WHO SHOULD BE RESPONSIBLE FOR CYBERSECURITY?

By Andrew Douthwaite, Contributor, CSO | JAN 16, 2018 6:20 AM PT.

Clearly, cybersecurity is everybody’s problem. It’s high time this truth was recognized, starting with the executive suite on down.

The news today is flush with salacious stories of cyber-security breaches, data held hostage in brazen ransomware attacks, and compromised records and consumer information. So too has the fallout become increasingly familiar: broken trust, ruined brands, class-action lawsuits, and prolonged periods of finger pointing.

In September 2017, news broke that consumer credit reporting agency Equifax had suffered a catastrophic breach the preceding May. Hackers gained access to the personal data of nearly 150 million American citizens – roughly two thirds of the country’s population – including full names, Social Security numbers, addresses, and dates of birth. The swiftly unfolding scandal sent the company’s stock plummeting 33%, a market value loss of approximately ten billion dollars. Currently, three Equifax C-Suite managers are under federal investigation for allegedly dumping stock prior to disclosing the breach.

The digital sphere has always been rife with pathogens. Elk Cloner ravaged Apple IIs by way of contaminated floppy disks in 1981, and Brain infected IBM PCs in 1986. Initially little more than nuisances concocted to spread chaos and frustration, today malware is a primary tool of lucrative (if fragmented and decentralized) criminal enterprises whose foremost goal is financial gain through extortion and embarrassment.

The high-profile nature of certain attacks – Equifax, Anthem, Home Depot, Yahoo, Sony, and Uber, to name a few – obscures the fact that while the form, scale, and intent of attacks tend to vary, the threat looms over organizations of every stripe and size – private, public, and not-for-profit alike – in every corner of the globe. Colleges and universities have fallen prey to costly ransomware attacks, havoc has been wreaked on banks in Italy, Canada, and Bangladesh, and Russian hackers hijacked the 2016 federal election through a simple phishing scam. Such attacks are alarmingly easy to design and deploy. Phishing, for example, requires only a single distracted click on a link in an email or text. Once the automated malware has gained a toehold, systems and networks can be crippled in a matter of minutes.

Standing vulnerabilities are being exacerbated by the growing centrality of digital media in our day-to-day lives. The proliferation of devices means a multiplication of exploitable entry points, as does data stored across networked, hardware and cloud-based platforms. The more sprawling the company or organization, the more exposed it may be, necessitating cyber-security strategies that cover partners, manufacturers, and suppliers. Not only are new dangers always emerging, but they can occur because of easy to make mistakes such as forgetting to update your OS, or through portals as unlikely as an IOT enabled fish tank.

The crisis is as widespread as it is confounding to combat. Perpetrators not only employ an ever-expanding suite of tools and tactics, and target bounties ranging from consumer data to proprietary assets, but they are driven by mercurial motives. Some hackers espouse anti-corporatist ideologies, some are astutely transactional, and others still – Anonymous for example – are first and foremost retaliatory. Add to these slippery intentions a lack of territorial affiliation, and one can see how present-day cyber-foes are diabolically tricky to identify, much less apprehend and prosecute.

All indications are that cyber-crime is in its infancy, a phenomenon that will only intensify. CNBC recently reported that in the first half of 2017, the number of attacks spiked 164% compared to the same period in 2016, entailing 918 disclosed data breaches resulting in nearly two billion compromised records. The report suggests that this increase is partly attributable to new regulations pertaining to corporate transparency, including the EU’s GDPR and the UK’s Data Protection Bill. This legislation coincides with the establishment of government agencies tasked with policing these fraught digital landscapes, such as the Cyber Threat Intelligence Integration Center in the U.S.

Yet the urgency with which governments are working to enforce transparency and security stands in stark contrast to the reluctance demonstrated by businesses to recognize and react to so significant a threat. One need only look at the typical IT budget to recognize how little the gravity of the crisis has sunk in. Even though companies across all sectors rank cyber-security as their most pressing issue, and despite an upward trend in spending, the typical cyber-security budget is profoundly underfunded. According to Steve Vintz of the Harvard Business Review, “IT budgets are typically 3-7% of a company’s revenue, and security budgets are typically 5% of IT spend.” In other words, the average company allocates just over 1% of revenue safeguarding against potentially catastrophic attacks.

This lopsided spending reflects, perhaps, a longstanding disinterest exhibited by financial stewards toward IT issues. It’s the number crunches versus the nerds, the former obsessed with spending and bottom lines, the latter always on the lookout for shiny new toys to tinker with. The VP Finance or CFO, therefore, assumes the attitude of a parent reining in an indulgent child, rather than a collaborator working toward mutual goals. Fissures such as these have the unfortunate effect of relegating cyber-security to the IT silo, with the CFO punting the ball to (often already overtaxed) technical divisions and managers, then washing their hands of further responsibility.

C-suite abdication reveals a central but oft-overlooked error, one baked into the term “cyber-security” itself: though traditionally tucked away under the IT umbrella as a security concern, many if not most of the consequences of cyber-attacks are monetary, with severe and long-lasting financial implications. Though difficult to tally, a 2017 study by Centrify and the Ponemon Institute pegged the average cost of a data breach at $4 million, the average stock price drop at 5%, and the average revenue decline at $3.4 million. And this is to say little of the embarrassment of suffering an attack – looking weak and ill prepared, the erosion of consumer trust and confidence, and a tarnished reputation and brand – much less lawsuits. Target paid $18.5 million after a cyber-attack put the data of sixty million of its customers in peril, and Anthem was slapped with a $115 million penalty. Fortune magazine writer Jeff Roberts predicts that Equifax will pay out approximately a billion dollars to settle suits resulting from its attack.

Moving forward, a chief concern must be not only how CFOs can participate in the design and implementation of cost-effective cyber-security systems and protocols, but more importantly how they can take the lead in fostering company-wide cultures of cyber-awareness, vigilance, and preparedness. Clearly cybersecurity is everybody’s problem. High time this truth was recognized starting with the executive suite on down.