How to manage cyber risk

It isn’t a question of if your business will be affected by cyber crime, but when—and to what extent. In the annual Business Continuity Institute’s risk survey, 73% of respondents named data breach and cyber attack among the top three threats their businesses face.

“We’re seeing more and more that everybody’s data has been compromised,” says Alan Brill, Senior Managing Director for Kroll Inc., a risk and security company headquartered in New York. Or, to paraphrase U.S. Congressman Mike Rogers: there are two types of companies—those who already know they’ve been hacked and those who don’t know it yet.

The number of cyber breaches was 62% higher in 2013 than in the previous year, according to the Internet Security Threat Report 2014 by Symantec Corp. And according to Symantec’s 2013 Norton Report, the global direct cost of cyber crime climbed to $113 billion, up $3 billion from 2012.

“Cyber risk should be at the core of other risks in an organization,” says Lori Bailey, Global Head of Special Lines at Zurich Insurance Group. “If a company experiences a cyber attack, it’s going to affect every facet of the organization—customers, suppliers or vendors, employees. That’s why it’s so crucially important for companies to have strong business continuity plans and to make themselves resilient against such potential attacks.”

Risks include theft of customers’ or employees’ personal or financial data, exposure to fines or lawsuits because such data was compromised, financial theft, theft of intellectual property, damage to brand or reputation, regulatory scrutiny, lost business, or disrupted operations.

Different threat actors seek different things and will affect your organization differently. Cyber criminals want financial gain and will look for credit-card data or personal information they can sell, says Lillian Ablon, researcher at the RAND Corp., a U.S. think tank. Competitors and some nation-states may be conducting industrial espionage in search of intellectual property. Less-sophisticated nation-states and cyber terrorists or hacktivists want to bring down systems or create chaos.

“Companies should ask, ‘who are the threats going after me and what are the vulnerabilities they are going after? Which vulnerabilities would affect me most? If what I care about most were taken, how would that impact me?’” Ms. Ablon says. You might be a target of both unsophisticated and sophisticated cyber actors.

“Risk management is a continual process,” says Mr. Brill. “We evolve how we do technology, whether it’s cloud computing, mobile, BYOD [bring your own device], bring your own cloud. Those things evolve and change your risk profile. Malware also changes. The availability of new forms of cyber defense, new forms of insurance coverage, all are changing how companies can deal with a problem that has no solution.”

Outsourcing has also changed the risks. Companies tend to focus on internal security, although problems can enter their business via a partner who is not quite so careful. Attackers recently accessed a large retailer’s customer credit-card information via its heating and air-conditioning supplier. Another company was fined after a vendor discarded confidential financial data in public recycling bins. The risk isn’t limited to data: companies may face disruption if a strategic supplier is paralyzed and unable to deliver as a result of a cyber attack.

“You’re dealing with more layers of organization: employees; vendors; contractors; cloud providers,” Mr. Brill says. “The infrastructure has become an order of magnitude more complex. As a result, the cyber risks have become far more complex, including the range of things that could go wrong that may affect your business but not occur within your business.”

While attacks on large corporations attract media attention, small and mid-size enterprises can no longer count on security through obscurity. The same goes for companies with mainly brick-and-mortar operations and a minimal Web presence—they use information technology and the Internet in some fashion and thus are at risk.

Cyber thieves have two criteria, Ms. Ablon says: they usually want a certain kind of data, such as credit-card numbers or intellectual property, and they want relatively easy targets. While larger companies present bigger pools of data, if they are too much trouble hackers will turn to easier prey. Some target their victims and carefully plan their attack, while others work by volume, sending malware to hundreds or thousands of recipients as soon as a vulnerability is uncovered, hoping to infiltrate before the entry is patched—a net that can sweep up big and small fish alike.

Large enterprises accounted for 35% of targeted attacks, such as spear phishing, in 2013, according to Symantec, while mid-size companies made up 31% and small businesses 30%.

Cyber security might seem like a Herculean task. However, reducing your cyber risk is similar to reducing other business risks—you need to understand how cyber risks are linked to all aspects of your business and beyond, and then build in resilience.

“People buy technology and two years later think it’s still protecting them,” says Jim Jaeger, Chief Cyber Services Strategist with General Dynamics Fidelis Cybersecurity Solutions. But what was safe yesterday is open to attack tomorrow. In fact, legacy systems and old software can be dangerous because they’re no longer being updated. “Without any action on your part, a system that was secure last week may be insecure this week, because a new hole was discovered in one of the tools you use. The biggest risk from legacy systems is complacency,” says Mr. Brill of Kroll.

Defending only your network’s perimeter used to be considered adequate, but the growth of interconnections to other parties, from vendors and suppliers to customers to your own employees’ BYOD smart phones, means your perimeter is full of holes.

An intrusion-detection system should look at not only what’s coming into your network, but also what’s traversing or leaving it, because risk is there, too. “You’re tying one hand behind your back if you focus only on malware,” Mr. Jaeger says. “Once they’re in, hackers will use the tools you use to move around your network. That’s why you have to look at what’s going on inside your network as well.”

