In our last article on Corporate Growth, Capital Style, we featured part one of a two-part interview with Natasha Barnes, a Technology Risk Services Manager at Aronson LLC, and Andres Franzetti, Chief Strategy Officer and Founding Member at Risk Cooperative. During our discussion, we talked about a new 360° Cyber Risk Survey being conducted by Aronson, Risk Cooperative and Ridge Global. We also discussed why security is no longer just an issue for the CISO, but rather an issue that every member of the C-Suite should consider.
In part two of our two-part interview, we ask Natasha and Andres about the evolving risk landscape facing enterprises, the new types of attacks that they need to prepare for, what they expect to discover in their survey results, and when those results will be released to the public.
Here is what they had to say:
Corporate Growth, Capital Style (CGCS): Would you say that the risk landscape facing these organizations has shifted or evolved? Would you say that it’s more dangerous today than in the past? What new threats are there that enterprises need to be concerned with?
Andres Franzetti: In terms of the landscape, this is an ever-evolving threat. What cybersecurity meant yesterday is not what it means today and is not what it will mean tomorrow. The Internet of Things and the interconnectivity that we’re seeing nowadays is opening up businesses to all sorts of new threats, constantly evolving threats. The velocity at which we are developing and storing data as well as new regulatory requirements are also compounding the need to adapt. And the bad guys don’t have to be confined to – or abide by – regulations. So the rules they play by are outside the ones that companies are playing by.
Ransomware is something that organizations certainly need to be concerned with. If you’re operating in an unsecure environment and your files are held for ransom, it can be very costly to recover them. If you don’t have the monetary resources, or a good breach response team to pay the ransoms, the right policies or insurance programs in place to mitigate that, you can be at the mercy of a hacker.
Today’s organizations – particularly those that may have more of a public profile – are also more exposed to hacktivism. In these instances, individuals target an organization because of political sponsorship or affiliation, or because they fundamentally disagree with their policies or business practices. Unlike ransomware, these events are not easily resolved with a payout. Sometimes the intent is to cause irreparable damage. This is why organizations need to be a lot more agile today, and have the right defensive measures to mitigate or prevent such attacks.
That’s ultimately what we’re looking to show these enterprises with our survey. It’s not about how many endpoints you have, and how much personally-identifiable information is in your database. It’s more about how resilient their business is. Can it withstand a cyber-attack, both fiscally and operationally? Do they know what their supply chain looks like? Have third-party vendors been vetted? Do employees and officers alike understand and abide by cybersecurity procedures? Ultimately, it’s about creating an agile cyber posture allowing organizations to be able to pivot and respond to these types of situations as they evolve.
Natasha Barnes: Ransomware is certainly out there and it’s very lucrative. A hacker can perpetrate a couple of attacks and make what one person makes in a year with just a day or two of work. So these things aren’t going to just go away – they’re too profitable for hackers.
According to Gartner, by 2020, 30 percent of Global 2000 companies will have been directly compromised by an independent group of cyber activists or criminals – and that’s just the external actors. There are also insider threats. Cyber Security Magazine says that 85 percent of security incidents are attributed to an insider.
And I think that speaks to what Andres was talking about. These threats – today they’re ransomware and phishing, which are popular because they’re so effective – require companies to focus on programs that are agile enough to account for all possible kinds of attacks. Because – regardless of threat – there are certain components that need to be in place to have a chance of managing these issues in a way that doesn’t impede business.
CGCS: I’ve looked through the questions in the survey, and it appears most are about the types of risks enterprises are concerned about, their security spending and steps they’ve taken to mitigate their cyber risk. What results are you anticipating? Do you anticipate that many of the respondents to this survey will have their security postures and security spending where it needs to be? Why or why not?
Andres Franzetti: Just based on my previous experience and other programs that I’ve worked on throughout my career, I’m anticipating that many of the CEOs, COOs, CFOs and other folks outside of the IT domain at middle-market companies will assume that their technology and the systems that they have in place are already adequate.
We’re anticipating that organizations are going to place higher value on cybersecurity after they take the survey and start thinking of cybersecurity in business continuity terms. I think most organizations are doing it as a check-the-box approach to be compliant. But as they see this threat evolving, and as they see how much it can impact their financials and their company’s overall viability, they’re going to be a much more engaged audience. And they’ll begin to explore more of the innovative and agile solutions that address their cybersecurity.
I think that we’re going to see that many of them have opted for a singular solution, choosing one component of a proper cybersecurity system, largely in the technology field. They’re not currently using a stacked approach where it’s combining education, proactive assessments and services, as well as technology, and then putting the financial risk into the insurance market. So, I think we’ll see that the industries – at large – are underprepared. We’ll find that they’re largely dealing with cybersecurity as it was years ago, and not what it is today. Which is – again – the issue with this kind of fast-moving, evolving threat.
Natasha Barnes: I agree completely. And I also think we’ll find that there’s an increased reliance on third-party providers, but without sufficient oversight. There’s this assumption that everything is fine because a third-party provider is in place. With everything in the cloud, they assume that it’s being secured by Amazon Web Services or another cloud provider and that everything is perfectly fine. There’s no risk that their actual organization has because they’ve essentially outsourced all of that. But, from a responsibility perspective, that’s not always the case.
Look again at the Target hack. They call it the Target hack, but it was an HVAC provider that made the hack possible. Everyone that is involved is responsible. And there is certainly a lack of oversight when it comes to third-party providers. And – just as Andres was saying earlier – we’re expecting to see that there is a lack of awareness of cybersecurity among senior leaders that hear about it, but don’t really understand it in a way that it becomes a part of their daily cyber hygiene that extends throughout the culture of their organization.
I think we’ll find that cyber risk is remaining mostly with an IT person – whether it’s the CTO or CIO – it’s not truly extending out across the senior leadership the way that it should so that it gets the proper budget allocation and prioritization that it deserves.
CGCS: When will Aronson be releasing the results of the survey?
Natasha Barnes: The intent of the survey is to obtain an understanding of cyber risk across industries. We want to analyze the results to share them with others to help enhance these initiatives for our clients.
The tide is turning on information sharing for cyber matters, in that the public and private sector are cultivating partnerships to the benefit of all involved. This is seen through the prevalence of Information Sharing and Analysis Centers (ISACs) for various industries. Shared knowledge should yield collectively more resilient businesses and agencies.
We’re working aggressively to get the responses we need to the survey and analyze the results. Ideally, we’d like to release the results by the end of Q1 2017. And when we do, we’re hoping to do a lot more than just put out a report. We’re hoping to do an event and make it a more interactive dialogue.