We are too often self-defeating when it comes to cyber security. In Part 1 of this series, we took a hard look at how a lack of ownership and accountability lowers our defenses and increases our risks. In Part 2, we look at our communications breakdowns, our unwillingness to share, and our underestimation of what it takes to change human behavior.
We don’t realize the core dynamic has changed
Cyber puts us all on the digital front lines. Everyone, every system, and every device is vulnerable. This disrupts the traditional market dynamics of customers, vendor/supplier, and competitors. Long established expectations, tensions, and transactions that created the rules of engagement are being disrupted.
Tried and true business axioms, such as “the customer is always right” and “the first to market wins,” have shaped how we innovate, communicate, and operate. Cyber security is changing all of that. Cyber attackers are the new player in the market, and they are going after everyone. They exploit our traditional dynamics. Have you ever received a phishing email from someone pretending to be from your bank? The cyber attacker is capitalizing on your trusted relationship. Companies are so busy rushing to market that they regularly skip basic cyber security steps. Cyber threats depend on that for their attacks. They hope we don’t share cyber security information or collaborate. They count on that confusion and lag in response time to launch their exploits – more on this later.
The biggest problem is that we don’t realize there is a new dynamic. In the old dynamic, the customer is king, and those who don’t understand that are quickly replaced by those who do. So, when it comes to cyber security, customers naturally expect their vendors/suppliers to be fully responsible for protecting them. This is both unrealistic and impractical. The dynamic has shifted from provider-to-consumer to provider-and-consumer vs. cyber attackers.
The new cyber world order relies on a much more collaborative relationship between vendors/suppliers and customers. Whether the customer is an individual consumer or a small, medium, or large enterprise, the dynamic needs to be redrawn. Once a customer purchases a device, service, or even a component, they are accepting responsibility for its cyber security. The provider simply does not have the visibility or control to ensure strong cyber security on the customer’s side. This means that it is incumbent on the customer to understand and use cyber security best practices. When a cyber event does occur, providers and customers need to know how to communicate and collaborate effectively to remediate the incident.
Until we reset the dynamic, cyber attackers will use our confusion and lack of coordination against us. We need to figure out what the new dynamic looks like and how to best operate within it. The first step, however, is acknowledging that we need one.
What We Can Do:
- Reset expectations: We need to acknowledge that there is a new cyber dynamic that requires a rethinking of how we traditionally interact. We need to understand that there are bad actors out there actively trying to do us harm. We need to accept that we are all targets, and that it is only through better collaboration that we can protect ourselves. We need to raise expectations for how providers integrate cyber security into their development and delivery. We must find it unacceptable for companies to skip or skimp on cyber security, even if that impacts time-to-market, convenience, or profit margins. Market demand is a powerful driver for change, and making cyber security a key purchasing criterion will go a long way toward reshaping the cyber dynamic. Customers also need to understand that they play a critical role in cyber safety. They need to clearly understand the cyber best practices they must adopt, and that cyber security is a collaborative effort between them and their providers.
- Redraw the dynamic: We will need to define new roles and responsibilities in the cyber dynamic. Providers will need not only to provide highly secure products and services, but also to provide information, education, and resources to help customers understand and adopt cyber best practices. They should also provide self-service tools and embedded security features to help customers manage their cyber responsibilities – anything to make cyber security easier on the customer. Customers need to engage their providers in discussions and take advantage of the cyber resources that are available to them. They need to understand how to practice basic cyber hygiene and what to do in case of a potential intrusion. Ultimately, customers must understand that they also play a critical role in cyber security – they are often the only ones with the visibility and control to prevent attacks.
- Create trusted cyber communication channels: Aside from overall cyber security marketing, communications, and engagement, companies need to establish trusted cyber communications channels with their customers. These should be authenticated communications channels that are only used for cyber incident management (i.e., they are free of sales, marketing, and promotions). Credit card companies have been spearheading these kinds of channels. If a card is stolen or presumed compromised, they reach out directly to a customer and begin a coordinated discussion to manage the incident. Many companies use multi-factor authentication (e.g., text, email, and/or a call) to establish authenticity. The customer knows that the incident is real, and that they have certain responsibilities in the incident’s resolution. This type of model should be expanded and adapted to other industries.
We Don’t Share, But Cyber Attackers Do
Sharing is hard. It doesn’t come naturally to many of us. It’s even harder when you have to share a vulnerability. So, it’s little wonder that companies do not like sharing their cyber security information. In order to share, they have to navigate legal and regulatory challenges, consider brand impacts, and weigh the risk of being attacked by new threats. Even if CISOs see the value in sharing, it’s hard for them to make the business case to their senior leadership. That’s why most incidents go unreported, and most companies keep cyber exploit and threat intelligence information to themselves. According to a Barclays analysis, only 28% of cyberattacks against businesses were reported to the police.
