Building a ‘cyber-smart’ culture from C-Suite still biggest challenge
SPECIAL to SDN — Scitech and Digital News
By HackerOne CEO MARTEN G. MICKOS
Organisations around the world today are becoming more cyber-security conscious. Cyber-security is a topic discussed regularly in the boardroom, especially against the backdrop of significant financial and reputational liabilities brought upon by data breaches.
And Asia has seen its fair share of data breaches. In March 2016, data on 55 million voters in the Commission on Elections (Comelec) government database in the Philippines was breached. In July 2016, the information of 410,000 Vietnam Airlines users was compromised. In 2017, the information of 46 million mobile phone subscribers was breached and showed up on the dark web. And in 2018, the data of 1.5 million users of Singapore’s SingHealth electronic medical records (EMR) system was breached, including permanent personally identifiable information.
As a result, we are seeing organizations today getting more proactive with cyber-security and working towards nurturing communities of relevant professionals. However, knowing where to start and how to build a “cyber-smart” culture can often be the biggest challenge.
If you are a board member or a CXO in an organization, cyber-security falls entirely or partially on your plate, whether it was in your job description or not. You bear responsibility and accountability.
Here are some questions you may ask to help understand how prepared your organization is for a cyber-security incident and what areas you need to improve in to become more “cyber-smart”:
1. How bad can it get?
Don’t leave the threat modelling exclusively up to the cyber-security team. Ask what will happen if cyber-security is done wrong or inadequately addressed. Understand your risk profile. This question will lead to the discovery of the key digital assets and the threats these assets are facing. What are the risks and fallout from an insider job? What about a successful phishing attack, theft of devices or credentials, malware or ransomware, or a system vulnerability that leads to a data breach? Could a malicious actor interrupt your operations? What is the risk of public embarrassment or defamation? There are more potential risks. Be creative and brutally honest and list all of them. Better to have thought through all the horror scenarios than to be taken by surprise.
2. How likely and costly are the risks?
For each potential problem listed in the first question, no matter how unlikely, try to estimate the likelihood that it will happen in a certain time-frame (such as 12 months) and what the total quantum of the damages would be (in monetary terms). The average cost of a data breach is upwards of US$3 million, and a bad one an order of magnitude higher (source: “2018 Cost of a Data Breach Study” by Ponemon). This exercise is difficult, but it will provide some insight into what you stand to lose following an attack. Repeat this exercise regularly; with each repetition the result will become more useful.
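To make the likelihood-times-damages estimate concrete, here is an added Python example (it is not from the article or from HackerOne) that builds a small risk register from the scenario types question 1 lists, computes the expected loss of each scenario over a 12-month window, ranks them, identifies which few scenarios drive most of the expected loss, and compares the total with a proposed annual security budget. Every probability and loss figure is a constructed placeholder, and the Scenario class, RISK_REGISTER and the function names are this example's own, not a standard of any kind.

```python
"""Quantitative first pass at "how likely and how costly" for a 12-month window.

Added illustration, not part of the original article. Each scenario gets an
estimated probability of occurring at least once in the window and an
estimated total loss if it does. Expected loss = probability x loss gives a
single number per scenario that can be ranked and summed. All figures below
are constructed placeholders, not measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance of at least one occurrence in the window, 0..1
    loss_usd: float     # estimated total damages if it occurs, in US dollars

    def expected_loss(self) -> float:
        """Expected loss over the window; rejects inputs outside sane ranges."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.loss_usd < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")
        return self.probability * self.loss_usd


# Constructed register covering the scenario types the article lists (hypothetical values).
RISK_REGISTER = [
    Scenario("Insider misuse of access", 0.10, 2_000_000),
    Scenario("Successful phishing leading to account takeover", 0.40, 500_000),
    Scenario("Theft of devices or credentials", 0.25, 150_000),
    Scenario("Ransomware outage", 0.15, 3_000_000),
    Scenario("Data breach via unpatched vulnerability", 0.20, 3_500_000),
    Scenario("Public embarrassment or defamation", 0.05, 1_000_000),
]


def rank_by_expected_loss(register):
    """Highest expected loss first; ties keep their register order."""
    return sorted(register, key=lambda s: s.expected_loss(), reverse=True)


def total_expected_loss(register):
    """Sum of expected losses, i.e. what the organization stands to lose on average."""
    return sum(s.expected_loss() for s in register)


def top_contributors(register, share=0.8):
    """Smallest set of scenarios (highest first) that covers `share` of total expected loss."""
    total = total_expected_loss(register)
    chosen, running = [], 0.0
    for scenario in rank_by_expected_loss(register):
        chosen.append(scenario)
        running += scenario.expected_loss()
        if running >= share * total:
            break
    return chosen


def budget_assessment(register, budget_usd):
    """Relate a proposed annual security spend to the total expected loss."""
    total = total_expected_loss(register)
    ratio = budget_usd / total if total > 0 else float("inf")
    return {"total_expected_loss": total, "budget": budget_usd, "budget_to_expected_loss": ratio}


if __name__ == "__main__":
    for s in rank_by_expected_loss(RISK_REGISTER):
        print(f"{s.name:<50} p={s.probability:.2f} loss=${s.loss_usd:>12,.0f} "
              f"expected=${s.expected_loss():>10,.0f}")
    print(f"Total expected loss over the window: ${total_expected_loss(RISK_REGISTER):,.0f}")
    print("Scenarios driving 80% of expected loss:",
          [s.name for s in top_contributors(RISK_REGISTER)])
    print(budget_assessment(RISK_REGISTER, 500_000))
```

The ranking, not the absolute numbers, is what a board can act on: the few scenarios that dominate the expected loss are where preventative spending (question 3) should go first, and re-running the register each quarter with updated estimates is the repetition the article calls for.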
3. How much funding do we need to fight the bad?
This is a straightforward question with an often complex answer. If we cannot reach complete security, how will we know how much to invest? What’s the price of adequate protection? There is no scientific answer to this. It is up to your conviction and estimation. As a rule of thumb, start by comparing to other companies in similar situations and spend what they are spending (as a percentage of overall cost, or perhaps as a percentage of IT cost). Moving forward, as the risk estimation of your organization gets more dependable, the budgetary question will find its natural answer.
4. What preventative actions are we taking?
When you have an idea of the cyber threats you are facing, you can start reducing them one by one. The goal is not to reach 0% risk. That is not possible. The goal is to increase the cost and pain for the adversary. If you are a costly and difficult target, the bad guys will go for other targets. Preventative actions take numerous forms. They involve technology to protect and defend data and systems. They involve services. They involve practices, everyday discipline, checklists, and more. The preventative actions involve listening to industry intelligence, input from external security experts, and threat analysis.
5. What is our readiness when something happens?
Whatever the preventative actions, an organization must always be alert. A bad actor may slip through the defenses and cause an incident. When an incident happens, speed of action (and relevancy of that action) is critical. Only the prepared will fare well in an incident.
6. How do we recover after an incident?
After a security incident has happened and is over, the recovery actions begin. These may include damage payments, insurance payments, customer outreach, government notifications, and so on. Do you know whom to call should you need expert help with the remediation or legal implications? Make sure you have your list ready.
7. Rinse and Repeat.
The goal should be to turn all of the above into a repeating cycle in which you learn and improve at every step. Whether security incidents happen or not, the organization needs to build a system of review and improvement of existing processes. Risks need to be re-evaluated continually. Preventative actions need to be built and renewed, and so on. Security is not an end state but a continuous process. It matters little at what level you start. It matters a lot how you improve cyber-security at every step of the cycle. That is how you reduce cyber risks.
When you diligently go through these seven questions and the answers they produce, you are slowly moving towards a “cyber-smart” culture. In this pursuit, you will learn about specific methods and technologies, while embracing honesty and discipline. And to be successful in reducing cyber risk, you need a “muscle memory” of what to do when an incident occurs. It is as easy as that, and as difficult as that. (HackerOne)