Internal assurance and cross-organisational cooperation key to cyber risk management

There was even a presentation on the mostly forgotten threat of electronic eavesdropping, just to prove that while the attention of IT security and risk managers may be mostly focused on the threats from worldwide hacking groups, there remains the chance that a man in overalls may be planting listening devices into the illuminated exit sign in the company boardroom. The internal IT auditor may have a different approach to that of a corporate risk manager and insurance buyer, yet the issues remain the same—the growing reliance on technology and the greater threats to its effective use, whether they be malicious or accidental, internal or external. Admittedly, the greatest challenge for the cyber insurance market (both the insurers and the insureds) is around the quantification of the risk and, consequently, the pricing of an insurance policy.hideThe Isaca conference was notable for the lack of references to quantification, or to insurance or risk transfer of any kind. Instead the focus was on managing these risks internally, on assurance rather than insurance. And given that the cyber insurance market is still in a state of relative immaturity, many risk managers are taking an internal approach to managing their cyber risks rather than relying on the insurance market. Furthermore it is constantly stressed that there needs to be greater communication between the different staff members responsible for managing an information security programme—from the IT team to the chief financial officer. Therefore a closer working relationship between internal auditors and risk managers to help deal with cyber security concerns is most likely long overdue. GLOBAL RISK PERSPECTIVES Back in 2009, the Lloyds 360 Risk Insight survey, a global risk chart that ranked risks in terms of priority and preparedness, did not include cyber risk anywhere in its top ten—number one priority was the cost and availability of credit. Information security breaches and cyber attacks came in at numbers 16 and 20 respectively. The 2011 risk chart shows a slightly different picture. Firstly all risks in all regions were given a higher score in terms of priority and preparedness. And, in terms of risk ranking, loss of customers/cancelled orders is perceived as the number one threat, while malicious cyber attacks climbed up to number 12. More interestingly though, the Risk Insight survey shows a clear disparity between global regions in both the priority and preparedness designated to cyber risk. North America ranks cyber risk far higher than both Europe and Asia Pacific, although the level of preparedness assumed by North America and Europe is very similar and noticeably higher than Asia Pacific. According to Marcus Alldrick, Chief Information Security and Risk Officer at Lloyds, a swifter evolution of technical solutions is required but information security is still about people, process and then technology. “Increased expenditure does not necessarily mean reduced exposure. Better quantification of risk through improved security breach reporting and emphasising the need to protect themselves should be the priority for organisations if they are to prevent customer loss and aid retention,” he said. Mr Alldrick also added that risk managers need to do more to ensure that the importance of information security is communicated throughout the organisation. “Power is shifting from the physical to the virtual and technology complexity and hyper-connectivity are increasing our vulnerabilities to cyber threats and digital disruptions. Existing safeguards are not keeping up to provide effective and timely risk management. Incentives are misaligned, leaving organisations ignorant of the true level of risk and the investment required. Greater cooperation and collaboration is needed for a healthy digital space.” MOBILE DEVICES, MOVABLE RISKS Cyber security experts are active in highlighting the vulnerabilities of mobile devices. The mobile sector has a faster adoption rate and wider penetration than any other technology sector—PCs, tablets, laptops etc—and an increasing number of people now have more than one mobile device. For corporates it is inevitable that they will be faced with integrating these various devices into their corporate networks and then managing the risks this creates. Yet many risk managers are failing to recognise the full extent of the information security risks they face through mobile devices, said Stephen Ackx, a Director at PwC Technology. “Do you really know what your mobile is doing? What tools or apps are you running? How sensitive is the information? Where is it stored on your mobile device? How do they collect information? Do you have the information backed up? What would happen if it was stolen? People are not thinking about these issues—certainly not as much as they would if it were a laptop rather than a mobile device. They are more interested in features and functions so you have to impress upon them the importance of security,” he said. Challenges with mobile security are exacerbated by the Bring Your Own Device (BYOD) trend, whereby employees expect to be able to plug their mobile devices into the company network. This dangerous mix of personal and business data raises a number of risk issues covering technology (firewalls), legal issues (software licensing and data ownership), fiscal issues (tax implications if the device is provided by the company in kind) and HR issues (policies and processes). There are, of course, advantages to allowing a BYOD policy, said Mr Ackx. Staff morale should be enhanced and the company should be more attractive to potential employees. There are also operational benefits given that employees will be using their own devices—reduced training and support costs, allowing IT teams to focus on more strategic issues. But there is a downside. There is less consistency in the devices and less control over users’ decisions to change carriers, upgrade devices or download new software. There are also network performance issues given that mobile usage tends to double after 4.00pm when employees connect their devices to check Facebook before going home. A lot of software for mobile devices is developed on open platforms and, generally, the more open the platform the more security weaknesses. It is possible to separate business data