By Rich Baich, Executive Vice President, Chief Information Security Officer, Wells Fargo
As your company relies more on technology to run the business, it’s mission-critical to understand cyber risk
The threat of a cyber attack is pervasive. A breach can hit any company of any size. It’s no wonder 63% of U.S. CEOs are extremely concerned about cyber threats.[1] It’s mission-critical to understand the drivers of cyber risk and use this knowledge to strategically approach cybersecurity as a risk management discipline.
As your company relies increasingly on technology to run its business, it can become more difficult for your organization to know itself and potential security weaknesses.
- Interconnectivity. Technology is an enabler of our connected world and all its benefits, but interconnectivity heightens the risk of a cyber attack. Today, a business, its partners, suppliers, customers, and third-party providers connect through a web of systems, apps, and information via the Internet. The Internet of Things links objects, goods, and services to this network. If you think of your Internet footprint as a building, then each access point is a window to your enterprise. The number of windows cyber criminals can crawl through has expanded exponentially.
- Complexity and compressed development cycles. Today, technology expansion requires a team of developers in which each team member specializes in an aspect of a system. Different teams contribute pieces to a technology solution and interface these components together. It’s difficult to understand the full solution in detail. Managing technology assets has become a major challenge, including identifying all your assets, the services they provide, what they connect to, and who uses them. In addition, pressure for fast time-to-market and reduced overhead costs leads to retrofitting security rather than integrating it upfront in the development process.
The enemy at the window
Organizations and individuals around the world are online. Criminals, too, have migrated from the physical to the virtual world, and these realms are interwoven.
The #1 cyber threat remains phishing. Email’s underlying technology has changed little in the past decade; what has changed is how cheaply and widely the tooling is available and how clearly criminals now recognize email as a conduit into an organization.
In parallel, the cyber threat is continually evolving. For example, hacker focus has broadened from web applications to cloud services and mobile apps, and techniques have expanded from single-source attacks to distributed denial-of-service attacks launched from many compromised machines at once.
Today, the know-how to enable cyber crime is easily accessible. The instruction manual for your mainframe, along with a simple how-to video, could be an Internet search away. This unprecedented level of accessibility and availability of information, combined with the sophistication of criminal techniques, makes it challenging to know the enemy and the nature of the unfolding threat.
Employees as entry points
No matter how secure your technology, the human link is often the weakest. If employees do not protect their identity and security credentials, or they open a malicious attachment or link in a phishing email, they become entry points into your company, putting your business and its critical data at risk.
Three ways to reduce the risk of cyber attack
How can you address each of these cybersecurity challenges head on to reduce the risk of a breach?
- Know yourself. Understanding your technology environment is essential to protecting it. The first step is to conduct a risk assessment to pinpoint your weaknesses. The next step is to establish the appropriate control governance for your key assets. Finally, your organization should continually test its footprint to identify and correct weaknesses.
- Know your enemy. Keep abreast of the techniques hackers employ, analyze cyber threat intelligence, and enhance your defense strategy. Threat modelling is key to knowing the enemy. Every angle of possible attack should be assessed, including at the business, systems, components, and engineering levels. Without this view, the risk management actions, remediation, and costs that follow may be aimed at the wrong weaknesses and fail to reduce cyber risk. If you lack the resources to perform threat modelling internally, consider partnering with a provider of this service.
- Put your employees in the know. Your staff must become part of the defense process. First, employees must be aware of the latest hacker techniques, which requires training and security awareness. Second, the best security teams foster internal talent that’s well-versed in the environment, key assets, and company user behavior. Such a team can build security solutions tailored to business need. Finally, system developers also require training so they integrate security into technology solutions from the start of development and continuously test their code. Investing in people provides a far greater security return than one-size-fits-all, off-the-shelf solutions.
Knowledge is power
Hacker techniques continue to change, as do the best practices for thwarting attacks. Maintaining vigilance requires knowing your company and the enemy while empowering your employees through training for a risk-aware culture. Knowledge becomes a source of power for protecting your business.
Approaching cyber risk in this manner means treating it similarly to more established business risks so CEOs and senior managers can strategically manage cybersecurity.
[1] “21st Annual Global CEO Survey, US supplement,” PwC, 2018.