Blogs
Stay Prepared: Know 2023’s Top Cyber Risks
- IT Risk & Cyber Risk
- 23 February 23
7 min read
Introduction
We’re already two months into 2023, and cyber risk remains high on the list of high-alert challenges for the year. The World Economic Forum recently highlighted “widespread cyber crime and cyber insecurity” as one of its top 10 global risks in its 2023 Global Risks Report. Global economic turmoil, geopolitical crises and technology industry layoffs add to the concerns, as C-suite leaders already struggle with understanding the impacts and visibility into cyber and IT risk.
This volatile backdrop calls for ongoing agility and cyber resilience. In addition to our top 10 Cyber Risk Trends Report, here are 10 cyber risks to prepare for in 2023.
1. Increase in Ransomware Cyberattacks
According to Verizon, ransomware attacks saw a 13% increase over the past five years, with the first two quarters of 2022 documenting 236.7 million ransomware attacks worldwide. As organizations employ complex countermeasures to tackle ransomware and manage cyber risk, attackers are resorting to increasingly sophisticated infiltration techniques, including the use of AI and the availing of ransomware-as-a-service (RaaS). Educating your teams on ransomware and mounting equally sophisticated defenses is key.
2. Digital Supply Chain Vulnerabilities
By 2025, Gartner expects 45% of firms to have suffered supply chain attacks, up threefold from 2021, making it an important cyber risk to make note of. Today, with highly interconnected risks and hundreds if not thousands of third and fourth-party IT vendors within the chain, a cyber attack can result in accessing a company's networks, data theft, and operational disruption, resulting in financial losses and reputational damage.
A strong third-party vendor risk management program, from onboarding to offboarding, can help plug the gaps. Consider not only critical suppliers but also incorporate automation and AI to expand your risk monitoring and assessment to as many of your third parties and their suppliers as possible. You never know where risk can come from.
3. Cloud Security Gaps
A cloud security gap is a weakness or vulnerability in an organization's cloud security posture. According to a Gartner survey, misconfigurations of the cloud environment can cause 80% of all data security breaches, making it a critical source of cyber risk. Causes include:
- Shared responsibility model: Since cloud service providers and users share security responsibilities for their data, apps, and infrastructure, a weakness at either end can create security gaps.
- Limited visibility: Cloud users have limited visibility into security measures, making it challenging to identify and address potential gaps.
- Lack of control: Cloud storage can reduce user control over data.
- Complex environments: Cloud environments can be tricky, with multiple layers and users, making security flaws hard to find.
- Insufficient security measures: Some users may not adopt suitable security measures, causing exploitable vulnerabilities.
Implementing cyber risk controls, deploying technology for continuous control monitoring of the cloud environment, and training staff to identify and report security issues are vital steps to help address cyber risk stemming from cloud security gaps. Cloud-first models are here to stay (as we discuss in our 2023 Cyber Risk Trends Report) and that’s a great thing – and securing the risk will keep them, and you, safe.
Check out 2023's Top Cyber Risk Trends:
4. Software Insecurities in Critical Infrastructure
The Ponemon Institute's 2022 Cost of a Data Breach Report found that critical infrastructure data breaches cost $4.82 million, $1 million more than other industries. This covers losses, recovery fees, and equipment damage. Cyber risk due to software vulnerabilities in critical infrastructure can cause service outages, injuries, and financial losses. In addition, cyberattacks can infect PLCs (programmable logic controllers) with malicious instructions that have nationwide ramifications. The associated cyber risks can further increase as businesses connect operations and machines to the internet to collect and exchange data and make remote control more convenient.
One memorable example is the Colonial Pipeline data breach, which put cyber risk and security on board agendas around the world. As in all things cyber risk related, that means guarding your critical assets and infrastructure with extra care – and to take the usual cyber precautions. In the case of Colonial Pipeline, according to Reuters, a giant oil pipeline was brought down because a legacy VPN did not have multi-factor authentication. That’s a classic case of inadequate cyber hygiene.
5. Data Poisoning
Data poisoning is a cyberattack when an attacker inserts erroneous data into a dataset to disrupt machine learning. This could include adding malicious data points to a training dataset, altering labels, or introducing noise. According to Gartner's 2021 Top Tech trends, 30% of AI hacks on ML-powered systems will include training data poisoning, model theft, or adversarial samples. From a cyber risk perspective, the repercussions can be drastic. For instance, a healthcare company using machine learning to predict patient outcomes can endanger patients if the dataset is poisoned.
6. Nation-State Attacks
Microsoft’s Digital Defense Report 2022 found that cyberattacks by nation-states targeting critical infrastructure jumped from 20% to 40%. Hackers from nation-states have targeted hundreds of thousands of systems globally and are not limiting the attacks to governments alone. The report highlighted that 79% of nation-state attacks target enterprises, making it an important cyber risk challenge.
7. Cyber Regulatory Risk
A Wall Street Journal article cites the ever-growing regulatory demands as a top concern for 2023. In a recent survey, 36% of respondents felt that evolving legislation and regulations were a significant risk as they increased the chances of companies' non-compliance, either knowingly or unknowingly.
Top cyber regulations include those surrounding data privacy (EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA); incident reporting (New York State Department of Financial Services (NYDFS) Cybersecurity Regulation); industry-specific regulations (Health Insurance Portability and Accountability Act—HIPAA); third-party compliance (Payment Card Industry Data Security Standard—PCI DSS); cybersecurity standards (ISO 27000 Standards and the NIST Cybersecurity Framework) and digital services and networks (Network and Information Systems (NIS) Directive).
