Professional Documents
Culture Documents
1
Managing threats from within
Cyber insecurity:
Managing threats
from within
Briefing paper
Sponsored by:
Contents
3 About this report
4 Introduction
Introduction
Data breaches, defined broadly as the intentional or unintentional
release of secure or private/confidential information into an untrusted
environment, are a rapidly growing problem for businesses worldwide.
People-centric threats—from phishing to lost or stolen devices to
activity on an unsecure network to lost or stolen passwords—can be
at least as crippling as more arcane technical glitches and oversights.
To gauge the frequency and severity of such weaknesses, their causes and
the steps companies are taking to address them, The Economist Intelligence
Unit surveyed more than 300 corporate executives, including CIOs, CISOs
and other IT executives, finance and line-of-business leaders, with roughly
equal portions located in North America, Europe and Asia/Pacific.
Data breaches are having increasingly disastrous loss of clients (30%); and termination of
consequences for business. As a result of a staff involved (30%).
massive 2017 data breach that exposed the
The problem is only growing. Not everybody
personal identity information of more than 148m
people, Equifax in July agreed to pay US$425m to Nearly half of survey respondents (47%) say it’s understands
help the victims and US$275m in civil penalties— very or extremely likely that they will face yet that a huge
the largest such monetary settlement to date. a major data breach in the next three years. company can
Not surprisingly, companies that have be brought to
An overwhelming majority (86%) of survey experienced one or more data breaches in its knees by
respondents say their organisation has the past three years are far more likely to one of these
experienced at least one data breach in the past anticipate another one in the next three years attacks.
three years, with well over half (60%) saying they than companies that haven’t (53% vs. 9%1).
have experienced at least four. Large companies Prasanna
Many companies, however, are still in the early Ramakrishnan,
(US$500m or more in annual global revenues)
stages of devising an effective strategy for global head of
are especially vulnerable; more than two-thirds
preventing and responding to data breaches— information security
(68%) have experienced at least four data
mitigating their effects. “Not everybody risk, Signify
breaches in the past three years, compared with
understands yet that a huge company can be
53% of smaller companies.
brought to its knees by one of these attacks,”
Data breaches disrupt businesses in a variety of says Prasanna Ramakrishnan, global head of
ways. Survey respondents most frequently cited information security risk at Signify (formerly
the following in their top three: loss of revenue Philips Lighting). “We have to be able to get to a
(33%), especially at large companies (38%); predictable structure of security.”
Loss of clients
30
28
1 This figure was taken from a small base, but trend is directional.
23
Cyber insecurity:
6
Managing threats from within
While companies in all industries are growing Where do attackers look to exploit
ever-more technology-driven, their exposure vulnerabilities? Clients and customers
to people-centred threats also continues to are the group most often targeted in
worsen. Even at an industrial company like data breaches (48%); the next most likely
Signify, these internal threats are among are all either employees, contractors or
the most serious, says Mr Ramakrishnan. people closely connected to them.
“Intellectual property is our most important
This finding underscores the reality that
asset,” he says. “As a global company, we have
network vulnerabilities can easily extend
a significant presence all over the world, and
beyond the company’s area of direct control.
so we must constantly balance managing the
It also highlights the need for companies
potential threats with running our business
to understand the degree to which some
without interruption.”
employees, because of their visibility, work
Most cyber-security breaches are the result of routine or level of data privilege, may be
human vulnerabilities, not a failure in technology more vulnerable to attacks than others.
or process. Most serious are people-centric
A high-profile employee may be the target
threats, phishing, ransomware and other
of more sophisticated malware attacks;
malware, business email compromise and
one who has access to the CEO may be hit
wire transfer fraud, which nearly half (48%) of
by phishing attacks that spoof the CEO or
respondents cited as collectively a top-three risk.
other executives. Assessing vulnerability
While system misconfigurations and accidental involves considering such factors as what
exposures are the second most frequently cloud apps the employee uses, how many
cited vulnerability, others that our respondents and what devices, their level of access, how
mention are all driven by human error: frequently they are targeted and, of course,
whether they practise good digital hygiene.
