Data breaches are costly. According to a recent Ponemon Institute study, the average breach costs an organisation $3.86 million. A…

Data breaches are costly. According to a recent Ponemon Institute study, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there is still a discernible impact on the organisation’s stock valuation three years post-event.

By Josh Lefkowitz, CEO of Flashpoint

Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cybersecurity must no longer be considered an IT issue; it’s a matter for the board in its role as custodian of shareholder value. By managing cyber risk as part of the overall organisational risk strategy, boards can put it into a commercial context and drive the cultural awareness of risk that is essential to promote cyber resilience across the business.

Making the shift from technology-centric to business-centric risk management

Elevating cyber risk management to the board level is not without challenges, however. We are still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect: many boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the board really needs to carry out effective oversight. This challenge was underlined by EY interviews that found difficulties “obtaining relevant, objective and reliable information, presented in business-centric terms…[and this] affects board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”

This area is where the evolving role of the CISO—sitting between the business and the board—requires a mix of skills. CISOs need both technical expertise in analysing and interpreting threat metrics and technology performance, and the ability to apply these skills in a broader business context for board directors so they can deliver strategic cyber risk oversight and governance for the business.

Reporting to the board – from numbers to narrative

While increasingly boards are factoring cyber skillsets into their succession planning when recruiting new board members, most current board directors don’t have deep experience in cybersecurity. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.

Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DdoS attack might cause reputational risk, operational risk and strategic risk. And, of course, the flipside of risk is compliance, so the board also needs to know how cybersecurity incidents could impact data privacy and governance.

It’s the role of the board to challenge senior management robustly in order to deliver effective oversight, so CISOs should be ready to answer questions around the organisation’s cybersecurity maturity and the frameworks established to manage emerging threats.

However, while numbers and frameworks are valuable in helping boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If board directors are given a window into the environment, tactics, and motivational psychology of actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, board directors can become an asset to the CISO in promoting a cyber risk-aware culture not just as a tick-box exercise, but because they have genuine appreciation of the factors, and indeed actors, in play.

To achieve this board-level buy-in, CISOs need to move from numbers to narrative to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.

It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber-attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.

Deep and dark web forums, chat services, and other platforms are often where cybercriminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, intellectual property, and stolen data may be offered for sale. An overview of the company’s profile across the deep and dark web, as well as other illicit online communities, and the kinds of tactics that are being discussed, is a powerful way CISOs can help directors gain context to understand what the business faces.

Illustrating third-party risk

Third-party risk, including supply chain weaknesses, is a hot topic among board rooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in, or threats to, partner organisations. This intelligence can help boards meet objectives to manage supply chain risk.

Successful cyber risk oversight by company boards relies on them receiving a combination of auditable metrics, risk impact assessments and contextual information enabling them to provide informed oversight of cyber risk. Greater understanding of the threat actor environment also assists boards in leading a risk-aware culture across the business, moving from a tick-box approach to a genuine cultural shift.  

How digitalisation is bringing the fight to industrial security threats ~ It’s no longer a question of whether your business…

How digitalisation is bringing the fight to industrial security threats ~

It’s no longer a question of whether your business will be attacked, but rather when it will be attacked. Cyber attacks, particularly those on public sector and utility businesses, are now a regular, often daily occurrence. Here, Robin Whitehead, managing director of systems integrator Boulting Technology, explains how this is impacting the role of the chief information security officer (CISO) and resulting in the need for end-to-end digitalisation.

It’s a simple fact that data makes the modern economy turn. Being the first business to take action, based on the insights gained from some pivotal piece of information, gives businesses a distinct competitive advantage. However, it’s also quickly becoming a fact of life that the same data is being targeted by skilled cybercriminals intent on stealing this new currency and even causing maximum damage to infrastructure.

We can see the potential scale of cyber crime if we look at the number of data breaches made each month. For example, in December 2017, security firm IT Governance reported that 33.8m records — including a mixture of personal and business information — had been leaked around the world. In November 2017, the number was 59m.

