Cybersecurity Partnerships: A New Era of Public-Private Collaboration

It is generally understood that the public and private sectors need to collaborate to address the nation’s cybersecurity challenges, yet there remain significant questions regarding the circumstances, nature, and scope of those relationships. Legal, strategic, and pragmatic obstacles often impede effective public-private sector cooperation, and these are compounded by regulatory and civil liability risks. Different government agencies have competing roles and interests, with the government serving dual roles as both partner and enforcer, which influences how companies facing cyber threats view public authority. These domestic cybersecurity challenges are complicated further by cross-border issues, including inconsistent laws and perspectives regarding, in particular, privacy norms and restrictions, data transferability, and divergent political interests in combating cyber threats.

A welter of issues involving technology, business, law, and policy affect the strategic cybersecurity relationship between the government and the private sector. And many of those issues are evolving and unclear. Because cybersecurity’s challenges are multifaceted, traditional modalities of interaction between government and private sector—between regulators and regulated—do not always capture the nuanced ways in which the nature of the cybersecurity challenge has fundamentally altered these relationships.

In an effort to better understand and, hopefully, help address the challenges of institutionalizing effective cooperation, this paper will explore four key areas that should be clarified as a necessary step in adopting a strategic approach to cybersecurity:

  1. Why is cybersecurity different from other threats, and why is public/private collaboration uniquely valuable to address cybersecurity challenges?
  2. What barriers—including, for example, the evolving regulatory and civil litigation landscape, and cross-border challenges—impede effective cybersecurity collaboration, and themselves generate additional layers of uncertainty and cost for institutional victims of cyber attacks?
  3. In light of those barriers, and available private-sector resources, should companies focus on self-help for addressing cybersecurity issues? When and to what extent can companies more effectively combat cyber threats without government assistance?
  4. What methods of public-private sector collaboration have been more successful than the traditional models of governance, and what roles can, and should, different parts of the government play in a comprehensive cybersecurity strategy?

While the problems are difficult, the answers may, in some respects, be astounding in their simplicity—solutions grounded in basic principles of organizational communication, teamwork, trust and relationship building, accountability, and foresight to prepare for and invest in mitigating risk before disaster strikes. These approaches are critically important and readily attainable, for those within industry and government who are willing to invest time, thought, and resources proactively, to avoid the far greater costs of an ill-prepared cyber response strategy.

Yet, in other ways, the challenges to effective cybersecurity solutions are confounding. The technology is often complex and constantly evolving, the vulnerabilities are vast and elusive, and the laws are fragmented and unclear. Perhaps the greatest challenges emerge from the significant, sometimes competing, domestic and foreign policy consequences impacting both government and business that flow from any proposed policy or legal response. These issues emerge at the intersection of technology, risk management, business, law, and strategy; successfully navigating them requires a sophisticated understanding of each of those diverse areas.

Government and industry bring a diverse range of resources, priorities, and perspectives to these issues that can sometimes compete. But, at a strategic level, they often are fundamentally aligned in their shared desire to develop effective strategic solutions to cybersecurity challenges. The key is determining how best to maximize the collective resources of business and government at that point of alignment.

Ultimately, the short answer is that no single actor (or group of actors) can figure it out alone. A strategic cybersecurity solution mandates the combined resources and coordination of government and industry, within a practical framework that balances effectiveness with efficiency, and security with privacy and innovation. To reach that solution, we first need to understand the benefits, barriers and alternatives to effective coordination, and why the nature of the problem demands new and innovative forms of collaboration. In doing so, we will come to realize that the government and private sector already are innovating in the forms of collaboration necessary to address the cybersecurity threat; next, the challenge will be to institutionalize and expand these means of working together […] Read more »


After the Breach: Cybersecurity Liability Risk

Cybersecurity’s evolving regulatory and liability landscape compounds the challenges that companies face from cyber attacks, and further complicates the ability of corporate executives and their advisors to understand and effectively manage cyber risk. Companies must prepare for and respond to a potential cyber attack’s direct damage, including financial and data loss, system and service interruptions, reputational harm and compromised security. Cyber attacks also expose companies to diverse and uncertain regulatory and civil liabilities. Although these risks generally become apparent post-breach, they must be contemplated and managed proactively, before a breach occurs.

The decision-making of companies that are facing systematic and strategic cyber threats is, therefore, fraught with legal uncertainty about the implications of how they prepare for and respond to the threat. With piecemeal statutes and regulations, and emerging technologies, companies must navigate myriad potential sources of civil and criminal liability related to cyber incidents whose doctrinal contours are unsettled. Concerns include, for example, how to: institute and monitor security protections; implement cyber incident response policies and procedures; disclose threat, vulnerability and incident information; and determine when, whether and how best to inform, and potentially cooperate with, government. In addition to the inherent difficulties in determining how to address these concerns, companies also must evaluate how each of those decisions may impact litigation risk.