• Lost, stolen or otherwise hacked devices (33%);
Clients/Customers
48
On-site employees
43
Remote employees
35
Third-party vendors/suppliers
33
32
Board members
27
Former employees
21
Don’t know
Reducing
0 the risk of a major data breach Adrian Ludwig, CISO of Atlassian, an Australian
has become a top area of concern at most enterprise software company, issues monthly
companies. An overwhelming 82% of survey cyber-security reports to the executive team
respondents cite it as a high or essential C-suite and quarterly reports to the board. “We let
priority and 73% expect reducing the risk of a them know if there’s a gap, and if we need more
major breach to become a higher priority for investment, it’s an easy conversation,” he says.
the C-suite over the next three years. Almost all How are companies addressing data
respondents (96%) say the board and C-suite breaches? For many, it starts with centralising
strongly support efforts to control cyber- the organisation’s efforts to help create a
security risks and 93% say the board and C-suite cyber-security culture embracing every
are regularly updated on cyber-security risks. employee, every functional area and line of
business and the networks that bind them Between 86% and 96% say their organisation
together. Virtually every respondent (94%) has taken action or plans to implement the
agreed that their organisation has done so. following to avoid and mitigate data breaches:
82
respondents say their organisation has moved • Train users to detect and report
more than half of its data infrastructure to suspicious email (94%);
the cloud and over 69% say they have moved
more than 40%. Most respondents also say
their organisation has undertaken processes to
• Isolate employees’ personal
web browsing and email activity %
from network traffic (92%); cite reducing the
address data breaches. The survey divided these
into two groups: processes to ensure responsible • Implement a zero-trust network risk of a major
cyber-security behaviour by employees and strategy for access security (86%); security breach
processes to avoid and mitigate data breaches. as a high or
• Install security programs (secure email
essential C-suite
Between 84% and 95% of respondents say their gateways, cloud access security broker/
cloud security tools, firewalls, anti- priority; 73%
organisation has taken action or plans to implement
malware and anti-virus software; 96%); expect it to be a
the following to ensure responsible behaviour:
higher priority
• Conduct pre-employment screening • Roll out systems and software updates and over the next
and background checks to avoid hiring patches as soon as they are available (94%);
three years.
individuals who pose a risk (89%);
• Install upgrades as soon as manufacturer
• Require employees to sign no longer supports software (95%);
confidentiality agreements (91%);
• Periodically run tests on data security
• Develop and enforce information standards and practices (96%); and
security policies for employees (93%);
• Require use of a virtual private
• Conduct regular employee education network (VPN; 91%).
and security training (94%);
At Delta, “we take a risk-based approach” to interaction to ensure that appropriate actions are
cyber-security, embracing not just company- taken when suspicious activities are detected”.
specific data but employees’ and contractors’
At times, the technology “attempts to
own PII [personally identifiable information] and
remediate where there was not an actual
PCI [payment card industry] data, says Deborah
covert action”. As adaptive security matures,
Wheeler, CISO at Delta Air Lines. “So a lot is however, “it will free up our analysts to tackle
based on the data itself.” bigger problems in our environment”.
Delta has already taken most of the actions
listed above, resulting in a defense-in-depth What works best?
structure that includes security portals when
Respondents’ views on the effectiveness of
the user enters the Delta network, additional
security processes vary considerably. The most
challenges for each specific system, and favoured tend to be the most basic, suggesting
then monitoring of and controls over how that as long as employees are educated and
the data can be treated by the end user. informed of the rules, they will assume a
“At every step of the user’s data experience, measure of responsibility.
some form of control is happening,” she
Survey respondents who had already
says. “Our team is never done; we are
implemented security processes found the
constantly reviewing and altering our
following to be most effective in ensuring
approach to account for the ever-changing
responsible cyber-security employee
threats and approaches by bad actors.”
behaviour: conducting regular employee
Like other large companies, Delta has also education and security training (35%) and
started testing adaptive security architecture developing and enforcing information
to “track user behaviour, view what’s happening security policies for employees (34%).
in the environment and make adjustments”, In addition, one out of four respondents
Ms Wheeler says. It’s a still-developing area, mentioned limiting or blocking personal web
she adds, and “there’s still a good deal of human browsing and access to personal email.
Most effective security processes* for ensuring responsible employee cyber-security behaviour
(% of respondents)
Conduct regular employee education and security training
35
31
To work well, cyber-security education and By contrast, the processes least favoured by
training must actively engage with employees, survey respondents to improve employee
says Mr Ludwig. “A lot of it is raising awareness behaviour are more impersonal:
and building tools so that they will have visibility pre-employment screening and background I focus on
into their situation,” he says. That means monthly checks to avoid hiring individuals who pose making sure
check-ins with each production area, including a risk (21%) and offering incentives to motivate the easy way
employee behaviour such as whether they are upstanding online behaviour (16%). to get things
using correct authentication when signing on. done is the most
The processes considered most effective
secure way.
