BreachExchange mailing list archives

Cybercrime: The Next Entrepreneurial Growth Business?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Oct 2014 20:16:26 -0600

http://www.wired.com/2014/10/cybercrime-growth-business/

Cyberspace is constantly evolving and presenting organizations with new
opportunities, as businesses rush to adopt new technologies such as using
the Internet to open new channels and moving to cloud services. But it also
brings unanticipated risks and inadvertent consequences that can have a
real negative impact.

Hardly a day goes by without news of a new cyber threat, or major data
breach, arising from “malspace” — an online environment inhabited by hacker
groups, criminal organizations and espionage units. Regularly we’re
reminded that these international groups have access to powerful, evolving
capabilities, which they use to identify, target and inevitably, attack.

The recent revelation that a Russian crime ring has amassed the largest
known collection of stolen Internet credentials, including 1.2 billion
username and password combinations and more than 500 million email
addresses simply reinforces the fact that cybercrime is something that has
the potential to affect all of us, from the individual to the largest
corporations.

With Opportunities Come Serious Risks

Cyberspace has become an increasingly attractive hunting ground for
criminals, activists and terrorists motivated to make money, get noticed,
cause disruption or even bring down corporations and governments through
online attacks. In this day and age, organizations must be prepared for the
unpredictable so they have the resilience to withstand unforeseen, high
impact events.

McAfee recently reported that cybercrime is a growth industry where the
returns are great and the risks are low. In fact, McAfee estimates that the
likely annual cost to the global economy from cybercrime is more than $400
billion, a number that is more than the national income of most countries.
Unfortunately, governments and businesses tend to underestimate how much
risk they face from cybercrime and how quickly this risk can develop.

Cybercrime, the rise of online causes (hacktivism), the growing cost of
compliance with an increasing number of regulatory requirements, and the
relentless advance of technology, all against a backdrop of under-investment
in security departments, can combine into a perfect storm. With cyberspace
so critical to everything business related, from supply chain management
(SCM) to customer engagement, holding back adoption or disconnecting from
cyberspace completely is not realistic. But the commercial, reputational
and financial risks that go with a cyberspace presence are real and growing
every day.

If senior executives don’t understand cyberspace, they will either take on
more risk than they would knowingly accept, or miss opportunities to
further strategic business objectives such as increasing customer
engagement or market leadership. These organizations are more likely to
suffer embarrassing incidents, and when they do, the impact will be greater
and longer lasting.

Understanding cyber risks and rewards is also fundamental to trust. If
organizations can’t maintain a trusted environment in which to communicate
and interact with their customers, their business could suffer or even
collapse.

Cybersecurity Is Not Enough

So all businesses need to do now is establish cybersecurity within their
organization, right? Wrong!

Establishing cybersecurity alone is not enough. Today, risk management
largely focuses on achieving security through the management and control of
known risks. The rapid evolution of opportunities and risks in cyberspace
is outpacing this approach and it no longer provides the required
protection. Organizations must extend risk management to include risk
resilience, in order to manage, respond and mitigate any damaging impacts
of cyberspace activity.

As I alluded to earlier, cybercrime often involves sophisticated, targeted
attacks against an organization, and additional security measures are
required to respond to specific cybercrime-related attacks and to put in
place cyber resilience programs that anticipate uncertainty. There is an
ever increasing need for a prepared and comprehensive rapid-response
capability, as organizations will continue to be subject to cyber-attacks
regardless of their best efforts to protect themselves.

Cyber resilience anticipates a degree of uncertainty: it’s difficult to
undertake completely comprehensive risk assessments about participation in
cyberspace. Cyber resilience also recognises the challenges in keeping pace
with, or anticipating, the increasingly sophisticated threats from
malspace. It encompasses the need for a prepared and comprehensive
rapid-response capability, as organizations will be subject to
cyber-attacks regardless of their best efforts to protect themselves.

Above all, cyber resilience is about ensuring the sustainability and
success of an organization, even when it has been subjected to the almost
inevitable attack.

Re-Examine Existing Cyber Resilience Assumptions

The first action businesses must take is to re-examine the assumptions the
organization has made about the Internet and adapt their cyber resilience
to this new paradigm. For example, one identified threat is that a key
component of Internet security, encryption, may fail to hold up. This
points to the need to take action immediately. Waiting for the ball to drop
is not advisable.

Secondly, resilience to ongoing threats of operating in cyberspace must be
reassessed regularly as:

"Cybercriminals are still well ahead of information security professionals.
The bad guys are getting better at what they do faster than ever before. At
the same time, the good guys often struggle merely to respond. The
situation is made worse by cybercriminals having no budget restrictions,
nor having to conform to legislation or comply with regulations — an
increasing burden for organizations.