These concerns are particularly acute because many of the most serious cyber vulnerabilities reside in privately owned networks and systems, those systems often contain some of the most valuable information available about the nature of the threat, and, ultimately, steps to prevent and mitigate harms must be implemented largely by the private sector. Unless we understand better the factors shaping the private sector’s response to cyber harms, including the ways in which litigation risks shape strategic decisions about cybersecurity, it will be difficult to comprehensively address the threat. And while governments traditionally have been charged with protecting the national interest, that role, in a digital era, is increasingly also played by private companies. To the extent that an unsettled liability landscape shapes private sector decisions about investing in cybersecurity protections, disclosing cyber incidents to the public, and cooperating with government, the problem is no longer exclusively one of legal rights and remedies, but also one of strategic cyber preparedness.

Managing this shifting landscape requires executives, including at the board and senior leadership level, not only to confirm that adequate technological defenses are in place, but also to think strategically regarding how to create and implement corporate governance, and communication and response structures, to manage cyber risk. This means ensuring that the organization effectively can identify and address emerging regulatory and liability issues on both a proactive and responsive basis. Moreover, because systems can be compromised at any level, it also involves communicating (through training and protocols) the significance and means of properly managing cybersecurity risk […] Read more »


Is Your Vendor Risk Management Program Working?

As the saying goes, you can outsource most anything, but you can’t outsource responsibility. Companies remain on the hook for ensuring their vendors are up to task when it comes to cybersecurity, privacy compliance and continuity of operations. This checklist can help determine the maturity of your vendor risk management program.

✔ We understand the vendor’s role relative to our business risk.

Knowing if a vendor is reliable requires knowing how they are being relied upon. It is worth considering how a particular vendor’s security failure might impact the confidentiality, integrity or availability of your employee records, customer data and business secrets, and whether their failure could put a halt to your operations altogether.

✔ We understand the vendor’s security relative to our requirements.

Just because a vendor is well known does not mean its standard offering meets your company’s legal, regulatory, contractual and business security needs. Companies often take advantage of a cross-functional team of information security, legal, compliance, procurement, privacy and risk experts when making important vendor decisions.

✔ We ask the right questions and understand the response.

Vendor questionnaires are all the rage, but they are resource intensive for both parties. If your company uses them, do it right by assigning appropriate personnel to assess the answers, recognize gaps and potential remediation measures, follow your organization’s risk acceptance procedures and document decisions. Alternatively, consider accepting independent third-party audits and certifications, supplemented only as necessary for unique requirements.

✔ Our contracts are rock solid.

The Federal Trade Commission put it succinctly: “Insist that appropriate security standards are part of your contracts.” But, what are appropriate standards? Among other things, strong contracts take into account a company’s legal and regulatory environment, and often have provisions relating to specific security controls, compliance with industry standards, third-party certifications, data rights and privacy requirements, audit rights, insurance coverage, incident notification (and cooperation and information sharing if there is an incident), responses to legally compelled disclosure, data localization requirements, choice of law, restrictions on subcontracting, data destruction, SLAs and indemnification […] Read more »


Atlanta Municipal Systems Hit with Ransomware Attack

Atlanta city employees coming to work this morning were handed an unusual notice: don’t turn on your computers. The municipal systems had been hit with a ransomware attack on Thursday, and employees at City Hall were not to use their computers until they were cleared by the municipal IT group.

According to the Atlanta Journal-Constitution, city officials have been struggling to determine how much sensitive information may have been compromised in the attack. Atlanta Mayor Keisha Lance Bottoms told employees to monitor their bank accounts.

“Let’s just assume that if your personal information is housed by the City of Atlanta, whether it be because you are a customer who goes online and pays your bills or any employee or even a retiree, we don’t know the extent, so we just ask that you be vigilant,” Bottoms said.

The attackers demanded the equivalent of $51,000 in digital currency to unlock the system, and the attack is affecting applications customers use to pay bills or access court-related information, USA Today reports.

According to Craig McCullough, AVP, U.S. Federal for data protection and information management solution provider Commvault: “The recent ransomware attacks on Atlanta’s computer systems are another wake-up call for the U.S. Government to be better prepared to defend against cyber-attacks. Unfortunately, these attacks are not isolated incidents and will continue across Federal […] Read more »


Only 39% of Breached Companies Can Confidently Identify Source

Nearly four in five companies (79%) were hit by a breach in the last year, according to new research from Balabit. The report, titled The Known Unknowns of Cyber Security, also revealed that seven out of ten (68%) businesses expect to be impacted by further breaches this year, with more than a quarter anticipating a breach to occur within the next six months.