from personal data, but there are then liability issues and the question becomes whether that device is for personal use or work. Companies can always ban the use of personal devices. But this not only creates staff morale issues, it is also often counter-productive as employees will change the SIM cards on their work and personal devices, making it harder for IT management to track the usage. Companies may standardise on a single mobile device, but this can be problematic when you start telling employees what personal devices they can buy. An alternative approach is to actually provide the personal devices, thereby ensuring standardisation but also creating confusing issues over who owns the data on that device. Whatever approach is taken, Mr Ackx encourages companies to consider the long-term implications of allowing BYOD usage. “Will it cut costs and make life easier for the IT department? Or will it create new security issues and will it increase the cost of insurance? And remember that once you allow BYOD usage, it is very difficult to turn back time,” he asked. EU DATA DIRECTIVE TO CHANGE RISK AND TRANSFER LANDSCAPE The take-up of cyber insurance policies varies significantly between the US and Europe and much of this disparity is attributed to the different treatment of data privacy in each region. In the US, companies must notify their customers (or data subjects) in the event of a data breach, a considerable cost that has led a number of corporates to consider insurance. It is anticipated that a planned EU directive on data protection will also include mandatory notification in the event of a data breach and thereby herald a greater take-up of cyber insurance, as well as a greater focus on information security. The proposed draft amendments to the data protection framework were published in January 2012. The main change in the draft is that the new rules will be a directive rather than a regulation, meaning that all member states will have to implement the law in the same way. This change is generally welcomed by data protection officers, especially those working for corporates operating in multiple member states. “Currently there are twenty-seven EU states and twenty-seven data protection agreements and when we have an event we have to notify twenty-seven different authorities using twenty-seven different forms,” says Yves La Roux, Head of Governance, Risk and Control, EMEA at CA Technologies. “It is a nightmare and that is why we want a directive.” “The main argument for the directive is that it will save money,” continued Mr La Roux. “It will cut bureaucracy, data controllers will be able to get answers from one place and there will be enhanced cooperation between Data Protection Authorities to ensure consistent application.” However, issues remain. Not least the fact the new directive will not likely be implemented until 2015, and in the meantime several of the proposed amendments may be amended further or simply removed—such as mandatory notification in the event of a data breach. And then there is the problem of the data subjects themselves, the different perceptions and expectations of people in different countries. These differences exist not just between European countries, but also between Europe and the US. “In Europe privacy is a human right, in the US it is a customer expectation—that is the difference,” says Christos Dimitriadis, Head of Information Security at Intralot, the operator of the Greek national lottery. Personal data is being seen as a new currency thanks to social networking sites like Facebook that are busy building a value for the personal data of its users. Then there is the issue of the numerous e-commerce sites that use personal data to enhance the website’s ease-of-use—an issue that has been highlighted by the recently introduced cookie law that calls for explicit rather than assumed consent from users. But it is the contradictory expectations of users that may cloud the development of a workable privacy framework, said Demosthenes Ikonomou, Senior Expert for Security Tools at the European Network and Information Security Agency (ENISA). For example, a recent ENISA survey conducted in Germany showed that 93% of people were concerned about the security of their privacy, but 87% were prepared to disclose their email address for a 50 cent discount on their cinema tickets. Nevertheless there are general steps that can be taken and principles that can be adopted—the main one being to strike a workable balance between preventing data leakage and respecting employees’ privacy. “Companies should prepare an adequate information security concept,” said Markus Bittner, Executive Director at IT consultant Straight Advisor. “They should perform prior checks when implementing new software or systems and use partly anonymised data wherever possible. And there should be more communication between the IT security staff and the data protection officers.” HEAD IN THE CLOUDS—BUSINESS CONTINUITY RISKS Cloud computing may be viewed as a great leap forward in terms of obtaining IT services but it adds enormous complexity to the task of ensuring information security and data privacy. It is also an area rife with misconceptions and underestimations, said Mike Small, Senior Analyst with Germany-based information security analyst firm Kuppinger Cole. For example, many companies that adopt cloud computing wrongly assume that they will be able to easily change provider whenever they like, said Mr Small. “But there is a risk and you should not assume that you cannot get locked into a cloud provider.” Risk managers must take into account exactly what kind of cloud model they have adopted—whether it is software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS). The first model offers the least flexibility, highest risk of lock-in and least clarity over data ownership. The last model offers the most flexibility, but a higher onus on the customer to ensure business continuity. There is also the nature of the cloud delivery model itself and whether it is public, private or a hybrid/community model—a prescient concern for managing the physical risks. Companies may wrongly assume that traditional business continuity risks such as fire and theft no longer apply because the system infrastructure and data is held with a third party and because the ‘cloud’ term conjures connotations of a celestial cyber centre