The following post is the second in a series authored by Rob Dannenberg intended to educate readers about the nature of cyber risk and assist in assessing and improving organizational ability to effectively prepare for and respond to the evolving threat. Rob wrote on “The Rapidly Changing World of Cyber Risk” in his previous post. Here he examines how companies must consider their political, foreign policy or national security activities as part of cyber risk management.
Nation-state actors such as Iran and North Korea, and non-state actors such as Anonymous, attack targets for political and propaganda reasons. In that environment, the first step in managing the risk is for an enterprise to make an honest assessment of how likely it is to be targeted by one of these malicious actors.
It is also worth understanding that nation-state cyber actors devote significant resources to scouring the Internet and media for potential targets. While not infinite, the resources countries like Russia, China, Iran and North Korea can devote to Internet-based targeting are considerable and far greater than commonly imagined. Very few private sector companies devote adequate resources to understanding what is said or written about their firm and its activities on the Internet. Fewer still examine that information from the perspective of a potential nation-state adversary.
In urging awareness of political and foreign policy exposure, I am not suggesting that a firm should avoid those activities. A firm should, however, understand the risk of being targeted if those activities come to the attention of a potential adversary.
Let’s start with some basic questions that should help you understand where your firm might sit on a potential adversary’s targeting matrix. It may not be necessary to explore every question in depth, but a general assessment of this risk should be available to the firm’s risk managers.
All of these questions are framed around a single issue: why would you be targeted for political or propaganda purposes?
Are the firm’s senior executives publicly engaged in political, foreign policy-related or national security policy-related activities?
- If so, does the firm routinely monitor the activities to assess how they would be perceived by a potential adversary?
What is the firm’s international profile? In which countries does it operate and is it engaged in political, foreign or national security policy activities abroad?
Is there awareness in the firm of the political/foreign policy/security policy activities of the firm’s major clients? Is the firm part of the critical infrastructure or does it have enterprise significance for those clients?
- What information is publicly available about the relationship between the firm and clients?
In addition to having little awareness of political risk exposure, many firms fail to do an honest triage of their data and systems and so do not understand what may be at risk. The executive correspondence exposed in the Sony Pictures Entertainment attack is a classic example of a failure to apply The Washington Post test* to data. Here are some basic questions to consider in that triage.
What data, if exposed, would cause significant reputational damage to the firm?
Which data or systems are so critical to your enterprise that their compromise would interrupt or halt business operations?
What client/customer data does the firm hold and what would be the effect on the firm or the firm’s clients if this information was compromised or lost?
How reliant is the firm on subcontractors for critical enterprise operations, and what would be the effect on the firm if an attack were directed at a critical subcontractor?
- Does the firm have any knowledge of the cybersecurity or resiliency discipline of critical subcontractors?
What information is publicly available on the firm’s senior executives, the firm’s organizational hierarchy and client/subcontractor relationships? (This is key targeting data for a potential adversary.)
What sort of redundancy does the firm’s information and data processing architecture have?
- How much is managed internally and how much is outsourced?
Does the firm have any closed systems, i.e., systems not accessible from the Internet?
How is executive correspondence processed and retained?
Does the firm have an insider threat program?
Does the firm monitor the social media activity of current and former employees — especially those who have/had access to critical systems and data?
Does the firm periodically review access privileges and adjust to a strict “need to know” standard?
Use these starter questions to help develop an understanding of how the firm could become a target and what may be at risk.
*Organizations are regularly counseled to ask whether they would mind reading about data they possess on the front page of The Washington Post.
By Robert Dannenberg, SDI Cyber Risk Practice
In an upcoming post we will take a look at cyber crisis management planning and strategies.
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
March 31, 2015