Cyber Security in the Board Room

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security

Tags: , , , , , ,

0

Most of us are all familiar by now with the Sony Entertainment hack which happened at the end of last year which had disastrous consequences for the film company. There have been many high profile breaches but this is probably the most notorious hack to date.

The Sony cyber attack resulted in embarrassing emails and personal details of movie stars published over the internet, contract and salary details released and the hackers managed to steal five entire movies! Whilst investigations were underway and the network disabled, Sony employees were left with just a pen and paper and fax machine to carry out their daily business. It has been impossible for business to ignore such high profile attacks which have helped to push cyber security onto most boardroom agendas.

The Thomson Reuters Corporate Governance Survey for 2014 reveals that although Cyber Security was now on the board agenda with 88% of boards including a Cyber Risk category in their Strategic Risk Register.

  • Only 29% viewed cyber threat as a “Top Risk”.
  • Two thirds (67%) of corporate boards are very concerned about cyber risk, but only 44% claimed they actually make decision on the topic.

The question is does the board see cyber security as an integral part of their business risk strategy or rather as tick box exercise that needs to be undertaken in order to satisfy compliance and regulatory departments. It still does not appear to be the case that company executives understand the paralysing nature of cyber crime and the ultimate affect it could have on their company’s profits and reputation.

An important part of any cyber defence approach is education and this must start with senior management. The Thomson Reuters Board Governance Survey found that board members had a poor understanding of the importance of the intellectual property and company data that they regularly carried around with them in person and on personal mobile devices.  A large volume of information was on paper which was rarely officially destroyed after it was no longer required and sometimes left on the train!  All company employees need to be trained in cyber security with the board being no exception.

  • The FTSE350 Cyber Governance Report found that 75% of board members had no cyber security training.

One way of improving this education is through the Chief Technology Officers and Chief Information Officers as the main communicators between IT and the business. A key part of their role is to talk to the company leadership in a way in a way which translates from the IT detail to a business level.

Less technological jargon and more about the people and the processes around which the IT framework sits.

The Government is keen to address this language issue and challenge the common perception that cyber security is an IT problem.  In 2013 it launched it’s 10 Steps Guide to Cyber Security which is a simple framework of 10 questions around information security presented in a more business friendly format. A summary of this document has been published with board members in mind 10 Steps: A Board Level Responsibility. The idea behind the 10 Steps is to encourage organisations to adopt a comprehensive risk management approach from the top.

The BIS 2014 Information Security Breaches Survey found that

  • 81% of large organisations had suffered a breach at an average cost of £600k – £1.5M
  • 60% small business suffered a breach at an average cost of £65k – £115k

A cyber attack experienced by Sony may sound like the stuff of Hollywood movies but the threat is very real, a threat that ultimately will affect the company profits.  A threat to company profits is a threat that any board member cannot afford to ignore.

If you would like any more information on Information Security and ways in which Broadgate can help your organisation please contact:

Kerry Housley
+44(0)203 328 8006

Cyber Warfare: Protection is vital but it’s how you respond

Posted on : 23-12-2014 | By : john.vincent | In : Cyber Security

Tags: , , , , , , , , , ,

0

Last month we wrote an article entitle “Are we heading for a new Cyber Cold war?” – with a focus on the emerging threat from Russia and the fact they are investing some $500m in recruiting a new online army.

The events since then involving the cancelled release of a film by Sony Pictures, following what the US described as an alleged state sponsored act of “cybervandalism”by North Korea, have certainly elevated the narrative to a new level. It will take months for Sony to assess the complete financial impact. Of course there is the obvious loss of revenue by not releasing  the film (it was expected to gross $30m in the first weekend) and millions on marketing wasted…but the most difficult will be the potential cost of a reported 50,000 employees who are suing Sony over leaked personal information.

Whilst President Obama stopped short of calling the attack an act of war, he did label “very costly”, and could land Pyongyang back on the administration’s terror list, a designation lifted by the Bush administration in 2008 during nuclear talks.

To balance the argument, we must point to the fact that the infosec world is somewhat wary of the FBI’s accusations that North Korea was to blame for the attack against Sony. In an interview with The Register, the renowned security commentator Bruce Schneier stated;

“I’ve been very sceptical throughout and now I have no idea,” adding that the evidence the Feds had presented so far was “flimsy at best”.

However, putting the “who did what to who” question to one side, what the whole event has highlighted is the importance for all parties, whether nation state or commercial, to have a clearly defined, understood and rehearsed Incident Response process.

On the positive side, unlike some organisations, Sony Pictures Entertainment (SPE) do have a Global Security Incident Response Team (GSIRT) which monitors systems across the business for indicators of compromise. That said, leaked files related to a security audit show that Sony was having to cope with a significant number of potential breaches, with 193 incidents escalated between September 1st 2013 and 30th June 2014. Also, it reported that out of total number of 869 systems some 149 were not being monitored, stating;

“As a result, security incidents impacting these network or infrastructure devices may not be detected or resolved timely,”….“In addition, procedures have not been developed to reconcile the population of security devices that are being monitored by GSIRT to the actual SPE security devices that should be monitored to validate accuracy and completeness.”