8. Deep Fakes
Deep fakes are synthetic media that use AI and ML to manipulate or generate realistic video, audio, and images. Gartner blogger Avivah Litan points out that "Detecting Deep Fake objects is a losing proposition in the long run," as "determined adversaries" will use Generative Adversarial Networks (GAN) to create their objects, reducing detection to as low as 50%. With bad actors using deep fakes to evade security controls and defraud businesses, it is increasinly becoming a credible cyber threat.
Similarly, new generative AI tool ChatGPT also creates cyber threats. Just as it can credibly create marketing copy, it can also duplicate code, create convincing phishing emails by copying the style of real people, etc. It offers real opportunity – and real risks.
9. Insider Threats
The 2022 Cost of Insider Threats Report indicates that insider threats – cyber risks from employees, whether intentional or not -- have increased by 44% over the last two years, and costs per incident have risen to $15.38 million. Taking a more stringent view of insider risk as part of an organisation’s cyber risk strategy with continous monitoring of security and privacy controls is the need of the hour. These include the always necessary creation of a culture of security awareness, controls such as blocking of USB access/flash drives, immediate offboarding of employees/contractors, safeguards/role-based access to sensitive information, etc.
10. IoT Surface Expansion
IoT expansion has led to an increase in the "surface area" of attacks by malicious actors. According to the State of IoT—Spring 2022 report, the market for the Internet of Things is expected to grow by 18% to 14.4 billion active device connections. By 2025, there will be approximately 27 billion connected IoT devices—making it vital for organizations to take active steps to mitigate the cyber risks posed by IoT surface expansion.
Build Cyber Resilience with MetricStream CyberGRC
CyberGRC, an interconnected, intuitive, and intelligent GRC product from MetricStream, enables your company to integrate cyber risk data from across the enterprise and use actionable business intelligence to enhance cyber resilience.
With CyberGRC your organization can:
- Quantify cyber risks in monetary terms to assess cyber risks more accurately, communicate the risk more effectively, and make better-informed cyber investment decisions
- Document, investigate, and resolve IT compliance and control issues in a systematic, automated manner with AI-powered intelligent issue and remediation
- Strengthen visibility into the overall IT compliance profile with intuitive dashboards and real-time reports
- Harmonize controls across multiple IT regulations and frameworks, improving compliance and saving effort and costs
- Protetc cloud assets with automated continuous monitoring of controls
Learn how MetricStream CyberGRC can help you effectively manage and mitigate cyber risk in 2023.
Request a personalized demo to see how our product works.
Read the eBook: Top 10 Cyber Risk Trends in 2023 and Beyond
Download the Analyst Report: Cyber-Risk Appetite: How to Put the ‘Business’ in ‘Managing Cybersecurity as a Business Decision’
Jump to Topic
Related Resources
Blogs
AWS Security Lake and OCSF: A Cyber Risk Perspective
- IT Risk & Cyber Risk
- 31 January 23 |
5 min read
Introduction
Amazon Security Lake is an exciting development for cybersecurity and cyber risk management. Announced at the AWS re:invent 2022 conference, it formalizes the concept of a security data lake where organizations can consolidate security data across cloud and on-prem assets to get a complete picture of their security posture. Amazon Security Lake proposes normalizing security data under the recently announced the Open Cybersecurity Schema Framework (OCSF) project, so that data can be easily analyzed, monitored, and connected for ongoing cybersecurity and risk protection and insights.
The Open-Source OCSF Project
OCSF, launched in August 2022, is the outcome of collaboration among leading vendors across the cybersecurity ecosystem, including IBM, AWS, Splunk, and Crowdstrike. It is intended to improve the productivity of security analysts in the security operations teams. That said, the framework is not limited to only the cybersecurity domain or events, as per the framework document.
Historically, instead of focusing on detecting and responding to events, security teams have spent a lot of time normalizing security event data from diverse sources to further their investigations. By providing a simplified and vendor-agnostic taxonomy for security data, OCSF aims to simplify the process of capturing and analyzing security data from multiple sources, thereby improving and accelerating threat detection and investigation.
OCSF aims to eliminate the time-consuming normalization effort and to accelerate the incident triage process across various security products and services. The end-point security solutions and solutions with network security capabilities record the security event. These solutions, aligned with the framework, would store the security events in the OCSF schema structure.
How Can OCSF Accelerate Cyber Resilience
Organizations across the globe have shifted their focus from a reactive to a proactive approach to cyber risk management and are investing in building greater cyber resilience. According to a December 2022 report by Cisco, 96% of surveyed executives said cybersecurity resilience is a high priority. OCSF is a great initiative to support the acceleration of cyber resilience efforts.
A holistic view of security-related data across tools is vital to effectively detect, investigate, and mitigate cyber risk. However, a major challenge for cyber professionals has been to deal with the process of normalizing troves of data before they can derive meaningful and actionable insights. The challenges primarily result from data heterogeneity and inconsistencies and the lack of complete data.
OCSF ensures that the schema is consistent and that the data flows seamlessly into the data lakes and analytics tools that the Security Operations Center (SOC) relies on. By accelerating the process of analyzing security data, it enables CISOs and security teams to identify, assess, and mitigate cyber risks quickly and more effectively.
Where Do We Go from Here?
