CIRO: Building a united front

By Mary Beth Borgwing on February 14, 2014

Cyber risk is a corporate issue, but many companies are ill-equipped to manage it despite its recognition as a high-profile problem that can deeply affect brand and reputation.

Also, it is no longer solely an information technology issue.

Companies that proactively treat cyber as an enterprise risk issue are changing the way their organizations manage those risks. Gone are the days when a corporation could rely solely on technology to protect its technology infrastructure. Today, a larger scope and budget are needed to understand how a cyber breach will affect your organization.

Among the proactive measures are new roles such as the chief information risk officer (CIRO).

CIRO is “the new chief information security officer.” According to Thomas Dunbar, CIRO for XL Insurance, the new c-suite post comes out of the need to raise cyber-risk awareness within the organization and foster a philosophy to “marry the risk and technology budgets, and work closely with the teams that are responsible for risk transfer measures and insurance.”

Proactive corporations have also formed Cyber Task Forces composed of functions from across the enterprise. These task forces are charged with educating the enterprise on breaches, creating policy and process for managing events and containing breaches, and managing the supply chain of vendors hired to contain a breach. Both the CIRO and the risk manager are part of the task force, as are representatives from legal, finance, technology and operations.

These task forces do not mandate the security budgets. The CIRO/CISO still mandates the security side of the technology spend, along with compliance and regulatory measures. However, the role now needs to work closely with risk managers, continually updating them on new technology risks such as malware, man-in-the-browser attacks, phishing and other crimeware, so that both the security technology risk picture and the risk mitigation strategy, including the insurance policy that will cover these new network penetration methods, stay up to date.

According to Advisen data, malware-related cases are on the rise: they grew from 11 in 2008 to 78 in 2013. Just several years ago, network penetration from malware was not as sophisticated or as readily available as it is today.

[Figure: malware-related cases over time]

Malware attacks on major retailers such as Target, Neiman Marcus, TJMaxx, and global companies such as Sony come from black market software sold to rogue teams and individuals with malicious intent.

This underground technology is readily available and cheap, and this crimeware keeps getting better as the community grows. Corporations have often been slow to recognize that underground groups have an insider, or an open door in a piece of code, that allows the entry to happen. For this reason we cannot ignore the role that people—the human factor—play in creating these breach events. Companies need to build threat intelligence into their cyber task forces, with monitoring and detection methods that account for the part human behavior may play in allowing an event to happen.

Trusted Knight Corporation, a crimeware prevention and modern threat technology company, told us the best defense is to combine the best anti-crimeware technology with the best offense. The best offense starts with a board that mandates cyber risk preparedness and education throughout the enterprise at every level.

According to Joseph Patanella, CEO and co-founder of Trusted Knight, “The most devastating and successful attacks against the payment card industry to date, including those against Target, Neiman Marcus and others yet to be named have all employed memory-scraping malware to capture large quantities of magnetic-strip data (also known as track data). Memory-scraping malware uses the same techniques employed in sophisticated key-logging Trojans to capture information transiting memory.”

Patanella says Trusted Knight’s Protector software is the only proactive defense technology that prevents both key-logging and memory scraping Point-of-Sale malware.

A proactive program for cyber risk is needed to create a 360-degree view of risk so the corporation is aware of these threats and ready to respond. These events need no longer be a crisis the organization cannot manage, provided it has the right level of technology security, education of the work force to build awareness on the human side, and board and executive management support for the program with the proper funding.

Once this happens inside an organization and it becomes part of standard operating procedures, risk and technology experts like a CIRO can build a united front for combating cyber threats.

mbborgwing@cyberrisknetwork.com

Mary Beth is President of the Cyber and Risk Practice at Advisen. Mary Beth, a senior risk, insurance, and finance executive, speaks and writes frequently on cyber risk management. Contact Mary Beth at [email protected].