So, what should organisations look at in terms of their readiness to deal with the increasing cyber threat? Mandiant, the leading security response organisation (and part of FireEye), identify a number of areas that companies need to assess, including;

  1. Regulatory Compliance: Do your response strategies support applicable regulatory and legal requirements? This is an increasingly important consideration across all industries. As new regulation emerges to protect customer data off the back of high profile breaches, we can only expect more rigour and oversight moving to the board level.
  2. Organisation: Are staff organised effectively and do they clearly understand their roles and responsibilities during an attack? This is vital. During significant data breaches all staff need to have clarity on how to respond, what the governance process is, who is leading and coordinating activities and very importantly, what the communication channels are.
  3. Training: Do staff have the training they need to respond effectively and efficiently when incidents arise? We take time to ensure that staff are trained on the technical aspects of their job, but we also need to ensure that education of the incident response process is not only performed but also reinforced at regular intervals.  
  4. Incident Detection: Does the organisation have the mechanisms in place to rapidly detect an incident? The statistics vary a little, but it is generally accepted that the average time between infiltration and detection is still over 200 days. More importantly, it is estimated that it takes an average of 32 days to respond to a data breach with the majority actually being notified by their customers! 
  5. Processes: Do you have a clear process for rapidly responding to potential data breaches? We’ve spent many years testing and rehearsing our business continuity and disaster recovery processes for dealing with external threats or infrastructure failures. Organisations need to ensure that the various cyber threat scenarios are added and tested at regular intervals.
  6. Technology: Does the organisation have the necessary hardware and software to respond across your enterprise? Sadly, whilst often breaches are inevitable, there is much that can be done to ensure that the security mechanisms implemented at the technology level are as robust as possible. Indeed, the systems and software to do this have evolved significantly from traditional firewall and perimeter defences. It’s an ongoing process, so if you haven’t assessed your own controls recently then it’s time to do so!

Recent incidents have highlighted how important it is for companies to really understand the risk posed by cyber threats, specifically in terms of what are the “crown jewels”, and the fact that they should be central to any operational risk strategy. We believe it is only a matter of time before companies are required to disclose all breaches and include in the annual reports (we also expect to see a rise in cyber insurance and a need to demonstrate that adequate controls are in place).

So, as we move into 2015 we can only expect to see more focus on combating the cyber threat.

 

Broadgate Consultants work with clients to assess their security readiness – if you would like to find out more please contact:

jo.rose@broadgateconsultants.com.

 

Data Analytics – Big in 2013…Bigger in 2014

Posted on : 31-01-2014 | By : john.vincent | In : Data

Tags: , , , , , , , , , , ,

0

We didn’t produce our annual predictions this year, but as we approach the end of January we thought the topic of data analytics trends deserved some attention. So, we’ve listed the Top 5 trends in this space that we believe will be prominent, or emerge stronger, during 2014. We strongly believe that the data analytics theme and driving decisions and future strategies will be at the forefront (see our other article on moving from hype to execution).

As always, we are interested in your thoughts!

1) More emphasis on Predictive Analytics

Looking back on past performance, peer groups and trends has been the traditional way of shaping and product and service strategies. However, with the improvement in predictive analytics, both from an infrastructure perspective with products like Hadoop managing unstructured data inputs, tools and a new breed of Data Scientists, technology leaders can now work closely with the business to drive decision making.

2) The Mobile Data surge continues

Seems that consumers can’t operate now with their trusty smartphone or tablet. Indeed, it is estimated that in 2014 mobile internet traffic will overtake desktop usage. With the amount of data that consumers download (and tariff limits increasing accordingly), the possibilities of companies using this information to analyse customer behaviour and adapt accordingly is huge.

3) Wearables and the “Internet of Things” revolution

For the first time we are seeing this whole subject make its way onto the CIO agenda. In 2013 we saw some activity, with the release of watches from Samsung and Sony (and the continued speculation of iWatch in 2014), smart health monitors, telematics devices and so on. For this year, expect the pace to pick up with organisations looking at new products and how to tailor the data to differentiated service offerings (such as insurance premiums).

4) Data Visualisation – Part of Business as Usual

The ability of business users to take more control of the organisational data, drive “what if” scenarios and visualise through dashboards have really taken off in the last few years. Once the data was transported out of the rigidity and control of central IT departments through to the users for agile manipulation, products like Qlikview, Tableau, Board and the like have really taken off. We expect this to become an expected part of the end user toolkit in 2014 and also see some consolidation/acquisition in the provider market.

5) On-Demand Analytics develops further

Cloud computing made great steps in 2013, with Microsoft Azure, Amazon Web Services and other providers extending the infrastructure, product sets, security and pricing to a level that is starting to entice customers away from build to buy.  We expect a further increase in shifting from on-premise infrastructure to running data compute analytics and business intelligence in the Cloud in 2014.