AWS Security Lake has adopted OCSF as an open standard and while the framework is proposed by a reputable group of cybersecurity vendors, industry adoption statistics are yet to be made available. Additionally, the initial focus of OCSF has been largely on cybersecurity. It will be interesting to see the domains they focus on next. The next logical step is to include cyber risk, compliance, and GRC.
Acceleration of cyber resilience requires the cyber community to break down silos. AWS Security Lake and OCSF are steps in the right direction to enable data interoperability. Similar to how STIX/TAXII is being used for threat intelligence and the MITRE ATT&CK framework for tactic classification, OCSF will streamline and simplify vendor-agnostic taxonomy for accelerated data ingestion and analysis. The eventual success, however, will depend on adoption levels across environments, applications, and solution providers.
How Does Cyber Risk Fit In?
Cyber risk solution providers, like MetricStream, that empower cyber leaders to proactively and meaningfully act on security findings have an outsized role to play in the mass adoption of technologies such as Security Lake. We at MetricStream are actively engaged with our technology partners at AWS to enhance these offerings and bring meaningful capabilities to the market at rapid speed to effectively mitigate cyber risk. MetricStream CyberGRC enables CISOs to efficiently mitigate cyber risk while ensuring continuous compliance to regulations and industry standards. It acts as both the management and orchestration layer for continuous control monitoring. CISOs can define the controls to be evaluated within MetricStream in addition to configuring the necessary orchestration for evidence collection.
MetricStream CyberGRC then delegates the automated evidence collection to the multiple disparate systems running both on-cloud and on-prem via a host of delegation protocols such as APIs, Robotic Process Automation etc. The challenging aspect for our customers has always been to consolidate data across disparate sources, both on-prem and cloud assets. With the proposed Security Lake capability, cyber risk solution providers, like MetricStream, will have a single source of truth in a common language to reference, thereby eliminating additional technical debt enterprises have to undertake in their quest for continuous compliance monitoring – improving compliance, visibility and reducing risk.
References:
1: Understanding the Open Cybersecurity (https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf)
2: Open Cybersecurity Schema Framework (ocsf.io)
3: https://solutionsreview.com/endpoint-security/open-cybersecurity-schema-framework-and-the-long-road-ahead/
Jump to Topic
Related Resources
Blogs
What are IT and Cyber Controls and How to Achieve Control Harmonization?
- IT Risk & Cyber Risk
- 25 January 23
5 min read
Introduction
In our previous post on this series, What are Cyber Frameworks and How Should You Choose the Right One?, we walked through understanding IT/cyber frameworks and how they are used to manage IT & cyber risks. In this second part, we will review IT/cyber controls, choosing them effectively and harmonizing them across frameworks.
What are Controls?
Controls can be defined as safeguards, mechanisms, or countermeasures, implemented by organizations, to avoid, detect, counteract, or minimize security risks (threats/attacks) to protect the confidentiality, integrity, and availability of data and information assets.
Implementing the right set of controls can better protect the organization from attacks, breaches, and threats, and if done intelligently, may result in resource and cost savings.
Types of Controls
Controls can be segregated by their type/nature and by the specific function they play.
| Types | Functions |
|---|---|
| Administrative/Managerial Controls are policies and procedures that provide structure and guidance to individuals | Preventative Controls prevent/restrict certain activities, such as unauthorized system access, data altering |
| Physical Controls limit the physical access to systems and act as offline barriers | Detective Controls alert deviations from the status quo, such as video surveillance, intrusion detection systems, honeypots |
| Technical/Logical Controls limit access to systems or data on a hardware or software basis, such as encryption, fingerprint readers, authentication, AuthCodes | Deterrents are controls that discourage threats from attempting to exploit a vulnerability, such as policy punishments, law/order |
| Operational Controls involve people conducting processes on a day-to-day level, such as awareness training, asset classification, reviewing log files | Corrective Controls help take an action from one state to another, such as patching a system, quarantining a virus, terminating a process |
| Recovery Controls help get something back from a loss, such as the recovery of a hard drive | |
Controls types and functions can overlap as well as we can see from the examples below:
- To implement appropriate risk controls, an organization might implement administrative and preventive controls together. This can be done by defining and rolling out an asset usage policy (preventive) along with regular security awareness training (administrative).
- To implement appropriate security controls, an organization might implement technical and detective controls together. This can be done by installing an antivirus tool (detective) along with an intrusion detection system (technical).
- To implement appropriate access controls, an organization might implement physical and technical controls together. This can be done by restricting access to premises through guards and access control systems (physical) along with two-factor authentication to use any IT systems (technical).
There can be numerous combinations of control types and functions. Many are provided for across the various frameworks, and yet more can be conceptualized and implemented by organizations themselves.
How Can Controls be Harmonized?
As we can infer from the above, organizations and specifically security and risk teams need to deal with hundreds of controls across multiple frameworks. With certain frameworks prescribing near identical controls, this can lead to duplication and possibly errors, in implementing and monitoring compliance. Certain frameworks may have conflicting controls. This can cause confusion and makes the collective management of security, risk, and compliance a Herculean task. The best practice is to harmonize controls across various frameworks.
In essence, harmonizing controls follows the principle of “ask once, answer many”. Instead of asking multiple teams, multiple times, simplify the process. The goal is to group same or similar controls/requirements across frameworks together, run tests, and complete compliance through a single instance, and then update the status for all such controls/requirements, collectively with a single action.
A common example of this would be the requirement to change user passwords every 90 days. This is a control prescribed by NIST 800-63b and ISO 27001, among others. In this case, the test or compliance would be carried out once, but the updating and reporting would need to be done twice, if not more.