Sophisticated cyber attacks

With the world facing the likes of WannaCry, Petya and NotPetya in 2017, sophisticated cyber threats are the biggest technological fear in 2018. Although sectors such as financial services and the public sector are most at risk, there have also been numerous high-profile attacks on utilities, oil and gas and food manufacturing environments in recent years.

At 9:30am on 27 June, 2017, confectionary manufacturer Cadbury was hit by a cyber attack, which halted production at its Hobart factory in Australia. Computers at the facility were infected with the Petya ransomware virus and displayed a message on the screen demanding payment in cryptocurrency.

Later that same day, NotPetya — a variant of the Petya virus — went on to do further damage to facilities across Europe. NotPetya exploits a backdoor in the update system of a Ukrainian tax-preparation programme running on Windows and used by around 80 per cent of all Ukrainian businesses.

It uses a vulnerability in the Windows operating system called EternalBlue — originally believed to have been developed by the US National Security Agency (NSA) — to encrypt the filesystem’s master file table (MFT), preventing the system from locating its own files.

Launched on June 27, 2017 — on the eve of Ukraine’s Constitution Day holiday — NotPetya quickly spread to networks in Russia, France, Germany, Italy, Poland, the UK and the US and affected many sectors. “It’s massive,” Christiaan Beek, a lead scientist and principal engineer at McAfee, told WIRED about the situation in Ukraine. “Complete energy companies, the power grid, bus stations, gas stations, the airport, and banks are being targeted.”

The new CISO

It should come as no surprise then that the advice of IT and security experts is now being sought at the highest levels of business. The role of the chief information security officer (CISO) is also changing in response. Acting as the head of IT security, the CISO has traditionally been responsible for things like operational compliance and adherence to ISO standards as well as performing IT security risk assessments and ensuring that the business is using the latest technologies.

However, increasingly, the CISO must now also drive IT security and strategy, guiding everyone from the shop-floor staff to the most senior officials in the business on how best to protect them from cyberattacks. The modern CISO now takes a seat at the boardroom table, ensuring business continuity, come what may.

Modern CISOs need to be visionaries and good communicators in their own right, exerting their influence at all levels of the business to bring about long lasting technological and security change.

End-to-end digitalisation

For industrial businesses, this change cannot come soon enough. The desire to integrate manufacturing networks with the outside world and the increased use of smart data is driving efficiencies and cost savings in sectors from food and beverage, pharmaceutical and automotive to utilities such as gas, water and energy. At the same time, it’s also leaving them vulnerable to attacks that can lead to business disruption and extended periods of downtime.

Part of the reason for this is that many businesses have traditionally operated in silos, with information technology (IT) and operational technology (OT) experts not historically well aligned to the same objectives and outcomes. However, as we increasingly use more internet-connected devices such as PLCs, HMIs, intelligent motor control centres (MCCs), telemetry devices and smart meters — all relaying millions of data points to centralised and often remote SCADA and ERP systems — it will become crucial to take a joined-up approach to industrial operations. Cue end-to-end digitalisation.

For many businesses, replacing hardware and software to allow functionality such as standardised Fieldbus communications, real-time cloud data, analytics and centralised control across every aspect of their operations is neither a cheap undertaking nor one that is quick to enact.

After all, most engineering plant managers have built up a complex system over many years, retrofitting new components and modules to existing equipment. This is driving the need for end-to-end digitalisation, moving away from fragmented system control, maintenance and upgrade towards a holistic approach that encompasses system-wide transparency, alarms and notifications, including analytics that can deliver actionable insights to improve process efficiency.

At Boulting Technology we’re helping our customers introduce cybersecurity measures to retrofitted equipment in existing industrial setups. Our range of control systems, networking products, intelligent motor control centres and more, form an integrated system that gives engineers easy and secure access to their operation around the clock. Ultimately, end-to-end digitalisation will help companies respond to attacks and breaches in minutes rather than hours or days.

So, while we come to the realisation that cyber attacks are simply a normal part of doing business, take heed of your CISO’s advice and rethink your end-to-end digitalisation strategy.