October is National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) kicks off this week. And in the wake of last month’s Equifax breach announcement—in which nearly 145.5 million Americans learned their personal information may have been compromised, coupled with the government’s recent efforts to combat cyber threats—NCSAM’s timing could not be better.

The Department of Homeland Security (DHS) hosts the annual NCSAM and will provide online and in-person tools to engage and educate the private and public sectors about cyberrisks. The DHS will also offer mitigation tips and techniques in tandem with this year’s campaign, which is divided into five different weekly themes:

Week 1: Oct. 2-6         –Simple Steps to Online Safety

Week 2: Oct. 9-13       –Cybersecurity in the Workplace is Everyone’s Business

Week 3: Oct. 16-20     –Today’s Predictions for Tomorrow’s Internet

Week 4: Oct. 23-27     –Consider a Career in Cybersecurity

Week 5: Oct. 30-31     –Protecting Critical Infrastructure from Cyberthreats

But NCSAM’s nationwide events are not limited to those themes and will cover topics that run the cybersecurity gamut through formats like workshops, webinars, twitter chats and conferences – some of which can be livestreamed. One major highlight will be the day-long global launch of NCSAM’s international adoption on Oct. 3 in Washington D.C. Featured speakers at other events include FTC Acting Chairman Maureen Ollhausen, White House Cybersecurity Coordinator Rob Joyce, Senate Homeland Security Chair Ron Johnson, and Palo Alto Networks CEO Mark McLaughlin. Visit here for an event calendar.

NCSAM is part of the ongoing DHS cybersecurity awareness program, Stop.Think.Connect., which began in 2009 as part of President Obama’s Cyberspace Policy Review. Non-profit organizations, government agencies, colleges and universities are encouraged to join Stop.Think.Connect. as “partners,” while individuals can become “friends” to engage their respective communities and memberships. The program also offers handy toolkits organized by topics such as mobile security and phishing, and by audiences, which range from corporate professionals to young children and law enforcement.

Increasingly, the government is taking cyberrisk seriously. In September, the SEC announced two initiatives to enhance its enforcement division’s efforts to combat cyber-based threats and protect businesses, investors and the public. A new Cyber Unit will focus on targeting misconduct which includes market manipulation schemes involving false information spread on social media, violations involving initial coin offerings and distributed ledger technology and hacking, among others. Its Retail Strategy Task Force will combat fraud in the retail investment space, from everything involving the sale of unsuitable structured products to microcap pump-and-dump schemes.

In August, President Trump elevated the United States Cyber Command’s status to Unified Combatant Command, with a focus on cyberspace operations. The elevation, he said, will increase “resolve against cyberspace threats, reassure our allies and partners and deter our adversaries,” by streamlining operations under a single commander, which will also ensure adequate funding. In connection with the elevation, the president said Secretary of Defense James Mattis would examine “the possibility of separating United States Cyber Command from the National Security Agency” and will eventually announce recommendations.

RIMS Survey Reveals Continued Confidence in Cyber Insurance

Cyber insurance is still a priority for risk professionals and stand-alone policies continue to gain international prominence, according to the 2017 RIMS Cyber Survey.

The survey’s 288 respondents represented industries ranging from financial services, government and non-profit and manufacturing to retail, health care and more.

Based on survey insights it is clear that cyber exposure is a primary concern, with nearly half of respondents confirming they are spending more now than they did last year to protect against it. The most alarming elements of risk continue to include business interruption and its consequent expenses, reputational harm, and notification and response costs. In light of recent ransomware attacks, 72% indicated that cyber extortion is also an important and growing first-party exposure their organizations are facing—a 9% increase from 2016.
Key findings from this year’s RIMS Cyber Survey include:

  • Organizations with a stand-alone cyber insurance policy increased 3% (to 83%) from 2016.
  • Of the organizations without a stand-alone cyber policy, 84% indicated that other insurance policies include cyber liability coverage.
  • Nearly three-quarters (72%) of respondents transfer cyber exposures to a third-party (up 3% from 2016).
  • Only 34% of respondents thought that the government should mandate cybersecurity standards.

With 61% of respondents considering purchasing cyber coverage in the next two years, it is likely the industry will continue to see slow-but-steady growth. But with 83% of respondents reporting that their companies have stand-alone cyber insurance policies, up 3% from 2016, the survey suggests that the market for these policies may be nearing maturity.

