The Five Anchors of Cyber Resilience: Why some enterprises are hacked into bankruptcy, while others easily bounce back
Ebook, 272 pages, 5 hours


About this ebook

Cybersecurity is a key priority for company directors, business executives, chief information security officers, and risk-management professionals across all sectors.

In The Five Anchors of CYBER Resilience, Phil Zongo, an award-winning cybersecurity expert, strips away the ambiguity and complexity associated with cyber security, and offer

Language: English
Publisher: ciso advisory
Release date: Jun 15, 2018
ISBN: 9780648007852
Author

Phillimon Zongo

Phil Zongo is an experienced cybersecurity expert, strategic advisor, author and public speaker. In 2017, Zongo was honoured with the 2016-17 ISACA's Michael Cangemi Best Book/Article Award, for his article, 'The Automation Conundrum'. This global award recognises individuals who made major contributions to publications in the field of IS audit, control and/or security. In 2016, Zongo won ISACA Sydney's first Best Governance of the Year Award, in recognition of the thought leadership he contributes to the cybersecurity profession. Over the last 14 years, Zongo has advised several business leaders on how to cost-effectively manage business risk in complex transformation programs. Zongo has been featured at several conferences and at university forums where he delivered cutting-edge insights into disruptive trends, such as cyber resilience, blockchain, artificial intelligence and cloud computing. He lives in Sydney, Australia, with his wife and two children.

    Book preview

    The Five Anchors of Cyber Resilience - Phillimon Zongo

    1 CYBERSECURITY as a strategic matter

    Today, very few actions in life matter more than addressing the growing threat posed by cybercrime to individuals, enterprises and nations. Hardly a week goes by without a major data breach making global news headlines. It seems the risk posed by tenacious threat actors grows in frequency and impact each day.

    Every enterprise – no matter how big or small – faces the daunting task of defending itself against increasingly brazen, well-funded and capable cyber threat actors. There is no underestimating the difficult situation most enterprises find themselves in. Enterprises cannot afford to delude themselves about the current state of affairs – protecting against the soaring threat of cybercrime has never been more important. Discounting cybercrime is not just negligent; it’s dangerous.

    If the past few years have confirmed anything, it is this: there is now no escaping the risk of cybercrime. Cyber threat actors have burrowed deeply into heavily fortified banks, implanted stealthy programs within and exfiltrated millions of payment card details and sensitive information to sell on the darknet. They have targeted energy companies with meticulous precision, paralysing critical infrastructure and sending thousands of households into darkness, as well as crippled central heating systems, forcing many to endure freezing cold winters. They have crept into high-tech firms undetected, and swiped high-value intellectual property worth billions of dollars – information that took years of research to develop.

    In a recent controversial case, a hacking group ripped up the database of a website designed to enable people to cheat on their spouses, exposing details of 37 million individuals (including nude photos, sexual fantasies, real names and payment card details) engaged in illicit affairs.¹ This led to multiple cases of blackmail and divorce, personal disgrace and, in some extreme cases, suicide. In other areas, cybercriminals have intercepted sensitive mergers and acquisitions negotiations, pocketing hefty profits by taking illegal market positions way before significant deals were finalised. These vandals have remotely commandeered printers, webcams, residential gateways, baby monitors, camcorders and other internet-connected devices, turned these devices into zombies and forced them to participate in debilitating attacks, unbeknown to the device owners.

    In the political arena, cybercriminals catalysed the impeachment of Mian Muhammad Nawaz Sharif and Sigmundur David Gunnlaugsson, Prime Ministers of Pakistan and Iceland respectively.² After infiltrating Panama-based law firm Mossack Fonseca, hackers publicly exposed more than 11.5 million secret financial and legal records (approximately 2.6 terabytes of information), revealing the identity of several high-profile individuals involved in underhand dealings, including Sharif and Gunnlaugsson.³

    The growing list of egregious cyber attacks continues to convey a steady and unambiguous message – this threat will only grow wider and grislier. Each incident paints a sobering picture of the state of some enterprises, many of which appear ill-equipped to handle this trial. The origin of their predicament lies in many factors, but particularly the following five:

    » Limited executive buy-in into cybersecurity programs

    » A growing list of poorly secured business partners

    » A gullible or poorly trained workforce

    » Heavily diluted, one-size-fits-all strategies

    » A consistent failure to bake security into digital transformation programs.