"The cost of investigating, managing and containing incidents will rise as
they grow more complex and regulators’ demands increase.

"The insider threat will continue to challenge organizations, because
people will remain the weakest link in information security. Whether it is
through deliberate or inadvertent actions, organizations will still face
threats from within."

Finally, although governments have a role in securing cyberspace, it’s
highly unlikely that they will clean up the mess they’ve made over the next
two to three years. Regulations and law enforcement can’t keep up with the
speed of technology, and for this reason organizations need to give
immediate consideration to additional actions they may wish to take to
counter possible impacts from the recent disclosures.

Frankly, no one can better protect an organization’s information than the
organization itself.

Creating a Cyber Resilience Team

Cyber resilience requires recognition that organizations must prepare now
to deal with severe impacts from future cyber threats that cannot be
predicted or prevented. Traditional risk management is insufficient to deal
with the potential impacts from unforeseen activities in cyberspace. That’s
why enterprise risk management must be extended to include organizational
risk and cyber resilience — just ask Target, Neiman Marcus, Michaels and so
many others.

To achieve this goal, I strongly recommend that your organization
establish a crisis management plan which includes the implementation of a
formal Cyber Resilience Team. This team, made up of experienced security
professionals together with representatives of employees, investors,
customers and other stakeholders, will become the driving force behind your
cybersecurity initiatives. The Cyber Resilience Team will be charged with
ensuring that necessary communication takes place between all relevant
players, and with making sure all facts are determined for each incident
in order to put a comprehensive and collaborative recovery plan in place.

Today’s most successful, and cyber-resilient organizations, are appointing
a coordinator, such as a Director of Cybersecurity or a Chief Digital
Officer (CDO), to oversee all activities in cyberspace and to apprise the
board of its responsibilities for operating in cyberspace. This coordinator
also highlights the board’s obligations to establish cyber resilience
programs that protect the organization’s assets and preserve shareholder
value. Such efforts are especially important due to all of the legal facets
of doing business in cyberspace.

Do I Need Cyber Insurance?

Privacy exposure has been a key motivator for some organizations to
purchase cyber insurance. Others are motivated by growing regulatory
exposure. It’s no longer just the organizations that we’ve traditionally
focused on, including financial institutions, retail, healthcare and higher
education. These industry groups have been buying insurance for a long
time. The healthcare industry players have been particularly large buyers
of cyber insurance, due to the enormous volumes of customer data they have
to handle. I’m also seeing players in a number of new industries, such as
manufacturing and supply chain, who are purchasing cyber insurance because
it’s a regulatory concern.

But remember: cyber insurance is no replacement for sound cybersecurity and
cyber resilience practices. On the contrary, well-resourced practices that
comply with industry standards can often reduce the premiums for cyber
insurance. Secondly, look very carefully at the small print: many policies
do not cover state-sponsored attacks and may not provide the full financial
cover that you would wish.

Next Steps

Data breaches have become a regular feature of modern life. This will
continue as long as efficiency and ease of data access trump security, a
state of affairs which makes economic sense for many organizations, that
is, until they suffer a breach of their own. Once a breach happens, the
value of security as a business enabler becomes clearer. Prevention and
detection will evolve, but will continue to rely on technical and
intelligence-based solutions. This will involve a limited number of
stakeholders and departments who implement the basics and thereby manage
the majority of information risk.

The real difficulty lies in acknowledging that breaches are inevitable, and
that resources invested in advance can pay dividends when a crisis occurs.
It takes maturity for an organization to recognize it cannot control the
narrative after a data breach goes public, and that leadership involves
being honest and transparent with customers to maintain credibility in
difficult circumstances. A robust breach response begins before things go
wrong, including the development of a plan, regular scenario planning,
taking decisive action and managing the message. These actions will involve
a wide range of internal stakeholders, and may involve the services of
external crisis management and media experts.

In a world where data breaches are becoming all too common, organizations
that produce an imaginative and credible response will have a comparative
advantage over those that are slow and confused, and this will translate to
tangible business value. By instituting a Cyber Resilience Team, and
adopting a realistic, broad-based, collaborative approach to cybersecurity
and resilience, government departments, regulators, senior business
managers and information security professionals will be better able to
understand the true nature of today’s increasing cyber threats and respond
appropriately.

Remember: Don’t think cybersecurity. Think cyber resilience…in everything
that you do.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
