Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to comprise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.

Combating Risks to the Electric Grid

Electricity is the foundation of society, making the electric grid one of our most critical infrastructures. It is also one of the most vulnerable, and is subject to a number of variables, according to, Lights Out: The risks of climate and natural disaster-related disruption to the electric grid, a study by students of Johns Hopkins University’s School of Advanced International Studies, funded by Swiss Re.

According to the report, in recent years there has been a trend of more natural disasters globally, with 191 natural catastrophes in 2016 and a 24% increase from the level in 2007. In the United States, 43 natural catastrophes caused huge property losses in 2016, almost double those of 2007.

Lights Out focuses on the Pacific Northwest, which is an “illustrative case study in climate and natural disaster related electric grid disruption. The region is prone not only to high-frequency, low-intensity natural disasters such as droughts and flooding, but also at risk of catastrophes like the Cascadian Subduction Zone (CSZ) event, an earthquake-tsunami combination that is expected to devastate the coastline from northern California to southern British Columbia,” according to the report.

As climate change alters the seasonality of water runoffs in the Pacific Northwest, the study found that electricity generation and the operation and maintenance of hydroelectric dams face greater challenges. What’s more, different parts of the grid are vulnerable to different perils. For example, above-ground lines are vulnerable to weather events, while underground lines are susceptible to earthquakes. In Oregon, for example:

More than 50% of substations would be damaged beyond repair in the event of a magnitude 9.0 earthquake. In addition, the vulnerability of the electric grid is highly interdependent with other critical infrastructure systems, including roads, water and sewage treatment, and natural gas pipelines. In the event of a major earthquake, damage to road networks can make it impossible to repair transmission and distribution lines, thereby preventing the restoration of all other electricity-dependent lifeline services (water, sewage, telecommunications).

The costs of outages for construction and restoration of the grid are estimated to be 1.59 times higher in highly populated locations versus flat land areas with fewer inhabitants. Costs are also higher when infrastructures such as emergency roads are destroyed, which would slow down repairs to roads, in turn delaying restoration of electric power and impacting telecommunications, water and sewage services.

There may be long-term financial implications as well, as entire communities would be impacted, leading to a possible migration of residents to areas not effected by the disaster. Following Hurricane Katrina in 2005, for example, the population of New Orleans dropped dramatically, and 10 years later, had only returned to 90% of its pre- 2005 levels.

Total population of New Orleans 2000-2015; Hurricane Katrina hit New Orleans in 2005:

With the increase in natural disasters, the recent destruction caused by Hurricane Katrina and Superstorm Sandy as well as the prospect of a magnitude 9.0 Cascadia earthquake, “It is imperative that public and private sector entities explore potential solutions for combating and mitigating damage to the electrical grid and disruption from power outages.” The report urged utilities to increase the resilience of their systems in a number of ways, beginning with conducting utility vulnerability assessments to identify vulnerable infrastructure and develop resilience plans. While many utilities have taken the initial step of identifying the resilience and mitigation strategies that they intend to implement, their implementations after these assessments vary widely by utility.

Utilities have several options for hardening the resilience of their systems, depending on the specific types of natural hazards they face. For example, checking poles for rot and moving infrastructure out of flood zones and landslide-prone areas helps to maintain distribution and transmission infrastructures, keeping them from going down in regions with heavy rainfall and flood risk. Pruning trees to protect wires from falling branches is also important in regions experiencing higher intensity storms, according to the report.

Highlighted trends:

  • Climate change is causing more severe and frequent natural disasters, meaning power systems face increased strain from catastrophes.
  • The interdependence of systems creates further complications: if the electric grid is down for an extended period, collateral effects can lead to disruptions in other services such as water, sewage and telecommunications.
  • The economic implications are challenging governments and energy providers. Not only do they require pre-disaster financing provided by insurance, they must address how to make their systems more resilient to future flooding, droughts and earthquakes.

Protecting Your Business from Wildfires

There are currently about 60 large wildfires burning in the United States, mostly in western states. But a combination of high temperatures and dry and windy conditions can make wildfires a threat almost anywhere. Adding to the situation is the fact that more and more businesses are expanding into the wildland-urban interface (WUI)—wildfire-prone areas where homes and businesses are located. This creates a growing wildfire risk to businesses, according to the Insurance Institute for Business and Home Safety (IIBHS).