    No individual, enterprise or nation is immune to cyber risk. Whatever the business context, there is a strong possibility that cybercrime will have an impact on any given enterprise. The crucial question is no longer if, but when.

    Consider this: in 2015, a hacker code-named Phineas Fisher – who sometimes refers to himself as ‘anarchist revolutionary’ – claimed to have single-handedly hacked the HackingTeam (an Italian company dedicated to developing spyware and hacking programs for police and intelligence agencies across the world) and silently exfiltrated approximately 400 GB of data, including internal emails and the source code of the HackingTeam’s proprietary surveillance software.⁴ The incident, among a myriad of others, begs an important question: if a lone hacker can breach the security of a firm whose mission is to develop advanced cyberweapons, how much damage can a highly resourced, formidable and inventive cybercriminal syndicate cause against a traditional enterprise?

    It also seems that spending millions of dollars on state-of-the-art technologies is no remedy for cyberthreats. The growing list of multi-billion dollar enterprises falling victim to high-profile data breaches continues to provide a sobering reminder that neither size nor abundance of resources can shield an enterprise from resourceful attackers.

    The five anchors of cyber resilience

    Given the increasing effectiveness, sophistication and frequency of cyber attacks, most enterprises now find themselves in a difficult position. Combating this lethal business threat will certainly be pricey and complex, but the task is pressing. Corporate directors now widely acknowledge this inescapable reality and are eager to entrench cybersecurity into strategic and operational decision-making. However, without clear guidance on how business leaders can create high-impact, focused cybersecurity strategies, the idea of cyber resilience remains a distant dream for many enterprises. Faced with a barrage of high-profile data breaches, some crippling even the most resourced and complex of enterprises, some business leaders now harbour deep-seated reservations that cyber threat actors are undeterrable and cyber resilience is unachievable. Inside boardrooms, there is a significant amount of justified frustration. Most leaders feel like passengers on a run-away train that the driver can neither control nor stop.

    These are reasonable sentiments, but they also raise important questions. Why are some enterprises able to withstand cyber stresses while other enterprises are hacked into bankruptcy? And why can some companies bounce back as quickly as they are taken down?

    The Five Anchors of Cyber Resilience tackles this vexing question by helping business leaders focus on five strategic aspects of cybersecurity that, if properly implemented, will significantly reduce any enterprise’s cyber-risk exposure while keeping costs at a minimum. Mastering these five essential domains can spell the difference between an enterprise’s success and failure.

    So, what are these ‘five anchors’? What do cyber-resilient enterprises do differently from other enterprises?

    1. They build their cybersecurity strategy centred on high-value assets

    Cyber-resilient enterprises steer away from conventional, one-size-fits-all cybersecurity investment models and prioritise the protection of their crown jewels – their most critical information assets, which, if compromised, could severely undermine the enterprise’s bottom line, competitive advantage, reputation, or even threaten its survival. They are willing to break down barriers and redefine how cybersecurity is done. These digital assets represent the heart of the enterprise and underlie business functions that deliver high return on investment for stockholders and product offerings that customers value highly. They then build security infrastructure that actively supports these priorities.

    Unlike the many enterprises that start with a predefined set of controls and then build security frameworks based on ‘best practice’, cyber-resilient enterprises think differently – they place the customer at the centre of everything they do. By building customer-centred cybersecurity models, cyber-resilient enterprises shift the oft-held perception of security (and technology at large) as a cost centre to that of an integral force that empowers business growth and buttresses customer trust.

    They also acknowledge that times have changed: consumer digital experience is now a key differentiator – protecting the enterprise while meeting the demands of today’s empowered consumer is a careful balancing act. To that end, cyber-resilient enterprises actively manage the seemingly conflicting demands of convenience and security – they don’t prioritise one at the expense of the other. When designing new digital solutions, cyber-resilient enterprises always start with the end customer, and then design dynamic security solutions that enable customers to opt into security features based on their appetite for risk, rather than sticking to widely resented binary security models.

