In the face of persistent threats and rising losses, studies from Accenture, Deloitte, FICO and Hiscox offer advice and insights
Friday, May 31, 2019
By Juliette Fairley
Awareness of cybersecurity threats, and actions being taken against them, are on the rise - but that hasn't stemmed the tide of cyber attacks and their financial toll. Companies therefore appear to be losing ground in terms of cyber preparedness, according to Hiscox's annual Cyber Readiness Report.
From its survey with Forrester Consulting of 5,400 cybersecurity professionals in the U.S. and Europe, the specialty insurer found that 61% of firms experienced a cyber attack in the past year, up from 45% in 2018. The median cost of losses jumped to $369,000 from $229,000.
“The message that cyber risk is a real threat to businesses of all sizes is sinking in,” Meghan Hannes, cyber product head for Hiscox in the U.S., said when releasing the report in April. “Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense.”
Hiscox referred to “leaky bucket budgets,” noting that 72% in the U.S. plan to increase cybersecurity spending in the coming year, but only 11% cited higher spending on employee training and culture changes as a result of a cybersecurity incident.
“Many believe that increasing cyber-related spending fully protects a business, but it isn't enough,” Hannes said. “Businesses must take a holistic approach, ensuring they can properly maximize their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defense.”
Experts versus Novices
That part of the message - that throwing money at the problem will be more expensive and less well targeted than a rigorous, data-driven risk management strategy - leads Hiscox to best-practice conclusions that reinforce those of other experts who have been taking a closer look at what makes for a strong cyber defense posture.
Hiscox, for example, divides organizations into three categories: cyber novice, intermediate, and expert. Out of more than 1,000 U.S. companies in the survey, 11% of large and enterprise firms were rated as cyber experts, down from 26% the year before.
One of the differentiators: 97% of cyber expert organizations incorporate security training across their workforces. That is true of only 39% of novices.
“They must have senior management buy-in, healthy IT budgets with meaningful investments in technology solutions, and they must consistently train their employees in the basics of cybersecurity,” Hannes said. “One-off seminars are simply not enough. Consistent employee training is key to creating a human firewall.”
Deloitte on Cybersecurity Maturity
Deloitte, in a report following a joint survey with the Financial Services Information Sharing and Analysis Center (FS-ISAC), used the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the basis for an analysis of cybersecurity maturity levels.
The “Pursuing Cybersecurity Maturity at Financial Institutions” report was noteworthy for its calculation that institutions spend an average of 10% of their annual IT budgets, or $2,300 per full-time-equivalent employee, on cybersecurity.
By the same token, “The survey indicated that money alone is probably not the answer, as higher cybersecurity spending did not necessarily translate into a higher maturity level,” Deloitte said. “That likely means exactly how - and how well - financial institutions go about securing their digital fortress is at least as important as the amount of money devoted to cybersecurity.”
What sets adaptive companies apart - that is, those at the top maturity level (above the partial, risk-informed, and repeatable tiers) - are: securing leadership and board involvement; raising cybersecurity's profile beyond IT and across the organization; and aligning cybersecurity more closely with business strategy.
Deloitte experts stressed that even those characterized as adaptive cannot let their guard down or their commitment flag. “It's not done and it will never get done,” Deloitte & Touche principal Julie Bernard said during a May 9 Dbrief webcast.
“There's no silver bullet in this space, which is what makes cybersecurity so tricky,” said Raj Bakhru, partner with ACA Aponix. “We have to take a multifaceted approach to cyber and we need the public sector to help the private sector” in the pursuit of criminals, who, he pointed out, are racking up ill-gotten profits. “They've had some very sizable payouts and will continue to have very sizable payouts, which will draw more attackers into the space and which puts us constantly on the defensive.”
Accenture on Extreme and Evolving Threats
“Hackers may already be inside your system, and, as a result, it's about showing up daily to mitigate the risk,” said Valerie Abend, managing director and leader for Accenture's North America Financial Services Cybersecurity and Global Cyber Regulatory practices. “In understanding that paradigm, you'll come up with really creative ideas to minimize an attack.”
Accenture produced a report in April on “extreme but plausible” financial services threat scenarios: credential and identity theft; data theft and manipulation; disruptive and destructive malware; emerging technologies (blockchain, cryptocurrency and artificial intelligence); and disinformation.
“As time goes on, these five threats are likely to overlap and intersect,” said Accenture's executive summary. “In doing so, they can create the right conditions for new classes of cyber attacks - ones that simultaneously affect numerous organizations essential to financial services' most critical processes. A proactive cyber defense plan that incorporates multiparty attack simulations to test against these key threats could help financial institutions to be better prepared - not only to recognize cyber threats today, but also to defend them tomorrow.”
Accenture's recommended action steps:
- Collaborate with peers and third parties on multistage exercises.
- Invest in people, processes and tools that identify potential disinformation concerning their firms.
- Strengthen insider threat programs to detect and prevent malicious adversaries from gaining access to key systems and data.
- Improve online accountability through threat-informed approaches to authentication and authorization.
- Simulate adversarial threats using disinformation, emerging technologies and compromised corporate credentials.
Cyber Expert Qualities
Hiscox listed a number of cyber expert best-practice qualities, including:
- Executive buy-in. Only 54% of cyber novices globally believe cybersecurity is a top priority for their firm's executive management/board, as compared to 85% of cyber experts.
- A well-defined strategy with input from multiple stakeholders, and a formal and adequate cyber budget. Cyber experts globally devote an average of 14.7% of the IT budget to cybersecurity, cyber novices only 8.7%.
- A dedicated head of cyber overseeing the strategy, supported by a team if necessary. Fifty-one percent of cyber experts globally have one, compared to 39% of novices.
- Supply chain evaluation. Only 18% of cyber novices strongly feel that they have good visibility into their suppliers' security arrangements, compared to 34% of cyber experts. “Supply chain connections often go unaudited by organizations,” Hiscox's Hannes said.
- Proactive testing and simulated attacks. Forty-one percent of cyber novices globally have conducted phishing experiments to understand employee behavior and readiness for attacks, well below 69% of experts.
- Insurance. Globally, 59% of cyber experts have cyber insurance coverage, compared to only 37% of cyber novices.
The probabilistic measure of cyber risk to the U.S. business community held steady in the quarter at 687 on a scale of 300 to 850, based on FICO Cyber Risk Score data. Since the fourth quarter of 2018, small firms showed a slight improvement, to 740 from 737, and large firms moved from 646 to 643.
“The disparity in risk scores between small and large organizations is due to the fact that large firms have a wider attack surface and are more frequently the target of cyber criminals,” Doug Clare, FICO vice president for cybersecurity solutions, explained.
Six recommendations were “based on the observations of thousands of businesses scored for the ABC”:
- Use the NIST Cybersecurity Framework to develop or improve an information security program.
- Develop a reliable understanding of one's network, including identifying assets to apply security management based on risk.
- Eliminate “weak links” by identifying functions and teams whose process and policy maturity are not performing adequately.
- Oversee an organization's network team to confirm alignment to the details of network management policies.
- Protect and monitor network endpoints.
- Develop a process to confirm that active certificate management programs are in place and being implemented.
GARP Editor-in-Chief Jeffrey Kutler contributed to this article.
NOTE: A GARP webcast, Global Cybersecurity Risks and Nation-State Threats, with cyber risk experts and former U.S. government officials John Carlin and Gregory Touhill, is available on demand.