- Adrian van Hest of PwC on the opportunities and risks for New Zealand organisations in the digital economy.
- David Kennedy, CIO/CISO consultant, on ensuring security across channels.
- Bradley de Souza, global CTO, on building a culture of security.
- Simon Arcus of the Institute of Directors on elevating cybersecurity issues to the Board.
- NZ snapshots: Global State of Information Security Survey 2016
The growth of the digital economy has spurred the need for cybersecurity to be higher on every organisation’s radar.
“Digital business models are coming in that require you to be more agile and catch up,” says Adrian van Hest, cyber practice leader at PwC New Zealand.
“What drives the need and the trend for cybersecurity to become more of an issue is the fact most organisations are still going digital at a great pace. They are moving more of their capability to the cloud, to digitise their data, their processes, to re-shape their business models.
“All of these drivers mean technology is becoming more important to these organisations. Their dependence on them is greater and therefore, their risk is greater, particularly as they rush to adopt that change.”
Going digital, he says, presents a raft of opportunities for organisations. These include leveraging the economies of the cloud and doing data analytics that provide better insights for engaging with customers.
But he points out a holistic approach is needed as organisations move into digital platforms and channels.
“Opportunity and risks are two sides of the same coin. You just have to be mindful of that.
“If you are moving into digital, you need to bring the person who helps you manage the risks associated with the opportunity.
“That can be hiring your own CISO or getting competent people on board is one way to start the journey.”
Van Hest raised these points in the context of the findings from the 2016 Global State of Information Security Survey.
CIO, CSO and PwC interviewed more than 10,000 respondents across the globe, including 102 business and technology executives from New Zealand, for the 2016 report. The survey was conducted online from May 7, 2015, to June 12, 2015. Readers of CIO magazine and CSO and clients of PwC from around the globe were invited via email to take the survey.
Van Hest says if you are a digital business, the more you digitise, the bigger the impact of a cybersecurity breach, he stresses.
He cites the impact on two organisations involved in high profile breaches.
The first was Target, which suffered a massive data breach in 2013.
The organisation survived but its sales volume dropped, where it lost hundreds of millions of dollars. The company has lost customers it will never get back, its entire management team was replaced and the CEO resigned.
“It was not a non-negligible impact,” he says. They survived but they were certainly not uninjured by it.
“It depends on what you do. Target was a big box shifting retailer where a chunk of what they did was online. They were hammered by the data breach but they are still a physical business.
“If you are a digital business, it is not the same impact.”
The second data breach involved the infidelity website Ashley Madison.
“If you are a digital business, your customers are a click away from your competitor.”
If you are a digital business, your customers are a click away from your competitor.
Security across channels
“When creating a digital strategy, organisations must exert the same amount of effort on the security as on any other part of the strategy. After all, no other single event has the ability to reduce customer confidence than being frivolous with their information,” says CIO/CISO consultant David Kennedy.
“You need to make sure the hardware and software you are using to become digital contains minimal vulnerabilities. It is the vulnerabilities that the criminals are leveraging to gain access into systems.”
He says if you release new digital channel containing vulnerabilities that are quickly compromised, then confidence in that channel is obliterated.
“Security and confidence are closely linked together. If you do not have that security aspect, solid vulnerability management, it will be very difficult for you to successfully launch that channel.”
He has a ‘three-fold advice’ for people looking at digital strategies. This is to focus on encryption, solid vulnerability management and privileged access management.
The number one is having a good, solid understanding of the encryption you are using for data at rest, in transit or to the browser. Strong algorithms and adequate key management will deter a potential attacker.
He likens the second area, solid vulnerability management, to building a house.
“When building a house we do not triple glaze each window and fit blast doors at each entrance. It does not need it, but we must consider that a window with no glass at all is not fit for purpose.
“It is okay to have vulnerabilities but you must have visibility of these vulnerabilities. It is the ones you do not know about that the attackers will take advantage of. That is where you are blindsided.”