Another common example is the need to perform risk assessments prescribed by any intermediate maturity framework. If there is no variation in the assessment scope, the assessment can be carried out only once and then updated once as well, instead of multiple, disparate updates.
Controls can be harmonized in the following ways:
- Creating a custom framework that collates and eliminates duplicate controls. According to UCF, the best way to do this would be to
- Extract Mandates: Define rules to extract mandates from various applicable frameworks.
- Map Mandates to Common Controls: Map mandates from such frameworks to common controls and when necessary create new common controls.
- Report Mapping Accuracy: Calculate the percent of match accuracy when tagging mandates and mapping them to common controls.
- Standardize Audits: Leverage a standardized structure for auditing the implementation of the common controls.
- Implementing a ready-made common controls framework
- Using a GRC solution that includes control harmonization
[To learn more about using a common controls framework, download our eBook, Simplify and Accelerate Your IT Compliance by Leveraging a Common Controls Framework.]
Ideally using a GRC solution will be complementary to creating a custom framework or implementing a common controls framework (CCF), as it breaks down silos and simplifies and consolidates the compliance and reporting activities.
MetricStream’s CyberGRC, IT Risk, and IT Compliance products come with built-in features for populating and harmonizing controls across over 100+ different cyber frameworks. To learn more, please click here to schedule a personalized demo.
On a different but connected note, at MetricStream, we anticipate Regulatory Reporting to increase significantly as a top cyber risk trend in 2023. To ensure compliance, organizations must assume the responsibility of being updated on the proposed regulations and viewing them in conjunction with frameworks and standards. Harmonizing controls as explained here, can be an essential and beneficial activity for organizations to tackle this challenge.
Check out 2023’s other Top Cyber Risk Trends. Download our eBook now.
Jump to Topic
Related Resources
Blogs
Defending the Digital Landscape with Effective Vulnerability Management
- IT Risk & Cyber Risk
- 11 January 23 |
6 min read
Introduction
With the growing sophistication, severity, and magnitude of cyber attacks, CISOs and security teams are under immense pressure to protect their IT assets. As organizations increasingly rely on web applications to address specific business requirements, discovery and remediation of vulnerabilities have become a top priority for organizations across industries.
According to a graph released by the National Institute of Standards and Technology (NIST), a record-breaking 20,158 vulnerabilities were reported in 2021. Remediating 20,000 new vulnerabilities in a year is a daunting proposition for organizations of any size.
Organizations need robust vulnerability management programs to proactively address vulnerabilities before they can be exploited by threat actors.
The Challenges
Many organizations still rely on manual and siloed approaches to vulnerability management, which are prone to errors and inefficiencies. Often multiple scanners are used – for network vulnerabilities, application vulnerabilities, etc. – without a centralized repository. With vulnerabilities being discovered and handled in siloes, it becomes very difficult to track them effectively.
The challenges are further exacerbated due to a lack of a structured, updated, and complete inventory of assets. Creating and maintaining an inventory of all organizational assets is foundational for an effective vulnerability management program. It provides the required visibility to identify the assets that are more vulnerable to exploits and take preventive steps as needed.
Many organizations also approach vulnerability management only periodically. A sporadic approach will inevitably result in a “vulnerability debt” as teams struggle to control the flurry of vulnerabilities. As new, and possibly more exploited, vulnerabilities continue to emerge, organizations would find it difficult to address these while working with a growing backlog.
Ideally, an organization would want to patch all vulnerabilities when they’re discovered. However, the growing number of new vulnerabilities makes it difficult for even well-resourced security teams to remediate all. In a recent survey conducted by the Ponemon Institute, 54% of respondents said that they were able to patch less than 50% of the vulnerabilities in the backlog – hence, the need to effectively prioritize vulnerabilities.
Inaccurate prioritization is a major deterrent to an effective vulnerability management approach. Failing to prioritize vulnerabilities into, say, critical, high, medium, and low, categories, and not contextualizing them with critical assets can result in security teams wasting time and effort to address vulnerabilities that may not pose any real risk.
Vulnerability Management Best Practices
There are several measures that organizations can take to manage vulnerabilities proactively and efficiently:
Create a Centralized Repository of Critical Assets
With an organization dealing with thousands of vulnerabilities, creating and maintaining a centralized repository of critical assets, mapped to associated threats and vulnerabilities, risks arising from API connections, areas of compliance, controls, and other business functions, is crucial. It not only enables quick access to critical data but also delivers comprehensive visibility into vulnerabilities across the enterprise.
Identify Vulnerabilities Using Diverse Scanners
Vulnerability scanners are tools that simplify and automate the process of identifying vulnerabilities present in an organization’s IT infrastructure. There are various types of vulnerability scanners, including database vulnerability scanners, cloud vulnerability scanners, network vulnerability scanners, web application scanners, etc. It is recommended to use a combination of vulnerability scanners to ensure full coverage of all organizational assets and gain a complete and accurate picture.
Prioritize Vulnerabilities in the Context of Critical Assets
It is imperative to prioritize vulnerabilities in the context of critical organizational assets to ensure the optimum utilization of resources. This could be done by combining an asset’s vulnerability severity rating with its business criticality rating to provide a consolidated risk rating. Security teams can then prioritize and trigger vulnerability remediation strategies depending on the combined risk rating.