The Property Casualty Insurers Association of America lists the most expensive U.S. wildfires to date, all in western states:

To protect buildings from wildfires, IIBHS recommends that businesses survey the materials and design features of their structures; as well as the types of plants used, their location and maintenance.

Organizations also should determine their fire hazard severity zone (FHSZ) by evaluating the landscape, fire history in the area and terrain features such as slope of the land. Organizations can request the FHSZ rating from local building or fire officials in their area.

IIBHS notes three sources of wildfire ignition:

  1. Burning embers, or firebrands, generated by a wildfire and made worse in windy conditions.
    • Embers can ignite in several ways: By igniting combustible construction materials directly when accumulating on or immediately adjacent to them. Combustible construction materials are those that ignite and burn such as wood, plastic, and wood-plastic products used in decking and siding. By igniting nearby plants and accumulated debris such as pine needles or other combustible materials such as a wood pile. By entering a building through openings, such as an open window or attic vent, and ignite combustible items inside the building.
  1. Direct flame contact from the wildfire
  2. Radiant heat emanating from the fire

It is critical to assess a building’s construction, including roofs, windows, vents and exterior walls, also important is the area surrounding a structure, including trees and plants, IIBHS said.

A defensible space zone around the building will reduce the risk of fire. This includes consideration of specific types of plants and how they are grouped and maintained.

Plant characteristics associated with higher combustibility include:

  • Narrow leaves or needles (often evergreen)
  • Volatile resins and oils, as indicated by leaves that have an aromatic odor when crushed
  • Accumulation of fine, twiggy, dry, or dead material on the plant or on the ground under the plant
  • Loose or papery bark that often falls off and accumulates on the ground (such as palms and eucalyptus).

Corporate Culture and Risk Management

According to an April New York Times article, “Uber’s core company values included making bold bets, being “obsessed” with the customer, and to “always be hustling.” The company emphasized meritocracy, setting employees up as rivals and overlooking transgressions of its high performers. At its worst, Uber maintained an “unrestrained culture” that has since resulted in several allegations of harassment. A published blog post by engineer Susan Fowler, indicated that “the culture was stoked—and even fostered—by those at the top of the company.”

Adoption of a strong risk culture
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” – a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.—@RiskCultureBuilder on Twitter

The “tone at the top” describes the climate and overall philosophy set by the board of directors and executive team to drive the culture and behaviors of all employees. In companies ranging from Uber to small businesses, this tone permeates the enterprise in a number of ways, including executive communications and onboarding and learning programs, as well as the policies and procedures designed to empower and/or control employee decision-making. The right tone stresses a high standard of ethics and a culture of compliance, but should be balanced with a message that empowers managers to take risks—appropriately—in the pursuit of short- and long-term rewards for the business.

Translating the tone into a strong risk culture requires reinforcement to employees defining how their decisions and actions affect the broader mission of the company. Then, through change management and strong accountability, culture and risk management can be aligned to keep everyone “rowing in the same direction.”

Drivers of risk culture
Many companies today have defined a “culture statement,” put it down on paper, and socialized it to employees. This is only the first step in driving employees to make the right risk management decisions, however. Consider a few of the levers that companies can pull to drive behaviors towards a stronger risk culture:

  • Performance management and compensation – Are corporate and employee goals tied to desired risk management outcomes?
  • Corporate governance – From the board of directors down, are enough questions being asked? Is there too much reliance on historical data?
  • Management reporting – Is attention to certain metrics—often short-term in nature—driving decisions that could cannibalize long-term outcomes?
  • Investor Relations – Are reasonable expectations being set with a company’s shareholders when it comes to risk versus reward?

While company leaders can help drive the desired corporate culture, this alone will not guarantee good risk management decisions every day. All employees must be taught risk management techniques, and relevant risk management skills should be built into the company’s overarching competency model. A risk culture that positions employees as an integral part of risk management will drive more successful and predictable business outcomes.

During his keynote presentation at the 2016 TMG Executive Summit, cybersecurity expert Brian Krebs reinforced this point when referring to the risk culture needed to deal with cyber risk: “…layers of technology are not enough to stop a data breach…security is only as effective as the people managing it.” Although achieving a strong risk culture is no small undertaking, the benefits will be significant as more and more risks are mitigated before impact.