Reputation is a new target for cyber-attacks, says Steve Durbin of the Information Security Forum, offering strategies on how organizations can protect their credibility in the midst of an incident.
"Organizations have to equip themselves much better to deal with this whole attack on reputation," says Durbin, the forum's vice president, in an interview with Information Security Media Group [transcript below].
The forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area Durbin concedes is of high interest to attackers.
Word of a cyber-attack spreads fast these days, Durbin says, and that viral impact can be a major issue. "Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit," he explains.
"The faster an organization is able to respond, the more it knows about the particular issues that are being raised by hacktivist groups and can say credibly what their position actually is, then the less severe the impact is," Durbin says.
To ensure they can respond effectively, organizations need to have clear ways of collaborating internally.
"They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations," Durbin explains.
Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk, Durbin says, because "it's very real."
In the interview, Durbin discusses the:
- Five recommendations the Information Security Forum makes in the threat report;
- Roles governments and businesses should perform in safeguarding industry's digital assets;
- Threats posed by nation-states, such as China and Iran.
An independent, not-for-profit organization with members from some of the world's leading enterprises, the Information Security Forum investigates, clarifies and resolves key issues in information security and risk management by developing best-practice methodologies, processes and solutions. Business growth strategist Durbin joined the forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprising telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, where he served as group vice president worldwide.
ERIC CHABROW: As its title suggests, this year's threat report identifies the biggest risk to enterprises as coming from known threats. What are those threats and why is the old also the new?
STEVE DURBIN: [That's] a good question to start with. Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of their own business to determine risks. One of the key things that we noticed this year is that threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to organizations, simply because they've had that degree of maturing. That increase in the sophistication of the people who are behind the attacks, behind the breaches, has increased significantly. As we've talked about before, security organizations are still, even in 2013, in catch-up mode in terms of trying to pull together the resources that they've got in place to address some of these key issues. That's the backdrop for the overall report that we've produced.
We've highlighted five key areas. The first is that of cyber risk, challenging to understand and address. The second is we've moved into the area of reputational damage for organizations. There's a section this time on the way in which criminals have developed and we've called that "crime as a service," having upgraded to version 2.0 which gives you some view as to how we're seeing that. Then, some of the contributing factors behind this are the continuously changing pace of technology, and government legislation and regulation, which is causing all sorts of issues irrespective of which jurisdiction you happen to be placed in.
CHABROW: Let's go over these five different recommendations, and maybe not in the order you gave. Among the recommendations is protecting reputation. Your report states that reputation is a new target for cyber-attacks. How so?
DURBIN: We've moved to an environment where we operate in a court of public opinion. The majority of people, when they get out of bed in the morning, the first thing that they're now doing is checking their smartphone and looking at their e-mail. They're looking at their Twitter feeds. They're looking at YouTube. Any real impact of a threat or an attack on an organization that goes viral is difficult to control. Hacktivists obviously understand this and they're pretty determined to make their case, particularly if they have an axe to grind with particular organizations.
Let's just look at some of the global brands recently that have had exceptionally bad press. I'm thinking of Amazon. I'm thinking of Google. I'm thinking of Starbucks, which recently encountered public relations issues around tax avoidance. None of these companies did anything that was illegal. They were all 100-percent legally compliant, but the criticism that was levied against them and was fueled by social media and disgruntled employees, and a whole collection of real viral traffic around this caused a major reputational hit, which Starbucks themselves, for instance, admit did impact the bottom line.
Organizations have to equip themselves much better to deal with this whole attack on reputation, and the faster that an organization is able to respond, the more it knows about the particular issues that are being raised by hacktivist groups or virally and can say credibly what their position actually is, then the less severe the impact is. That means they have to have clear ways of collaborating within their own organizations. They have to have established methods of using social media feeds, and they have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.
It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.
Role of Government Misunderstood
CHABROW: In recent weeks, President Obama has brought cybersecurity to the forefront. Still, the Threat Horizon Report suggests that the role of government is often misunderstood. Please explain.
DURBIN: We're seeing a lot more focus from governments around the world, and President Obama certainly has taken something of a lead ... for the United States government where it's going to stand on this, involving NIST, and I'm very happy to say that the ISF has been asked to work as witness in putting together some of the input that President Obama has asked for from an international standpoint, so we're very happy to be doing that.
Governments now inevitably have a role to play in securing cyber space. What's their role? For me it's about setting expectations. It's about putting in place regulation. Some people will view it as being very, very light-touched. Others will want to have a much stronger set of guidelines. The European Union, for instance, is being very clear about where it stands on the whole issue of data protection, privacy and personally identifiable information. That's not in line with some of the views that are coming out of the United States, for instance, and so there's some debate that's going on around the world in all of these areas. That makes it quite difficult for organizations at the moment because they have to try to keep up with the changing regulatory pattern.
The governments around the world have determined that they have a role to play in at least setting down the ground rules and the guidelines as to what they believe is acceptable within their own jurisdictions and then collaborating at the international level to try to make cyberspace safer for us all. But they're not going to go about implementing some of these guidelines within organizations. They cannot do that. The threats or the danger is that organizations assume the governments are going to be doing all of this for them, and organizations really do have a key role to play themselves in better protecting their own information, yes to conform with the regulations and the guidelines that are being set down, but also to ensure they're doing the best for their shareholders, for their clients and their employees in terms of making sure that data is protected and that they're behaving in an effective fashion to counter cyber-attack.