Implement a Continuous Approach with Well-Structured Workflows
Vulnerability management is not a one-time activity; it is a continuous process of identifying, assessing, and remediating vulnerabilities. Establishing well-structured and systematic workflows is essential to track vulnerabilities, right from their identification until their remediation and closure, and then to repeat the process at a pre-defined frequency, the more frequent, the better. It is also important for organizations to clearly define the roles, responsibilities, and accountabilities of the security team. Tying everything together is an effective and open communication channel.
Automate to Patch Vulnerabilities
With the number of new and critical vulnerabilities trending upward, adopting automated patch management tools has become a business necessity. These tools seamlessly and automatically deploy patches to the identified vulnerabilities, eliminating the manual process of scheduling a scan and addressing the vulnerabilities. Automated patch management tools help to take a proactive and continuous approach to managing vulnerabilities and significantly improve the security of an organization.
How MetricStream Helps with Vulnerability Management
MetricStream CyberGRC products provide native integration with industry-leading vulnerability scanners, such as Tenable, QualysGuard, and Rapid7, to help organizations streamline the process of investigating and remediating vulnerabilities. CyberGRC’s open API capabilities allow organizations to effortlessly import vulnerabilities from any source. The built-in common data structure, available as an API, allows receiving vulnerabilities when sent via the API.
Today, organizations use more than one vulnerability scanner to reduce false positives. CyberGRC provides the ability to combine vulnerabilities from multiple scanners and produce a combined risk rating for a combination of the critical asset and vulnerability.
Importantly, CyberGRC provides a framework to define rules based on vulnerability and asset attributes to automate the creation of remediation tickets. Organizations can leverage the framework to develop one or more rules. For example, by selecting the asset severity as ‘critical’ and vulnerability severity as ‘critical’, a rule can be created to trigger a task with an SLA of 7 days to remediate.
With MetricStream, organizations also have the option to create remediation tickets either within CyberGRC or on external ticketing systems like BMC, ServiceNow, and JIRA.
With MetricStream CyberGRC, you can:
- Stay on top of vulnerabilities with early warning notifications and proactive remediation strategies
- Leverage industry standards, best practices, and technology to establish a robust and automated approach to vulnerability management
- Drive efficient decision-making with actionable and timely intelligence on vulnerabilities
- Enhance cyber risk preparedness through a consolidated view of vulnerabilities across systems
Looking Ahead
Vulnerability management has become central to a robust IT and cyber risk management program. In the future, vulnerability management is expected to merge with configuration management. As the cyber risk landscape and security requirements continue to evolve and increase in sophistication, organizational expectations would soon be for tools and software solutions to directly resolve a vulnerability with a patch in one click, with minimal human intervention.
Contextual prioritization of vulnerabilities, combined risk ratings from multiple scanners, tagging assets to critical business services and processes, and more are expected to gain more prominence not only from an organizational security perspective but also from a regulatory requirement standpoint.
Moreover, with the ongoing digital transformation in organizations worldwide, automated, autonomous tools are expected to take center stage.
Learn more about MetricStream Threat and Vulnerability Management.
Jump to Topic
Related Resources
Blogs
What are Cyber Frameworks and How Should You Choose the Right One?
- IT Risk & Cyber Risk
- 22 December 22
3 min read
Introduction
Cyber risk and resilience are among the top concerns for businesses today. An organization’s cyber defense infrastructure is only as strong as its weakest link. The fast-evolving cyber risk landscape is keeping CISOs and security teams on their toes. It is imperative to adopt the right cyber framework and establish strong controls to actively manage cyber risks and build cyber resilience. But, where to start?
To help you better understand cyber frameworks, controls, and making the right choice, we present a two-part blog series:
- Understanding IT/cyber frameworks and how they are used to manage IT and cyber risks
- Understanding IT/cyber controls, choosing them effectively, and harmonizing them across frameworks.
What are Cyber Frameworks?
Using and adapting a term borrowed from the construction industry, a cyber framework can be loosely defined as a system of standards, guidelines, and best practices to manage risks that arise in the digital world. The intent is to give IT/cyber risk and security managers a reliable, systematic way to identify, prioritize, and mitigate cyber risk no matter how complex the environment might be. A framework also provides the guide rails and the boundaries of any program so that desired objectives are met without taking on activities out of scope.
Frank Kim, Ex-CISO, SANS Institute, has intelligently classified the multitude of cybersecurity frameworks into these 3 categories, of which cyber risk management forms one dedicated category:
Some frameworks may completely fit into one of the above categories, while others may have overlaps between the three categories.
Frameworks can also be classified by their applicability, as follows:
Mandatory – These frameworks must be compulsorily implemented and complied with depending on the region or sector of operations. They are split further into:
- a. Regulatory: These are mandated by local laws/regulations
- b. Industry-Specific: These are mandated by regulators or service receivers
Examples
GDPR mandated for all companies operating in the EU region,
SAMA mandated for all companies operating in the Republic of Saudi Arabia,
HIPAA mandated for all healthcare providers in the US.- Optional – These are frameworks that are provided as guidelines but are not necessarily mandatory to implement or comply with.
Examples
ISO 27001, CIS, FAIR
Choosing Frameworks
With the plethora of frameworks available, it can get confusing to choose the appropriate ones. Even for seasoned cyber risk management professionals, this issue can cause confusion. The best way to start is by determining these three aspects first:
- Which regions are operations carried out in?
- Which industry(ies) is the business involved in?
- What is the current maturity level of the cyber risk management program?
This will help determine a baseline framework to implement. After this, specifics such as business objectives & goals, potential threats & vulnerabilities, existing policies and treatment procedures, and budget resources should be considered to determine additional framework requirements. The infographic released by NIST provides a good place to start.
