CISOs must rise beyond the technical when it comes to real business risk


The true toll of a cybersecurity incident is not felt during the attack itself; it may take a business weeks, months or even years to truly recover. Data might be restored, but a significant breach affects employees and forces changes across the entire business.

Attack effects last well beyond the cause

Ransomware may seem passé, but it remains a significant issue: the Australian government has said it is likely to introduce a mandatory reporting scheme for ransomware attacks. Criminals constantly update their attack tools and shift focus to targets they believe are vulnerable.

The effects linger far beyond the initial attack and response. Organisations may elect to pay the ransom, but that is not necessarily the end of the problem. When 500 machines are hit, recovery often means running the decryptor and entering a key on each machine individually. This creates a resourcing nightmare as the organisation and its CISO scramble to identify, and agree on, which systems must come back online first.

If an organisation chooses not to pay the ransom, it faces the task of recovering those systems from backups (if backups of those endpoints exist), rebuilding them from scratch, or losing valuable business data. Either way, the hit to productivity and the cost of recovery can be significant.

More recently, ransomware has been paired with extortion. Before encrypting an organisation's data, criminals exfiltrate valuable information and threaten to publish it unless the ransom is paid. Even with robust recovery processes in place, an organisation may find its confidential information released into the public domain. The threat actors' goal is to add pressure on the organisation to pay.

Business email compromise, or email fraud, is a huge earner for cybercriminals. The immediate impact is lost funds: the ACCC says losses reported by Australians in 2021 were five times higher than the year before, and most experts agree the figure is substantially underreported. The toll on victims is significant. When a person is fooled by very clever tactics into handing over large sums of money, they feel the impact personally.

Organisations need to ensure they have adequate counselling services in place to support staff in the aftermath of a significant cyber attack. The mental toll on IT staff, and on those who carry the pressure of recovery, cannot be overstated. Many IT admins feel personally responsible, and the staff who were duped can feel shame and extreme guilt.

The biggest weapon in the criminals' armoury is their ability to exploit our trust. This is why supply chain attacks are so pernicious. When SolarWinds and Accellion saw their software compromised by attackers, and the Snowden disclosures showed the NSA intercepting Cisco routers in transit to install implants before delivery, it highlighted that the trust we place in these critical devices and products is overrated.

For years businesses have had these devices act as gateways between their private networks and the internet. Because they were critical infrastructure, outages were not tolerated, which meant patching was often ignored or indefinitely delayed. And while a scheduled outage may be inconvenient, an unscheduled outage caused by an attacker can be devastating.

What can CISOs do?

These and other attack vectors create a significant challenge for CISOs and CSOs. With a finite pool of money, people and time, the challenge is how to balance those resources while meeting the needs of the business.

The first step is understanding the risks and articulating them to your colleagues in the C-suite and boardroom in language they understand. For example, rather than describing ransomware as a loss of access to information and systems, describe the recovery process, explain that the disruption may last weeks or longer, and put a dollar figure on that recovery time.

These discussions need to take place at all levels, up to and including the board. Legal, technical, regulatory, marketing/comms, human resources, vendor management and other areas all need to be carefully considered, with plans in place so decisions are not made in the heat of an incident. Having an agreed response plan now will save tremendous headaches and panic when an incident occurs.

If data is exfiltrated in an attack, ask executives which data they could not tolerate being released into the public domain. There is also the cost of reporting the loss of personal information to the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, notifying affected customers, and keeping suppliers and partners in the loop. For companies doing business in other jurisdictions, there may be requirements to report incidents to other governments as well; the GDPR in Europe and the PDPA in Singapore, among others, require data breaches to be reported.

The human impact of business email compromise should not be underestimated. But the risk of such an attack can be mitigated with process checks that do not rely on email. For example, requiring a phone call to a number already on file (not one supplied in the email) to verify any significant payment or change of bank details helps ensure that an accounts payable clerk does not make a fraudulent funds transfer.

Staying ahead of the evolving threat landscape requires the right processes, not just technologies. As the CISO, you are in a unique position to drive change across the whole organisation to minimise the risk of future attacks by making process recommendations.

For over a decade, the Australian Signals Directorate has been touting the importance of patching systems. Patching is now part of its Essential Eight, and businesses must accept that the risk of not patching outweighs the cost of a short outage. For CISOs, the message needs to be about the risk of not patching rather than the impact of a short outage.

Even for businesses that believe they need 24/7 access to all systems, a short outage during a non-peak period is a small cost compared to a multi-day outage or significant data loss caused by not patching a known vulnerability.

With businesses highly dependent on digital technologies, the impact of an attack should not be underestimated. CISOs need to stand above the technical minutiae of the risks and present them in business terms. That may mean reallocating resources towards helping business units create more secure processes. It may mean articulating the entire attack cycle and how long a complete recovery will really take. Businesses need to understand that a short, scheduled outage, even of a critical system, is a better outcome than a long-term, unplanned outage.

Copyright © 2021 IDG Communications, Inc.