Cyber attackers, on the other hand, share information much more willingly. They do it out in the open, using most forms of social media to post, tweet, and blog about their exploits. They also share behind closed doors, using the dark web to sell techniques, coordinate attacks, and even run training sessions. There are dark web markets where data brokers sell everything from stolen data to cyber-attacks-as-a-service. This is not to say that the cyber threat environment, or the dark web, is in perfect harmony and order. As a completely unregulated environment, it can be pretty chaotic. Trend Micro did a recent analysis on how cybercriminals regularly battle it out on the dark web.
In many ways, the threat environment is a mirror image of the corporate environment. Cyber attackers operate in a space that is high-energy, chaotic, and disruptive, while corporate executives focus on order, control, and predictability. This gives an advantage to cyber threats. They more openly share their attack tactics, techniques, and processes, even tweeting how they successfully executed an attack. Cyber threats will often reuse the same attack methodology across industries, knowing that corporations are reluctant to share information or even admit that they were attacked.
The stark difference in how willing cyber threats are to share, compared with the companies they victimize, further highlights our need to work together to lower the collective cyber risk.
Companies are, however, making strides to share cyber security information. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) are working within industries to help companies understand what to share, how to share, and why they should be sharing in the first place. ISACs formed first, and focus on industries that impact critical infrastructure (e.g., financial, energy). The first ISAC, the Financial Services ISAC (FS-ISAC), was formed in 1999. Since then, a number of industries have formed similar sharing centers. In 2015, the Executive Order Promoting Private Sector Information Sharing paved the way for ISAOs. ISAOs broaden the reach of information sharing to other industries, as well as to geographic regions. Both types of entities help reduce the legal exposure of sharing information, and promote education, communication, and coordination. In May 2017, President Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This order reinforces the need for federal agencies to coordinate, standardize cyber risk management, and update antiquated systems.
While ISACs and ISAOs are a good first step, they are slow to form and develop. These are voluntary organizations that must navigate legal and competitive challenges. Unlike the threat environment, their expansion is deliberate, formal, cautious, and methodical. Until these fully formalize, expand, and integrate, cyber attackers will have a communications and collaboration advantage.
What We Can Do:
- Learn from the intelligence community: After 9/11, the intelligence community needed to take a hard look at its information sharing practices. It realized that terrorist threats were much more agile than it was, and that each part of the Intelligence Community (IC) held a piece of the puzzle that needed to be shared. As a result, the IC changed its long-standing “need-to-know” approach to an “obligation-to-share.” It had to address everything from cultural to logistical challenges as it dealt with various levels of clearance, disparate organizations, and legal obstacles. The cyber community can learn a lot from how the IC has been able to collaborate and communicate. Although it is not a perfect system, the IC has a number of lessons, tools, resources, and techniques that companies can use to create an integrated threat picture, pool resources, and coordinate incident responses.
- Cultivate ISACs and ISAOs: ISACs and ISAOs are good building blocks, but they need greater participation, standardization, and integration. Both ISACs and ISAOs have formed umbrella organizations to help guide standardization and sharing between individual entities: the National Council of ISACs (NCI) and the International Association of Certified ISAOs (IACI). However, the overall effort needs to move much more quickly in order to bring companies up to parity with the threat environment. Progressing these organizations will take additional protections against regulatory and legal repercussions, stronger incentives to participate, and more focus from corporate executives.
- Share across the value chain: ISACs and ISAOs share across industries and geographies. However, they do not focus on a critical cyber security risk for most companies – their value chain. Whether it be a supply chain, a cadre of vendors, or key service partners, companies need to reshape the cyber dynamic of their relationships from design to delivery of products and services. Members in a value chain should share threat intelligence, incident and vulnerability data, and cyber performance reporting. They should also help each other develop their cyber program maturity, conduct joint training, and jointly conduct incident response preparation. Value chains should also enhance how they authenticate the exchange of data, components, and services so that there is increased confidence in the cyber security from design to delivery. Stronger cyber coordination and hygiene across the value chain will greatly reduce risks from cyber threats.
We Talk Past Each Other
Cyber security has steadily risen to a top-tier priority, and CISOs are regularly asked to report directly to the Board of Directors. There is a lot of pressure on security executives to show progress, but there is often a disconnect between cyber security and other business functions. Senior security executives often speak in overly technical terms for their leadership and can struggle to connect cyber security to business value. In fact, according to an Osterman study, 85% of board members felt that the information from IT and security executives is too technical.
This miscommunication happens in part because cyber security executives often come from an IT operations background. They have been trained to work the technical details and report on operational metrics. Thus, when they are called in front of other leadership, they default to these roots and fail to make the connection between cyber security and business operations. Common communications mistakes include:
- Not making clear links between corporate strategy and cyber investments
- Failure to convey the business impacts of cyber breaches
- Not clarifying which cyber responsibilities are under the cyber department’s direct control and which ones need to be assigned to other parts of the organization
- Reporting risk in terms of technical exposure rather than business impacts
- Not clearly connecting cyber metrics to business operation and strategic goals
There are instances when cyber executives do not report key information at all. For example, SentinelOne conducted a study that revealed that 39% of organizations globally failed to report a ransomware attack to the CEO or Board. In such a competitive environment, cyber executives might fear how the news would reflect on their ability to have prevented the attack in the first place, and worry about their jobs as a result.
