Stress Testing Your Cyber Risk Management
"You can't write an entry about stress testing. People will think your article will be about regulatory control and the survival of companies, especially in the financial sector", said my colleague. It is!
Before the recession, the term 'Stress Test' was not a household word (unless one was referring to marital bliss ;-). Enter the new breed of financial regulators and politicians looking to justify the use of public funds for the banking bailout, not to mention the growth in compliance teams. Now stress testing is well-known and common-place.
But is it really fair to use this term when it comes to assessing an organisations risk management and incident response capability? In my view it absolutely is! Many organisations fail the cyber stress test and increasingly are likely to expose their business to unnecessarily high losses as a result.
But surely it's about capital adequacy, not cyber?
Yep. and many organisations suck so much at cyber risk management that their capital and that of their insurers are increasingly bending under the strain of putting things right when the inevitable occurs. If they are not quite at this critical point yet many are slowly and surely heading that way.
Recent news that businesses are folding and making increasing demands on their insurers, and also that insurers are challenging some of these claims; often because clients have not covered cyber specifically but are looking for other policies to respond on some of their losses, is beginning to show that some organisations may have considerably underestimated the actual impact of cyber breaches on their balance sheet.
Show me the money!
Experience from the breach notification regulations in the US and also the fines levied under the PCI regime show that increasingly the regulators are using the power of hefty fines to drive home the message that compliance needs to be taken seriously. Sure, the PCI fines are way below the cost bands required for capital allocation required under operating and financial risk regulations but certainly some of the fines levied by regulators stateside have grown considerably in the last few years. In 2010 the maximum fine levied was to Zurich for a breach was $2.275m. Fines levied purely by the UK ICO, not renouned for having teeth, more than tripled to £2.6m in 2012/13 and the US HHS fined Cignet $4.3m. Recent fines for privacy breaches have topped $6.8m in Puerto Rico and class action lawsuits resulting in claims at $20m and even as high as $4bn. With the EU pushing for tougher privacy and breach notification laws, a proposed 5% of global annual turnover for failure to notify and manage breaches effectively puts the maximum fine levels into the many hundreds of millions. Remember this is even without the growing response and business relationship management costs.
It seems that both insurers and their customers need a better way to understand the value of information assets and how well they are protected in order to properly understand the associated risks.
Stress testing is not an easy task
Where the trouble really lies is in the reliable and effective performance of stress testing organisations for their cyber risk management capability. Many of the breaches that have occurred have been in organisations that have spent budget on security controls. Take a look at literally each and every vendor product and put a hacker in a room with it to see how quickly it takes the expert to break. Just don't put any money on it!
However, the problem is not so much with with the security capability of individual products but more with the actual building blocks of network technology. Whilst security has been considered in network design for many years, the expertise needed to implement truly secure networks is in very short supply. Perhaps though, the biggest single problem with standalone computers and networks alike is the concept of superuser accounts which are the main target of choice for literally all successful cyber attacks.
More fundamentally though, much of the cause of insecurity in technology stems from a lack of real investment in cyber security skills and resources. Many business leaders have 'sleep-walked' into the IT era; almost expecting that the limited investment they have given to support what is now the lifeblood of their business should have security 'baked in'.
The delivery of our ground-breaking CYBER3 (Rapid Risk Review) service consistently reveals this under-investment as one of many key risk indicators.
Perhaps it's simply a matter of time?
One question I hear asked on a regular basis. Business leaders, Politicians, IT Directors, Chief Police Officers, Regulators..."Surely it is possible to make our systems secure and resilient to attack?" I have the honor of attending and speaking at many meetings. Blue chip security summits, conferences focused on SMEs, round-tables on cyber security. I find that few of the speakers and decision-makers, perhaps those that ask this question, have experience of configuring network and computer security functions, penetration testing, digital forensics and other aspects of a complex information and IT security world . If they did, I suspect that they would unfortunately be a little less convinced that systems can be secure whilst remaining as available and functional as businesses and the public currently demand. Furthermore, breaches are often effected because the users themselves are easily tricked and simply don't know or don't care about data security.
The complexity of IT, combined with the openness of access for superuser accounts, coupled with the lack of skills and resources needed for secure configuration and laced with the business needing accessibility over security means that all cyber attackers need is just a few mistakes in the configuration of network and security components for their unauthorized access to be guaranteed. Moreover, now that many systems also process and store financial data, it means that attackers are happy to invest their time figuring out ideal methods of attack, many of which are a combination of technical agility and social engineering.
For those who are persuaded, this time is the best time to be a cyber criminal and organisations have an increasing need to ensure that they have arranged for cover when this time becomes the worst time for them to lose their shirt.