Attackers sit in systems for weeks or months just listening all the time. Then, all of a sudden there is a big explosion of data leakage or a system outage. The use of a Security Operations Centre to review logs and provide “Threat Intelligence” is a good practice to follow, Kennedy says.
Operational teams lack the ability to spend time reviewing logs so the attack often goes unnoticed for many weeks or months, he says.
Verizon, Symantec, BT and others have specialist global Security Operational Centres that are attuned to provide this threat intelligence. This will be a growing technology for to address the cyber threat, Kennedy says.
“Vulnerability management will allow you to see an acceptable or known position. If that known position changes beyond a certain threshold, you can identify that and know something has changed.”
He says an integrity file management solution can be used for this. If someone attacks a file and that file changes, you can be notified. This works especially well with configuration files or batch file processing of sensitive information.
He says the third area, privileged access management or PAM, is focusing energy on keeping an eye on the accounts with the most access. These are the ones the criminals are after. PAM is essentially about defining the parameters by which accounts can be used and monitoring for any deviation from a known pattern.
For instance, a local team can only access the system between 9am to 5pm, and has to be linked to a NZ IP address and usually goes to systems A then B.
Monitoring the activity allows you to spot when the account is acting suspiciously and perform a challenge response to ensure that the account has not been compromised.
“You can significantly reduce the risk of major information leakage by someone outside of your realm of control abusing that access because you are proactively managing the privileges.”
When creating a digital strategy, organisations must exert the same amount of effort on the security as on any other part of the strategy.
Levels of confidence down
One of the key findings this year was New Zealand organisations have far less confidence in their own information security activities, as well as their suppliers, than they did last year.
Last year, 83 per cent of New Zealand respondents were confident or somewhat confident that their organisations’ information security activities were effective, compared to 65 per cent this year.
The drop in confidence is even wider in the security activities of New Zealand organisations’ partners and suppliers – last year 82 per cent of New Zealand respondents were very or somewhat confident, compared to 57 per cent this year.
Van Hest says while confidence has dropped, this year’s report is likely a more accurate picture of real versus perceived risks.
As to what accounts for this shift in perception, Van Hest notes the work a lot of organisations have done in terms of risks analysis, and testing and adoption of the security risk based approach
The latter, he says, means organisations “understand what is important, and then assess the risks around it.
“As soon as you have done the work, as soon as you have done a first pass at a risk assessment or even security testing, it throws up things you have not thought of and gives you confidence in an area.”
A key message for organisations is to “focus on your core business”.
“What are the digital assets, the core business functions that could be impacted by a cyber risk?” he asks.
“What are the things you do that are digitally dependent? What are your digital assets, your critical information assets… because that is the place to start.
“We have historically talked about prevention, to stop it [cyber-threats] coming in through technology. We have moved on to, ‘Okay, let us be strategic. Let us focus on, not everything, but on the most important thing and let us have the inbuilt ability to detect, respond and recover.’
“If you just focus on the external threats, the threats everyone faces, and what everyone else is doing, you are likely to make poor investment decisions.
“It is a business intelligence message which is, understand your problem before you spend money,” he says.
He says there is no technology or blanket approach which will allow organisations to “skip that bit of work, of identifying what is important” to the organisation.
“They really need to do that because a blanket approach [to cybersecurity] is really inefficient, it is not going to work and it does expose you.
Steps to advance cybersecurity
Amidst significant technological advances, cybersecurity is ultimately a people business.
Bradley de Souza, a CIO/CTO who has worked on transformation projects across the globe, observes: “Focus on securing and hardening services has never been stronger but the weakest link still remains the end-user and how people manage and maintain their accounts.
“Despite an increasing number of high profile data breaches, most people remain oblivious to the risks they face by using weak login credentials and mechanisms.”
People continue to use the same password and login credentials across many services, he says. Criminals are now focusing on soft targets like discussion boards and forums, hoping to obtain login credentials which can be used to gain access to other, higher value services.
Changing people's behaviours will take a long time and won't be easy, says de Souza. Moving to two-factor authentication, token based authentication like the one used by banks, and biometric solutions will help in some cases, he says, “but will still take time”.
