The third annual threatLAB conference, Feb 1-3 in Florida, brought together cyber leaders from U.S. federal law enforcement and the intelligence community as well as industry experts from across the Fortune 500, including sectors such as energy, manufacturing, telecommunications, insurance, and more. Together, they shared insights on this year’s theme – Cyber Risk 360° – which embodies the TSC Advantage philosophy of encouraging businesses to take a proactive and panoramic view of their cyber security.
After a packed agenda that included discussions on cyber resiliency, a review of the latest threat actors, a case study on the Ashley Madison attack, and significant findings collected from TSC Advantage’s holistic Enterprise Security Assessments (ESA) conducted over the course of two years, we’ve compiled a short list of takeaways that organizations should consider as they plan their cyber strategies.
- Harmonization of Technology, Processes and People
Security is neither a single act nor a sensor bought from a vendor. Rather, it is the collection of activities that harmonize corporate investments in people, process, and technology. While technology is crucial to any risk management discussion, it cannot be relied upon at the expense of other considerations, such as developing a mature cyber security culture with full C-suite buy-in, or understanding the range of technical and non-technical threats that may imperil sensitive digital assets. TSC Advantage's ESAs, performed on organizations of varying sizes and sectors, have shown that those that invest in cyber security across the whole enterprise are best able to prevent, detect, correct, and ultimately recover from a cyber attack or breach.
- Cyber Security + Cyber Resiliency = Cyber Maturity
In the years TSC Advantage has been conducting assessments, we have seen the conversation shift from cyber security, understood narrowly as network security, to cyber resiliency. Cyber security focuses on keeping external threats out through preventative fortifications. Cyber resiliency acknowledges that no control is perfect and that threats evolve, so attention must also be paid to the functions designed to detect and correct an intrusion that has already succeeded. Right now the average time it takes to detect a breach is 256 days. That is simply too long and too costly. By combining cyber security and cyber resiliency, enterprises are in a better position to reach a level of cyber maturity that makes them a much harder target and helps them get back to business as quickly as possible.
- Transfer Risk!
Enterprises can choose to avoid, mitigate, accept, or transfer the risks to their organization. Cyber insurance can serve as part of an overall risk management plan designed to protect customer privacy and corporate reputation. The first step is to understand both exposure and risk, including potential physical damage and third-party exposures. Step two is to understand your policies. threatLAB guest speaker Mary Guzman of McGriff, Seibels & Williams outlined how policyholders should be aware that their current policies may contain exclusions for cyber-related incidents. Know the limits and exclusions and, depending on your sector, understand the regulatory requirements that may affect your enterprise. Cyber insurance provides an additional line of defense by transferring risk, but more importantly, when a policy requires the insured to undergo annual holistic cyber risk assessments, it creates a virtuous cycle: the insured grows in cyber maturity and the insurer inherits less risk.
- Partnerships Promote Sharing
At threatLAB we heard from senior special agents of the FBI as well as officers representing the U.S. Department of Homeland Security (DHS). Both agencies run robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism, and more. Make these resources part of your organization's cyber toolkit. Depending on your industry, there are also numerous member-driven Information Sharing and Analysis Centers (ISACs) that collect, analyze, and share threat information. Join one to maintain sector-specific situational awareness.
- Get Back to Basics
Finally, let's get back to basics and practice basic cyber hygiene. Surprisingly, some enterprises still overlook fundamental security controls such as complex passwords, multi-factor authentication, and use of a virtual private network (VPN). But the basics go beyond that. TSC Advantage has found that only half of the organizations we've assessed had fully documented external crisis communication plans for disasters or breaches, and very few had identified, classified, and monitored their critical and valuable assets. We understand this is not an easy undertaking, but protecting those assets is virtually impossible if you don't know what exists or where it is located. Executives: you've seen the data. Board involvement and good governance reduce the actual cost of a cyber breach. Be a champion of good cyber hygiene within your enterprise.
These are just five of the many takeaways we gleaned from our roster of speakers at threatLAB 2016. Contact the TSC Advantage team for more information on these or other enterprise risk topics. We look forward to welcoming you to threatLAB 2017!