It feels like we’ve suddenly entered a rabbit hole of cyberattacks. From the SolarWinds attack to Facebook’s old leak resurfacing to the LinkedIn hack, 2021 has so far been immensely challenging for cybersecurity officials, leaving one item at the top of their priority list: cyber resilience, that is, broadening protection, detection, and response measures to future-proof their cyberattack mitigation strategies.
The data breach crisis escalated last year, with more records compromised in 12 months than in the previous 15 years combined, Canalys reported in its special report ‘Now and Next for the Cybersecurity Industry’, adding that cybersecurity must be front and center of digital plans; otherwise there will be a mass extinction of organizations, which will threaten the post-COVID-19 economic recovery.
And 2021 has brought a fresh set of unfortunate news of its own. Beaming’s analysis of commercial internet traffic found that UK businesses encountered 172,079 cyberattacks each, on average, between January and March 2021, the equivalent of 1,912 per day, Information Age reported.
Although the number of attacks appears to be rising, a new report from Audit Analytics, “Trends in Cybersecurity Breach Disclosures,” found that cyber breach disclosures fell in 2020 for the first time in five years. “It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed,” Audit Analytics said.
Shortly after that report, Booking.com was fined €475,000 for failing to report in time a serious data breach that happened in 2018. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed the fine, calling the incident a “serious violation” of the EU’s data protection regulation. AP vice president Monique Verdier said in a statement: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions…But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
According to Compliance Week, “The costliest cyber-security breaches aren’t necessarily those that result in the largest loss of records as much as the type of data stolen.” The cost of negligence and non-compliance, however, keeps going up. The world’s top brands across sectors could lose between $93 billion and $223 billion because of a data breach, according to ‘Invisible Tech, Real Impact’, a first-of-its-kind study by Interbrand and Infosys. Shortly after that report was published, the Australian Prudential Regulation Authority imposed a $500m capital buffer on Macquarie after ‘multiple breaches’.
More recently, Gartner released its Emerging Risks Monitor Report, which identified cybersecurity control failures as the top emerging risk in 1Q21 in a global poll of 165 senior executives across functions and geographies. Cybersecurity control failures also ranked third overall in “risk velocity,” an additional metric that Gartner tracks in the report.
Current research estimates that this year alone, businesses will spend $106 Billion on cybersecurity, and that is a direct result of a 300% increase in cybercrimes that have been reported to the FBI since COVID-19 started, said Suzy Greenberg, Vice President of Intel Product Assurance and Security for Intel, in conversation with Forbes.
Security and risk management leaders must address eight top trends, said Gartner, Inc.: Cybersecurity Mesh, Identity-First Security, Security Support for Remote Work, Cyber-Savvy Board of Directors, Security Vendor Consolidation, Privacy-Enhancing Computation, Breach and Attack Simulation, and Managing Machine Identities, to enable rapid reinvention in their organizations. Gartner added that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.
While talking to Strategic Risk Europe about the art of the con, cyber security strategist Eddie Doyle said, “Threat actors are always going to be out there, so creating technologies to stop them is necessary…We’re already starting to see the future, which is all about blockchain and artificial intelligence…but today, what we can do is make sure that every employee is identified within our system, and that the remote access control is unique to each and every person. You need massive granularity on a system so you can see where users go, what they’re doing, and what things they’re trying to touch and not trying to touch.”
The World Economic Forum (WEF) recently published a report in collaboration with the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) and PwC. The report lists six consensus principles for cybersecurity board governance:
Gaurav Kapoor, Co-Founder and Chief Operating Officer at MetricStream, called for a collaborative effort between organizations and regulators to ensure operational resilience in these unprecedented times. “Due to remote working and rapid digitization, the years 2019 and 2020 witnessed the highest number of cybersecurity breaches, financial frauds and third-party risks,” Gaurav said. “It is now critical for companies, especially banks and financial services institutions, and regulators to work together to create the conditions where companies take advantage of business growth opportunities and accelerate digital transformation while remaining operationally resilient throughout.”
Do you find Cloud Security daunting? Do you understand the different cloud relationships? Do you know standards that you can use as references? Do you understand Governance of Cloud Security? If you answered no to even one of these questions, this article will help you gain a better understanding of each of these areas and give you a great overview.
Cloud security is often not treated as a priority by organizations using the cloud because of the erroneous assumption that cloud providers know how to secure the data in the cloud, and that using cloud services therefore makes it one less thing to worry about. Organizations that were not prepared for the pandemic and remote working rushed to cloud computing, and many of them failed to consider risks or compliance with standards.
In traditional IT, the organization manages every layer of the stack on its own. In the cloud there are three main customer relationships: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), each shifting more of the stack to the provider. Any of them can be delivered by public or private cloud providers.
The National Security Agency (NSA) classified cloud vulnerabilities into four main categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
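The first two NSA categories, misconfiguration and poor access control, most often surface as an over-broad resource policy. The following is an added example, not MetricStream’s code or anything from the NSA guidance: a small static check over an IAM-style policy document that flags anonymous principals, wildcard actions and wildcard resources, shown against a constructed weak policy and its hardened form. The account ID, role and bucket names are placeholders.

```python
"""Static check for two of the NSA's four cloud vulnerability classes, misconfiguration
and poor access control, run against an IAM-style resource policy document.

Added example, not MetricStream's code. The policy documents below are constructed
for illustration; the account ID, role and bucket names are placeholders.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """The policy grammar allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list[str]:
    """Flatten Principal, which may be "*", {"AWS": "arn"} or {"AWS": ["arn", ...]}."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    found: list[str] = []
    if isinstance(principal, dict):
        for value in principal.values():
            found.extend(_as_list(value))
    return found


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings for over-broad Allow statements; [] means clean."""
    findings: list[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; only broad Allows are flagged
        sid = stmt.get("Sid", f"statement[{index}]")
        has_condition = bool(stmt.get("Condition"))

        # Poor access control: anonymous principal. Without a Condition this is
        # public access; with one (e.g. a VPC endpoint or source-IP restriction)
        # it still deserves a manual review.
        if "*" in _principals(stmt):
            if has_condition:
                findings.append(f"{sid}: REVIEW Principal '*' is limited only by a Condition")
            else:
                findings.append(f"{sid}: Principal '*' without a Condition grants anonymous access")

        # Misconfiguration: wildcard actions and resources grant far more than intended.
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action '{action}'")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
    return findings


def audit_policy_json(text: str) -> list[str]:
    """Convenience wrapper for a policy stored as a JSON string."""
    return audit_policy(json.loads(text))


# Constructed weak policy: the classic "anyone can do anything to everything" bucket policy.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
    }],
}

# Constructed hardened form: one named role, one read action, one bucket prefix,
# and TLS enforced via a Condition.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

The weak policy produces three findings (anonymous principal, wildcard action, wildcard resource) and the hardened one produces none. A check like this belongs in the pipeline that deploys the policy, not only in a periodic audit, because the misconfiguration is live from the moment the policy is applied.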
The risks in cloud security must be managed by both the customer and the provider. Organizations that are customers can implement governance, technological, and strategic controls to mitigate risks.
Management should ensure that policies for cloud computing include guidance for implementation. Before developing and implementing the policies, risk concerns should be considered and discussed. Examples include whether the cloud provider can access data in the cloud, which assets the provider will manage, which processes will be multi-tenant, where the provider’s servers reside geographically, and many more. These concerns should also be negotiated with the cloud provider and written into contracts, depending on the implementation model that is chosen: IaaS, PaaS or SaaS.
Organizational responsibility for data does not end when using the cloud. Some controls that should be considered and implemented include but are not limited to:
Governance, risk, and compliance (GRC) is also a must. Compliance with legal and contractual requirements is essential. The following International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) standards should be considered:
Bad actors find new and better ways of getting access to data and attacking clouds each year: abuse of cloud services, account or service hijacking, cloud malware injection, denial of service, insider attacks, man-in-the-cloud attacks, side-channel attacks, and wrapping attacks, among others. Organizations must be prepared, with better implementation and management of cloud security, to deal with them.
There are three relationships you can have with a cloud provider: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). Which one to choose depends on how much you want to manage yourself versus having it done for you.
Even when the cloud provider is managing all levels of integration, there are still many controls that you should consider implementing.
Before developing your policies, a risk assessment should be done, and controlling the identified risks should be managed together with the cloud provider.
With the growing frequency and sophistication of cyberattacks, cybersecurity leaders are on high alert to implement and maintain an effective and sound cybersecurity program. Cyber risks and the challenges of ensuring robust cyber health are further exacerbated as the digital interconnectivity of people, processes, and organizations continues to intensify.
Cyberattacks are growing at an alarming rate and do not show any signs of slowing down. Attacks on web applications alone surged by a whopping 800% in the first half of 2020, according to a report by CDNetworks. The Center for Strategic & International Studies (CSIS) estimates that cybercrime costs the world nearly $600 billion every year. Furthermore, private sector companies are expected to lose $5.2 trillion in revenue to cybersecurity attacks over the course of five years, from 2019 to 2023, as per a report from Accenture.
It is important to note that organizations are often not the victims of targeted attacks such as hacks, DDoS (Distributed Denial-of-Service) attacks, and others. Untargeted attacks, carried out via malware (worms, spyware, adware, computer viruses, etc.), phishing emails, and the like, are not directed at any specific person or business and are more common: they indiscriminately infect devices, casting as wide a net as possible. According to CSO Online, phishing attacks account for over 80% of reported security incidents.
Today, organizations simply cannot assume that they can have an impenetrable cyber defense mechanism. As such, the global narrative has been gradually shifting from cybersecurity to cyber resilience in recent years—focusing on not just averting cyber breaches but also designing a strategy to minimize impact and potential loss and ensuring continued business operations during the attacks.
As cybercrime incidents continue to proliferate across the globe, achieving cyber certainty seems to be a pipe dream for companies. Achieving cyber resilience, however, is not only a realistic goal but also indispensable for businesses to thrive in this digital era.
Embarking on the path to achieve cyber resilience starts with the identification of the cyber threats that an organization is exposed to (such as ransomware, malware, phishing attacks, etc.), prioritizing the risks depending on the impact and probability of them occurring, and devising an effective response plan. In today’s digitized world, checking an organization’s cyber health has become an iterative process requiring continuous monitoring of business processes and IT infrastructure for identifying and addressing any vulnerable areas or loopholes.
Achieving sound cyber resilience can be a daunting proposition for any organization. Quite often, organizations rely more on tools and techniques for building cyber resilience capabilities than on the expertise of people and well-designed processes. The best practice is to find the right mix of people, processes, and technology when devising the cyber resilience management framework.
A cyber resilience framework is a structured approach that helps organizations proactively prepare for, effectively respond to, and swiftly recover from cyberattacks. It provides a comprehensive strategy to manage cyber risks.
An effective cyber resilience management program also requires integrating cybersecurity into business strategy and engaging the entire spectrum of stakeholders in the process for better decision-making.
MetricStream is helping organizations achieve cyber resilience in a simplified and streamlined manner, saving time, effort, and resources. With the MetricStream CyberSecurity Solution, organizations can proactively anticipate and mitigate IT and cyber risks, threats, vulnerabilities; have a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture; and implement an effective business continuity and disaster recovery program.
International standard-setting bodies and national-level regulatory bodies are regularly publishing policies, guidelines, best practices, and more to help organizations prevent or mitigate cyberattacks.
The International Organization for Standardization (ISO), an international standard-setting body composed of representatives from various national standards organizations, has published ISO/IEC 27001 which provides requirements for an information security management system (ISMS). There is also the ISA/IEC 62443 series of standards, developed by the ISA99 committee, which provides a framework to address and mitigate existing and future security vulnerabilities in industrial automation and control systems (IACSs).
In addition to these global standards, there are various national standards such as the NIST Cybersecurity Framework, Cybersecurity Maturity Model Certification (CMMC) in the United States, Cyber Essentials in the United Kingdom, and the BSI IT Baseline Protection Catalogs in Germany, among others, which are intended to strengthen the cyber resilience of organizations operating in these countries.
Governments have also put into effect various cybersecurity regulations that govern the cybersecurity measures implemented by organizations. In the U.S., for example, healthcare organizations have to comply with the Health Insurance Portability and Accountability Act (HIPAA) while financial institutions have to adhere to the Gramm-Leach-Bliley Act. Organizations in the European Union have to adhere to the Network and Information Security (NIS) Directive, the EBA ICT guidelines, the General Data Protection Regulation (GDPR), and other such regulations.
In 2020, the World Economic Forum created the Partnership against Cybercrime initiative that aims to explore ways to support and strengthen public-private cooperation against cybercrime and overcome existing barriers to cooperation. Such initiatives are particularly important for reinforcing the fight against cybercrime by businesses and regulators alike.
The lack of a mature cyber resilience program and the resulting inability to thwart cyberattacks or minimize their impact can not only lead to regulatory fines and penalties but also reputational damage, loss of customer trust, and even threaten the very existence of a company. Public-private collaborative efforts to fight cybercrime, bringing together their respective strengths, capabilities, and resources, could go a long way to control the growing menace of cybercrime.
To learn more about cyber resilience read MetricStream’s eBook, A Shift from Cybersecurity to Cyber Resilience, which delves into the growing focus on cyber resilience management, the importance of cyber risk quantification, and provides quick tips on cyber resilience best practices and how to combat cyberattacks effectively with a cybersecurity incident response program.
The recent FireEye breach is perhaps the most significant cybersecurity headline of 2020, with one of the leading advanced threat detection vendors falling victim to an apparent state-sponsored attack. As new details of the breach unfold, the nexus between cybersecurity and risk management becomes increasingly evident, forming the basis of several lessons learned.
Over the last 10 years, IT departments have gained undeniable advantages and realized significant business benefits by utilizing third-party IT solutions. Rather than building costly on-premise IT infrastructure and services, agile businesses have reliably turned to third-party vendors, such as Amazon AWS, Salesforce, Microsoft and others to effectively and efficiently host, manage and provide mission-critical business and IT services.
Following this practice, FireEye reportedly used third-party network performance, management and monitoring software from SolarWinds, which appears to be the crux of the breach. However, the fact that the breach potentially stemmed from SolarWinds is irrelevant. The fundamental issue is that supply chain and third-party IT solutions present real risks to enterprise security architectures.
The proverbial ship has sailed when it comes to outsourcing IT services, and despite recent attacks, businesses have much to gain (e.g. cost savings, agility, flexibility, productivity, etc.) by using outsourced and cloud-based services. Knowing this, the prudent course of action is to implement a solution that reduces risk associated with third-party vendors.
One such solution is the MetricStream Third-Party Risk Management offering, which protects businesses from existing and potential third-party threats. Built on the MetricStream M7 Integrated Risk Platform, MetricStream’s Third-Party Risk Management product provides an integrated, real-time view of the extended enterprise. It strengthens resilience, contains costs and optimizes business performance by automating the end-to-end processes for information gathering, onboarding, real-time monitoring, risk, compliance and control assessments and risk mitigation.
In the cybersecurity world, policy and policy management is often overlooked and undervalued. However, without policy, enforcement of enterprise security programs is futile and inefficient. We see this every day in society. We have laws to protect citizens, but without the police (policy enforcement), we would live in a lawless society.
Every breach is an opportunity to learn, strengthen security and become more resilient. Policy factors into this, and should be included as part of a post-breach review. In fact, most breaches are not nearly as sophisticated as the FireEye breach, but are instead the result of employees not following security policies. For example, a spear-phishing campaign often succeeds because an employee clicked on a link embedded in a suspicious external email, even though corporate policy states not to do so.
MetricStream Policy and Document Management built on the M7 Integrated Risk Platform, streamlines and simplifies the creation and communication of organizational policies, while providing a centralized policy portal to store and access the latest policies. It delivers a contextual view to policies by mapping policies to regulations, risks and controls, thereby strengthening compliance while highlighting potential risks. Policy and Document Management raises awareness throughout an organization and brings policies to everyone, including first line employees, who are often the targets of cyberattacks.
One observation from the FireEye attack is the speed and transparency of its communications. Kudos to those involved, as a breach is often managed solely by Legal and/or IT. Whenever a substantive breach occurs, businesses face damage to their brand, sales efforts, customer success and partner base.
Not only do breaches potentially trigger lawsuits, but for many corporations, a material breach can also trigger SEC Regulation FD (Fair Disclosure) consequences. Cybersecurity incidents are often listed as part of corporate governance documentation relating to Regulation FD.
For those not in Legal or Corporate Communications, Regulation FD basically states that a corporation must prevent the selective disclosure of material, non-public information that could be used in the decision-making process of buying or selling a security. Depending on the severity of a cybersecurity incident, Regulation FD may apply.
As FireEye has shown, clear, quick and transparent communication is the best way to manage brand-challenging situations. Learning from their experience and response, every organization should have a PSIRT (Product Security Incident Response Team) policy in place BEFORE a breach or serious incident occurs. Response teams are usually made up of members from across the enterprise, including representatives from Corporate Communications, Legal, IT/Security and the C-suite. With MetricStream Policy and Document Management, creating a PSIRT policy and process is simple and intuitive, a must-have for any organization.
In conclusion, the FireEye breach will continue to dominate headlines as more information is revealed about the attackers, their processes, tools and techniques. As well, we hope to gain insights from what has transpired to find new and better ways to strengthen security and improve resilience. Clearly, more lessons are to be learned.
Cybersecurity has always been an unsought investment, like insurance: only useful when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to boards and peers. Everybody in an organization has their own perspective on cybersecurity, which is why security professionals have always found it difficult to convince management and get budgets approved.
But the situation is changing, as boards and management become aware of the importance of cybersecurity. It is now the security leader’s responsibility to communicate that importance effectively. This matters even more in the current scenario, where huge risks of cyber breaches loom while organizations cut costs because of slow business in order to survive the pandemic.
In this blog, we talk about the best practices to effectively communicate cyber security to the board and management.
As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all; while the other half still rely largely on the experience of their cyber experts or maturity assessments.
ROSI (%) = ((ALE − mALE) − Cost of Solution) ÷ Cost of Solution × 100
ALE = annual loss expectancy, the total financial loss expected from security incidents in a year (single loss expectancy per incident × annual rate of occurrence)
mALE = modified ALE, the annual loss expectancy that remains once the solution is in place (ALE minus the savings the solution delivers); ALE − mALE is therefore the annual saving the solution delivers, and a negative ROSI means the solution costs more per year than the loss it prevents
Presenting the cybersecurity investment vs. risk reduction in terms of dollar value can be a good way to communicate the importance of cybersecurity for the organization.
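The ROSI formula above, worked through for a constructed ransomware scenario and three candidate controls. This is an added example, not MetricStream’s code; the loss figures, mitigation ratios and control costs are placeholders, not data from the page or any vendor. It ranks controls by ROSI rather than by raw savings, which is the comparison a board can act on.

```python
"""Return on Security Investment (ROSI) worked through with the formula above.

Added example, not MetricStream's code. The loss figures, mitigation ratios and
control costs are constructed placeholders, not data from the page or any vendor.
"""
from dataclasses import dataclass


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected loss per incident times expected incidents per year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, male: float, cost_of_solution: float) -> float:
    """ROSI = ((ALE - mALE) - cost) / cost, as a ratio (multiply by 100 for percent).

    mALE is the *modified* ALE that remains once the solution is in place, so
    ALE - mALE is the annual saving the solution delivers. A negative result
    means the control costs more per year than the loss it prevents.
    """
    if cost_of_solution <= 0:
        raise ValueError("cost_of_solution must be positive")
    return ((ale - male) - cost_of_solution) / cost_of_solution


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # licence, hardware and people, per year
    mitigation_ratio: float   # fraction of ALE the control removes, 0.0 .. 1.0

    def modified_ale(self, ale: float) -> float:
        """mALE under this control: the loss that still gets through."""
        return ale * (1.0 - self.mitigation_ratio)


def rank_controls(ale: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Rank candidate controls by ROSI, highest first, so scarce budget goes where
    each dollar prevents the most loss rather than where raw savings look biggest."""
    scored = [(c.name, round(rosi(ale, c.modified_ale(ale), c.annual_cost), 4)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a ransomware incident is estimated at $400,000 and expected
# every other year, so ALE = $200,000.
RANSOMWARE_ALE = annual_loss_expectancy(400_000, 0.5)

CANDIDATES = [
    Control("offline backups with tested restores", annual_cost=40_000, mitigation_ratio=0.75),
    Control("endpoint detection and response", annual_cost=120_000, mitigation_ratio=0.80),
    Control("24x7 managed SOC service", annual_cost=300_000, mitigation_ratio=0.90),
]

if __name__ == "__main__":
    for name, value in rank_controls(RANSOMWARE_ALE, CANDIDATES):
        print(f"{name:40s} ROSI = {value * 100:7.1f}%")
```

With these placeholder inputs the backup programme returns 275% and ranks first even though EDR saves more dollars in absolute terms (it returns about 33%), and the managed SOC comes out negative because at this ALE it costs more than the loss it prevents. The ranking is only as good as the ALE estimate, which is why the page’s advice to quantify losses together with the business matters more than the arithmetic.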
According to the World Economic Forum’s Global Risks Report, data fraud, data theft, and cyberattacks are among the top five biggest risks the world faces. That is because of the huge business impact of cyberattacks: NotPetya cost Maersk an estimated $300 million after the malware shut down operations, and Verizon paid $350 million less for Yahoo after it suffered two cyberattacks.
Winning the trust of the leadership and establishing your own credibility is also very important for building a culture of “Cybersecurity Everywhere” and convincing management to provide the required resources.
When security leaders prepare to present to the board or to C-suite executives, they must be ready to face all kinds of non-technical, and sometimes technical, questions.
It is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If they are unable to communicate and quantify their cybersecurity risks properly, priority projects will not get the funding they need, and this will lead to increased cyber risk for the organization.
Cybersecurity has always been an unsought good, like insurance, which is useful only when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to the board and peers. Furthermore, everyone in an organization has their own perspective on cybersecurity. That is partly why security professionals find it difficult to convince management to approve budgets.
But the situation is changing, as boards and management come to understand the importance of security. It is now the security leader’s responsibility to communicate the importance of cybersecurity effectively. This has become very important during the pandemic, when huge risks of cyber breaches loom and organizations cut costs due to slowing business in order to survive.
In this piece, we talk about the best practices to effectively communicate cyber security to the board and management.
Be in your audience’s shoes: Talk in the language of the board and quantify cyber risks.
As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all, while the other half said they still rely largely on the experience of their cyber experts or on maturity assessments.
Communicate the severity and losses of not having a robust cyber security program
According to the World Economic Forum’s Global Risks Report, data fraud, data theft and cyberattacks are among the top five biggest risks the world faces. That is because of the huge business impact of cyberattacks. For example, NotPetya cost Maersk an estimated $300 million after the malware shut down operations, and Verizon paid $350 million less in its acquisition of Yahoo after the tech company suffered two cyberattacks.
Use simple language: Build trust and engage leadership.
Again, it is very important to use simple language and avoid technical jargon as much as possible when presenting to the board or making your point to any non-technical C-suite executive.
Be prepared to face any kind of objections and questions.
When security leaders prepare a presentation for the board or C-suite executives, they must be ready to face all kinds of non-technical, and sometimes technical, questions.
In summary, it is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If CISOs are unable to communicate and quantify their cybersecurity program, priority projects don’t get funded, which leads to increased breach risk. Fortunately, there are many tools on the market today that significantly improve a CISO’s ability to report to the board effectively and systematically.
In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, tele-medicine visits and triage – our security and cyber teams are on high alert to protect both regulated and sensitive data.
Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.
Getting a bead on which ‘crown jewel’ IT assets need high-priority attention is the mantra of these teams. It is an ongoing challenge, as the attack surface becomes more complex, with third parties, cloud service providers and layers of software and technology blurring the line between what is ‘inside’ and ‘outside’ the organization. It is now widely understood that the ‘fixed perimeter’ is dead. With the advent of work from home, distance learning and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially, and with it the risk to processes, people and technologies.
So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps?
A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.
Risk quantification strives to create an operating risk score based on multiple factors: the context of business processes, current and likely future events, network use, user behaviour, and the characteristics of the data involved. Properly executed, teams can continuously calibrate and tune the algorithms that produce the scores. Ideally, the scores give a forward-looking view based on changes in the external environment, business processes and technologies.
For example, cyber risk postures are shifting as threat actors target video conferencing and VPN traffic because of the uptick in the number of people working and learning from home. At the same time, the internet is stressed by an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If an email arrives that looks legitimate and pertains to personal finance or health, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating the organization and threatening its information and assets.
Teams strive for a top-down and bottom-up 360 view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience teams and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.
Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (the recovery time objective, RTO) or the point in time to which data must be recoverable (the recovery point objective, RPO). RPO and RTO are typically measured in resilience planning through business impact assessments (BIAs) and are not sufficient on their own for risk quantification.
Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high-priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value on the criticality of a process, say keeping the order processing system up 24×7, in real dollars.
From a bottom-up perspective, security and cyber teams map threats and vulnerabilities to the assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities: for example, strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some applications to a third party operating in the cloud, or taking on cyber insurance. The options are limited. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of mitigation strategies for optimal defense in depth.
For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.
With Risk Quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk with dollar investments to mitigate against dollar impact. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
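The top-down and bottom-up views described above meet in a dollar-denominated score, and the following added example shows one way to compute it. It is not MetricStream’s code or its scoring method: the business supplies a loss-per-incident figure for each process (the top-down BIA input), the cyber team supplies an annual likelihood of compromise for each asset and the list of processes that depend on it (the bottom-up mapping), and the score is likelihood times the combined impact of every process the asset supports. The processes, assets, dollar figures and likelihoods are constructed placeholders.

```python
"""Top-down / bottom-up risk quantification: the business supplies dollar impact per
process, the cyber team supplies likelihood per asset, and the two meet in a
dollar-denominated exposure score per asset.

Added example, not MetricStream's code. Processes, assets, dollar figures and
likelihoods are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BusinessProcess:
    """Top-down input: what one loss event in this process costs (from the BIA)."""
    name: str
    loss_per_incident: float


@dataclass
class Asset:
    """Bottom-up input: which processes depend on this asset and how likely a
    compromise is per year, given its open findings."""
    name: str
    supports: list[str]
    annual_likelihood: float
    findings: list[str] = field(default_factory=list)


def exposure(asset: Asset, processes: dict[str, BusinessProcess]) -> float:
    """Inherent annual exposure in dollars: likelihood x impact of every process that
    would be disrupted if this asset were compromised. Rounded to cents."""
    impact = sum(processes[p].loss_per_incident for p in asset.supports)
    return round(asset.annual_likelihood * impact, 2)


def rank_assets(assets: list[Asset], processes: dict[str, BusinessProcess]) -> list[tuple[str, float]]:
    """Assets ordered by exposure, highest first: the remediation priority list."""
    ranked = [(a.name, exposure(a, processes)) for a in assets]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def residual_exposure(asset: Asset, processes: dict[str, BusinessProcess],
                      likelihood_after_mitigation: float) -> float:
    """Residual exposure once a mitigation (patching, segmentation, stronger access
    control) lowers the likelihood; the impact side is unchanged unless the business
    process itself changes."""
    mitigated = Asset(asset.name, asset.supports, likelihood_after_mitigation, asset.findings)
    return exposure(mitigated, processes)


# Constructed top-down inputs from the operational risk / resilience teams.
PROCESSES = {
    "order_processing": BusinessProcess("order_processing", 500_000),
    "payroll": BusinessProcess("payroll", 120_000),
    "marketing_site": BusinessProcess("marketing_site", 20_000),
}

# Constructed bottom-up inputs from the security team's asset-to-process mapping.
ASSETS = [
    Asset("erp-db", ["order_processing", "payroll"], 0.2, ["unsupported DB version"]),
    Asset("vpn-gw", ["order_processing"], 0.25, ["known RCE, vendor patch available"]),
    Asset("web-cms", ["marketing_site"], 0.6, ["default admin credentials", "no WAF"]),
]

if __name__ == "__main__":
    for name, dollars in rank_assets(ASSETS, PROCESSES):
        print(f"{name:8s} inherent exposure ${dollars:>12,.2f}")
    vpn = next(a for a in ASSETS if a.name == "vpn-gw")
    print(f"vpn-gw residual after patching: ${residual_exposure(vpn, PROCESSES, 0.05):,.2f}")
```

With these placeholder inputs the VPN gateway ranks first at $125,000 of annual exposure and the ERP database second at $124,000, while the web CMS, the asset with by far the highest likelihood of compromise, ranks last at $12,000 because the process behind it is worth little. That inversion is the point of the top-down view: a vulnerability-count ranking would have put the CMS first. Patching the VPN gateway (likelihood 0.25 to 0.05) drops its residual exposure to $25,000, a figure the team can set against the cost of the patch window.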
To leverage this best practice, security and cyber teams must continue to diligently deploy and refine risk quantification methods, as a scalable discipline, and use them to invest in just the right areas as cyber programs evolve with increasing digitalization.
Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and orchestrate risk across IT, cyber, op risk, incident and crisis response and other disciplines.
In the last few months, the COVID-19 pandemic has redefined risk management and forced businesses to review their cyber-attack mitigation strategies to understand the gaps in their approach to cybersecurity. Today, the world seems to be gradually re-emerging from the crisis and getting a grip on the aftermath. Globally, businesses are beginning to prepare for their return to work, anticipating the mid- to long-term implications of the crisis and working towards a strategic response to its challenges. While the world gets ready to adapt to the New Normal, let's find out what made it to the headlines in April, through the GRC lens.
In early March, JP Morgan experimented by allowing 10% of its employees to work from home. A month later, JPMorgan's Co-president Daniel Pinto said that staff could work from home on a rotational basis more permanently, in line with the bank's future vision of work. Recently, tech giant Facebook also announced that most of its employees will be allowed to work from home through the end of 2020, and Twitter made WFH permanent for all its employees.
After witnessing no significant drop in productivity under the WFH regime, organizations around the world seem to be getting comfortable with the idea. The new social distancing policies have also got organizations reconsidering their plans to get back to the office.
Arguably, COVID-19 proved to be the greatest catalyst for rapid change in workplaces. According to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. It now appears that this shift could outlast the lockdown. However, the growing move to virtual ways of working has dramatically altered the cyber threat landscape, with the potential for greater risks this year.
At the beginning of April, Marriott International revealed that a security breach may have exposed the personal information of 5.2 million guests. Soon enough, Cognizant was hit by a 'Maze' ransomware attack, causing disruptions to some of its clients. Zoom, a heavily used video-conferencing app, was again compromised by credential stuffing, and over 500,000 credentials were sold on the dark web. Recently, Unacademy, an India-based online learning platform, also suffered a data breach that exposed the details of 22 million users.
Phishing increased by 350% since the coronavirus outbreak started (between January and March 2020), according to data gathered and analyzed by Atlas VPN. It goes without saying that remote work inevitably brings a new set of risks and challenges.
While we can’t solely blame the shift from office spaces to work from home for the increase in cyberattacks, organizations need to step up their cyber game to align better to this new way of working.
In a recent virtual conference, hosted by Global Cyber Center of NY, William Altman, the company’s Senior Analyst, said, “Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce…It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”
Looking at the brighter side, every crisis comes with opportunities for reinvention and differentiation. Although no one could have predicted the upheaval caused by the COVID-19 pandemic, which disrupted businesses and economies around the globe, it has now become imperative for organizations to pay extra attention to the blind spots in risk management and strengthen their cyber defense.
The European Commission recently unveiled its long-awaited proposal to regulate artificial intelligence (AI). But will the new proposal stifle innovation? Find out more through the GRC Lens – February 2020 edition.
_____________________________________________
On the 19th of February, the European Commission (EC) President, Ursula von der Leyen, Executive Vice-President, Margrethe Vestager and EU Commissioner for Internal Market, Thierry Breton, held a press conference at the European Commission headquarters in Brussels, unveiling their ideas and actions to regulate AI.
Keen on building "a digital Europe that reflects the best of Europe," the EC released a white paper on AI that defines an extensive framework under which AI can be developed and deployed across the EU. The paper includes considerations to govern high-risk uses of AI, like facial recognition in public spaces, with an overall ambition to shape Europe's digital future.
The proposal still has a long way to go. For now, the EC plans to gather opinions and reactions from companies, countries, and other interested parties before they begin to draft the laws. And although the AI white paper is open for suggestions until May 19, lobbying has already begun.
Although many AI experts have said that the regulation of AI is necessary, especially due to ethical concerns, there is considerable worry around the consequences of regulation. Europe’s new proposal has already had far-reaching implications on the big tech brands that have invested in AI. After the EC declared a 12-week discussion period, several tech leaders from large organizations have journeyed to Brussels to meet with EU officials.
Their major concern – will tough laws hinder innovation?
AI vendors are worried that if the process of regulation, considered a slow process that can be subject to interference and distortion, is applied to a fast-moving field like AI, it can stifle innovation and divert the technology’s enormous potential benefits.
To illustrate this concern, a recent article in Analytics India Magazine used the example of neural nets to explain how the regulation of AI could possibly hamper innovation. Neural networks work by finding patterns in training data and applying those patterns to new data, enabling researchers to solve problems they couldn't solve earlier.
For instance, CheXNet, an AI algorithm from Stanford, has an incredibly powerful ability to detect pneumonia in older patients from chest X-rays. But for technologies like these to work, they need a certain amount of creative and scientific freedom (within ethical boundaries, of course). If "black box" AI systems that humans can't interpret were banned, would AI innovation be impacted?
Another area of confusion revolves around the definition of “high-risk” applications of AI. The report seems to be unclear about high-risk applications in low-risk sectors, leaving companies uncertain on how to approach this issue.
There is no doubt that AI has enormous potential to be used for good. But its accelerating adoption across industries comes with multiple ethical concerns.
According to a survey by KPMG, 80% of risk professionals are not confident about the governance in place around AI.
What happens when decisions are made by AI without human oversight? Recent instances have shown that automated decision-making can perpetuate social biases. In addition, deep fakes, surveillance technology, autonomous weapons, and discriminatory HR recruiting tools come with multiple serious risks. The focus of AI regulatory authorities is on developing frameworks to govern AI.
As Anna Fellander, Co-founder of the AI Sustainability Center, said at the GRC Summit in London, "It's no longer just about what AI can do, but what it should do." In a similar vein, Andreas Diggelmann, "Office of the CEO," Interim CEO and CTO at MetricStream, said, "We need technology that serves humanity, not the other way around."
AI expert Ivana Bartoletti, Technical Director, Deloitte – Cybersecurity and Privacy Division, speaking at Impact 2020 conference, said: “The reason why we’re talking so much about ethics in AI is over the last few years we have seen the best of technology – but also the worst.”
With its novel approach to AI regulation, the EC wants to promote the development of AI while respecting human fundamental rights and addressing potential risks that come with the technology. The EC wants a digital transformation that works for all, reflecting the best of Europe: open, fair, diverse, democratic, and confident.
The new AI proposal has already begun to receive acceptance in some industries. Ted Kwartler, Vice President, DataRobot, said the vendor welcomes calls for regulatory approaches that don’t stifle innovation. Christopher Padilla, VP, Government and Regulatory Affairs, IBM, also was reported saying in Protocol, “By focusing on precision regulation — applying different rules for different levels of risk — Europe can ensure its businesses and consumers have trust in technology.”
It appears now that big tech companies that want to tap into Europe’s market will have to play by the rules that come into force. Like the GDPR in 2018, will the new AI proposal inspire similar, tough regulatory action in other parts of the world? Read the MetricStream Blog to stay updated on more news.
Over the past decade, fraud has evolved to become more sophisticated and systemized. Thankfully, innovations in technology now enable businesses to better combat fraud. But there’s a catch. Modern technologies also present new opportunities to cyber criminals, making fraud harder to detect and easier to commit. This raises the question – is digitalization making fraud easy? Find out ‘Through the GRC lens’ – January 2020.
_____________________________________________________________________________________
Fraud is increasing every year at an alarming rate. The Federal Trade Commission received more than 3.2 million reports of fraud in 2019. The 2020 Global Identity and Fraud Report found significant indications that business concerns around rising fraud persist, with nearly three in five businesses agreeing that fraud has increased exponentially in the past 12 months.
Along with this increase in sophistication, scammers are also getting extremely creative with their attacks. We recently witnessed the first case of CEO voice fraud using AI. The head of the UK subsidiary of a German energy company was misled into authorizing a $220,000 transfer by fraudsters who mimicked the voice of the real CEO, reproduced using ML-based AI software. The company later managed to recover the amount because it was covered by fraud insurance.
In another incident, PayPal users in the UK lost over £1 million to fraudsters in the last quarter of 2019 after being tricked by fake e-mails. E-tailers selling electronics, vehicles, phones, and household furniture via online marketplaces received an email allegedly from PayPal, asking for verification of a payment received for an item purchased. The fraudsters then sent a follow-up email asking for the tracking number, pressuring the e-tailer to ship the item and provide the tracking number as requested without first verifying their PayPal account or the authenticity of the email. The unsuspecting victims reported losing a total of £1,121,446.
Media stories such as these only go to show how fraudsters are continuously improvising scamming methods, often facilitated by developing technology.
Innovations in Artificial Intelligence (AI), Robotic Process Automation (RPA), Machine Learning (ML), and Blockchain, are helping businesses adapt to changing behavior and predict anomalies quicker than traditional tools. For instance, Highmark Inc.’s Financial Investigations and Provider Review (FIPR) department leveraged artificial intelligence to generate over $260 million in savings associated with fraud, waste, and abuse in 2019, reported Health IT Analytics.
According to the Association of Certified Fraud Examiners (ACFE) inaugural Anti-Fraud Technology Benchmarking Report, the amount organizations spend on AI and machine learning to thwart online fraud is expected to triple by 2021.
If technology has opened new doors for combating fraud, it has also allowed new and more pervasive forms of fraud to enter. Today, with the pace of technological advancements, it appears to be getting surprisingly easier to commit fraud.
Today fraudsters use sophisticated techniques to increase their success rate with high-quality attacks that circumvent bot-detection tools, making their automated attacks more efficient. One such incident involved replicating human behavior, such as faking human typing patterns.
And while technology can help predict an attack, a recent article by PaymentsSource differentiated between basic and sophisticated attacks, pointing out that "smart attacks work by using techniques that mimic human behavior and, by doing so, reduce the chances of being detected by bot-detection tools."
"Expect criminals to increasingly utilize deepfakes to target the C-Suite and PSP's authentication procedures to commit financial fraud," stated a recent article on The Paypers, adding, "SMS spoofing impersonates a trusted party such as a PSP as the sender of an SMS message, that appears to be from their banks but is actually from fraudsters and acts out instructions believing to be from their PSP."
A recent report from Kount and Javelin, ‘Protecting Digital Innovation: Emerging Fraud and Attack Vectors’, revealed that the risk of fraud slows innovation across industries. However, fraud prevention strategies transcend industry, enabling different businesses to learn from each other and adopt similar fraud mitigation strategies and tactics when innovating their products and services.
As Help Net Security highlights, "digital innovation and the corresponding increase in revenue will never reach their full potential, without integrating suitable fraud prevention initiatives."
Recent cases of fraud and social engineering are indicators of what fraudsters can achieve with technology. But even if these criminals try to stay one step ahead of their targets with technological advancements, organizations need to invest in the next generation of automated fraud risk management measures to ensure safety.
According to the 2020 Global Identity and Fraud Report, “…fraud prevention efforts are aimed at stopping fraud and reducing losses. But an effective program also makes it easier for your good customers to do business with you…It starts with moving away from a one-size-fits-all approach.”
To prevent fraud, preparation is key. By taking a holistic approach, employing tools that increase visibility into cyberattacks, and red-flagging unusual activity and behavior, organizations with the right controls in place can identify anomalies as they emerge, rather than after the damage is done.