With too many cyber executive presentations relying on fear, uncertainty, and doubt, and not enough relating business value, senior executives are getting cyber fatigue. They are worn out from not fully understanding cyber security and are becoming impatient with spending money on capabilities they cannot see. As long as cyber executives and other senior leaders talk past each other, corporations will be overexposed and underprotected against cyber attacks.
What We Can Do:
- Connect the dots: Cyber security executives need to connect their operations, metrics, and capabilities to corporate strategy, business operations, and market value. They need to make their cyber communications clear, concise, and compelling, without jargon and with plain-language explanations of the business impacts. This kind of clarity in communications is not easy and will likely require a fundamental overhaul of how they communicate with other organizations in their company. Cyber executives will need to involve other leadership and business units in the development of their reporting and metrics. They will also likely need help from professional advisors who have experience bridging the technical gap. If cyber executives can be clearer, they can shape the dynamic with executive leadership and obtain the resources and support they need to be successful.
- Establish a cyber strategist role: Cyber security organizations should consider developing a specialized role to address the business dimensions of cyber. This cyber strategist would connect with other organizations in the business to provide consulting support and to increase overall engagement in cyber security best practices. The strategist would also be responsible for aligning the cyber program with corporate strategy and creating compelling reporting to help drive conversations with executives forward. The profile for a strategist would be a broad business background, strong communications skills, and a proven ability to drive engagement between various organizations.
- Distinguish between technical risk and business risk: Cyber security organizations often report on risk, but it is usually presented from a highly technical perspective. Although this might be valuable for cyber operations, it does not translate well to the rest of the organization. Cyber executives need ways to clearly define business risks and then report on those risks using their cyber security data. Although a challenge to develop, this kind of reporting resonates with senior leadership and goes a long way toward helping cyber organizations define accountability, show progress, and convey value.
We confuse training for human behavioral change
People are the single biggest cyber risk companies have. An IBM study found that human error contributed to more than 95% of cyber incidents. Ask CISOs what keeps them up at night, and many will tell you that mistakes made by their own people are at the top of the list. With issues such as poor passwords, phishing attacks, unauthorized software downloads, and other careless practices, cyber attackers know that people are the easiest way into corporate networks.
Poor cyber habits contribute directly to increased cyber risk. Consider the following:
- 556 million individuals fall victim to cybercrime annually or 12 people every second
- 53% of mobile professionals carry confidential company information and 65% of those who carry confidential company information don’t take steps to protect it
- 60% of fired employees steal important corporate data after departing their position
- 30% of phishing messages were opened by the receiver
- 63% of confirmed data breaches involve weak, default, or stolen passwords
The evidence is clear – people are our weakest link. Yet, with all of this exposure, we do not do a lot to impact human behavior. Many companies either do not have cyber security training, or only conduct training on an annual basis in order to comply with a regulation. Cyber security needs to move beyond annual training and focus on human behavioral change. This means providing the consistent reinforcement, communications, and incentives to instill best practices and cultivate a culture of cyber security.
What We Can Do:
- Leadership sets the tone: Change starts at the top. Senior leaders across an organization need to take direct accountability for, and control over, instilling cyber security best practices in their employees. They need to set expectations, ask for support, and constantly promote cyber security as a key priority. Senior leaders cannot push this responsibility onto the training or cyber security organizations. They must lead these efforts themselves. They should also be held accountable for the cyber performance of their organizations. It should be part of executive reporting, their performance evaluation, and their compensation. People in their organizations contribute directly to cyber risk; leaders need to take ownership of that risk.
- Make cyber a safety issue: Cyber security should be considered a safety issue. Many companies have a deep emphasis on personal safety. Cyber fits well into those programs. Promoting cyber security as a safety issue will not only help employees at the office, but also in their personal lives.
- Embed cyber into policies and procedures: Make cyber security a key part of policies and procedures. New and existing policies should include cyber standards and guidance, where applicable. Making cyber a part of policies will help make cyber security a part of doing business.
- Provide continuous learning and engagement: People learn in many different formats. Aside from annual training, companies should run internal communications and engagement campaigns to reinforce best practices. These can range from internal advertising to short reinforcement videos. The cyber department can also run phishing and social engineering exercises; for example, a simulated phishing email is sent to employees, and anyone who clicks a link in it must take additional training. The more venues and channels companies use to reinforce best practices, teach cyber lessons, and provide resources for their employees, the more directly they will reduce their cyber risk.
- Make cyber security part of the brand: Featuring cyber security as a key part of a company’s brand makes it an important part of the company’s culture. Making a brand promise to customers forces the company to use cyber security best practices in everyday operations.
When it comes to cyber security, we don’t have a technology problem – we have a people problem. Whether we have challenges with accountability and responsibility, or with communications and information sharing, we have a lot of work to do within our own organizations. Cyber attackers will continue to exploit our weaknesses until we take a hard look at ourselves and make the right decisions, changes, and investments. Until then we will be our own worst enemy.