CyberRx by e-management: The Leader in Cybersecurity Risk Intelligence (RI)
Cybersecurity Risk: What You Don't Know CAN Hurt You!
Cybersecurity is all over the news. Target, University of Maryland, Neiman Marcus, J.C. Penney, Indiana University, Sally Beauty Supply, and many smaller companies are being targeted by hackers, disgruntled employees, and competitors every day. According to a recent study of small businesses by Symantec, 77% of small and medium-sized companies think they are safe from hackers, viruses, malware, or a cybersecurity breach. But the data shows differently. In 2013, 1 in 5 small business organizations was the recipient of at least one targeted attack. It's happening every day, and we're losing money, data, and ideas. Research by Symantec also found that in 2013, 61% of all targeted attacks focused on businesses with fewer than 2,500 employees (an 11% increase from 2012). In addition, the Symantec report warns of an expansion of traditional threats: "in particular, social media and mobile devices have come under increasing attack... online criminals are following users onto these new platforms."

"60% of small firms go out of business within six months of a data breach." (National Cyber Security Alliance)
KSGs of Cybersecurity Risk Management for Small-to-Medium Sized Businesses
Cybersecurity for small and medium-sized companies is a business problem that can affect the ability to keep business, stay in business, or get new business. These are the KSGs of cybersecurity risk management.
The ability to KEEP business: Once a company's infrastructure has been breached, sales plummet, customers leave, students apply elsewhere, and many of them don't come back. This can cause irreparable damage, including the loss of reputation. Even when a company does everything it can after the fact, such as strengthening its cybersecurity risk management solutions and providing free credit monitoring, the damage has been done.
The ability to STAY in business: Anyone whose data has been compromised (employees, customers, or suppliers) may have legal grounds to sue. They expect the companies they do business with to be careful with their information and keep it safe. Companies that fail to protect this information from being compromised may be liable. The cost of a single lawsuit can put a small business out of business. The frightening fact is that 60 percent of small firms go out of business within six months of a data breach, according to the National Cyber Security Alliance.
The ability to GET business: If sensitive company data or company intellectual property (such as financials, trademarks, copyrights, or new product / service plans) are hacked, the potential inability to attract new customers creates a huge competitive disadvantage. There is a problem if a company is perceived to be vulnerable to cybersecurity attacks, or is unable to demonstrate that it is investing in protecting its assets or its customers. The firm may be perceived as a riskier supplier or business partner and could have difficulty securing new business.
Recently, AT&T Chairman & CEO Randall Stephenson was quoted as saying that any large company that isn't imposing cybersecurity standards on its service providers "has a vulnerability that they're missing."
Making Cybersecurity Risk Management an Industry Priority
Responding to a need for better preparedness and coordination of critical infrastructure protection initiatives across the entire business spectrum, leading information technology companies, professional service firms, and information technology trade associations formed the Information Technology Sector Coordinating Council (IT SCC) in 2006. The IT SCC is currently working in partnership with the U.S. Department of Homeland Security (DHS) to address strategies for mitigating cybersecurity threats and risks to our nation's critical infrastructure, especially for businesses and organizations that are particularly vulnerable. Needless to say, the IT SCC is a crucial resource for addressing solutions to security issues and engages with the public and private sectors in all areas of Critical Infrastructure (CI) protection.
Framework for Cybersecurity Risk Management
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.

"Keeping the focus on risk management is very important to us. We're looking at how you foster risk management across ecosystems, how you get people to be more aware of risk management and to share the practices. We want to consider security, privacy and resiliency all together... in a global context the approaches should be usable around the world." (Microsoft's Angela McKay, 2014 Chair of the IT SCC)
NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure manage cybersecurity-related risk.
Cybersecurity Framework: 5 Core Elements of Any Organization's Risk-Based Approach to Managing Cybersecurity Risk
Identify: Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected; determine priority in light of the organizational mission; and establish processes to achieve risk management goals.
Protect: Develop and implement the appropriate safeguards, prioritized through the organization's risk management process, to ensure delivery of critical infrastructure services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement the appropriate activities, prioritized through the organization's risk management process (including effective planning), to take action regarding a detected cybersecurity event.
Recover: Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.
It is important to note that the Cybersecurity Framework is not a risk management process itself. It enables the integration of cybersecurity risk management into an organization's overall risk management process by fostering: approaches that address both traditional IT and industrial control systems; and cybersecurity standards that can be used to support risk management activities. Key to implementation of the Cybersecurity Framework is DHS's Critical Infrastructure Cyber Community (C³) Voluntary Program. The C³ (or "C cubed") Program aligns critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks.
How e-management Fits Into the Cybersecurity Framework
The perspective of small and medium-sized businesses like e-management is essential to the IT sector and the government in helping to shape implementation of the Cybersecurity Framework, so that it is easier and more affordable for smaller firms to adopt. For 15 years, e-management has been working in the cybersecurity, risk mitigation, and technology industries, delivering mission-critical information protection, technology development, and risk management solutions for clients that own, operate, or support critical infrastructure. e-management has recognized the market need for a cybersecurity risk management tool geared to the elements of the NIST Cybersecurity Framework. CyberRx, e-management's new and innovative solution, helps small and medium-sized organizations understand their cybersecurity risks and the financial impact of a cybersecurity breach so they can be better equipped to make critical IT security decisions, prioritize investments, and maximize the impact of their investments in cybersecurity. By automating the NIST Cybersecurity Framework to create a cyber early warning system, CyberRx is designed to be the prescription for cybersecurity assurance for businesses.
Early Adopters of the NIST Cybersecurity Framework
American Chemical Council; National Association of Manufacturers; PwC US; AIG; and Dow Chemical. These organizations have emerged as champions to help NIST and DHS tell the story of what the Framework is and what it can do.