Are these threats too big to manage? Is cyberthreat management the Elephant in the Room?
Cyber-resilience needs to be on the board agenda, but too many boardrooms still prefer to manage the risk with the Ostrich Control – hoping it will go away – exacerbated by the fact that security budgets continue to grow whilst answers to how much to spend and what to target remain elusive.
The trick is to assess causes, how and where they manifest themselves, then define impacts and outcomes before choosing the appropriate controls. Simple in theory, a nightmare in practice, because so much is now outside the direct control of our organisations. Originally we talked about Risks because we were able to identify, assess and control them: they were mainly of internal origin. Those remain, and still need to be managed, but we also face a range of external issues over which we have no control in terms of origin, when, where, how or who. The game has changed from Risk (internal) to Threat (external) Management.
It is difficult to address cyberthreats from the top because of the devil in the detail, often too many and varied for the Leadership to appreciate the scale of the problem. Any hope of success requires a framework to keep us on track, hence COBIT 5.
A new addition to the family is “Transforming Cybersecurity”, providing a high-level view of cyberthreat issues plus mappings to “COBIT 5 for Information Security”. But as cyberthreats feed on traditional vulnerabilities, organisations still need a more comprehensive framework to ensure 360° coverage. “COBIT 5 for Risk”, Appendix B, provides a comprehensive set of practices covering both the technical and soft-skill aspects. “COBIT 5 for Assurance” provides the means of identifying weaknesses. “COBIT 5 for Information Security” identifies the controls needed to protect systems.
So we can:
• Find out where to look for vulnerabilities, human and technical (see COBIT 5 for Assurance, Sections B4-7).
• Understand why those vulnerabilities exist (see COBIT 5 for Assurance, Appendix D2; COBIT 5 for Risk, Appendix B, MEA01).
• Identify cause and effect to help understand the trade-offs that exist in all firms because resources are not limitless (COBIT 5 for Risk, Appendix B, APO08).
• Assess technical and behavioural security and control (COBIT 5 for Information Security, Appendices D-G).
My choice of threats comes from Level 3 Communications, as I believe they are representative of the attacks on the business community. If we apply COBIT 5 to them (original source material from Level 3 Communications, embellished by me using COBIT 5), we achieve this overview:
1. Network and Application Layer Attacks
Causes: DDoS tools readily available; unknown locations and number of disrupters with limitless patience; controls over hardware and software components not maintained.
Impacts: server and network disruptions; potential for a ‘piggy back’ attack to occur elsewhere.
Outcomes: business comes to a halt; opportunity cost of resolving the attack and rebuilding supply chain trust.
Controls: stopping an attack in progress is very difficult, so the firm must have robust internal detective, monitoring and corrective procedures, the ability to speak out on any suspicions and the agility to respond.
2. Social Engineering
Causes: genuine-looking fake communications; vulnerable staff; weak governance, behavioural and security practices.
Impacts: critical information accessed; theft; physical and virtual access available to outsiders.
Outcomes: loss of competitive advantage; supply chain trust broken; overall reputation diminished; regulatory breaches; integrity of all other data now suspect.
Controls: many will be soft-skill controls such as anti-social engineering training at all levels and supportive management of staff; sound board/C-suite behaviour that complies with policies; speak-up policies to allow anyone to say they may have been engineered. Technical controls are as above.
3. Advanced Persistent Threats
Causes: exploiting vulnerabilities to create ‘backdoors’ to systems.
Impacts: credentials and data accessed and taken; as there is no obvious disruption, there is no obvious way of knowing how long it has been happening.
Outcomes: as for 2.
Controls: as for 1.
4. Organised Crime
Causes: ability to apply Threats 1-3.
Impacts: as for 1-3 but on a much larger scale. Victims are not only the organisation but also the supply chain, customers and possibly their families and banks.
Outcomes: intellectual property and sensitive data is now under the control of criminals for their benefit; more data available on the black market; ransom and blackmail demands.
Controls: as for 1-3; engaging with the police to ensure forensic evidence is preserved; engaging with lawyers to assess legal liability; establishing communications policy and practices for use with the media.
5. Major Data Breaches
Causes: all the above.
Impacts: sensitive data exposed; business disruption.
Outcomes: loss of trust; high operational and reputational recovery costs.
Controls: as for 1-4.
In summary, if we want to focus on the cyberthreats:
• Start with “Transforming Cybersecurity” and apply the relevant aspects of COBIT 5 Information Security.
• For a 360° assessment, assurance and action plan, broaden out to include COBIT 5’s Risk and Assurance as well.
• The final cross-check is to see how the identification, control and management of the threats supports the overall goals of the organisation – the ‘enablers’ of COBIT 5 that enable an organisation to thrive – such as having a high-quality customer-orientated service culture, increasing stakeholder value through enhanced effectiveness and efficiency (source: COBIT 5 enablers).
By better controlling just one threat, the likelihood and impact of the others are reduced too.
Heads up please to see and deal with the Elephant in the Room.