The Unknown Network Survey, deployed in the UK, France, Germany and the US, reveals the attitudes of 400 IT and security professionals surrounding their IT security concerns, their experience with IT security breaches, their understanding of how and when breaches occur, and the strategies they’re using to combat hackers.

Knowing your Environment

The majority of businesses know very little about the nature of the security breaches that take place within their organizations. Whilst a high percentage of companies have experienced a breach, less than half of respondents (48%) feel fully confident that they would know if a breach had even happened, meaning that more could have taken place without their knowledge. Furthermore, only 42% of respondents feel very confident about what data was accessed during a breach, and a mere 39% were fully confident that they could identify the source of a breach.

Privileged users, who are granted the most access within an organization, are vulnerable to attack and can open the door to insider threats, leading to internal tension around the development of cohesive security strategies. With half of all security breaches being employee-related, 69% of senior IT professionals agree that an insider data breach is the biggest threat they are facing in network security.

“Attacks are becoming more and more sophisticated and every organization is at risk,” said Csaba Krasznay, security evangelist, Balabit. “Security is no longer about simply keeping the bad guys out. Security teams must continuously monitor what their own users are doing with their access rights, as part of a comprehensive and cohesive security strategy.”

“What’s really alarming, though, is that the majority of businesses know very little about the nature of the security breaches that are happening to them. Many even admit that a security breach could quite feasibly go unnoticed. That’s how loose a grip we’ve got on them, or how little we really understand them. We know about breaches, sure – but we really don’t know enough,” Krasznay continued […] Read more »


4 Trends Driving Security Operations Center

Today, the need for organizational trust has been amplified by cyber threats that continue to grow in variety, volume and scope. According to the Cisco 2018 Annual Cybersecurity Report, 32 percent of breaches affected more than half of organizations’ systems, up from 15 percent in 2016. Network breaches shake customer confidence, and it’s essential that organizations protect intellectual property, customer records and other critical digital assets. A strong cybersecurity strategy is today’s foundation for creating confidence among partners and customers.

The Security Operations Center Gains Prominence

A key factor in establishing trust is the presence of a Security Operations Center (SOC). This is true whether the SOC functions internally or is provided by a third party, such as a managed security service provider (MSSP).

This team monitors, detects, investigates and responds to cyber threats around the clock. The SOC is charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems and brand integrity. This includes the connected controls found in networked industrial equipment. The SOC assumes overall responsibility for monitoring, assessing and defending against cyberattacks.

SOCs have grown in importance due to four primary trending needs:

  1. Departmental collaboration: It’s more important than ever that organizations maintain an environment where skilled people with the right tools can react quickly and collaborate to remediate system-wide as well as local problems.
  2. Cross-functional collaboration: People and cybersecurity tools must work together with other critical IT functions and business operations. These departments align with business objectives and compliance needs for a high-performing operation that is efficient and effective.
  3. Company-wide coordination and communication: As a security event takes place, it’s essential that there’s a centralized team to communicate with the rest of the organization and ensure efficient resolution. In turn, it’s also important that the organization knows who to turn to in the event of an incident.
  4. A holistic view: A view of all digital assets and processes that is centralized and real-time makes it possible to detect and fix problems whenever and wherever they occur. Centralization is critical for IoT systems. The sheer number of devices and the likelihood that they are widely dispersed make local monitoring impractical and inconsistent.

As security operations have changed, the associated job roles and responsibilities have evolved as well. Having the right team with the right skills in place is essential to optimizing an organization’s front-line defense.

SOC Member Roles

Within the SOC, there are many roles. While SOC teams are not all the same, these roles typically include:

  • Cybersecurity SOC Manager: Manages the SOC personnel, budget, technology and programs, and interfaces with executive-level management, IT management, legal management, compliance management and the rest of the organization.
  • Incident Responder: Investigates, evaluates and responds to cyber incidents.
  • Forensic Specialist: Finds, gathers, examines and preserves evidence using analytical and investigative techniques.
  • Cybersecurity Auditor: Monitors compliance of people, procedures and systems against cybersecurity policies and requirements.
  • Cybersecurity Analyst: Identifies, categorizes and escalates cybersecurity events by analyzing information from systems using cyber defense tools.

These individuals work together to identify and respond to cybersecurity incidents in real time.

Building a SOC: A Challenge and an Opportunity

As networks expand and grow in complexity, SOCs are emerging as the enterprise’s front and best line of defense. The SOC is a strategic, risk-reducing asset that strengthens the security of an organization’s systems and data. Building a SOC isn’t as easy as simply hiring new team members, however […] Read more »


The US Cities that are Best at Password Security

New research reveals the US cities that are best at password security, with Minneapolis topping the list.

A study by password manager Dashlane scores cities based on several metrics, including average password strength and average number of reused passwords.

