Executive Insight by George Patsis | Published on SC Magazine UK
Though long-term estimates are notoriously tough to pin down, contested assessments on the cost of cyber attacks range from approximately £300 billion for 2014 to more than £2.2 trillion by 2020 (a figure, if true, larger than the global illegal drugs market).
Despite the fact that according to analysts, year-on-year spending on cyber-security is growing, there is no decrease in cyber-attacks and no stabilisation in the industry. Despite the best efforts of the cyber-security industry, the absolute number of breaches continues to increase remorselessly.
At the same time, companies are unable to keep pace. According to McKinsey’s Cyber Risk Maturity Survey, large companies are reporting cross-sector gaps in their risk management capabilities. 90 percent had nascent or developing capabilities, leaving only five percent at a mature state.
Notably, there is no correlation between spending levels and risk management maturity. Corporations are suffering overkill from the plethora of seemingly endless technologies required to protect their enterprise. Although they have invested in the latest technology, clients still are still unable to detect cyber-threats early in the attack lifecycle.
To address those challenges, the focus has been to integrate data into one single data pool structured or unstructured independently of the underlying technology. A huge market (MDR, Analytics, SIEM) is now evolving which is centered around analysing data to identify and detect targeted or mass focused cyber-attacks. At the same time, extremely valuable security-related structured and unstructured data and metadata within the organisation remain unused, fragmented, isolated and mostly static.
Clearly technology on its own can never be the sole solution, as organisations cannot rely entirely on security products to identify and prevent threats without taking account of other risks such as the human factor. Technology will never be sufficient to prevent security incidents from happening, as it is a mathematical certainty that systems will fail at least once within their lifetime.
Forced to follow a technology-based approach, companies assess threats purely from a threat and technology context and run the danger of over-protecting, and overreacting against what may be low-risk threats while letting through far more serious attacks. Obvious implications are high operating expenditures, ineffective resource allocation, increased compliance risks and vulnerable security architectures.
And when there is a cyber-breach, some companies, who have initially mistaken the nature of the cyber -they face, fail to react in time. In Obrela’s experience, some companies can take up to 200 days to identify and respond/contain a breach – by which time, it is, of course, too late and far too expensive.
Not ‘if’ but ‘when’ and how often’?
Very few companies invest enough in being able to respond to a successful breach. It is no longer a question of ‘if’ but rather ‘when?”. Immediate containment of breaches when they do occur is essential to save costs, damage and reputational loss.
When an emerging security breach has been identified, quantifiable risk assessment is essential in deciding how to proceed. The legal decision that has to be made urgently is whether to gather data for a legal case or limit damage by stopping the attack but at the same time risk losing the case. Most organisations need third-party advice when making this kind of evaluation.
It is essential that companies design their security as a continuous process of awareness, preparedness and readiness that enables them to assess the danger posed by each threat they can respond commensurately to the business risk. Risk management has to be the core of any such process not the aftermath, as with any other business function.
Effective cyber-risk management is also a key enabler for the evolution of the cyber-security market, as evidenced by the fact that companies find it almost impossible to hedge their risk through insuring against the consequences of a successful cyber-attack.
“When considering the impact of potential cyber exposures, underwriters need to focus on the potential changes to frequency, severity, and systemic risk that cyber-exposure may cause. Unfortunately, the current lack of data and loss experience in many classes makes assessment difficult,” says the Lloyd’s Market Association (LMA).
The recently-published LMA report, “Cyber Risks & Exposures Model Clauses: Class of Business Review” found that malicious and/or non-malicious cyber incidents were excluded in most classes covering physical damage losses. Outside the specialist cyber-market, less than three percent of conventional contracts underwritten at Lloyd’s last year explicitly included cyber-risks.
Neither enterprises nor the cyber-security industry itself have had any way of quantifying the level of risk any particular organisation faces at any specific time. Without efficient integrated cyber-risk management, companies are protecting themselves from some attacks and letting others through, with no real grasp of the potential consequences.
Monitoring and evaluating cyber-risk, however, requires properly balanced preventive and reactive controls that engage technology as much as people. Human intelligence is still the heart of every security system. People are indispensable to evaluate an incident and decide the response strategy during a crisis. Cyber-security cannot, however, rely on human judgement without essential procedures to mandate the conditions under which people and technology interact with each other. In fact, cyber-criminals and fraudsters base their attack strategies on weak process models and unaware people.
Clearly a mindset shift is required. Integrated Cyber Risk Management is all about integrating people, process and technology and managing risks in real time. Emerging Integrated Cyber Risk Management (ICRM) solutions can deliver 3D (three dimensional) information security primarily through the integration of people, process and technology and can greatly improve an organization’s information security posture, by controlling and monitoring not only technology related aspects but also human actor procedures. By bringing all three elements together, information security becomes a single system – one that can be measured and monitored holistically.
But it is crucial that control can be centralised. Centralisation and automation can substantially improve visibility, while also enable process monitoring and the introduction of sophisticated controls that focus and minimise the human factor and process-related risks. This risk management and assessment in real time is a vital component on almost every engineering achievement of critical nature (aerospace, defence).
A new era for information security will emerge as soon as vendors and the market realise that methods, products and services must be challenged to address the enterprise and the root causes of vulnerable infrastructures rather than developing painkillers for the emerging security threats. Cyber Risk Management technology evolution will enable new market players – Cyber Security Operators and their role will be to manage cyber-risk (rather than threat) with cyber-risk management at the core of their service provisioning.
By buying in cyber-risk-management-as-a-service, companies will be able to manage cyber-risk in the same way as any other risk in order to achieve visibility across their business. It will further enable companies to incorporate cyber-security into the core of product and service design.
It will further allow the insurance market to enter the cyber-world, this time leveraging a down-to-earth (rather than inherent) risk underwriting process and even create new innovative cyber-insurance products jointly with the cyber-security industry to address a wider market. The insurance market will work as a catalyst for the market to self-regulate and things will finally start to improve.