As hacks rise, cybersecurity risk management should be top priority


According to IBM’s Cost of Data Breaches Report 2022, the global average total cost of a data breach has reached new heights—$4.35 million (but a whopping $9.44 million in the United States)—and 83 percent of organizations will experience a data breach, usually more than once.

Events driving these metrics have swayed the Securities and Exchange Commission to broaden oversight of organizations’ cybersecurity risk management. With finalization of the SEC’s cybersecurity proposal forthcoming, the stakes are raised for chief information security officers (CISOs) and other risk officers to ensure cybersecurity hygiene is up to speed. To adapt to broadened regulations and keep pace with a shifting cyber-risk landscape, controls need to be embedded into the entire fabric of the organization, not just at the IT level.

Cybersecurity operations are under further watch
Although the SEC is increasing requirements for cybersecurity reporting, broadly speaking, CISOs aren’t concerned about meeting the SEC’s requirements—in fact, they’re looking forward to the proposal’s finalization. The new requirements will not only force executives to examine further insights into enterprise-wide vendor management practices but also increase the practice of presenting cybersecurity-related compliance information to the board, regulators, and investors. Not to mention, the rules may pressure boards to recruit directors with cybersecurity backgrounds.

However, the details are somewhat murky. As written, public companies would need to disclose material breaches even if they’ve been instructed by law enforcement to not do so. And even if breach management is ongoing, companies may still be required to report the incident. Moreover, public disclosure of the current incident may cause the hackers to pivot and launch an even more crippling strike.

CISOs should focus on their risk management programs first because they need to be disclosed in all reporting. However, the proposal’s disclosure requirements for programs are fairly broad. Companies have some leeway in how complex their programs need to be as long as they’re mapped out according to industry-standard frameworks.

Incident response is also critical. Regulators and shareholders will want to see strong opinions on what designates a material breach, when one would be reported, and how that information would be tracked for disclosure purposes.

The tone comes from the top
Cybersecurity threats are as material as operational and financial risks and, to a basic degree, are similar to them. However, board directors don’t traditionally have cybersecurity backgrounds. The acumen to gauge what a risk entails, how to resolve it, and what’s needed from CISOs from a spend perspective often falls short at the board level.

Expanding the board’s knowledge beyond the fundamentals with the help of internal and third-party advisors is essential. CISOs currently present to the board but have limited windows given the scale of evolving complexities and reliance on their digital literacy. A portion of this time should be dedicated to compliance work, program assessments, and training programs. However, these efforts should be a two-way street—teaching directors how to think so they know what to ask.

Equally important is reaching the right cyber-risk appetite with the board in the context of broader strategic goals and shareholder value. CISOs need to continue to validate the role cybersecurity plays in the interests of investors and operational goals and demonstrate the ROI that can be gained.

Diagnose ransomware vulnerabilities
At the governance level, attaining buy-in from executives for prevention resources can be a challenge, although it’s critical. Reining in a ransomware attack and building a path back to operations, especially in a cloud environment, require efforts across the entire IT department. And as operations continue to migrate to the cloud, ransomware gangs will hatch more strikes on cloud assets—a threat from which companies have so far been largely insulated. Having sufficient controls in place and implementing them effectively is key.

As the cloud slowly becomes more of a target, ransomware strategies have evolved. Leadership is now being forced to make more calculated decisions about whether to pay the ransom or not. In the past, ransoms were paid and files were unlocked. But case studies reveal that some ransomware strategies involve exfiltrating data—in other words, even if you pay to unlock the files, your data may still be with someone else, which is an entirely different set of problems.

From a preventive and technical side, containing the blast radius of a ransomware breach is one area that needs improvement. Ransomware can spread aggressively through the entire enterprise. Micro-segmentation, paired with tighter identity management, is a promising way to stifle the threat. With micro-segmentation controls bolstering security, a ransomware breach may reach only one business unit or a few isolated laptops as opposed to a central source system.

Vet your value chain’s SaaS services
Adopting cloud and SaaS technologies has fundamentally changed data management because data is now spread much broader and deeper throughout an organization’s value chain.

Firms use deployed SaaS and cloud software across the enterprise, so they rely on their vendors’ quality control processes. However, those same vendors and service providers may also use SaaS and cloud solutions, meaning companies are at risk of fourth-party data management flaws. This vast spread of essential data obfuscates visibility into it. Thus, CISOs and other risk officers need to vet a larger volume of data to a safe and acceptable degree.

Still, vendors may not provide the requested data. Small- or medium-sized businesses may only receive compliance documents. Larger organizations with bigger contracts may be able to throw their weight around and demand more data from vendors, but vendors may charge for the additional checks and balances. In this scenario, whether to acquire the data or not becomes a value proposition based on how vital it is.

There’s recently been a push for vendor ratings provided by rating agencies, such as SecurityScorecard or Panorays, which assess vendors and attribute a risk score to them. Report cards not only provide an indication of service providers’ overall level of security but also open up the market for companies if their current vendors’ risk scores are subpar.

Instead of relying on software vendors, firms could opt to build proprietary programs. Nevertheless, developers need to source third-party, open-source libraries to build software, and the open-source world wasn’t built for today’s governance standards. A small library plucked from a repository, such as GitHub or npm, may actually be malicious code that developers could inadvertently introduce to the enterprise, so extra vigilance is needed in this area.

Cybercriminals are adapting
Cybercriminal gangs are exhibiting advanced proficiencies that were once associated with nation-state hackers. They’re not reaching this level on their own but rather through what can be called “Ransomware as a Service” attacks. In this scenario, a separate ransomware gang develops a robust ransomware platform that can be exploited by other cybercriminals, who then deploy the software onto the target’s environment and collect the majority of the profits. The ransomware gang that created the software then receives a portion of the ransom. This new tactic increases cybercriminals’ reach, introducing a novel danger.

As cybercriminals adopt new strategies, there appears to be cross-pollination between cybercriminal gangs and nation-state hackers. These criminal bands operate independently, but when called on by government regimes, they might offer their services, as with the 2021 Russian hacking incident.

Companies are mostly victims of opportunity
From a controls standpoint, breaches often occur because of inadequate segmentation. If a hacker compromises one user’s credentials and everyone has access to the same database, it doesn’t matter whose credentials were stolen. Yet if permissions are appropriately set to limit access based on a user’s role, then the scope of a breach can be contained. But if a central system housing customer financial information is penetrated through a phishing campaign, and the company needs to publish the breach, then this scenario becomes a loud material issue. Your internal response to the threat is paramount, and it can turn a potentially catastrophic situation into a minor incident.

From a user perspective, humans will always be the weakest link. Social engineering and phishing strategies can be quite convincing. Similar to Ransomware as a Service, CISOs are seeing what can be called “Bypass as a Service,” which mimics authentic multi-factor authentication push notifications. The notification pops up repeatedly asking users whether they’re trying to log in. After hitting “no” several times, users get annoyed and eventually push “yes” to make it disappear, allowing hackers to infiltrate the host environment. Even with proper employee training, these scams can give hackers easy access.
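The push-fatigue pattern described above leaves a recognizable trace in authentication logs: a burst of denied prompts followed by an approval. The script below, an added example that is not part of the article, flags that sequence over a constructed set of MFA events; the event format and thresholds are assumptions to be mapped onto your identity provider’s real log schema.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example (not from the article): flags a user who denied several
push prompts in a short window and then approved one. The event format
is constructed for illustration; map it to your IdP's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result)
SAMPLE_EVENTS = [
    ("2023-03-01T08:00:05", "alice", "deny"),
    ("2023-03-01T08:00:40", "alice", "deny"),
    ("2023-03-01T08:01:10", "alice", "deny"),
    ("2023-03-01T08:01:55", "alice", "approve"),   # approval after 3 denials
    ("2023-03-01T09:15:00", "bob", "approve"),     # normal login, no denials
    ("2023-03-01T09:20:00", "carol", "deny"),
    ("2023-03-01T11:20:00", "carol", "approve"),   # denial too old to count
]


def find_push_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return {user: approval_timestamp} for every user whose approval was
    preceded by at least `min_denials` denials inside the look-back `window`.
    Thresholds are assumptions; tune them to your environment's baseline."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    flagged = {}
    for user, items in by_user.items():
        items.sort()  # process each user's events in time order
        recent_denials = []
        for ts, result in items:
            # drop denials that have aged out of the look-back window
            recent_denials = [d for d in recent_denials if ts - d <= window]
            if result == "deny":
                recent_denials.append(ts)
            elif result == "approve" and len(recent_denials) >= min_denials:
                flagged[user] = ts.isoformat()
                recent_denials = []  # reset so one burst is reported once
    return flagged


if __name__ == "__main__":
    for user, when in find_push_fatigue(SAMPLE_EVENTS).items():
        print(f"possible push fatigue: {user} approved at {when}")
```

A hit is a trigger for review (session revocation, user contact), not proof of compromise; pairing it with the source IP or device of the login request sharpens the signal.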

Don’t wait for regulations
The forthcoming SEC proposal will provide a new basis for cybersecurity disclosures, but companies ultimately need to chart their own course. In tandem with developing hacker sophistication, investors’ protections and their disclosure demands will continue to orient regulations. Meanwhile, threats are too myriad and immediate for organizations to rely on clear guidance before acting. Maintaining frequent ties with CISOs and other risk chiefs to drive cybersecurity awareness will help companies preserve a protective moat.