The cities best at password security are:

  1. Minneapolis, MN
  2. Seattle, WA
  3. San Francisco – Oakland, CA
  4. Detroit, MI
  5. Chicago, IL
  6. Denver, CO
  7. New York, NY
  8. Saint Louis, MO
  9. Washington, DC
  10. Miami – Fort Lauderdale, FL
  11. Riverside, CA
  12. Boston, MA
  13. Philadelphia, PA
  14. San Diego, CA
  15. Tampa – St. Petersburg, FL
  16. Los Angeles, CA
  17. Dallas, TX
  18. Phoenix, AZ
  19. Houston, TX
  20. Atlanta, GA

Mess With Texas

Things might be bigger in Texas, but not when it comes to passwords: All of the Texas locations scored near the bottom in both rankings, the study said.

NorCal vs. SoCal

According to the study, NorCal officially takes cybersecurity bragging rights as their scores were dramatically better across the board. The trend does not follow a straight North-South progression, however, as San Diego came out on top of LA.

Southern Discomfort

Four out of the six lowest-scoring cities hail from the south: Dallas, Atlanta, Houston, and Tampa […] Read more »


Investors Put Cybersecurity Top of the Business Threat List

Cyber attacks are now the biggest threat to business in the eyes of investors, mirroring growing global concern from business leaders, according to a new study by PwC.

In the PwC Global Investor Survey 2018, the views of investors and analysts are compared with those of business leaders. The study found that 41% of investors and analysts are now extremely concerned about cyber threats, seeing them as the largest threat to business, rising to first from fifth place in 2017. A similar proportion (40%) of business leaders see cyber threats as a top-three threat, but business leaders rank over-regulation and terrorism higher in the global study.

To improve trust with consumers, investors believe businesses should prioritize investment in cyber security protection (64% investors; 47% CEOs).

Investors rank geopolitical uncertainty (39% extremely concerned), speed of technological change (37%), populism (33%) and protectionism (32%) in the top five threats to growth.

Hilary Eastman, head of global investor engagement at PwC, said: “The top concerns of investors and CEOs emphasise the different internal and external perspectives on, and day to day experiences of, businesses. While on-the-ground challenges such as finding the right skills are high on business leaders’ agendas, investors are preoccupied with the impact that wider societal trends, such as geopolitical uncertainty, populism and protectionism, have on businesses generally.”

Overall, PwC finds that both investors and CEOs are more confident about the global growth outlook than they were last year. 54% of investors (+9%) believe global economic growth will improve and 57% of CEOs (+19%) […] Read more »


Beyond Talking the Talk: Building Cybersecurity into a Company’s DNA

Security is constant. It’s fast-paced with a high burnout rate, and many companies continue to struggle with implementing basic security controls. Given the overwhelming reality of resources and time that are already being dedicated to a company’s security strategy, how can organizations begin to build security into a company’s DNA in a realistic way?

While it may seem onerous or unrealistic to some, it is possible to create more than a cyber-aware culture. Changing the fabric of a company’s DNA is more than just a Pollyanna goal, it’s a necessary reality. But it will take time and leadership buy-in. The very basic building blocks require a shift in the way companies think about accountability. It starts with making everyone in the organization responsible for cybersecurity.

Let’s be clear that there is a difference between corporate culture and a company’s DNA. The DNA encompasses everything that relates to the very fibers of the organization: all those aspects of the company that we don’t think about. When we talk about building cyber into the company DNA, we want it to be part of the normal day-to-day operations. Security needs to be part of what we are investing into the organization and its people throughout the year. So that limited resources of time and money never diminish the way the company values security, it must be part of the corporate development life cycle.

When security is a part of the profit and loss statement, it inherently becomes a priority of the company’s goals. These are the ideas and behaviors we need to be going after in order to make security a priority for the organization.

So, what are some realistic steps you can take today? Here are a few ways to rebuild a company’s DNA and make a real difference in the way employees, the C-Suite, and the board value security […] Read more »


Study Shows Which Phishing Attacks are Most Successful

A new phishing study of six million users shows insurance organizations and not-for-profits lead all other industries with greater than thirty percent of users falling for baseline phishing tests.

The study shows these types of organizations rank higher (in the low 30 percent range) than the overall average of 27 percent across all industries and organization sizes. Large business services organizations had the lowest Phish-prone benchmark at 19 percent.

The Phish-prone percentage is determined by the number of employees who click a simulated phishing email link or open a simulated infected attachment during a testing campaign using the KnowBe4 platform.

The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results. Results show a radical drop in careless clicking to just 13 percent 90 days after initial training and simulated phishing, and a steeper drop to two percent after 12 months of combined phishing and computer-based training (CBT).

The study anonymously tracks users by company size and industry at three points: 1) a baseline phishing security test, 2) results after 90 days of combined CBT and simulated phishing, and 3) the result after one year of combined CBT and phishing […] Read more »