matters; to cash in on PII [personally identifiable information], cybercriminals want to steal as many customer records as possible. Hackers pick their victim organization carefully, learn its business, understand its partner relationships, and test for weaknesses and vulnerabilities. 6 Evolve the organizational culture to attract and retain top-tier security talent. Given the intense focus on digital security, the war for top talent has reached new levels, triggering bidding wars for the elite cyber defense talent. More organizations are evaluating traditional hiring guidelines to attract and retain Millennials with in-demand skills. Today s security talent want challenging roles with opportunities to continuously develop technology skills. Organizations that fail to deliver face increased attrition and recruiting cost. Think proactively about talent pools, working with universities to develop key cyber defense recruits, and looking for expertise outside of normal channels. 5

6 3 Continuously exercise organizational defenses The cyber defense story is compelling, but what can leaders do to improve the enterprise s data security? Focus on developing organizational defenses: Relentlessly test cyber defenses. One way to become more resilient is to train like a professional athlete. Athletes who train exclusively with a static punching bag won t stand a chance against a real opponent. Likewise, an enterprise focused totally on conventional defenses will quickly fall prey to today s increasingly aggressive digital attackers. Individual hackers and organized criminal groups are using state-ofthe-art techniques to infect hundreds of thousands sometimes millions of computers and cause massive financial losses, all while becoming increasingly difficult to detect. 7 Organizations leading the way in cyber defense are training with third-party sparring partners equipped with the skills and technologies (but none of the malice) that attackers bring to bear. Organizations that consistently engage in sparring sessions benefit from the feedback loop such training provides, developing a real understanding of how well the enterprise detects, defends and responds to cyber-attacks. They learn from mistakes without facing the catastrophic effects of a real attack. Hunt inside the organization s defenses. When leaders assume the enterprise is already compromised, they find better methods to constantly look for intruders across the entire enterprise. Design security architectures and business processes for emerging technologies and proactively hunt across systems to better anticipate attacks and significantly reduce detection timeframes versus waiting for a static indicator of compromise, which will likely happen too late to minimize the impact of an attack. Improve response effectiveness. As the organization spars with an elite security assessment team going through the same tactics as the attacker would use over time they develop much needed muscle memory. The more time fighters spend in the ring, the more their comfort levels increase and their performance improves. Likewise, organizations that spar repetitively and consistently work more effectively to minimize an event s impact. They read their opponent more effectively and improve their abilities to actively defend their business with speed, strength and accuracy. As companies become more adroit in response to incursions, the better they become at mitigating 6

7 Put the 100-day cyber defense plan into action Once an enterprise takes the pulse of its cyber defense strengths and weaknesses, developing an action plan is critical. That means assessing where the organization needs to invest and architecting triage procedures to handle security concerns now and in the future. By following assessments with clear-cut 100-day and 365-day plans, organizations can build the momentum needed to realize their cyber defense goals. Conclusion Fraud and theft are nothing new, but the intensity, impact and level of sophistication of current digital attacks make cybercrimes uniquely dangerous for digital businesses and governments. In this everchanging environment, business leaders need real solutions to improve resilience and that starts with aligning security to strategic imperatives. 7

8 Contributors Bill Phelps Managing Director, Global Security Services Ryan LaSalle Managing Director, Security Growth & Strategy Lead Kevin Richards Managing Director, North America Security Practice Matt Devost Co-founder and CEO of FusionX Steve Culp Senior Managing Director, Accenture Finance & Risk Services David Smith Senior Managing Director, Talent & Organization References 1. Internet Security Threat Report, Volume 20, Symantec Corp. symantec.com/security_response/publications/threatreport.jsp 2. Mandiant, M-Trends 2015, A View from the Front Lines, Forrester, Evolve to Become the CISO of 2018 or Face Extinction, August 14, Clearswift survey of 4,000 employees and 500 decision makers in the UK, Germany, the US and Australia. state-of-security/security-data-protection/cyber-security/one-thirdof-employees-would-sell-corporate-information-for-the-right-pricereveals-clearswift-survey/ 5. The Cyber Security Leap: From Laggard to Leader, Accenture and the Ponemon Institute 6. Forrester, The Cybercriminal s Prize: Your Customer Data and Intellectual Property, Sept. 2, Source: Department of Justice, ASSURING Authority for Courts to Shut down Botnets, March 11, assuring-authority-courts-shut-down-botnets About Accenture Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions underpinned by the world s largest delivery network Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 358,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this document and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. Copyright 2015 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.