rather than the more prosaic reality. A number of cases have illustrated this point, often involving firms that are using a public rather than a private cloud that is therefore susceptible to the behaviour of their co-tenants. In June 2011, the FBI raided a data centre as part of an investigation into hacking group Lulz Security and consequently caused several servers to go offline, affecting a number of businesses that had no link to the FBI’s investigation, other than the fact that they used the same data centre. Of course they suffered regardless. “Ultimately you are responsible for cloud risk, so not only do you need a plan to deal with a potential loss of business, you also need to know what business continuity plans the cloud provider has,” said Mr Small. He also stressed the importance of contractual risks in any business continuity plan for cloud computing. Contracts or service level agreements (SLAs) tend to focus on service availability, which is, of course, different to business continuity. ENISA has released a document titled Procure/Secure to advise local government agencies on designing SLAs—clearly defining what constitutes unavailability and establishing independent testing and constant monitoring. Above all, many standard contracts from cloud providers are very light on liability. The standard contract from Amazon Web Services states the client must ‘accept that your service may be temporarily suspended for any reason or suspend access to the service at any time with no liability for loss of data or profits as a result of the suspension’. As Mr Small states, it is imperative that cloud customers get a lawyer to look at any contract. “Read the white papers, the security statements and the publicity but then read the contract because that is what is enforceable. But there has to be some trust towards the cloud provider if you are going to get anywhere with the service.” There are publicly available standards for firms to adopt when formulating business continuity plans. In fact the problem is that there are too many. At the last count there were 35 separate cloud standards from assurance frameworks like ISO 27005 to best practice documents from the Jericho Forum. “Everyone is jumping on the bandwagon and customers don’t know where to go,” said Mr Small. Ultimately though, despite all the checklists, controls and certificates, business continuity comes back to business needs, said Mr Small. “It is no good insisting that you need 100% availability unless it relates to your business needs. Otherwise you’ll end up paying too much. If you do use the cloud, then makes sure that you know who is responsible for what and that you have some level of assurance.” SILENT MENACE—ELECTRONIC EAVESDROPPING Risk managers are underestimating the risk posed to their business by electronic eavesdropping and are failing to include audio-based data as part of their information security programmes, according to Richard Hollis, Director at data risk management consultant Risk Factory. Furthermore, the increased attention on cyber risk and the threat of computer hackers and malicious software has led risk managers to prioritise the data in their computer systems far above the threat of audio-based data theft, he said. For example, many risk managers would identify USB keys fitted with Trojan horse devices as more effective espionage tools than concealed listening devices, not least because they can be used to access networks and take data from IT systems rather than taping a conversation in a room. Similarly, said Mr Hollis, many risk managers recognise the threat posed to information security by employees’ personal devices but few appreciate that these smartphones and tablets can also be unwittingly activated as bugs. Mr Hollis said that risk managers should recognise the value of verbal data and ensure that it is included as part of an information security programme. “There is the information that is on the network but there is the information that comes from the men’s room or the board room that never makes it onto the system,” said Mr Hollis. “And if you talk to any director, they will say that the most sensitive information is what is not written down. It has become the risk that dare not speak its name and it is so sensitive and valuable that risk managers do not know what to do with it.” The case for raising awareness of electronic eavesdropping is not helped by the lack of statistics in this area. “What few statistics are available related to the estimated value of the tools purchased and suggest that activity is rife. The US Homeland Security department estimates that more than $900m of illegal bugging equipment is brought into the US every year, while more than $500m is invested in legal bugging equipment,” explained Mr Hollis. Nor are the few risk managers that appreciate the risk helped by the typical attitude of directors who are content to confine the risk management of audio data to the boardroom, said Mr Hollis. “Risk managers say they are not being allowed in to cover this risk. When we get a call to perform a security sweep, the order comes from the very top. It is not run through the procurement department or the risk manager. So in many cases, it is a recognised threat but it is taken to the sidelines and dealt with separately.” Despite the numerous challenges, Mr Hollis anticipates that the situation will change in the next ten years. There will be a high profile breach involving audio data, or a corruption case that hinges on verbal evidence, and this will attract the attention of legislator and regulators. “Law-makers will push for this evidence to be more admissible in court and Sarbanes Oxley could call for board meetings to be recorded. The corporate conversation is the last frontier in information security but we have to address it,” he warned.

Internal assurance and cross-organisational cooperation key to cyber risk management

Want to read this article?

Read Next

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

Want to read this article?

Read Next

AXA P&C increases premiums by 7% as rates rise at AXA XL

Hong Kong and Shanghai to cooperate on captives and ILS

Swiss broker Kessler names head of special risks

Supply chain cyber risk concentrated in 15 top vendors with ‘below average’ cybersecurity

US insurers expected to increase casualty pricing as social inflation rises

Related Articles