The cyber risk gap
As the number of digital transactions increases, so does the likelihood of cyber-attack. Organisations handling large amounts of sensitive data are more likely to be targeted by attackers looking to exploit the information stored within corporate networks. As a result, businesses find themselves increasingly exposed to what is referred to as a ‘Cyber Risk Gap’, caused by a combination of factors outlined below.
Today you are a target of opportunity and a target of choice - it just depends on the day
There are countless ways for threat actors to penetrate corporate IT systems, with the potential to cause considerable damage to businesses anywhere in the world. Ransomware attacks were prolific throughout 2017, one of the most notable being WannaCry. Yet even with all the public furore around WannaCry, we know that thousands of organisations still run the majority of their computers on outdated operating systems, a practice that nearly triples the chance of a data breach.
Following WannaCry, we released a report titled “A Growing Risk Ignored: Critical Updates”, which analysed more than 35,000 companies from industries around the globe looking specifically at the use of outdated computer systems and practices and the correlation to data breaches. We found that there are large gaps in asset management programmes and that organisations clearly need to be more vigilant about limiting their attack surface in order to more rapidly address exploitable vulnerabilities.
And just to add to this, while we are made aware of high-profile attacks, like WannaCry, this is really just the tip of the iceberg. There are many other forms of malware for sale that lurk in the shadows of the deep and dark web (DDW) that go unreported. According to Carbon Black’s ‘The Ransomware Economy’ report, there were more than 6,300 dark web marketplaces selling ransomware, with 45,000 product listings in 2017.
What these trends show is that cybercriminals are entering the ransomware market and acquiring attack tools that are easily deployable and offer attractive returns on investment. Cybercrime continues to pose a growing problem for organisations. The fallout from some of these threats is publicised and receives extensive media coverage, but much of it goes unreported. For businesses running outdated operating systems and browsers, it is often too late to do anything about it once an attack lands. Companies need to take a more proactive approach to updating their systems, as we will no doubt see even larger attacks in the future. Boards are now waking up to the fact that cyber security is no longer just a technology issue; it is a business risk too.
Expansion of the Digital Supply Chain
Compounding this issue is the fact that organisations are doing business with more vendors than ever before, and their ecosystems are expanding to include third and fourth parties (their suppliers’ suppliers). This means organisations are taking on the risk of hundreds to thousands of business partners. Third and fourth parties are liabilities because they may hold your data or connect to your IT network. As the supply chain fragments, doing business online has become much easier, but the downside is that businesses face greater exposure to insecure supplier networks.
Most organisations handle this with a cyber risk assessment process that is labour intensive, qualitative in nature and unable to scale. When creating a risk management strategy, it is important to have assessment processes that can scale to meet the growing number of vendors working with your business. Traditional approaches, such as penetration tests and questionnaires, are qualitative and episodic: they capture risk at a single point in time. While an important part of the risk management process, these labour-intensive activities cannot keep up with the volume and timing requirements of the current risk environment.
Regulatory environment that focuses the mind
The impact of regulation depends very much on the industry sector, but most organisations will be subject to some kind of regulation, and often this is not taken into consideration from a cyber-risk perspective. Regulations that encompass all industries, such as the General Data Protection Regulation (GDPR), which comes into force on 25th May this year, will need to be part of any organisation’s cyber risk management programme. Article 32 of the GDPR requires controllers and processors to implement appropriate technical and organisational security measures, and Article 28 requires controllers to use only processors that provide sufficient guarantees of doing so, which in practice means due diligence on third parties before personal data is shared with them.
It is critical that organisations put into place assessments that are qualitative, quantitative, and continuous. While proactively mitigating risk, it’s crucial to have a standard measurement tool when looking at both internal and third-party risk. Here at BitSight we help organisations transform how they manage information security risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings, to help manage third party risk, underwrite cyber insurance policies, benchmark performance, conduct M&A due diligence and assess aggregate risk.
Well-known, independent analyst firms are in agreement. According to Gartner, 80% of security risk management leaders are being asked to present to senior executives on the state of their security and risk programme and 75% of Fortune 500 companies are now expected to treat vendor risk management as a Board level initiative to mitigate brand and reputation risk. And Forrester is recommending that CISOs gain a deeper understanding of Security Ratings, “as companies look to improve how they handle and mitigate third and fourth party risks, security ratings and other third-party risk intelligence services take centre stage.”
In today’s uncertain environment, the Board is requesting updates more than once a year and this has led to the emergence of security committees. As a result “risk” is now a permanent Boardroom agenda item and one that will gain a lot of scrutiny from senior executives going forward. So make sure that you have your cyber-risk gap covered.
Tom Turner, CEO, BitSight
China Takes Additional Step to Control Big Tech’s Data
China’s new Data Security Law will take effect on September 1st, allowing the government major control over the collection, use, and transmission of data. Tech companies have grown exponentially in terms of market size and overall power, and the Chinese government has no interest in alternative power hubs—especially those that belong to private enterprise.
Under the legislation passed on Thursday, companies will face heavy fines if they export data outside of China without authorisation. The Chinese government claims that this will create a legal framework and stop companies from taking advantage of citizens, but according to analyst Ryan Fedasiuk from Georgetown University’s Centre for Security and Emerging Technology, “China’s push for data privacy...is yet another move to strengthen the role of the government and the party vis-à-vis tech companies.”
How Do Other Countries Approach Data Privacy?
- Europe: The EU Charter of Fundamental Rights assures EU citizens the right to data protection. The bloc’s General Data Protection Regulation (GDPR), in force since May 2018, put stringent restrictions on commercial data collection.
- Canada: 28 federal, provincial, and territorial laws govern consumer data privacy; DLA Piper ranks the country’s data protection legislation as heavy, in comparison to Russia (medium) and India (limited).
- The United States: The US has no single comprehensive federal data privacy law. Instead, lawmakers have passed hundreds of state and local acts, with enforcement at the federal level falling largely to the Federal Trade Commission (FTC).
China, in contrast, thinks data should be a national asset and has written data collection into its five-year plan. Although its new legislation will help curtail private access to consumer data, the government may be the final beneficiary.
What Will China Do With the Data?
According to advisors, consumer data can help mitigate financial crises and viral outbreaks. It can protect national security interests, unsurprisingly, and help the government with criminal surveillance. Chinese regulators have already summoned 13 major tech firms, including Tencent, JD.com, Meituan and ByteDance, to meet with China’s central bank. President Xi Jinping’s government can shut down any company found violating the new laws and fine it up to 10 million yuan (US$1.6mn).
How Will Laws Affect Foreign Firms?
Foreign firms must now store data on Chinese soil, a requirement that many companies protest will compromise their proprietary data. So far, Tesla will comply: in late May, the electric car manufacturer promised to build more Chinese factories and keep the resulting data within Chinese borders. Firms hoping to set up China-based operations, such as Citigroup and BlackRock, will also have to comply with the data-localisation rules.
The Chinese government has framed data as a critical source of intelligence for the party and central government. “You have the most sufficient data, then you can make the most objective and accurate analyses”, Mr Xi told Tencent’s founder, Mr Ma. “The...suggestions to the government in this regard are very valuable”.
Greater digital control is coming, that’s for sure. Mr Xi has named big data as an essential part of China’s economy, right up there with land and labour. “Whoever controls data will have the initiative”.