Cyber Resilience:
It Takes A Community

A report by the Center for Strategic and International Studies and McAfee estimates the cost of cybercrime and cyber espionage to be $100 billion annually for the U.S. economy and $300 billion for the global economy. [1]

These amounts include:

In addition to these losses, cyber attacks can also slow innovation. To mitigate the risk of a cyber attack, some companies could be compelled to delay the adoption of cloud and mobile technologies and to implement new policies and controls that carry the unintended consequence of hampering employee productivity.

The optimal approach to achieving cyber resilience in a hyper-connected world requires collaboration and information sharing. Rather than going it alone, firms have the opportunity to rally together in building a cyber-resilient network that can promote innovation and protect value.

The Price of Failure

Failure to attain robust cyber resilience is an expensive proposition. In the absence of a coordinated movement to clamp down on malicious cyber activity, the price tag is certain to grow.

Organizations seeking to guard against the loss or theft of protected personal data have been losing ground. In its 2013 Cost of Data Breach Study, the Ponemon Institute evaluated the detection, response, containment and remediation costs associated with data breaches recorded by 277 organizations in nine countries. [2]

In a separate study, Ponemon looked at the tab organizations have had to pick up for a broad range of criminal activity conducted via the Internet. Its 2013 Cost of Cyber Crime Study examined cyber attacks ranging from the theft of corporate IP to the takeover of online bank accounts and interference with critical national infrastructure. This study covered 234 organizations across six countries. [3]

The two studies revealed a dark backdrop for cyber resilience. For the companies surveyed, it was concluded that from 2011 to 2012:

The payouts that have been made to address data breaches and cyber crime may be only a fraction of the economic cost to society of suboptimal cyber resilience. The potential drag on innovation and productivity that could accompany additional regulations and corporate policies may prove to be much more expensive than the types of adverse cyber events captured in the Ponemon studies.

In its data breach study, Ponemon disclosed that human error and system glitches accounted for the majority of data breaches.

A recent report published by the World Economic Forum in collaboration with McKinsey & Company presents three alternative scenarios estimating the impact on technological innovation by 2020 under varying cyber resilience environments. [4]

In a baseline scenario, as much as $1.02 trillion in value is left unrealized as cyber attackers maintain the upper hand over defenders. In a more ominous scenario, as much as $3 trillion in innovation is unrealized as international cooperation to prevent attacks comes up short and government cyber resilience regulations lead to a deceleration in digitization. In the third scenario, coordinated efforts between the public and private sectors beat back attackers, and the resulting innovation and digitization create between $9.6 trillion and $21.6 trillion in value.

Under Siege on All Fronts

The third scenario is achievable, but corporations will face an uphill battle, with cyber resilience efforts under siege on all fronts. To come out ahead, companies will have to fend off external attacks, prevent misdeeds by insiders and address the complexities introduced when doing business internationally.

The cyber crime study by Ponemon also underscores the threat presented by insiders. Although only 37 percent of the companies sampled reported attacks attributable to malicious insiders, this category of attack proved to be much more costly than more common attacks such as malware, which 99 percent of the companies reported. “While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman of Ponemon Institute, to CSOonline.com of the findings. [5]

When weighted by attack frequency, malicious insider attacks topped the list from a price standpoint, costing companies an annualized average of $154,453. Malware, on the other hand, came out as the least expensive category of attack, with an annualized average of $491.

For companies that conduct business across international borders, the challenge of preventing and responding to these attacks carries an added degree of complexity. Cyber resilience then extends to operating within the bounds of varying regulatory requirements and differing cultural norms.

It is not uncommon for corporations to face a wide range of data residency and privacy regulations. It is plausible that a multinational company could find itself in a situation where it is forced to navigate a different set of requirements for each location where it has data stored.

The challenge of meeting these legal requirements may actually pale in importance when compared with conforming to cultural norms. In the United States, for example, companies have not experienced the same magnitude of public outcry for better data protection as has been witnessed in other countries. On a comparative basis, data breaches have become more widely accepted by consumers in the U.S., where the typical response is to provide identity theft protection policies to the affected consumers.

In Europe, however, a heightened sensitivity to privacy could translate into a data breach having significantly costlier consequences for a company. Rather than striking a stance of indifference, European consumers could be much more likely to keep a data breach in the public eye. This sentiment has rippled through legislative arenas, as the European Union Commissioner for Justice recently went on record seeking heftier fines for companies that breach data privacy laws. [6]

Even for multinational corporations that have been able to adequately address compliance concerns and adapt to cultural norms, the challenge of bringing attackers to justice remains.

With attacks originating from all ends of the globe, cyber criminals are destined to remain elusive without advances in cross-border legislation and concerted efforts between companies, governments and law enforcement agencies to combat cyber crime. Attempts have been made in recent years to spur international cooperation. For instance, forty-one countries have ratified the Convention on Cybercrime treaty. However, a great deal of work still lies ahead in building a criminal justice system that can retain an advantage over cyber attackers.

A Step Forward

The goal is to establish a trusted network of organizations in this hyper-connected world that will improve the cyber resilience of each of these trusted counterparties. This objective will not be met overnight. In order to achieve this vision, we must set ourselves on a path that enables organizations to improve tactical capabilities in the near term while building the foundation of trust necessary to fight cyber attacks in a coordinated fashion. Achieving this coordination across organizations will enhance the cyber resilience of all member organizations.

Near-Term Activities

While the objectives are aligned for all organizations looking to fight cyber attacks, the path taken will vary. Some organizations will need more extensive countermeasures in order to improve their resilience. For all companies, the starting point for determining the extent of the measures necessary is to evaluate the risk related to their intellectual assets (IA). We have seen that many companies do not have a formal process for the identification and tracking of IA. Without a formal process for managing its IA inventory, a company cannot evaluate the risk related to those assets.

Once a company has adopted a formal process to track and risk-rank its IA inventory, it can both drive cultural awareness of the importance of those assets and align cyber protection activities so that the strongest protection goes to the areas that provide the greatest benefit. This is a different approach from the one most organizations use today, where all information assets are treated in a similar manner.

The short-term activities that companies will need to consider include the following:
Define the risk appetite for the company relative to IA categories. Senior management should initiate an effort to formally define its risk appetite. This undertaking should be a collaborative, cross-functional endeavor.
Establish quantitative methods for risk evaluation. Companies should quantify the likelihood of occurrence of cyber risks and the cost in the event of an occurrence. Such an approach will allow the organization to better prioritize the focus of its cyber resilience efforts.
Drive cultural awareness through training and change management activities that reinforce the importance of these assets. The best cyber resilience programs are led by a good offense. The proactive engagement of employees in training and change management initiatives will establish a shared understanding of the value of IA and the need to safeguard them.
Employ a risk-based approach for cyber resilience. Companies should establish policies that treat a variety of categories in different ways. These categories do not limit access to information based upon hierarchy, but rather on a need-to-know basis.
Establish defined roles and responsibilities for the ongoing management of IA inventory. Organizations should ensure roles and responsibilities for safeguarding IA inventory have been clearly defined and communicated. This process will instill accountability and help to align the actions of employees with strategic objectives related to the protection of IA.
Establish a security element to the company’s standard Data Management Program. The security element of a Data Management Plan is vital to securing the sensitive data and IA of a company. This component should be periodically reviewed and adapted to address changes in risk.
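The near-term activities above describe a procedure: risk-rank the IA inventory by likelihood and cost, compare each asset against a risk appetite defined per IA category, assign an accountable owner, and grant access by category on a need-to-know basis rather than by hierarchy. The following Python script is an added example of that procedure, not code from the paper or its authors; the asset names, dollar figures, probabilities, categories and role names are constructed placeholders, and the way appetite is expressed (a ceiling on expected annual loss per category) is one reasonable choice, not one the paper prescribes.

```python
"""Risk-ranking an intellectual-asset (IA) inventory against a stated risk appetite.

Added example: asset names, figures, categories and roles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str             # IA category the risk appetite is defined for
    annual_likelihood: float  # estimated probability of a loss event per year (0..1)
    loss_per_event: float     # estimated cost if the event occurs, in USD
    owner: str                # role accountable for the asset (roles and responsibilities)


# Risk appetite per IA category: the largest expected annual loss the company
# tolerates before the asset needs additional controls. Constructed values.
RISK_APPETITE_USD = {
    "trade_secret": 50_000.0,
    "customer_pii": 100_000.0,
    "public": float("inf"),
}

# Need-to-know access by category. Access follows the category, not the org chart:
# a role absent from the set gets no access however senior it is.
NEED_TO_KNOW = {
    "trade_secret": {"product_manager", "legal_counsel"},
    "customer_pii": {"support_agent", "data_protection_officer"},
    "public": None,  # None means unrestricted
}

# Constructed sample inventory (placeholder names and figures).
SAMPLE_INVENTORY = [
    Asset("product-roadmap", "trade_secret", 0.20, 400_000.0, "product_manager"),
    Asset("customer-db", "customer_pii", 0.05, 1_500_000.0, "data_protection_officer"),
    Asset("vendor-contracts", "trade_secret", 0.10, 200_000.0, "legal_counsel"),
    Asset("press-kit", "public", 0.50, 1_000.0, "communications"),
]


def expected_annual_loss(asset):
    """Quantified risk: likelihood of occurrence times cost per occurrence."""
    if not 0.0 <= asset.annual_likelihood <= 1.0:
        raise ValueError(f"{asset.name}: likelihood must be a probability")
    return asset.annual_likelihood * asset.loss_per_event


def rank_inventory(assets):
    """Highest expected loss first, so protection effort goes where it pays most."""
    return sorted(assets, key=expected_annual_loss, reverse=True)


def over_appetite(assets, appetite=RISK_APPETITE_USD):
    """Assets whose expected loss exceeds the appetite for their category.

    An asset in a category with no defined appetite is always flagged: an
    unclassified asset is itself a gap in the inventory process.
    """
    return [a for a in assets if expected_annual_loss(a) > appetite.get(a.category, 0.0)]


def may_access(role, asset, policy=NEED_TO_KNOW):
    """Need-to-know check driven by IA category; unknown categories deny by default."""
    allowed = policy.get(asset.category, set())
    return True if allowed is None else role in allowed


def inventory_report(assets, appetite=RISK_APPETITE_USD):
    """Rows of (name, owner, expected annual loss, within-appetite flag), ranked."""
    rows = []
    for a in rank_inventory(assets):
        eal = expected_annual_loss(a)
        rows.append((a.name, a.owner, round(eal, 2), eal <= appetite.get(a.category, 0.0)))
    return rows


if __name__ == "__main__":
    for name, owner, eal, ok in inventory_report(SAMPLE_INVENTORY):
        flag = "within appetite" if ok else "EXCEEDS appetite"
        print(f"{name:<18} owner={owner:<24} expected loss=${eal:>12,.2f}  {flag}")
```

Running the script prints the ranked inventory; with the constructed figures only the product roadmap exceeds its category's appetite, even though the customer database carries the larger loss per event, which is exactly the kind of prioritization the quantitative step is meant to surface. The access check deliberately has no notion of seniority: a chief executive role is refused the roadmap unless the trade-secret category lists it.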

Long-Term Activities

Companies can independently carry out the near-term activities presented above to protect IA and improve cyber resilience capabilities. Successful execution of these activities is necessary for companies to have a fighting chance against cyber threats. Over the long term, coordination between organizations will be required to accelerate the adoption of innovative technologies and give companies the upper hand over attackers. Pursuing the recommendations that follow will empower organizations to build a potent and enduring network of trusted counterparties. The long-term activities that companies should strive to achieve include the following:
Fortify communities of resilience. Collaboration is needed between entities to effectively use and improve the quality of information sharing venues such as Information Sharing and Analysis Centers (ISACs). These partnerships will foster a macro environment that encourages and protects innovation and roots out cyber threats. Active participation by all member organizations will be required for this endeavor to succeed.
Establish a trusted-counterparty database. The development of a formal trusted-counterparty database will be crucial for effectively tracking counterparty relationships and building trust between participants. An automated solution will result in the efficient exchange of information between counterparties and enable organizations to become more agile in their response to emerging cyber threats.
Develop comprehensive law enforcement capabilities. To better anticipate and respond to cyber attacks, an increased level of cooperation is needed between the private sector and law enforcement agencies. Law enforcement capabilities should be sufficiently funded to prosecute cybercrime and protect technological innovation.

Summary

Building a unified front is no small undertaking. Determining the root causes of cyber attacks, prioritizing responses, developing law enforcement mechanisms that pack a punch and establishing effective information sharing channels are just a few of the more notable challenges facing cyber security stakeholders. It takes a community. The synergies that result from companies working together will enhance response capabilities, protect corporate brands, spur innovation and deter future attacks. These developments are unlikely to materialize through independent efforts.
[1] Center for Strategic and International Studies, The Economic Impact of Cybercrime and Cyber Espionage, July 2013, http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf

[2] Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, May 2013, http://www.ponemon.org/library/2013-cost-of-data-breachglobal-analysis

[3] Ponemon Institute, 2013 Cost of Cyber Crime Study: Global Report, October 2013, http://www.hpenterprisesecurity.com/register/2013-fourthannual-cost-of-cyber-crime-study-global

[4] World Economic Forum and McKinsey & Company, Risk and Responsibility in a Hyperconnected World, January 2014, http://www.mckinsey.com/insights/business_technology/risk_and_responsibility_in_a_hyperconnected_world_implications_for_enterprises

[5] CSOonline.com, Most Data Breaches Caused by Human Error, System Glitches, June 17, 2013, http://www.csoonline.com/article/735078/most-databreaches-caused-by-human-error-system-glitches

[6] Naked Security, EU Commissioner Calls for Larger Data Breach Fines, January 22, 2014, http://nakedsecurity.sophos.com/2014/01/22/eucommissioner-calls-for-larger-data-breach-fines/