It is always advisable to start simple with the most basic of the applicable frameworks and ensure that the frameworks are aligned with business goals & objectives. And it is imperative to continuously assess and review the success of implemented frameworks. Once there are mature processes in place, the organization may consider gradually scaling up in sophistication and complexity.
To learn more about cyber frameworks, click here. Watch this space for the second part of the series, “What are Controls and How to Achieve Control Harmonization?”.
Jump to Topic
Related Resources
Blogs
Insurance Industry. Strengthen Cyber Resilience Now!
- IT Risk & Cyber Risk
- 08 December 22
4 min read
Inroduction
The recent cyberattack on an Australian health insurer’s patient data has made global headlines. The release of personal data including names, addresses, dates of birth, phone numbers, and email addresses and the treatment they received for personal health issues, on a dark web forum has once again brought the spotlight on the cyber vulnerabilities in the sector. However, this is not an isolated incident. The number of cyberattacks on insurers in the past couple of years has increased significantly. A survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC) among financial institutions, found that insurers are among the top affected sectors.
Digitization, Data, and More—Insurance Faces Unique Cyber Challenges
Companies in the insurance industry are moving toward greater digitization in an effort to create seamless customer relationships. Like the rest of the financial services industry, insurance consumers demand services 24/7/365 via smartphone apps. To provide this real-time experience, companies are increasing investments in IT systems and platforms that can provide myriad services from online policy applications to web- and mobile-based apps for filing claims. However, these new digital capabilities bring new cyber risks that companies are often not equipped to deal with.
Insurance companies collect massive amounts of both structured and unstructured data. It’s necessary for coverage, to analyze fraud, and more. The huge volumes of data generated by the insurance industry have however made the industry attractive to cybercriminals. Insurance companies store highly sensitive personal data including Personally Identifiable Information (PII) such as Social Security Numbers (SSN), bank account or digital wallet details, health records, phone numbers, and addresses. In the case of health insurance companies, Personal Health Information (PHI) is also at stake. And they are more likely to pay the ransom if attacked, as seen in numerous cases in the past.
Cyber attacks and breaches can result in an insurance company facing significant and far-reaching damages--from material damages such as fines, legal costs, and fraud monitoring costs which add to the ‘cost per record’ to loss of customer trust, operational disruption, and devaluation of brand name which contributes to the hidden ‘below the surface costs’. Loss of reputation can be especially damaging when it comes to insurance as the entire business is based on trust.
Making Cyber Resilience a Priority
When it comes to risk, the insurance industry is best placed to understand risk better than any other industry. In fact, risk-averse enterprises across all markets transfer a portion of their cyber risks to insurance companies to minimize their exposure in the case of a significant cyberattack.
This deep understanding of risk within this sector should be channeled by insurance companies to make informed decisions about how much cyber risk to avoid, mitigate, transfer to another insurance company, or simply accept. For example, cyber risk management should include both technology and policy. Leaving a database exposed in the cloud because of an unclear policy will undermine any sophisticated access control or perimeter protection technology. Similarly, user training is equally critical. Most importantly, cybersecurity must be embedded in new software and applications when launched, as the common practice of choosing to patch up legacy systems opens up cyber vulnerabilities.
Manage and Mitigate Cyber Risk with MetricStream
To combat the unique challenges, insurance companies will need to move from manual, point-in-time cyber risk assessments to a robust cyber risk program that leverages technologies such as AI and automation which can process and analyze large amounts of data. Additionally, Continuous Control Monitoring (CCM) and automation are essential because the ability to work all the time and identify and flag anomalies.
MetricStream’s ConnectedGRC provides insurance companies with an integrated solution on a single platform. Purpose-built to manage, measure, and monitor cyber, risk, and compliance demands for the insurance industry in real-time, the platform is powered by AI, enabling the capture, assessment, and processing of diverse, complex, and voluminous risk and data at scale across your entire organization. This enables you to:
- Gain a single view of your risks with a centralized library of risks, controls, regulations, policies, and issue management to drive risk intelligence and actionability
- Actively monitor and adapt to applicable regulatory changes from around the world
- Map policies to regulations, and ensure employee and third-party attestation
Proactively manage cyber risk and build cyber resilience with MetricStream CyberGRC by:
- Reducing the risk of breaches with active risk management
- Prioritizing cyber risks and measuring risk exposure with quantification
- Leveraging automation for greater efficiency
- Continuously monitoring controls and processes for improved compliance and security
- Gaining a single view of your cyber risk
Want to learn more about how MetricStream can help your insurance company build resilience by leveraging award-winning AI, analytics, and automation technologies? Request a demo now.
Jump to Topic
Related Resources
Blogs
5 Reasons to Take the State of CyberGRC Survey
- IT Risk & Cyber Risk
- 23 November 22
3 min read
Introduction
Year endings are a time for reflections and resolutions, or as we call them in the corporate world – reviews and forecasts. It’s no different at MetricStream. With 2023 just around the corner, we’re looking to get a pulse on what’s happening with industry leaders in cyber risk and compliance management.
We’re doing that with our annual “State of CyberGRC Survey: Looking into 2023”. The purpose of this short survey (which takes approximately 5 minutes to fill out) is to better understand the challenges you as CISO or IT compliance and cyber risk leader are facing and the strategies being adopted, to resolve them. The focus is on cyber governance, risk and compliance – CyberGRC.