This year’s survey finds more organisations embarking on security focused training – 50.5 per cent of New Zealand respondents are investing in employee training and awareness program.
“It is such an effective strategy if you get it right,” notes Van Hest. “When I look at some of the incidents I was involved in over the past 24 months, the real saving of the organisation from a cataclysmic event was somebody identifying it to be an issue at an appropriate time.”
And this insight does not have to come from a technology person, says van Hest.
“We are seeing an enormous uplift of phishing attacks,” stresses CIO/CISO consultant David Kennedy. “Criminals want to attack your system, but they know security is very hard to get through these days.”
Rather than break into the system, they just go after credentials, through phishing attacks.
Kennedy says one way enterprises can effectively train their staff to recognise a phishing email is by including a security behaviour management provider or training effectiveness provider. These providers will measure the effectiveness of the annual security training.
That’s an imperative that many companies are not completing today and are leaving themselves open to compromise,” he says.
This provider will allow the company to create an internal phishing scam. This is usually done after the security training. You can identify how effective the training is by looking at the metrics provided by the provider on:
- How long it took for people to click on a phishing link
- How many users provided their user name and password
- How many people reported the potential phishing attack.
You can then understand the vulnerable areas in your company, and adjust your training needs accordingly, advises Kennedy.
Van Hest, meanwhile, notes that as incidents get media coverage, there is increasing education of propensity for fraud, and on the various threats and how they come about.
“It is always good to be quite mindful of education,” says van Hest. “Targeted education is the next step.”
Make education relevant to someone’s function, he says, and this applies to training for the boards, management, general population and practitioners.
“If you are an operator of a system that is quite critical to an organisation, then you need more than just general training."
Focus on securing and hardening services has never been stronger but the weakest link still remains the end-user and how people manage and maintain their accounts.
Read more: Agility comes with maturity
Summarising the 2016 results, van Hest states:
“There is no magic bullet for effective cybersecurity. It’s a journey towards a culture of security, not a solution in and of itself. It is a path that starts with the right mix of technologies, processes and people skills.
“The organisations that will flourish in tomorrow’s interconnected world are those which recognise that good cybersecurity is good business; and by managing their risks, they can use digital technologies and their information assets to realise opportunity with confidence.”
Sidebar: Cybersecurity at the top table
This year’s report finds across the globe board engagement and the impact of board involvement increased over last year. The board is most likely to participate in overall security strategy, security budgeting, security policies, and security technologies.
Boards historically were composed of financial and legal people but that is changing very much, as more IT leaders are becoming board members, states CIO/CISO consultant David Kennedy.
Cybersecurity is now becoming much more known at the board level, says Kennedy, who also holds board positions where he advises on digital and cybersecurity strategies. He also works with the Institute of Directors on getting cybersecurity risk issues discussed at board level.
Enterprise risk management or ERM is a very common tool for the boards in determining the financial and business risks for various events. “Why not have a cyber risk aspect to enterprise risk management?”
He says some boards are already using a “security lens” alongside the financial and business lenses of their ERM.
But from his personal experience, this is not true for the majority of boards.
“Most businesses use or rely on technology to operate – cyber risk is a reality of our times – so the ability of boards to consider it as part of enterprise risk is critical in ensuring directors are confident about business resilience,” says Simon Arcus, CEO at the Institute of Directors.
Technological advances are disrupting many traditional business models, he says, forcing businesses to find ways to adapt to the rapidly changing environment.
“How they deal with disruption is going to be a big question for the future,” says Arcus.
He says one of the positive trends he is seeing is that directors are recognising there is a gap in the area of business technology for a lot of people on traditional boards.
“They are realising how important information security is, how fundamental it is becoming to the business model.
“The boards are there for a strategic role, they determine the strategy going forward. Because of that we are seeing cyber risk entering the strategy agenda in a way that we have never seen before,” says Arcus.
At the same time, he says, boards are recognising information security has both external and internal elements. You can have the structure in your company, but you also need to understand the external environments which include third party providers.