“At any given moment, cyber predators can unleash a new hack to infiltrate an organization’s system, steal or lock critical data and cause significant business interruption damages,” said RIMS President Nowell Seaman. “RIMS Cyber Survey shows that risk professionals continue to invest in cyber insurance products and must work in tandem with their insurers and IT professionals to help develop innovative and adaptable solutions for the next generation of cyber threats.”

Manufacturers Vulnerable to Cyberrisk

Manufacturing companies face a serious threat from cyber criminals. According to IBM’s latest intelligence index, theirs is now the second-most targeted sector, after attack numbers increased significantly year-on-year. This heightened risk is compounded by increased vulnerability: the connectivity that manufacturers have embraced to bring about greater operational efficiencies is accompanied by significant and largely uninsured exposures, such as physical damage arising from cyber incidents or loss of income due to stolen intellectual property.

Part of the vulnerability lies in process control and supervisory control and data acquisition (SCADA) systems. Previously deemed impenetrable, due to their proprietary and highly customised networks, the convergence of these industrial control systems with enterprise infrastructure, particularly web services and ethernets, has created a potentially catastrophic risk. Such connections and the increasing Industrial Internet of Things (IIoT) can drive through great advantages, but also simultaneously produce weak links that manufacturers can not afford to overlook.

For example, expensive capital assets such as production machines will be retrofitted with technology that allows them to be connected to corporate networks. But they were typically built without the sophisticated measures to afford cyber-protection, or have operating systems that are incompatible with current cyber-security products. All these factors make manufacturers’ industrial control systems particularly vulnerable to cyber-attack.

Physical damage
Physical damage arising from cyberattacks has to date been relatively rare. Early high-profile events, such as claims that Russians hacked into U.S. water treatment facilities to damage pumps, or the Israeli-U.S. ‘Stuxnet’ attack on Iran’s nuclear centrifuges were believed to be state-sponsored.

One of the most underestimated threats to manufacturers is the rogue employee, disillusioned with their employer or falling victim to blackmail. One such attack involved a German steel mill. Hackers, thought to involve a rogue employee, took over its industrial control systems via its enterprise system, preventing employees from shutting down a blast furnace. This caused irreparable damage to expensive equipment and yet physical damage, as well as bodily injury caused by a cyber event, is typically excluded on most policies. The rise of the hackers-for-hire phenomenon further multiplies potential sources of attack, with competing companies looking to use third parties for corporate espionage, for example.

Stolen Innovation
Other rising areas of threat revolve around the significant non-physical assets residing in manufacturers’ information systems. Cyber theft of intellectual property (IP) has been difficult to insure properly, despite the extraordinary value of items such as the technical specifications of a new product, or the composition of a new pharmaceutical. PwC reports that the number of such thefts, notably of product designs, has doubled.

While competition is a big driver of IP cyber theft, risks such as the loss of income due to stolen IP or the legal pursuit of it are not currently insurable. When you consider the degree to which a manufacturer’s value will be directly linked to their IP, this represents a considerable risk but also one where evidencing and quantifying a loss is very difficult.

Cyber attacks are now identified as the leading cause of supply chain stoppages but supply chain risk is also largely uninsured. Some losses, like business interruption arising from a cyber incident on an IT provider’s network, can sometimes be covered but an interruption caused by a product supplier’s cyber-event typically cannot. Upstream supply risk, associated with liabilities arising from failure to supply goods following an attack, is also difficult to insure.

Market developments
According to research by consultancy BDO USA, 92% of manufacturers cited cyber-security among their top 10 risk concerns in 2016, up 44% from 2013. Another study, however, found only 8% of manufacturers “very confident” in their ability to prevent an IT breach.

This rising risk issue demands action from all parties. Manufacturers must invest further in heightened security and control for their operating technologies, while cyber insurance specialists must continue to develop further sophisticated solutions to more effectively transfer manufacturers’ unique exposures. Insurance carriers are starting to work together more effectively across lines to more sufficiently underwrite the complex cyber risks facing the sector. Failure to respond to this new era of cyber threats and vulnerabilities will leave manufacturers exposed to reputation and physical damage, bodily injury, severe business interruption, loss of intellectual property, and significant financial loss.

Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to comprise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.