Their brand names are notorious in cybersecurity circles: Equifax, Uber, Maersk and Saudi Aramco. Each of these businesses suffered a big breach – cyber incidents that, together, affected many millions of customers. But it wasn’t only consumer data that was compromised; these companies took huge reputational hits as well. Today, all organizations live in fear of experiencing a similar “digital black swan” event and being made an example of by the media.
Understanding Digital Black Swans
Digital black swans presuppose two key characteristics. First, their impacts are catastrophic. For example, during the 2017 Equifax breach, hackers stole personal data from over 145 million Americans – nearly 44% of the US population. Equifax’s CEO, CIO, and CSO were all forced to resign. And the company is facing dozens of government investigations and hundreds of class-action lawsuits.
Digital black swans are not always limited to individual companies and their customers; sometimes, there can also be national or global impacts. During the 2012 Saudi Aramco cyberattack, three-quarters of the company’s hard drives were destroyed. Saudi Aramco sent representatives directly to computer factory floors in Southeast Asia to purchase 50,000 new hard drives – every single hard drive on the factory line. This constrained the global supply of hard drives, causing computer prices to spike.
The second characteristic of a digital black swan is that they are unpredictable. The cyber event appears to come out of nowhere, catching companies by surprise. Consequently, organizations often don’t hold themselves accountable because they are under the false belief that there is nothing that they could have done to prevent an attack of this nature.
Controlling Your Swans
On the surface, digital black swans may seem unforeseeable, but if you dig a little deeper, you’ll generally discover that many of these incidents could have been prevented. For instance, in the Equifax breach, hackers exploited a vulnerability that was publicly disclosed two months prior to the attack. If Equifax had installed the patch in a timely manner, this breach would likely have been prevented.
The key to preventing digital black swans is carefully putting critical controls in place. There are a number of controls that companies can use to reduce the odds of experiencing a major cyberattack. For example, Equifax suffered from faulty vulnerability management. The credit reporting company had ample time to install a routine security update that would have prevented the cyber incident.
Poor security practices at Equifax were systemic. Shortly after the breach, it was revealed that one of the company’s online employee portals could be accessed using the default credentials of “admin” as both the username and password. This simple negligence put millions of Americans’ data at great risk.
Likewise, the major cyber incidents at Saudi Aramco, Uber, Maersk and even the Ukrainian power grid could have prevented their attacks – or at least drastically reduced the impacts of those attacks – with proper security controls in place.
Contrary to popular belief, cyber risk is not a nebulous concept. Cyber risk can be measured, and because it can be measured, it can be managed. Cyber incidents can be anticipated by using risk scenarios that quantify potential loss magnitude (such as business impacts). When organizations evaluate the variety of threats and potential success rates against the various assets they own, they can quantify the possible losses in these observed or contrived scenarios. As such, senior business leaders can prioritize the appropriate controls and countermeasures to ensure that their most valuable assets – their crown jewels – are properly protected.
Cybersecurity matters affect many areas of an organization, and thus involve people in an array of positions: auditors, CISOs, senior officers, etc. Though each of these roles have different responsibilities, they share a common mission: keeping the company safe from cyber threats. Cybersecurity is a true team sport. And like all team sports, one of the keys to success is effective communication. IT auditors need to look across the organization to ensure it is in compliance with any regulations as well as to identify potential areas of weakness and to convey new requirements and recommendations to the CISO or other information security managers. CISOs need to work within their budgets to protect their enterprise from cybersecurity risks, while balancing the need to keep the organization fluid and functioning. There are several resources available that can help senior executives and other business leaders manage and oversee cyber risk, such as CyberVista’s Resolve Program. Furthermore, CISOs need to communicate this risk to executives and the board by explaining cybersecurity issues in business terms; they need to translate bits and bytes into dollars and cents. And conversely, business executives need to overcome their technophobia, become more informed on cyber risk issues, and prioritize and manage that risk as an enterprise risk.
Editor’s Note: Jeff Welgan will present on this topic at the 2018 Governance, Risk and Control Conference, to take place on 13-15 August in Nashville, Tennessee, USA.
Jeff Welgan, Head of Executive Training Programs, CyberVista
[ISACA Now Blog]