Employees, vendors, corporate culture tops among today’s cyber risks

By Chad Hemenway on December 11, 2014

What do you see as the greatest cyber risks today?

As Walt Kelly’s famous line goes, “We have met the enemy, and he is us.” The actors change. The threats change. We only have control over our own shop. The greatest cyber risks, in my opinion, are:

  • Employees. Study after study shows that your employees are the weakest part of your data security program. Employees regularly fall victim to increasingly sophisticated phishing and spear-phishing emails, clicking an enticing link that covertly loads malware that provides a “foot in the door” for subsequent evil. The silver lining is that organizations have more control over their employees than over the other actors in a data security tragedy (e.g. hackers and vendors).
  • Vendors. Vendors cause or contribute to nearly half of all data breaches. Despite this, organizations often overlook the threat posed by vendors. Vendor due diligence is often ignored. Furthermore, if employees are one of the greatest cyber risks, your vendor’s employees are out of your control, yet their actions can expose your sensitive data.
  • Corporate culture. Recognizing that the threat actors are not going away, corporate culture is at the heart of the cyber risk management problem. Senior management shapes the culture, the “who we are” of an organization. Are we security conscious? Do we think that data security is an “IT issue” or do we acknowledge that it is a “C-Suite” and board-level issue? If budgets reflect an organization’s priorities, what is your data security budget? If data security is part of the corporate culture, it looks like this: someone is responsible for security and thinks about it; time and money are allocated to train employees, manage vendors, and set up layered security (defense in-depth) in case the bad guys still get past your employees and vendors (e.g. data classification, data segmentation, user access controls, encryption); regular risk assessments are conducted, and vulnerabilities are addressed; incident response plans are created and tested; and the board of directors is behind the effort, insisting on implementing data security best practices.

What will be the greatest threats in 5 years?

Recognizing that no one can predict the threats 5 years out (just think back 5 years and compare today’s threats), I predict cyber-warfare and/or the US government will be our greatest threats. Depending on how you define “threat” (and what you are trying to protect), political and economic forces indicate to me that smaller nation states will use (or attempt to use) the Internet to destroy the US. If our financial industry and markets can be destroyed, or if power grids, dams, air traffic control, or other major public systems can be shut down or damaged, the ensuing chaos will threaten the core of the country.

In 5 years, the Internet will be at the heart of communications and commerce worldwide (if not already). If the United States government controls the Internet, it will have the power to control its people.

Is the insurance industry doing enough to adequately address these risks?

Some industry-leading insurance companies have been proactively supporting and providing the tools for exceptional cyber risk management. Similarly, there are some outstanding brokers who are proactively encouraging their clients to use these risk management resources. That said, and while I am not an insurance expert, I don’t think the insurance industry’s role is to address/solve cyber risks. The insurance industry is more focused on separating the good risks from the bad risks and making decisions on the cost and/or availability of risk transfer.

What keeps you awake at night?

My biggest concern revolves around the explosion of Internet-connected mobile devices coupled with (1) the BYOD phenomenon, (2) the proliferation of uncontrolled or unsecured Wi-Fi access points, and (3) the rapid growth of malware designed for mobile devices. The result is potentially uncontrolled data leakage and information theft, which continues to be the highest external cost for victims that experience a cyber breach.

In your opinion, what is the single most important cyber risk development in the past 12 months?

Directors and officers have been placed on notice of their potential liability related to cyber risks and the need for appropriate risk management.

  • Palkon v. Holmes (U.S. D.C., NJ). On October 20, 2014, a federal district court dismissed a shareholder derivative suit that sought damages from directors and officers of Wyndham Worldwide Corp. for a series of data breaches. While the court did not reach the merits of the case, the dismissal turned on the board of directors’ affirmative steps to address data security risks.
  • In re Target Corporate Shareholder Derivative Litigation (D. Minn. Jan. 21, 2014). After the well-known Target data breach in December 2013, four derivative lawsuits were filed and consolidated against Target’s directors and officers. These cases allege breach of fiduciary duty and waste of corporate assets, among other claims.
  • On June 10, 2014, SEC Commissioner Luis A. Aguilar told the New York Stock Exchange that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.”

When boards of directors recognize their responsibility for cyber risks and risk management, corporate culture (discussed above) changes and the C-suite responds. If corporate culture is the root of better cyber risk management, then this development will change everything for the better.

***

Randall J. Krause, Esq. CIPP/US, is an attorney and privacy professional who co-founded ePlace Solutions, Inc. in 1999. ePlace Solutions is a consulting firm that provides innovative cyber risk management solutions to insurance companies and over 30,000 organizations across the US, including a web/mobile app for data breach preparedness and incident response.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].