Arby's. InterContinental Hotels Group. Equifax. Deloitte. The U.S. Securities and Exchange Commission. Saks Fifth Avenue. UNC Health Care. Gmail. These are just a handful of the organizations that experienced a data breach in 2017.
But as these major cyber incidents grabbed international headlines week after week, were mulled over by regulators and legislatures across the globe, and spawned a slew of lawsuits, many organizations continued to struggle to comprehend and manage emerging cyber risks, according to PricewaterhouseCoopers' (PwC's) recent report, The Global State of Information Security Survey 2018 (GSISS).
The survey of more than 9,500 CEOs, CFOs, CIOs, CISOs, CSOs, vice presidents, and directors of IT and security practices from 122 countries found that the biggest potential consequences of a cyberattack were disruption of operations (40 percent), compromise of sensitive data (39 percent), harm to product quality (32 percent), physical property damage (29 percent), and harm to human life (22 percent).
"Yet despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them," the survey said. "Forty-four percent of the 9,500 executives in 122 countries surveyed by the 2018 GSISS say they do not have an overall information security strategy. Forty-eight percent say they do not have an employee security awareness training program, and 54 percent say they do not have an incident response process."
That's not to say, however, that executives assessed their preparedness uniformly across the globe.
For instance, in Japan 72 percent of organizations said they had an overall cybersecurity strategy—possibly because cyberattacks are seen as the leading national security threat in the country.
But high preparedness does not translate into low risk for cyberattacks or incidents. The survey explained that while the United States is ranked second—behind Singapore—as the nation most committed to cybersecurity, it's still vulnerable to the number one business risk in North America: "large-scale cyberattacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the Internet."
The survey further explained that, based on U.S. Department of Homeland Security assessments, if more than 60 U.S. critical infrastructure entities were damaged by a single cyber incident, it "could reasonably result in $50 billion in economic damages, or 2,500 immediate deaths, or a severe degradation of U.S. national defense."
Given this threat, PwC found that cyber-resilient organizations will be those "best positioned to sustain operations, build trust with customers, and achieve high economic performance."
"Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable," said Sean Joyce, PwC's U.S. cybersecurity and privacy leader, in the survey.
To achieve this level of resilience, the survey results suggested seven initiatives: having leaders assume greater responsibility for building cyber resilience, digging deeper to uncover risks, engaging the board, pursuing resilience as a path to rewards, leveraging lessons learned, stress-testing interdependencies, and focusing on risks involving data manipulation and destruction.
Leadership. Most organizations' boards are not shaping their security strategies or investment plans—just 44 percent of GSISS respondents said that their corporate boards actively participate in their companies' overall security strategy.
"Senior leaders driving the business must take ownership of building cyber resilience," the report said. "Establishing a top-down strategy to manage cyber and privacy risks across the enterprise is essential. Resilience must be integrated into business operations."
That philosophy has to be driven by the board and the CEO, says Ryan LaSalle, security growth and strategy lead at Accenture.
"If security is kind of an outsourced risk manager, where you throw risk over the wall and hope security catches it, it fails," he explains. "The only way security becomes more effective after all the innovation and investment's gone into it is if the business is accountable for it, and it's across the business."
Risks. Cybersecurity threats change daily, and organizations that want to increase their resilience need to uncover and manage the new risks that come with new technologies. Among them are the risks of the Internet of Things (IoT) ecosystem.
But few survey respondents said their organizations are planning to assess IoT risks. Respondents were also divided on who was responsible for assessing IoT risk in their organization: 29 percent said it belonged to the CISO, 20 percent said it belonged to the engineering staff, and 17 percent said it belonged to the chief risk officer.
"Many organizations could manage cyber risks more proactively," the survey found. "Many key processes for uncovering cyber risks in business systems—including penetration tests, threat assessments, active monitoring of information security, and intelligence and vulnerability assessments—have been adopted by less than half of survey respondents."
One reason may be that many organizations address cybersecurity only reactively, said Christopher Valentino, director of joint cyberspace programs and technical fellow at Northrop Grumman, in a presentation at CyberTalks in Washington, D.C.
Most cybersecurity technologies are all about reacting "to a breach, to a threat, to some event" based on something that we already know, such as a signature or pattern, Valentino explained. To be more resilient, organizations have to make a fundamental shift to being proactive in addressing cybersecurity threats.
One way to do this is by training employees about cyberthreats through awareness campaigns and even spear-phishing tests, Valentino said. Northrop Grumman does this, and Valentino, despite his extensive cyber background, said he failed his first test.
Companies also need to engage in better information sharing and coordination with stakeholders to address cyber risks, the PwC survey found.
"Only 58 percent of respondents say they formally collaborate with others in their industry, including competitors, to improve security and reduce the potential for future risks," the survey said. "Trusted, timely, actionable information about cyber threats is a critical enabler for rapid-response capabilities that support resilience. Across organizations, sectors, countries, and regions, building the capability to withstand cyber shocks is a team effort, the effectiveness of which will be diminished without greater and more significant participation."
Healthcare institutions, for instance, have been reluctant to share cyberthreat indicator information due to fears that regulators might come after them, said Christopher Wlaschin, CISO at the U.S. Department of Health and Human Services (HHS), at CyberTalks.
Some larger institutions that are sharing information are doing so through automated methods, but Wlaschin said most of the healthcare industry in the United States is not capable of machine-speed sharing at this point because it lacks both the funding and the staff.
Because of this, HHS is working with Information Sharing and Analysis Centers (ISACs) to make shared information as meaningful as possible for those who choose to participate—especially in small, medium, and rural settings, Wlaschin explained.
The "collective awareness and preparedness of the healthcare sector relies on information sharing," he said.
Lessons. Leaders from all sectors must work together to test cyber dependency and interconnectivity risks, and address accountability, liability, responsibility, consequence management, and norms, the PwC survey said.
To do this, the survey suggests that leaders take advantage of resources that offer insights into these issues, such as disaster response case studies, the National Association of Corporate Directors' 2017 Cyber Risk Oversight Handbook, and emerging guidelines from the Information Sharing and Analysis Organization standards body.
The survey also recommends leaders look at emerging research to learn lessons on how to increase resiliency. For instance, the U.S. Department of Energy awarded $20 million to its National Laboratories and partners to develop cybersecurity tools to increase resilience and risk management of the U.S. electric grid and oil and gas infrastructure.
Testing. Before deploying a patch, IT professionals typically test it to make sure it works and to see what effect it will have on the network. Industry sectors need to take the same approach to cybersecurity to boost resilience.
"All key industry sectors across the world would do well to stress-test their interdependencies with simulated cyberattack scenarios designed to inform risk management," PwC found. "Dan Geer, CISO at In-Q-Tel, has advocated developing cybersecurity stress test scenarios aimed at answering the following question: 'Can I withstand the failure of others on whom I depend?'"
Some sectors are already conducting these tests, such as the North American energy sector in its biennial GridEx exercise, which simulates cyber and physical attacks on the electric grid, but more can be done to see how a widespread cyberattack would impact the sector—and others.
"Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power—and many systems are impacted instantaneously or within one day, meaning there is generally precious little time to address the initial problem before it cascades," the survey said. "Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes."