This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite.  Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

Rethinking cybersecurity

Cyber Defenses Should Emphasize Resilience As Well As Protection
The rise of digital has revolutionized how businesses work and serve their customers, but it has also added new dimensions of risk for financial services firms. Five out of every six large companies – those with more than 2,500 employees – were attacked in 2014, a 40% increase over the previous year. The costs of digital attacks are also increasing; the average annual cost per company of successful cyber-attacks increased to $20.8 million in financial services last year. And many incidents go undetected for long periods of time, so the true scale of the problem is even greater.

Data Insecurity: Flawed Technology or Outdated Business Process?
Dark Reading
Are data breaches caused by flawed security or outdated business processes? If we want to truly shift the momentum in the cybersecurity fight, as an industry we need to drastically change how we conduct business and think about securing business processes first. Only then can we focus on the IT systems in which they reside. To be clear, this is more than implementing a few processes. Getting to the crux of this global problem will require a top-down audit of how a specific business operates. From there, we will need to undertake a complete overhaul of each and every function. The reason: in many cases, when business processes were “automated” the process was not altered — just transformed into digits.

Cyber Security Isn’t Working – Security Breaches are Inevitable
Security News Desk
Paul German, VP EMEA, Certes Networks, insists it is time to face up to the futility of breach detection and protection alone, and that organisations must make a change to avoid the fate of the organisations that have recently hit the hacking headlines. Cyber security isn’t working. Too many companies are being breached; and governments globally are recognising the need to invest heavily to protect vital services and infrastructure. However, today’s defence-in-depth security models are not completely flawed; they are, perhaps, naïve.

Deloitte: For CyberSecurity – Offense Can Be the Best Defense
Integration Developer News
As 2016 begins, organizations are going on the offense to combat cyber threats, according to a report this month by Deloitte LLP. Companies and government agencies are no longer satisfied with simply “locking the doors” where cybersecurity is concerned, said the 2016 Deloitte Analytics Trends report. “Organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. [They] are beginning to employ more predictive approaches to threat intelligence and monitoring—in short, going on the offensive,” the Deloitte report found.

Organizations are Spending Ineffectively to Prevent Data Breaches
Net Security
A new report by 451 Research, which polled 1,100 senior IT security executives at large enterprises worldwide, details rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans. Critical findings illustrate organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant. Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.

Key Changes to the Cybersecurity Landscape in 2016
IT ProPortal
Cybercrime will not go away or be defeated in 2016, and will instead continue its spread into all sectors of the economy as the digital revolution brings more and more firms into the firing line. Simon Viney, a director of Security Science at Stroz Friedberg, the investigations, intelligence and risk management company, believes the threat will increasingly have ramifications for corporations, boards, governments and regulators, and is predicting a number of key changes to the cybersecurity landscape in the year ahead.

Are we safe on land?

The ‘Mind-Boggling’ Risks Your City Faces from Cyber Attackers
Market Watch
During a 2014 cybersecurity drill New York City officials held with intelligence agencies, the Federal Bureau of Investigation posed several scenarios. What if the city noticed that the 911 system had shut down? What if criminals attempted to coordinate a computer attack on emergency infrastructure with a physical attack? The city often had the same response: they’d call the FBI. Unfortunately, they were told, that might not help. “That’s not what we do,” Leo Taddeo, former head of the Federal Bureau of Investigation’s cyber and special operations division in New York, said he told them.

US Utilities Warned to Boost Defenses After Blackout in Ukraine
The Hill
A pseudo-governmental electricity industry group in the U.S. has advised its members to boost their network security after reports emerged that a cyberattack downed a Ukrainian utility for six hours, Reuters reports. The Dec. 23 incident left roughly 700,000 homes without power and is thought to be the first major blackout caused by hackers. The Electricity Information Sharing and Analysis Center (E-ISAC) called the blackout a “coordinated effort by a malicious actor” and last week urged its members to “do a better job” at layering digital security to keep out hackers.

Malware Alone Didn’t Cause Ukraine Power Station Outage
A new study of a cyberattack last month against Ukrainian power companies suggests malware didn’t directly cause the outages that affected at least 80,000 customers. Instead, the malware provided a foothold for key access to networks that allowed the hackers to then open circuit breakers that cut power, according to information published Saturday by the SANS Industrial Control Systems (ICS) team. Experts have warned for years that industrial control systems used by utilities are vulnerable to cyberattacks. The Dec. 23 attacks in Ukraine are the most prominent example yet of those fears coming to fruition.

Or on the sea?

Cyber Attacks – Coping with New Threats to the Maritime World
Seatrade Maritime
“From rock and tempest, fire and foe, protect them where so ever they go” is an all-encompassing list of maritime hazards which is usefully encapsulated in the seafarers’ favourite hymn –“Eternal Father”. A very 21st century addition to these timeless risks of maritime commerce might now be that of cyber attack, which conceivably could be as serious and damaging as any of those on this list. Ships are no different to any other facet of modern life and have become, in recent years, horribly vulnerable to malicious or criminal external interference, with all the sophisticated electronics that keeps them operating efficiently. The fact that nothing really terrible has happened (at least that which has been made public) probably owes more to the general ignorance of marine technology and the plethora of other tempting targets, than the efficacy of shipping’s own defences.

BIMCO Releases First Cybersecurity Guidelines for Shipping Industry
SC Magazine
The Baltic and International Maritime Council (BIMCO) today launched the first set of cybersecurity guidelines for the global shipping industry to prevent issues that could arise from cyber incidents at sea. The guidelines were developed by international shipping associations including BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO) and International Association of Independent Tanker Owners (INTERTANKO), according to a Jan. 4 release. The guidelines also contain information on understanding cyber threats, how to assess and reduce risks, how to develop contingency plans, and identifying vulnerabilities and potential targets for cybercriminals.

Is anybody safe?

The Flaw in ISIS’s Favorite Messaging App
The Atlantic
In some corners of Washington, D.C., cryptography is becoming a dirty word. Since the rise of the Islamic State, hardly a day goes by that politicians don’t raise the specter of a terrorist attack planned on encrypted messaging platforms. In December’s Democratic debate, viewers heard Hillary Clinton call for a “Manhattan-like project” to ensure that law enforcement would always be able to implement a wiretap. For more and more lawmakers, encryption is that perfect, pitch-black night in which radicalized things go bump.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

January 26, 2016