The insider threat has long been recognized as a major factor in cyber-criminal activity. The Insider Threat 2018 Report stated that 90% of respondents felt vulnerable to an insider attack and 53% confirmed an insider attack in the previous 12 months.
Insiders have traditionally been thought of as current or former employees or contractors who use their authorized access to an organization’s system and data to conduct or assist cyber-criminal activity. But employees who make poor decisions about the organization’s cyber-security program can also dramatically increase the risk of attack. They may not be considered insiders in the traditional sense, but these bad decision-makers can be just as risky as nefarious insiders wishing to harm the company.
Cyber attacks are no longer just about data breaches. Over the past two years, attacks have involved encryption of data and ransom demands, zeroing out servers, exploiting unpatched or unsupported software, and causing massive business interruption, denial of service attacks (including via internet of things (IoT) devices), and sophisticated social engineering attacks for credentials. A report by Positive Technologies—Cybersecurity threatscape Q2 2018—noted the number of unique cyber incidents grew by 47% over the previous year. Cyber criminals are expected to make $1.8 trillion off their criminal behavior. The problem is that a number of these attacks could have been avoided if employees had made better decisions about preventive actions.
The impact of bad cyber-security decisions by internal personnel becomes glaringly apparent when one considers how their decisions contributed to the severity of the attack and its cost to the company. An Advisen report found cyber-related business interruption losses increased 30% between 2016 and 2017. Losses from the NotPetya malware alone are estimated to range between $4 billion and $8 billion (the White House estimate was $10 billion).
In the Crosshairs of Blame
Decisions made by personnel in the C-suite and management frequently result in a failure to take actions that are commonly known to help prevent attacks. Although top executives are not typically considered to be insider threats, they play a critical role in enabling attackers when they make or participate in decisions that cause an organization to become more vulnerable to attack.
Failure to Act
Failing to take preventive actions results in some hard cyber truths.
"Executives and board members who fail to understand they have particular responsibilities for cyber-security may well be more dangerous insiders than the traditional hostile insider."Tweet
The failure of top managers to take the preventive actions listed below just might enable a devastating cyber attack:
- Failure by the IT or security teams to implement critical patches
- Failure by the CFO or chief information officer (CIO) to fund the replacement of out-of-support hardware and software or purchase additional vendor support at an increased price (if available)
- Failure by the CFO or CIO/CISO to fund denial-of-service prevention services
- Failure by the CFO or CIO/CISO to fund critical cyber-security program activities
- Failure by the CFO or business unit lead to replace a favorite legacy application that requires an out-of-support operating system (this may be why patching is not performed on some systems; if patched, the system won’t support the legacy app)
- Failure by the CIO to segment and firewall off portions of the network
- Failure by general counsel to ensure their privacy and security requirements are actually integrated into cyber-security controls
- Failure by the CISO to have a tested backup and recovery program
- Failure by the C-suite and board to ensure a CISO is responsible for the cyber-security program
- Failure by the C-suite and board to ensure annual cyber-risk assessments are conducted and funding is allocated to close gaps and deficiencies
- Failure by the CISO, business executives and board to develop a robust incident-response plan and participate in at least one tabletop annually
- Failure by the risk manager to engage with the CISO and CIO to develop a cyber-risk strategy and ensure insurance coverage is adequate.
On the other hand, when companies do take the necessary preventive steps, they can be better protected and recover more quickly if an event does occur.
- Companies that have a fully tested backup and recovery plan are able to restore their data in the event of ransomware, continue operations and avoid paying a ransom.
- Companies that have denial of service overflow capabilities are usually able to maintain operations during a DDoS attack.
- Companies that have all their hardware and software patched and within vendor support are able to avoid exploits, such as WannaCry and NotPetya, that target these known vulnerabilities.
- Companies that segment and firewall their network can prevent an attack from traversing the entire network and stealing or damaging the system as it goes.
- Companies that ensure their privacy and security compliance requirements are integrated into cyber-security policies and procedures are better positioned with regulators after a breach.
- Companies that conduct annual cyber-risk assessments are more likely to have appropriate types and levels of insurance.
What’s more, companies that have not hired a chief information security officer are unlikely to have a mature cyber-security program in place or the ability to effectively respond to an attack. Target, for example, did not have CISO when its notable breach occurred in 2014, and its failure to segment and firewall its network played a major role in the event.
Board members also are not exempted from blame. In 2014, Institutional Shareholders Service (ISS) called for seven of the 10 Target board members not to be reelected, stating it believed the directors “failed to exercise adequate risk oversight.” They were ultimately reelected, but their action sent shivers through boardrooms.
Four years later, ISS called for five Equifax board members, including the chairman, not to be reelected over their failure to exercise their “responsibility for risk management related to technology security.”
"Companies that have not hired a chief information security officer are unlikely to have a mature cyber-security program in place or the ability to effectively respond to an attack."Tweet
Following the Equifax breach, in 2018, the SEC issued guidance for publicly traded companies to inform investors about material cyber security risks. It specifically noted, “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cyber-security risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures.”
The New York Department of Financial Services’ cyber-security regulation became effective on March 19. Three months earlier, the agency’s superintendent issued a memorandum to remind all covered institutions that department-regulated entities are required “to adopt the core requirements of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users…. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections.”
Health providers and government contractors already have requirements for cyber-security programs and governance compliance. The Federal Trade Commission’s proposed revisions to the Safeguard Rule, which was released on April 4, also has increased requirements for cyber-risk assessments, vulnerability, and penetration testing and governance.
Executives and board members who fail to understand they have particular responsibilities for cyber-security may well be more dangerous insiders than the traditional hostile insider. If correct decisions are not made internally about cyber security, the consequences can be painful and expensive, as the NotPetya attacks so clearly demonstrated.
Spend the Money
The primary reason most companies do not conduct regular risk assessments, perform vital cyber-security actions, or hire chief information security officers is because they don’t want to spend the money. That thinking is penny wise and pound foolish, and it fails to take into consideration how expensive cyber attacks are, how much forensic and regulatory investigations cost, and what the potential hit on reputation and market share may look like.
Customers are truly beginning to care about doing business with companies that are trustworthy. A 2017 report on consumer intelligence by PwC indicated that “87% of consumers say they will take their business elsewhere if they don’t trust a company is handling their data responsibly.”
This concern represents an enormous opportunity for insurance agents and brokers to meet with clients and discuss their cyber-security programs, help them understand where they might be deficient, and encourage them to conduct regular cyber assessments so they can develop an appropriate risk-transfer strategy. The large business interruption claims over the past couple of years reminds us that a robust cyber-security program consists of more than blaming criminals, including insider criminals. Increasingly, cyber-security attacks can also be blamed on poor decision-making by management.
“Understanding this issue begins by focusing on the risk, without insurance being a driving thought,” says Max Perkins, senior vice president for global cyber and technology, global professional and financial risks with Lockton Companies. “Once the risk is understood, only then can proper governance procedures be continued, strengthened or implemented. Risk management includes the hardening of security controls, user awareness and training, and risk financing/transfer. We find that clients whom we lead or who have been through this process are best positioned to negotiate with insurers and, more importantly, to respond to the underlying incident.”
Westby is CEO of Global Cyber Risk. firstname.lastname@example.org