
Cyber threats require a risk management approach

Information security programs that rely on defensive measures are no longer adequate.

By Seth Berman

The recent report by Harvard Business Review Analytic Services has further reinforced a commonly held view that too many organizations are leaving cyber security to chance. ‘Meeting the cyber risk challenge’, which polled more than 150 risk management professionals across Europe, found that just 16 percent of companies had a chief information security officer in place to manage cyber risk and privacy.

However, as an escalating number of companies face the aftermath of reported data breaches, it is clear that cybercrime knows no boundaries and no organization is immune.

There is no foolproof way to prevent a cyber attack, but corporates can take several steps to build greater resilience. First among these is one that sounds elementary, although in reality it often turns out to be quite complicated: conduct an audit of the IT and physical security systems. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure.

The team will be looking to understand the company’s threat profile and any vulnerabilities. In addition to ensuring that firewalls and other security measures are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether this can be segmented or further removed from the rest of the IT system.

As with physical security, the best preparation cannot prevent all attacks. For this reason, preparing a response strategy in case of an attack is an essential part of risk and contingency planning strategies. This must include a specific plan to ensure that valuable time is not lost as the organization decides who is in charge of the response efforts.

Corporates should determine in advance of an incident what the chain of command will be for the incident response team. A specific executive should be nominated to lead the internal response team, and the organization must designate in advance its external lawyers and IT consultants. This will ensure that the organization is ready to respond at the first signs of an incident.

Whether law enforcement can play any meaningful role in the aftermath of a hacking incident is often dictated by the type of incident involved. Where employees or former employees with a grudge are involved, a range of civil enforcement options may be available. In contrast, hackings co-ordinated by outsiders present a much steeper challenge. Unlike most crimes, there is typically no physical link between an outside hacker and his victim. The hacker could be thousands of miles away and completely unknown to the victim.

Even if law enforcement could determine the scope of the incident for the corporate victim, there are serious downsides to this approach for most organizations. To conduct a thorough investigation, forensic experts must secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that may require unlimited access to secret corporate data and restricted networks.

Most companies faced with this situation conduct a private investigation before notifying law enforcement, with three factors often driving the decision:

  • Sophisticated computer hackers typically do not advertise their presence and initial evidence of a breach may be confusing or hard to interpret.
  • Hackers rarely leave a detailed list of what they stole and only painstaking reconstruction of a hacker’s activities through sophisticated computer forensics can determine if regulators or individuals need to be notified about the breach.
  • It is much easier to control the public relations and communications strategy if the company knows the extent of the problem before it is made public. By handing the investigation over to the police, the company would lose control over the timing and content of any public notification. This could prove a public relations disaster, especially since the public often blames the corporate victim for failing to prevent the incident, regardless of the facts.

Hacking is one of the greatest business and technology threats of the digital age. It is constantly evolving, claiming ever more victims. Failure to prepare is simply no longer an option and organizations must ensure the risks are fully understood and addressed.

Author: Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. He spearheaded government hacking investigations as a former US Department of Justice prosecutor, before making the move into private consultancy.

Date: 15th Feb 2013 • World • Type: Article • Topic: ISM