It is our mission to understand:
- How the responsibilities of cyber risk and compliance management are evolving
- The primary strategies and tactics being used to identify and mitigate cyber risks
- The biggest cyber risks and GRC trends anticipated for year ahead
Data from our last year’s survey had interesting findings:
- 45% lacked visibility into cyber risks across the organization
- 41% had manual processes for cyber GRC
- 39% faced increased regulatory compliance requirements
But a lot has changed over the past year. With the pandemic now in the background, businesses are looking beyond recovery to growth. Are manual processes still being used or has the shift been made? Does visibility still continue to be an issue? Only you can tell us.
Here are five more reasons why you should take the survey.
1. The Cyber Risk Landscape is Changing
Rapid digitization has led to organizations facing several new challenges including increased attack surfaces, sophisticated attack methods, ever-evolving threats, IT vendor risk, compliance pressures, cloud & API security gaps, and more. It is undoubted that cyberattacks continue to rise year after year—both in number and sophistication.
You tell us: In today’s interconnected risk landscape, what are the unique cyber challenges you face?
2. Cyber Risk is Now a Board Level Priority
As per the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk—up by 30% since 2017. Leaders are well aware that cyber risk can no longer be viewed as merely an ‘IT problem’. In the connected ecosystem, a cyber incident can lead to financial losses, operational disruption, reputational damage, legal issues, regulatory fines, and even business closures.
You tell us: How are you communicating cyber risks to your Board and what steps are you taking to prioritize cyber risk at your organization?
3. Cyber is a Highly Demanding Field
The urgency to build cyber resilience has resulted in an acute lack of cyber resources. As per data from McKinsey, 3.5 million global cybersecurity positions remained open at the end of Q1 2022. Budget is a perennial issue. Added to this are legacy software, cyber tools and technologies operating in silos, and several other challenges that are unique to cyber.
You tell us: In relation to cyber risk and compliance, where does your organization plan to invest in 2023?
4. AI, Automation, and Cyber Risk Quantification is Creating New Advantages
New cyber use cases leveraging cutting-edge technologies are creating new advantages. For instance, Continuous Control Monitoring, Automated Compliances, now enables organizations to proactively identify risks and improve cybersecurity and compliance posture by monitoring IT controls in real-time. AI/ML are driving reports away from dashboards and heat maps to predictive analysis and insights. Similarly, cyber risk quantification, helps assign a monetary value to cyber risks, thus enabling better informed decisions of investment and insurance.
You tell us: How is technology helping you build cyber resilience?
5. Your Opinion and that of Your Peers Matter
As a leader in the domain, managing cyber risk and strategizing to build cyber resilience, your opinion provides valuable insights for the future of cyber risk and compliance management - CyberGRC. Your expertise is needed! Your Voice Matters!
So we request you to spare the 5 odd minutes and encourage you to fill out our survey. In appreciation, we will share a copy of the research report when published in Q1 2023.
Take the Survey now. And do share with your CISO and cyber risk community!
Want to learn more about how MetricStream CyberGRC can help build cyber resilience?
Jump to Topic
Related Resources
Blogs
Staying on Top of Crypto Regulatory Landscape with AI and Automation
- IT Risk & Cyber Risk
- 07 September 22
6 min read
Introduction
In January 2009, the first cryptocurrency, Bitcoin, entered the market. The concept of a digital, encrypted currency has been on the minds of innovators and entrepreneurs for decades. As designed, Bitcoin and the nearly 10,000 additional cryptocurrencies that have entered the market in the last 13 years operate via blockchain technology. Blockchains help ensure transactional anonymity, encryption, decentralization, and distribution of synced, duplicate records around the world.
Cryptocurrencies are means of completing digitally facilitated transactions around the world, in a global currency with no third parties, like banks and governments, involved. Because cryptocurrencies are typically ‘minted’ a determined number of times (either ever or annually), their value grows as demand for them increases. This is why many have acquired coins with the purpose of increasing their value rather than spending them in the marketplace. With no financial or governmental third parties involved in transactions, those who advocate for cryptocurrency promise little to no delay in processing payments at little to no cost. In theory, this model has the potential to revolutionize some elements of common financial transactions, on a global scale.
In the last few years, interest in cryptocurrencies has crescendoed, with both investment professionals and laypeople purchasing coins. Reportedly, nearly 20% of Americans have invested in cryptocurrencies. In the last six to nine months, however, many to most cryptocurrencies have experienced significant losses in value. There have been multiple accusations of fraud, misrepresentation, and dishonesty as well. Especially as cryptocurrencies had gradually broken through from a small group of technorati to almost the mainstream, these sudden and massive drops in value and integrity are causing concern among cryptocurrency advocates, established investors, and governments.
Even while investors and the public pressure governments to step in and reduce some cryptocurrency market volatility, regulators have been cautious in moving forward with cryptocurrency regulations. The first hurdle is an agreeable definition of what is and what is not a cryptocurrency and how it may fit within a government’s authority. The anonymity, encryption, and decentralization of cryptocurrencies purposefully make them opaque. Further, as there are multiple blockchains that don’t share data, defining data rules is also elusive. Finally, governments typically cannot claim oversight over businesses and transactions outside of their jurisdictions. Because there is no central bank for a cryptocurrency and records may live in nodes and personal wallets across the world, jurisdictional claims can be hard to assert. That said, central banking authorities, such as the U.S. Federal Reserve, the Bank of Canada, the Monetary Authority of Singapore, and others, are considering issuing their own central bank digital currency (CBDC), which could alleviate this regulatory blocker but may not be accepted by the market.