Keeping in mind that at Atlassian, most by far in avoiding and mitigating data
When I find
employees are technologically sophisticated, breaches are installing security programs
such as secure email gateways, cloud access
corner cases
“I focus on making sure the easy way to get
security broker/cloud security tools, firewalls, where someone
things done is the most secure way,” Mr Ludwig
anti-malware and anti-virus software. is doing it
says. “When I find corner cases where someone
differently,
is doing it differently, I show them that if they At Atlassian, “we have two-factor I show them
make these tweaks, it will be more secure.” authentication,” Mr Ludwig says, “and that if they
we’re working with our vendors to make make these
Bringing employees as close as possible to the
sure they’re all up to speed. We want
actual experience of a breach is key to making tweaks, it will
centralised authentication for all of them.”
cyber-security training effective. At Delta, be more secure.
which has never had a breach2, “we try to The company also enforces tiered access
Adrian Ludwig,
act as though we’ve just had a breach,” says services within its corporate environment. It CISO, Atlassian
Ms Wheeler. The company runs red- and blue- takes a comprehensive, centralised approach
team simulations as part of its programme. to logging corporate activity, balanced with
At Signify, “We emphasise continuous learning. processes designed to protect employee privacy.
For example, when an employee shares with
The two most important specific processes,
us that they have experienced unusual activity
Mr Ludwig says, are single sign-in across all
via social media, we will use that story as an
applications and centralised logging, “so that
example throughout the organisation to raise
if there’s an incident, we can investigate quickly”.
awareness and create a teaching moment,”
says Mr Ramakrishnan. Other choices depend more on individuals’
training and behaviour: requiring strong
However, education and security training
credentials and multi-factor authentication
alone will never be 100% effective, he adds:
(29%), training users to detect and report
“We recently implemented a security test
suspicious email (also 29%) and isolating
for our employees. Twenty percent followed
employees’ personal web browsing and
through immediately; 50% were in the middle,
email activity from network traffic (23%).
wondered why we were doing it and needed
subject matter experts to explain it to them; “We look at access logs,” says Mr Ludwig. 2 [24]7.ai, a service that
and 20-25% will never do anything.” With that “So, for example, if there’s a portal that provides online customer
provides access for support personnel to help chat for its clients’
last group, “we go through a multi-step process
websites—which included
to raise awareness, compliance and alignment customers with problems, in what scenario Delta—experienced a data
to improve that number.” is it being used and with which controls?” breach in 2017.
48
“Companies can be at different stages in their
security journey, which can bring inherent risk
%
that we have to manage.”
The biggest obstacles to overcoming vendors and other third parties have long
people-centred cyber-security threats are, been a concern, for example, companies
of course, people themselves. “People have may need to focus more on those arising
a lot to do, and while they care about security, from authorised individuals’ personal
they don’t think about it amidst revenue targets contacts, such as friends and even family
and other goals,” says Mr Ludwig. members, and from former employees.
91
What can organisations do to strengthen the Accordingly, engaging with employees,
people element in cyber-security? Looking contractors and other parties is crucial to
into the future, most survey respondents reducing people-based threats, because the
already have part of their course plotted out.
Survey respondents agree that the IT function
company can never control everything that
happens within its network. Rather than simply
%
must focus more strongly on cyber-security, making rules, periodically updating and informing Survey
in two ways: the CIO must make it an integral users, the company needs to monitor its people respondents
part of IT (94%), and the CISO role should be and work with them so that they understand and agree that their
strengthened so that it operates alongside the are motivated to follow best practices. organisation
CIO rather than reporting to the CIO (91%). needs to better
At Delta, to keep cyber-security issues from
understand
In 2017 Signify, for example, centralised all developing among its vendors, “our goal is to work
which cyber-
cyber-security management under a chief with them collaboratively and always let them
security
security officer, including both product and know what remedial processes we expect of
organisational security (supply chain, travel, them,” says Ms Wheeler.
measures work
etc). “I can’t look at cyber-security as siloed best—their focus
anymore,” says Mr Ramakrishnan.
While following this path will help companies needs to shift
minimise and mitigate the onrush of data- from quantity
Mr Ludwig reports to the company’s chief breach threats, they shouldn’t expect to to quality.
technology officer, as do the heads of relax any time soon. “Companies can’t stop
engineering. He works closely with the heads innovation. [Signify] always wants to go into
of products and the CIO, who is responsible for new areas of lighting,” Mr Ramakrishnan says.
internal systems and core business functions “As a huge business, we need to be able to
like billing and accounting. “These are my adapt ourselves quickly. To get there, we’ll need
peers,” he says. “Together we combine data preventive and detective measures.”
security governance and implementation.”
The good news about people-centric risks, he
Survey respondents also largely agree (91%) adds, is that “typically, humans follow certain
that their organisation needs to better routines. That makes prediction possible;
understand which cyber-security measures somebody will do the same thing over and over
work best—their focus needs to shift from again. You can change that behaviour. Some will
quantity to quality. While threats from never change, but that in itself is predictable.”