How Technology is Fast Redefining Business Risk.
The whole notion of risk management is about as appealing as watching paint dry for many business people. In business it's defined as the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.
These risks have historically come from uncertainty in financial markets, threats from project failures, legal liabilities, credit risk, accidents, natural disasters and deliberate attacks from an adversary. Managing these risks typically falls to CFOs, corporate risk managers and insurance companies.
In the 21st century a new threat is fast making itself front and center in risk management: cyber-attacks. And they are making front page news – including new allegations that Russian intelligence agencies may have impacted the recent US elections with hacks of key databases in both the Republican and Democratic parties.
At a recent symposium on cyber security sponsored by St. John’s University School of Risk Management, Reactions Magazine and global executive search firm Korn Ferry, the risks brought by this global trend were brought vividly to life.
This symposium looked at cyber security from both a threat and business risk-management perspective. As Korn Ferry Partner and Insurance Practice Leader Tom Rowe noted “We saw this event as an opportunity to help people understand the current and future threats to cyber-security, and what many companies as well as government agencies are prepared to do about them… or not… to deal with the problem.”
The keynote speaker was Peter Warren Singer - a Harvard-educated American political scientist, an international relations scholar and a preeminent specialist and best-selling author on 21st century cyber warfare.
A Rapidly Changing Technology Landscape
Singer asked the audience to think about forces that will impact the future, many driven by revolutionary and disruptive advancements in technology.
He observed: “…this gives governments and people capabilities that used to be only in the realm of science fiction.” He cited one example – “wetware,” or technology that can translate human thoughts into computer code and then in turn into physical action.
Singer spoke about what can be done with information: from collecting it on social media to stealing it, blocking it as Russia did in Ukraine, or turning it into a cyber-weapon as Israel and the US reportedly did with Stuxnet – a malicious computer worm built to sabotage Iran’s nuclear program. In the end it compromised Iranian programmable logic controllers (PLCs) and caused fast-spinning centrifuges to tear themselves apart.
In the current issue of Vanity Fair there is a chilling article called “Invading Apple” about the discovery earlier this year by UC Berkeley Ph.D. student Bill Marczak of spyware, and a previously unknown Apple vulnerability, that allowed hackers to infiltrate Apple computers and iPhones.
This “jailbreak” hack could spy on a person’s audio, e-mail and text messages remotely. The story goes on to detail the ongoing battle between “white hat” good-guy hackers and “black hat” bad-guy programmers.
Cyber Threats to Critical Infrastructure
The next panel helped define and navigate the cyber threat landscape. They noted three major types of threats to corporate IT infrastructure:
Malware: An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.
Ransomware: Malicious software designed to block access to files on a computer system by encrypting them until a sum of money is paid. After a victim discovers they can’t open a file, they get a ransom note demanding money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever.
Advanced Persistent Threats (APT): A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.
Panelist Sarah Roland Geffrey from AT&T observed: “There are two kinds of companies: those who have been hacked, and those who don’t know it yet.” She said many threats can be mitigated through risk assessment, being proactive about software updates and proper training of employees. AT&T has published “The CEO’s Guide to Cyber-breach Response” on how to deal with DDoS attacks.
Can Washington Keep Your Data Secure?
Apparently not so well. Thomas Pace of Cylance Inc. gave the example of the OPM.GOV (Office of Personnel Management) data breach. In June of 2015 the US OPM announced that the records of as many as four million people had been targeted. Later, FBI Director James Comey placed the number at 18 million people, including his own information. It was the largest breach of government data in US history. US law enforcement sources told Reuters news agency that a “foreign entity or government” was behind the attack, identified as Chinese hackers.
Safeguarding Against Cyber Attacks
Pace offered some pragmatic advice:
Don’t wait until it is too late, after a cyber-attack has already happened. Be proactive about dealing with threats. Address “silo” problems – be sure the various parts of the enterprise collaborate on cybersecurity. Lots of companies buy security software and then simply don’t install it. If you buy it, install it!
Pace noted that most cyber-attacks come in via e-mail, so avoid clicking on links or attachments in unfamiliar e-mails. Tell all employees to avoid opening .exe files, i.e. executable files that run as a program on a computer.
He advised that companies should pay the ransom when facing ransomware, get the decryption key and hope it works. Pace added: “The #1 solution: have good, secure data back-up.”
Scott Laliberte – Managing Director of the Cyber Security Practice at Protiviti Inc. – identified the bad-guy hackers as “The Red Team” and noted that “cyber security attack factors have changed.” He advised: “Take a kill-chain approach. Accept that you will lose at the initial phase. Then put controls in place to safeguard the administrative rights – then guard the data.”
He added: “Firms need controls at each stage, to monitor at various levels on the detection side.” He continued: “Most firms are doing this very poorly.”
Elissa Doroff – who oversees risk management services for cyber liability at global insurance firm XL Catlin – remarked: “The cyber insurance industry is necessarily ready to deal with catastrophic exposure scenarios.” A scary thought indeed, if anyone even knows what this means.
Aileen Alexander, co-leader of the cyber security practice at Korn Ferry, noted that “There is a glaring lack of data security specialists available to corporations today. That training, awareness and a cultural awareness of cyber-security threats are the best things any company can employ to safeguard against this threat.”
She concluded: “From the view of the hackers – the weakest link is the human element.”
The Future of Cyber Security
For a hair-raising view of the future of cyber security, check out what the UC Berkeley Center for Long-Term Cybersecurity (CLTC) came up with in their report published in April 2016 called “Cybersecurity Futures 2020.” They describe the future in terms of five possible scenarios.
Imagine a world where computer algorithms are capable of predicting — and manipulating — people’s behavior with a high degree of accuracy; where economic collapse puts our private information on the market to speculators or criminals; where wearable devices track our thoughts and emotions, leaving us vulnerable to surveillance, hacking, and blackmail; where the Internet of Things (IoT) takes control of more and more of our lives; and where widespread distrust of institutions’ security results in a digital “Wild West” of lawlessness.
“Scenario thinking has really encouraged us to stretch our imaginations and expectations about the future of cyber security,” said Betsy Cooper, executive director of the CLTC.
I get the feeling that the whole cyber security issue will be much more than an academic exercise over the next 15 years. The CLTC scenarios are the stuff that mind-boggling science fiction and really scary horror movies are made of.