While some governments are moving forward with extending existing financial regulations on money laundering and financing terrorism, there remain questions of applicability. Do financial or technology regulations apply to cryptocurrencies? Much of this is being determined now, and multiple governments are working together to create similar legislation that could in effect reach farther around the world. Either way, cryptocurrencies are here to stay. With the recent adventures in value, it is wise to expect that more comprehensive, sticky, and global cryptocurrency regulations are not far off.
The Deluge of Crypto Regulatory Change
I recently hosted a webinar with Jennifer Clarke, Senior Editorial Manager, Regulatory SME, CUBE, Alex Royle, Head of Compliance and Regulatory Affairs, EMEA, Galaxy Digital, and Suneel Sahi, Marketing, Europe, MetricStream, to discuss how to best manage the deluge of new cryptocurrency and digital asset regulatory change.
Jennifer made an interesting observation – CUBE captured nearly 10,000 pieces of regulatory data in 2021 that were related to crypto or crypto-related keywords. And, the volume of crypto regulations is only going to increase going forward.
Here is a look at some of the recent regulatory activity in the crypto space:
- In the U.S., the Infrastructure Investment and Jobs Act, which was signed into law by President Biden in November 2021, extends information reporting requirements to digital assets. In its Financial Institution Letter 2022, the Federal Deposit Insurance Corporation (FDIC) said that FDIC–supervised institutions that engage or intend to engage in crypto-related activities should notify the agency and provide information that will allow it to “assess the safety and soundness, consumer protection, and financial stability implications of such activities.”
- European regulatory authorities are drafting crypto rules not just for ensuring consumer protection and preventing financial crime but also to reduce the carbon footprint of cryptocurrencies.
- The Bank of England is also not lagging behind. Earlier this year, the central bank published a paper highlighting the potential risks of cryptoassets to UK financial stability. “Where crypto technology is performing an equivalent economic function to one performed in the traditional financial sector, the FPC [Financial Policy Committee] judges this should take place within existing regulatory arrangement, and that the regulatory perimeter be adapted as necessary to ensure an equivalent regulatory outcome,” it read.
Likewise, regulatory authorities in Canada, Singapore, Japan, India, and other countries are also coming up with crypto-focused regulations and frameworks.
Leveraging AI and Automation
Another key takeaway from the webinar was that while regulators are increasingly working on crypto regulations, there remains too much of a lack of collaboration across borders. So, while we will be seeing more regulations, it is likely to be fragmented and piecemeal, without any real harmonization across borders for some time. Needless to say, it will only add to the challenges of compliance teams to keep up.
So, how can you manage this growing number of crypto regulations? The answer lies in AI and automation in regulatory compliance. When legislatures propose and enact cryptocurrency regulations, understanding how, where, and when they apply to digital coins and their markets may be critical knowledge.
Artificial intelligence (AI) can be a real game-changer here. It is almost impossible to manually monitor and track the ever-evolving regulatory environment for updates, especially when dealing with a global financial and technology environment. An AI-based system can deliver alerts and initiate an applicability assessment based on your requirements, triggering automated workflows to ensure compliance with regulatory changes and greatly enhancing the efficiency of your compliance team.
With organizations today looking at achieving compliance with thousands of regulatory requirements, having an AI-based system with automated workflows is an absolute must. It can help you automatically capture new regulations and regulatory updates, map them to corporate policies, adapt your systems, and test your controls. Ultimately, AI and automated workflows can alert you to urgent needs or necessary adjustments to your policies, employee training, attestations, and other compliance, ethics, and behavioral standards.
Where companies apply AI to initiate regulatory assessments and alignment, compliance professionals can apply more resources to and better focus on the human intelligence required to adapt specific business processes to those regulations. When regulations relevant to crypto payments, donations, exchanges with third parties, and anti-money laundering/combating the financing of terrorism (AML/CFT), come into effect, you can more quickly and easily adapt your policies and rules to specific requirements.
Regulatory change management is, of course, a part of governance, risk, and compliance (GRC). We, at MetricStream, believe that AI and automation is central not just to compliance but all things GRC – risk management, third-party engagements, ESG, cyber compliance – in relation to cryptocurrencies. When the use of cryptocurrencies inevitably becomes more commonplace, the full range of GRC functionality will need to adjust to new, unanticipated, and emerging vulnerabilities and threats. At that time, organizations will need to adapt their approach to GRC and adopt next-gen technologies to stay ahead of the new risks, regulations, and challenges that a cryptocurrency world will create.
In any situation, it is incumbent on all of us to understand what we’re investing in. There has been a lot of hype in cryptocurrencies – complete with celebrity-endorsed commercials at highly viewed sporting events – in the last few years. There have been promises made and promises invested in that have come crashing down in the last six months. The market is going through a cycle of excitement to instability and – hopefully – to a more secure and dependable long-term status.
The way I see it, cryptocurrencies as a concept are here to stay. Much of the market has embraced the concept of purely digital currency, along with the benefits of the rapid exchanges and processes cryptocurrencies offer. What’s missing is stability, governmental assurances (ironically), and mass adoption. In the end, I assume we will all be using some degree of cryptocurrencies in the not-too-distant future. Whether we will be using an existing coin or an offspring from the current market remains to be seen. Until then, keep an eye on the regulations and their impact on the market.
To explore the 5 best practices for successful compliance management, click here. To request a personalized demo, click here.
Jump to Topic