The other piece is that regulations simply can't keep up with the speed of technology, so there's always going to be a lag between what's capable from a technological standpoint and what regulation is in place, and I think that's why it's very important that governments do set overall, over-arching strategic guidelines and regulations as to what it is they're expecting.
Threats Posed by Criminals
CHABROW: There's been a lot of attention recently on nation-state attacks on western corporations from China and Iran, but the threat report suggests those responsible for enterprise IT security should pay particular attention to criminals. Why are criminals such a nuisance?
DURBIN: We say crime as a service is upgraded to version 2.0. What do we mean by that? Well, we mean that criminals have become better organized. Organized crime has moved into this place. We know the criminals, as we talked about last year, really haven't suffered from the downturn. They're still better equipped than a lot of organizations from a financial standpoint and from an equipment standpoint. They've also become, I think, very innovative and sophisticated in looking at how they can circumvent organizations' security mechanisms. We're also seeing an increase in unemployed and potentially disgruntled employees who form something of a potential talent-group for criminals to gather information that's needed for them to attack organizations. The value of a person's identity is certainly eclipsed by the access that having that person's identity can give you, to intellectual property that sits within an organization, to insight into research, development and so on, all of which have value on the black market.
What we're seeing is simply an opportunity that criminals are taking advantage of, as indeed they have always done. We've moved into the electronic age of crime, which is much cleaner, much safer, doesn't require you to go down to your local bank with a gun, and yet you're still able to access highly valuable information which you can sell and you can also make significant profit out of. Why is crime such an issue? [The short answer is] it's because money has moved online and there's an opportunity that they're looking to take advantage of. It's as simple as that.
Rapid Change of Technology
CHABROW: We're seeing a lot of change in technology. How is the rapid pace in change of technology increasing the cyber threat?
DURBIN: We've got a couple of things going on here. Technology is moving ahead at an absolutely relentless pace. The amount of information that we generate and create on a daily basis is still increasing exponentially. So is the demand for access to it anywhere, any time and from any device. People have already got their entire base services that they're running, and so organizations are trying to get their arms around how they can deal with some of the challenges of the consumerization and bring-your-own movements, having to deal with organizational data and structures, while also protecting the amount of information that they're continually generating within the enterprise themselves.
We're saying that organizations cannot ignore bring-your-own-device initiatives. They're here to stay. It's about how you deal with them. We're saying that integration of the whole mobile device environment is complex and does need very careful consideration. We're saying that the whole move to consumer-oriented technologies in the workplace is necessarily changing the way in which organizations have to deal with how they handle corporate data, mixing that potentially with privately-owned data. We're seeing an increase in the number of different architectures that are coming into an organization. ...
We've seen the death of the enterprise network. It doesn't exist anymore. It's an open network and we've had to move back from an organizational standpoint to focusing very clearly on the data, on what's important to us as an organization and how access to that data can be effectively and securely managed, which is a bit like going back in time to the days of the mainframe when we used to look at where we were holding our most secure data and how it was being accessed. But things have moved on. Obviously we work in a very different, much more dynamic and complex, environment, but it's all about going back now and having to really understand the data, the importance of the data, categorizing the security of the data and then determining from there how you're going to enable access to it. Things are changing at the speed of a tweet.
Getting C-Suite Buy-In
CHABROW: Obviously, this isn't just a concern of the chief information security officer. Cyber risk is a challenge to the whole organization, but that's something that organizations are finding hard to address at the upper levels. Why so?
DURBIN: ... Ernst & Young in their recent global information security survey ... found that about a quarter of organizations that they had spoken to had given responsibility for information security to the C-level: CEO, CFO and the COO. Seventy-five percent had not done so. The World Economic Forum also has expressed concern that, in their estimation, probably only about a third of companies are discussing this issue of cyber risk at the board level. We still have a ways to go in terms of senior executives understanding cyber space and understanding the risk they need to knowingly accept in order to be effective in this area. I think there's a role for the security professional in increasing the level of awareness within the enterprise, increasing the level of awareness at the C-suite level. The impact of not being fully up-to-speed with cyber space and the dependence that an organization has on cyber space ... is on losing customer trust, on losing potentially intellectual property and on losing market opportunity.
When I look at the whole area of cyber from a senior-executive perspective, I see it as one that's full of opportunity, provided you understand clearly where the risks are and you've made sensible decisions about how you're going to go about running your business in the cyber world, because it does require you to think differently about your supply chain, about the people that you do business with and the people you share data with.
If you're holding intellectual property, for instance, at your lawyer's offices, how secure is that? You may have the most secure network in the world, but you've now handed over data to a third-party. Have you asked the right questions about how they're securing that? These are the sorts of things that we need to be thinking about.
The dynamic is changing away from one where we can control everything that's going on within our organization to having to take a much more expansive and, perhaps, a holistic perspective on how we manage the security of enterprises and our information when we're working across many networks, many jurisdictions and many environments. That has to be a boardroom issue because the security folks can put in place some of the guidelines, but they can't make the business call. They can't tell the business what risk profile the business wishes to carry, or how the business is going to go about growing its market share in good faith. [There's] much more of a requirement for business and security to work collaboratively together. There's work to be done in this space, as some of these surveys that I referenced have pointed out.