“What we are seeing happening is more and more companies are saying, ‘I need to know about your security infrastructure before I can join with you, or before I deal with you.’ That awareness at board level has shot up.”
“What we are seeing structurally is the rise of the role of the CIO,” he adds.
The CIO is taking a whole new role at the senior team reporting into the board, he says, and this is true locally and internationally.
Boards are asking, “Have we got a 21st century business model or are we still dealing at an old fashioned model? How do we understand the value of our IP? How do we understand how to get to our customers faster? How do we respond to disruption? We are seeing a strategic thinker in those technology areas are becoming a prized commodity.”
'More and more companies are saying, ‘I need to know about your security infrastructure before I can join with you, or before I deal with you.’ That awareness at board level has shot up.
For a CIO, there has never been a better time to raise the issue of cybersecurity to the board in a strategic way, he says.
“Put it on the agenda, make sure it is up there, get boards to understand they don’t need to know the detail of the technology.
“They need to understand cyber risk as a risk like any other,” says Arcus. “It needs to take its place at the board table as health and safety, finance, people risk, all of those things.
“Make sure it is well discussed and is not a specialised area that is handled by management and operations.
“Talk their language, start talking about the cyber risk management framework, start talking about a whole of organisation cyber risk management framework that serves the enterprise widely,” concludes Arcus.
Indeed, says Kennedy, the worst question from the board is, ‘Are we secure?
“We need to change the mantra for security to match today’s complex environments that have limited security budget,” he stresses.
“Security is not about being secure, it is knowing exactly how insecure you really are.”
Global State of Information Security Survey 2016: New Zealand snapshots
Read more: No shortcuts to becoming a digital business
Where/to whom does your CISO, CSO or equivalent senior information security executive report directly? Nearly half (49.2 per cent) of NZ respondents cite the CEO, with a quarter reporting to the Board of Directors.
Cyberattacks have become the new normal in today’s digitally connected world.
Where do the attacks come from? Forty two per cent of New Zealand organisations that had a security incident in the past year said the source was a current employee, compared to 33.6 per cent globally.
In the case of external attacks, the top sources were organised crime (globally, the top sources were competitors) activist organisations/hacktivists and foreign entities.
How was your organisation impacted by the security breaches?
Data impact: 28 per cent of NZ respondents that experienced a security incident suffered a loss or damage to internal records.
Business impact: Around 18 per cent reported financial losses resulting from a breach, while 22 per cent do not know how their organisation was fully affected.
Most organisations have adopted a risk-based cybersecurity framework, which lays the foundation for an effective security program.
The two most frequently implemented frameworks are ISO 27001 and the NIST Cybersecurity Framework. PwC reports 29.4 per cent of New Zealand respondents said adoption of a risk based framework has better prepared them to operate and compete across global markets.
In New Zealand, about a quarter 24.5 per cent of respondents have no plans to implement a strategy for IoT, compared to just 9.9 per cent globally who have no plans for such strategy.
Increasingly, CEOs are taking a hands-on approach to information security. In New Zealand, there is an enthusiastic interest from boards and executives for more education and information about their respective organisation's information security activities, says PwC.
Data suggests New Zealand is slightly behind the curve in the boardroom, reports PwC. Globally, 34.8 per cent of organisations say a chief information security executive delivers risk updates at least four times a year to the board. Locally, only 20.6 per cent of boards receive regular updates.
This year, 59 per cent of respondents (37 per cent in New Zealand) said their organisation has purchased cybersecurity insurance to help mitigate the financial costs of incidents. The most common types of incident-related losses include protected personally identifiable information, payment card data, intellectual and property/trade secrets, and damage to brand reputation. A quarter of New Zealand organisations with cyber insurance made a claim in the past year, compared to 50.4 per cent globally, reports PwC.
In New Zealand, cyber insurance is new but has a growing market, says Adrian van Hest of PwC. He stresses though, that “cyber-insurance does not prevent anything from happening. It does not help you with addressing the ‘here and now issue’ and it does not help you with recovery. You still have to do the work."
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz
Click here to read the Spring 2015 edition of CIO New Zealand
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.