Over the past several years, we have seen cybersecurity increasingly become a boardroom issue. A report sponsored by Palo Alto Networks, Forbes, Financial Services Roundtable and Georgia Tech in 2015 showed that the number of boards paying attention to cybersecurity has risen 33 percent since 2012. But, as Brian Krebs recently noted in his interesting blog post on The Value of a Hacked Company, senior execs should think a little deeper about the business impact of cyber incidents.
To highlight his point, Krebs turns the classic, "damage to business reputation” argument on its head and has built a helpful diagram showing how an attacker would look at the value of a company’s data. Economic motivation can be a powerful incentive for criminal hackers, and the thinking is that senior leaders should know what an attacker is most interested in as this is the same data that they likely value and should focus on protecting. However, one key aspect that Krebs’ model can dig deeper into is the externality costs from attackers looking to swim upstream into a company to achieve broader downstream effects. Think targeting one company in order to hit their clients. This style of attack has been a concern for law firms worried about protecting their clients’ sensitive files; the government protecting employee records; and, for industrial control systems and the internet of things vendors attached to critical infrastructure.
As we have seen with ransomware, criminal attackers are becoming much more efficient with their economic models for making serious cash. With last year’s takedown of CryptoWall v3, members of the Cyber Threat Alliance discovered over $325 million in damages from this one campaign. Attackers are also highly sensitive to their profit model. A recent Ponemon survey noted that not only are a majority of attackers financially motivated, but also that a two-day increase in their workload is enough to dissuade them from continuing an attack.
What does all this mean for CEOs and board members? Unfortunately, to Krebs' point, it shows that adversaries likely understand the value of your data and how to access it better than you do. It also shows that business-savvy attackers driven by profit motive will look for opportunities to strike once and reap the benefits from large amounts of data. For a company, this generally means attackers will target data that you are holding on behalf of someone else or systems that are connected to many other targets. From a business risk standpoint, this blows your externality cost models out of the water.
The recent attacks utilizing the SWIFT global payment system are another excellent example. In this case, attackers appeared to be leveraging the trust in the SWIFT network not to take it down or gain sensitive IP but to use it as a conduit for perpetrating fraudulent transactions against other users. This hammers home that, even if you are the first victim of an attack, you may not be the primary victim but could still be potentially responsible. This has been a major concern in the cyber insurance market as well, where the complexity of these types of externality costs make it difficult to write policies that cover the full cost of major cyber incidents.
With all this being said, there is hope! Krebs ends with a pitch for an effort that is near and dear to my heart: the Cybersecurity Framework that was launched in a public-private partnership by the U.S. government and private sector in 2014. The Framework emphasizes that investments made against your specific business risks can have a huge effect on increasing your cybersecurity. From a Palo Alto Networks perspective, we speak about this as focusing on preventing successful attacks by matching your investments to the right personnel training, proper security processes, and next-generation technology, in order to raise the cost for attackers at every step in the attack lifecycle. This strategic level of planning for prevention rests largely in the hands of senior leaders, and oversight of these risk reduction measures is becoming a key board responsibility as well.
Kudos to Krebs for helping to generate discussion and build out more data around bringing cyber to the boardroom. For more information on how to plan for, prevent and respond to cyberattacks, check out some of the great articles from our partners at the SecurityRoundtable.org.