    2. They put people at the centre of their cybersecurity strategies

    Cyber-resilient enterprises put people’s hearts and minds, not technology, at the centre of their cybersecurity strategies. They create deeply entrenched beliefs that protecting the enterprise from cyberthreats is everyone’s responsibility, from the board of directors through to frontline personnel. Cyber-resilient enterprises transform employee attitudes and behaviours through compelling and contextualised messages; reinforce good deeds; and provide steadfast, clear and frequent messages from the top. These enterprises know that cyber resilience transcends technology – the real work of defending the enterprise takes place within business teams and is underpinned by shared norms and values. They extend the scope of their cyber-awareness outreach beyond the periphery of the enterprise and empower their customers and business partners with real-time, practical insights. Their people embrace the precepts of the enterprise’s cyber-risk appetite of their own volition and go well beyond the call of duty to protect the enterprise.

    3. They bake cybersecurity into innovative programs

    Cyber-resilient enterprises recognise that, if properly governed, emerging technologies – such as big data, cloud, the internet of things (IoT), blockchain, artificial intelligence (AI) and so forth – have strong potential to accelerate innovation, revitalise customer experience and boost competitive advantage. They actively resist the urge to defer security work, making it an enduring and inescapable facet of all digital transformation programs. They are constantly thoughtful and diligent about the security decisions they make as they embrace disruptive technologies, anticipating major pitfalls early and embedding security deeply into design work. Cyber-resilient enterprises also maintain clear road maps to ensure security capabilities keep up with an ever-changing threat landscape.

    4. They implement a risk-based assurance program over suppliers

    Cyber-resilient enterprises acknowledge that, in today’s fast-paced business environment, businesses need to partner with external suppliers to access innovative solutions, lower costs or refocus on their core areas of differentiation. But they don’t enter these alliances blindly – the majority of debilitating cyber attacks have emanated from poorly secured third-party environments. Cyber-resilient enterprises manage this complexity by implementing risk-based cyber assurance programs over suppliers, enabling the enterprise to adapt quickly to changing market opportunities, stimulate innovation and access unique capabilities, all while minimising exposure to cyberthreats that emanate from poorly secured business partners.

    5. They create highly effective, lean and efficient governance structures

    Cyber-resilient enterprises acknowledge that board oversight and C-suite leadership are essential to driving any transformational change, and that cybersecurity is no exception. Their most senior business officers and the board of directors provide unwavering support for cybersecurity programs. They role model expected behaviours and uphold the virtues of their cyber-risk appetite. They embed cyber-risk governance into the bloodstream of their enterprises, making it an inevitable and inconspicuous part of strategic and operational decision-making, and, as a result, foster transparency and accountability. Cyber-resilient enterprises reject needlessly complex and rigid decision-making structures that impede prompt strategy execution. Instead, they favour lean and efficient structures that can rapidly and flexibly adapt to reflect changing market needs or business circumstances.

    Granted, every enterprise is different – there is no universally right cybersecurity strategy. This is a consistent message throughout this book. Like any risk management framework, The Five Anchors of Cyber Resilience methodology does not claim to eliminate cyber risk completely, but does intend to help business and technology executives across different sectors focus on some of the most pressing challenges they face in the current business landscape.

    There is certainly no one-size-fits-all approach to cyber resilience – there are still more controls enterprises can implement – but I believe these five are the most essential. By embracing the practical guidance provided by this book, enterprises can significantly improve their chances of defending against cyberthreats. Thus, the Five Anchors of Cyber Resilience methodology complements good practice frameworks – it doesn’t replace them.

    2 The rise of CYBERCRIME

    It is clear that the stakes couldn’t be any higher; cybercrime is costing the global economy more than US$500 billion annually, and the costs are soaring. This cost is bigger than the gross domestic product of 82 combined economies, using the World Bank 2016 Gross Domestic Product Statistics.⁵ A growing body of evidence suggests cybercrime costs could be as high as US$1 trillion. In their 2016 report, the Atlantic Council and Zurich Insurance Group predicted that ‘the global economy is reaching the tipping point when the annual costs of cyber disruptions begin to reduce the incentive for doing business in a connected world’.⁶ The report projected that this scenario, driven by increased security risks to the infrastructure, could eventuate as early as 2019.