In addition, most advanced, or targeted, attacks won’t become visible for weeks or even months. “The attacker will try to find the most appropriate time and just wait for it to get the most valuable information to extract,” says Christophe Nicolas, Senior Vice President of Kudelski Security, the cyber security division of Kudelski Group SA. “That’s why you need constant monitoring to see attempts on, or abnormal behavior of, computer infrastructure.”

Most companies learn about breaches from outside—a customer or a vendor notifies the company of a mistake, such as a billing error, or law enforcement picks up information about a breach on networks it’s monitoring. Mandiant, a unit of cyber security firm FireEye Inc., finds that organizations have been compromised an average of 229 days before they become aware of a breach, says Charles Carmakal, Mandiant’s Managing Director.

In fact, intruders may build and test several generations of malware within the victim’s network, before seizing just the right moment to actually steal information, says Mr. Jaeger of Fidelis. “Credit card usage at least triples during the holiday shopping season, from just prior to Thanksgiving through to New Year, making it a lucrative period for hackers,” he says. That makes a spike in activity harder to detect, as well as providing a bumper crop of credit card data to steal.

Rather than solely relying on detection tools to identify security events, it is necessary to also have people searching for signs of compromise that might go unnoticed by software—such as employees logging in at inhabitual hours, a clue their credentials might have been stolen. Sophisticated attackers, such as organized crime groups or foreign governments, “will be relatively quiet and relatively slow, so traditional security and antivirus solutions don’t detect the activity,” Mr. Carmakal says. “But if you start hunting for those threat actors, there are a lot of things they do that are quite noisy.”

Another way to hunt, Mr. Nicolas says, is to monitor what’s for sale on the black market—is your intellectual property or your customer data on offer?

Creating a list of secure applications or sites is easier and more effective than trying to keep up with a blacklist of forbidden ones, especially in a fast-changing technology world. This can be useful for dealing with suppliers or vendors. “It won’t make you immune from cyber attack, but it’s a more manageable approach than blacklisting,” Ms. Bailey says.

Companies can also monitor and block unauthorized changes to the IT environment. The idea is similar to whitelisting—that nothing resides or executes in the environment that isn’t known and approved. File integrity monitoring or configuration management software products constantly compare system files and settings to baseline approved versions and issue alerts whenever changes to these baselines are detected.

Some attackers enter the system using credentials stolen from employees or suppliers. Employees with high privileges should be required to go through a more rigorous level of authentication when performing administrative duties. They should have to use a separate administrative account, not their normal one, for this activity, with multi-level authentication and special monitoring of what’s performed by the administrative accounts.

“People who have administrative privileges generally have a lot of freedom in the system,” Ms. Bailey says. “Keeping control and limiting the number of these individuals reduces the potential for employees to go in and get information they shouldn’t have.”

Compartmentalizing the network makes it difficult for intruders to move laterally through your network if they gain an initial foothold, Mr. Carmakal of Mandiant says. Does procurement need access to customer data? Does human resources need access to your latest designs and intellectual property? If not, make their IT separate.

Your business’s most valuable assets might be sitting in an employee’s smart phone, says Kudelski’s Mr. Nicolas. “They may be more valuable than some of your physical assets. Start by doing an assessment of the assets you want to secure; what are your crown jewels. Some people might not be aware of where they are and whether they are secure.”

If something is really important, the risk of it being hacked dissolves if you isolate it offline. “You can’t hack it if you can’t connect to it,” says Larry Collins, Vice President, E-Solutions at Zurich Insurance Group. “What kind of data do I have that is so sensitive that it can’t be connected to anything else? If I’m a designer, maybe the computers I use for design shouldn’t have an Internet connection. Just don’t plug it in.”

Your IT team needs regular training to stay abreast of the latest threats, not only to run your security but also so they can educate the wider pool of employees. You can educate your vendors—the entry points for some recent hacking cases—by examining their cyber security measures, hiring another firm to do it or requiring independent cyber-security audits, Ms. Ablon says.

Companies’ attitudes toward technology have been “‘let’s have functionality, let’s have productivity,’ rather than ‘let’s have security,’” she says.

Scenarios out of thrillers actually occur: attackers leave infected thumb drives in the employee parking lot so someone will pick one up, plug it in in order to find out the owner, and unintentionally unleash malware in the system, Mr. Brill of Kroll warns.

Phishing emails traditionally have been easy to spot—bad grammar or unusual subject matter used to tip off recipients that an email wasn’t really from a friend or colleague. But these attackers are getting more sophisticated and employees need to be alerted to the latest threats so that they don’t inadvertently allow an attacker to enter the system.

Traveling employees should avoid taking their personal or corporate devices to certain countries. Mr. Nicolas tells of analyzing the camera of someone who had traveled the world for three months—Kudelski found 4,000 viruses on the flash drive, picked up at Internet cafés where the traveler had gone to email photos home.

New technological applications and increasing interconnectivity of devices have “benefits so great that it’s trumping those security concerns,” agrees Mr. Collins of Zurich. “That has to change. Security has to be a consideration. It isn’t won and done.”

Published in collaboration with Zurich Knowledge Hub

Author: Catherine Bolgar spent 12 years as an editor at The Wall Street Journal. Since leaving the Journal two years ago to move to the South of France with her family, Bolgar has been a freelance writer.

Image: An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel.