Cybersecurity is likely to remain center stage as a top risk as companies continue to expand their reliance on digital technologies to transform customer experiences and execute global growth strategies. Companies today fall into two groups – those that have been breached and know it and those that have been breached but don’t know it. The realities of managing cybersecurity risks are that they are impossible to eliminate, resources for managing them are finite, risk profiles are ever-changing and getting close to secure is elusive. Furthermore, organizations need IT resources to innovate so they can remain competitive; as important as the cyber imperative is, directors should not allow it to dominate the IT budget and stifle innovation.
Combatting so-called advanced persistent threats (APTs) effectively requires faster detection and more advanced response tactics. But most U.S. organizations seem to be operating from a 1990s playbook when it comes to cyber, while aggressor nation-states, such as China, appear to be using a 2050 playbook.
What makes APTs especially dangerous is that they can adapt to an entity’s preventive countermeasures. They can also change the paths by which they infiltrate a computer or network server to deliver malware payloads that may be altered over time. Stealth is the goal, as an APT may either seek to cover its tracks once its objectives are achieved or lie dormant for an indeterminate period for later activation at an appointed time or in a designated situation.
In the arms race to keep pace (or, in most cases, catch up) with these threats, organizations need to commit themselves to tapping into available government intelligence and using it to facilitate their preparedness. Directors should suggest that the management team develop and maintain relationships with the correct contacts in the government sector needed to stay informed of emerging risks. For example, as attacker resources and sophistication have increased over time, regulators and various government agencies in the United States have formed an Information Sharing and Analysis Center (ISAC) for multiple industries. An ISAC is a nonprofit organization that provides a central resource for gathering and sharing information on cyber threats to critical infrastructure. The volume of information provided is large enough that participating companies should allocate adequate resources to monitor it over time and determine what actions to take to address new and emerging threats.
Many organizations are concerned over the maturity of most companies’ countermeasures and what can be done at the board level to encourage more effective mitigation of the risks. If management and the board believe the entity is an APT target based on what it represents, what it does and the intellectual property it owns, the organization’s cybersecurity capabilities need to be upgraded beyond the controls, tools and response mechanisms traditionally used to contain sophisticated attackers and corporate insiders. Our experience is that detective and monitoring controls remain immature across most industries relative to the evolving threat landscape, resulting in continued failure to detect breaches promptly.
Simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond swiftly. However, our experience with such simulations is that, too often, clients authorizing the testing fail to detect our test activity. Contrary to what many executives think, outsourcing to a managed security service provider does not solve the problem, as we often see breakdowns in the processes and coordination between the company and the service provider that result in attack activity going undetected. If an advanced attacker enters a system environment in which detective controls have repeatedly failed to detect breach activity in a timely manner, it’s game over.