    In the early years of the 21st century (2000–2005), the cybercrime world was dominated by juvenile hackers, commonly known as ‘script kiddies’. Script kiddies defaced public websites from the comfort of their parents’ basements using borrowed hacking tools to earn bragging rights or out of intellectual curiosity. The effects of their activities were largely an annoyance, and enterprises were able to contain them with minimal damage to their bottom lines. Most technology firms never envisaged a cybercrime world beyond these lone and unsystematic reprobates. The cyber landscape certainly looks very different today.

    In the ensuing decades, cybercrime has grown into a thriving, multibillion-dollar industry dominated by highly organised, capable, well-funded and merciless criminal organisations. These syndicates operate from several jurisdictions to anonymise their activities and evade prosecution. They are increasingly agile and inventive, developing stealthy programs that can easily evade traditional security defences, thanks to a growing base of resources and an absence of regulation – factors that often stifle innovation for legitimate enterprises. In 2014 alone, cyber threat actors published more than 317 million new pieces of malware, equating to approximately one million new threats per day.⁷ During the same year, McAfee Labs, a cybersecurity research firm, detected 638,000 new ransomware variants. Ransomware is a nasty form of malware that blocks access to critical files using heavy-duty encryption before demanding that the victim pay a ransom in the form of a cryptocurrency (mostly Bitcoin). In 2015, that number shot up to nearly 3.8 million.⁸

    Cyberthreats continue to grow in frequency and impact each day. No wonder Warren Buffett, the respected Chief Executive Officer and Chairman of Berkshire Hathaway, stated in his 2017 annual address that cybercrime is one of the gravest risks facing humankind, even ranking it above nuclear attack.

    The breadth and depth of this menace has escalated far more rapidly than many pundits had predicted, further deepening concerns that, as time passes, the ability of enterprises to defend themselves will weaken further. Cybercrime has certainly emerged as an unavoidable priority for business leaders across all sectors.

    Effective implementation of each Anchor of Cyber Resilience requires business leaders to have a good understanding of the complex infrastructure behind soaring cybercrime, as well as related impacts to enterprises, economies, vital institutions and the public. In this section, we will look at the relationship between cybersecurity and innovation, how cybercrime has evolved, and then explore in further detail the fundamental factors that I believe have fuelled the explosion of cybercrime. Understanding these factors is essential for enterprises seeking to strengthen their cyber-resilience, and has been the key to my own development of The Five Anchors of Cyber Resilience framework.

    Cybersecurity and innovation: A double-edged sword

    The traditional enterprise network perimeter – historically protected by firewalls, antivirus software and segmented networks – is fast dissipating. More and more enterprises are migrating mission-critical applications into the public cloud, fuelled by the promise of greater financial flexibility, the ability to provision infrastructure on the fly and faster time to market. Cloud benefits are unquestionable, but this also means the cybersecurity game changes dramatically. By sharing virtualised infrastructure with unknown entities and ceding vital responsibilities to cloud service providers, enterprises are exposing themselves to a new breed of cyberthreats and vulnerabilities. As businesses move to the cloud, or merge with or acquire unrelated entities, the task of protecting high-value digital assets becomes complex and daunting, particularly as they integrate with smaller organisations that lack sufficient capabilities to defend themselves.

    On top of the effects of cloud computing and outsourcing there is another factor dissolving network perimeter security: the ‘bring your own device’ (BYOD) concept, whereby businesses allow employees to connect their personal devices – including smartphones, tablets or laptops – to corporate networks. The upside of this policy shift is straightforward – a lower total cost of ownership, the creation of flexible and collaborative workplaces with the potential to attract and retain top talent, and a boost to productivity by allowing employees to work anywhere, anytime. But unmanaged mobile devices are now a major source of cyberthreats, particularly through malware hidden inside poorly vetted mobile applications (apps). A 2016 report by the security firm McAfee noted
