Cybersecurity Causing Sleepless Nights for Risk Managers, Part 2

Stephen DeAngelis

May 10, 2018

As I noted in Part 1 of this article, supply chain risk managers have plenty on their minds to keep them up at night; but, cybersecurity risks surely cause their share of night sweats. One reason for their concern is that many cyber vulnerabilities lie outside of their control. A report by two British agencies, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), concludes, “[Criminals are increasingly] capitalizing on the gateways provided by privileged accesses and client/supplier relationships [and] attackers will target the most vulnerable part of a supply chain to reach their intended victim. … It is clear that even if an organization has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain.”[1] Just because some things are out of your control doesn’t mean you shouldn’t try to address the challenge. As Gordon B. Hinckley once stated, “Just do the best you can, but be sure it is your very best.”

Doing your very best

When it comes to cybersecurity breaches, it’s not a matter of if it will occur but when. As I noted in the first part of this article, a Thales Security report found “67 percent of enterprises were breached in 2017. Of those that were breached, 71 percent were based in the United States.”[2] Subject matter experts have offered recommendations to help ensure you are doing your very best. Below are a few of those recommendations:

1. Don’t be overconfident. Authors of a Deloitte study report, “Over three-quarters of the executives interviewed report being highly confident of their ability to respond to a cyber incident, yet they simultaneously cite many issues that critically impair their ability to effectively respond to cyber incidents that could be addressed by more involvement from C-level and board executives. This paradox suggests many companies operate with a false sense of security.”[3] To help ensure cybersecurity receives the C-level attention it deserves, Isaac Kohen (@teramindco), founder and CEO of Teramind, recommends appointing a Data Protection Officer. He explains, “Your organization is full of people trying to fulfill their roles and data security can become a burden on a person or a team it is assigned to. Appointing a Data Protection Officer (DPO) will help your organization in the long run. The DPO is a leadership role which is responsible for data protection strategy, implementation and management. The DPO doesn’t necessarily have to be a new person, but it must be someone who has a strong understanding of how data flows through suppliers, clients and all business relationships.”[4]

2. Mitigate the impact of a successful attack. As I noted earlier, when it comes to cyber attacks, the question is “when” not “if” they will take place. Ben Ludford, a consultant at Efficio, writes, “Assume a successful cyber attack is inevitable. This way of thinking shifts your focus to developing plans and practices that will minimize any damage should an incident occur.”[5] One of the best ways to mitigate the effects of a cyber attack is by trying to limit the damage before an attack occurs. Those measures are covered by the next two suggestions.

3. Train company personnel. Ludford notes, “Human error is the primary source of data breaches.” Generally, these errors are not malicious but the consequences of inadvertent actions, like accidentally downloading malware, can be devastating. At the very least, you must provide some cybersecurity training to every employee. Ludford adds, “Training helps staff to identify potential attacks and is constantly refreshed to enable them to act as the first line of defense against such incidents.”

4. Train supplier personnel. Kohen explains, “While data security is an issue that many organizations are concerned about and take regular action internally, there needs to be accountability and standards for suppliers that work with you. Your organization already has standards for who you work with and what constitutes a termination of contract. It is here in your vetting process that you should integrate. Ask questions about their data security management program. If they have none or are unable to answer, they likely will not be able to keep your data secure.” Ludford agrees. “Your suppliers should be operational, effective and secure,” he writes. “Ask questions that test the security of your suppliers’ systems; screen the cyber awareness of personnel; and request to see plans of how a potential incident might be dealt with. As cyber risks continue to grow, this is likely to become standard practice.”

5. Protect your data. David Lavenda (@dlavenda), Vice President of Strategy at harmon.ie, writes, “Assess your current cybersecurity measures, make sure basic security procedures such as encryption and password protection are in place and then promote security best practices amongst members of your organization.”[6]

6. Leverage cognitive technologies. Gary Hayslip (@ghayslip), Chief Information Security Officer at Webroot, recommends using cognitive technologies to help protect your data.[7] He explains, “The days of having a security analyst manually review logs and then manually investigating an anomalous finding are over. As cyber criminals use automation to quickly deploy new threats, [organizations] must look at automation to improve the capabilities of their deployed security assets and risk management controls. That’s the only way to defend against today’s fast-moving threats.” Maribel Lopez (@MaribelLopez), a technology industry analyst and strategic advisor at Lopez Research, adds, “Machine learning can be used to discover usage patterns from vast amounts of corporate data today.”[8] She notes machine learning can identify “patterns for all the people who access a company’s systems” which “makes it easier for the security system to detect anomalous behavior from a malicious user that may have stolen a password and used it to access a company’s network and data.”
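One concrete form of the per-user usage-pattern detection Lopez describes, as an added example that is not from the article or any vendor’s product: it builds a baseline from constructed authentication log lines (the log format, usernames, addresses and countries are all assumptions) and scores a new login by how many attributes fall outside that user’s own history, which is how a stolen-password login from an unfamiliar place and time gets surfaced.

```python
# Added example: a minimal per-user behavioural baseline from constructed auth log lines.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (format and values are assumptions for this example)
HISTORY = """
2018-04-02T08:55:10 user=alice src=10.1.4.22 geo=US result=ok
2018-04-03T09:10:41 user=alice src=10.1.4.22 geo=US result=ok
2018-04-04T17:32:05 user=alice src=10.1.4.31 geo=US result=ok
2018-04-05T08:47:59 user=alice src=10.1.4.22 geo=US result=ok
2018-04-02T22:05:12 user=bob src=203.0.113.7 geo=GB result=ok
2018-04-03T23:11:48 user=bob src=203.0.113.7 geo=GB result=ok
2018-04-04T21:58:02 user=bob src=203.0.113.9 geo=GB result=ok
""".strip().splitlines()

def parse(line):
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["hour"] = datetime.fromisoformat(ts).hour
    ev["net"] = ".".join(ev["src"].split(".")[:3])  # coarse /24 grouping of the source
    return ev

def build_baseline(lines):
    """Per-user sets of login hours, source /24 networks and countries seen so far."""
    base = defaultdict(lambda: {"hours": set(), "nets": set(), "geos": set()})
    for ev in map(parse, lines):
        if ev["result"] != "ok":
            continue  # only successful logins define what is normal for a user
        b = base[ev["user"]]
        b["hours"].add(ev["hour"]); b["nets"].add(ev["net"]); b["geos"].add(ev["geo"])
    return base

def score(baseline, line):
    """Return (score, reasons): one point per attribute never seen for this user.
    An unknown user is fully anomalous; an hour within +-1 of a seen hour counts as normal."""
    ev = parse(line)
    b = baseline.get(ev["user"])
    if b is None:
        return 3, ["unknown user"]
    reasons = []
    if not any(abs(ev["hour"] - h) <= 1 for h in b["hours"]):
        reasons.append("unusual hour %d" % ev["hour"])
    if ev["net"] not in b["nets"]:
        reasons.append("new source network %s" % ev["net"])
    if ev["geo"] not in b["geos"]:
        reasons.append("new country %s" % ev["geo"])
    return len(reasons), reasons

def is_suspicious(baseline, line, threshold=2):
    return score(baseline, line)[0] >= threshold
```

A real deployment would learn these sets continuously and weight attributes rather than count them equally, but the shape is the same: the model is the user’s own history, and the alert is the distance from it.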

Summary

Tom Beale insists, “Cyber risk can no longer be considered just an IT problem. When assessing the immediate financial loss that might result in suffering some form of business interruption event, organizations are moving beyond IT and considering whether they have a proactive security culture, and whether they have put the right people in place to understand data and how to best keep it safe. It’s also about looking at the people within, the outsourced agreements and how these are managed.”[9] Lopez adds, “Companies spend up to $75 billion on security every year, but research estimates suggest up to two-thirds of companies still experience a breach. It’s clear that the perimeter-based approach to security won’t cut it.” Every tool in the security manager’s kit, including cognitive technologies, needs to be applied to the job at hand: protecting company data.

Footnotes
[1] Su-San Sit, “Six steps to prevent cyber attacks,” Supply Management, 10 April 2018.
[2] Isaac Kohen, “Data Security Best Practices for Mitigating Supply Chain Risk,” Supply & Demand Chain Executive, 8 March 2018.
[3] Sean Peasley, Kiran Mantha, Vikram Rao, Curt Fedder, Marcello Gasdia, “Cyber risk in consumer business,” Deloitte Insights, 15 June 2017.
[4] Kohen, op. cit.
[5] Sit, op. cit.
[6] David Lavenda, “7 steps to ensure an organization is GDPR-ready,” Information Management, 27 March 2018.
[7] Gary Hayslip, “Seven fundamentals for better securing systems and data,” Information Management, 5 September 2017.
[8] Maribel Lopez, “Machine Learning: A New Weapon In Your Security Arsenal,” Forbes, 14 March 2018.
[9] Tom Beale, “Assessing cyber security risk: 10 questions organizations should be asking,” Information Management, 9 August 2017.