
Cyber Resilience: The New Paradigm for Cyber Risk Management


Introduction

With cyberattacks growing in frequency and sophistication, security leaders are under pressure to build and maintain a sound cybersecurity program. The task gets harder as the digital interconnection of people, processes, and organizations intensifies: every new dependency widens the attack surface that has to be understood and defended.

Cyberattacks are growing at an alarming rate and show no sign of slowing down. Attacks on web applications alone rose by 800% in the first half of 2020, according to a CDNetworks report. The Center for Strategic & International Studies (CSIS) estimates that cybercrime costs the world nearly $600 billion every year, and an Accenture report projects that private-sector companies will lose $5.2 trillion in revenue to cyberattacks over the five years from 2019 to 2023.

It is worth noting that organizations are often not the victims of a targeted attack such as a hands-on intrusion or a DDoS (Distributed Denial-of-Service) campaign. Untargeted attacks, delivered through commodity malware (worms, spyware, adware, viruses) and mass phishing emails, are not aimed at any specific person or business and are far more common: they cast as wide a net as possible and compromise whatever they land on. According to CSO Online, phishing accounts for over 80% of reported security incidents.

No organization can assume that its cyber defenses are impenetrable. The global narrative has therefore been shifting in recent years from cybersecurity to cyber resilience: not only averting breaches, but also designing a strategy that minimizes their impact and potential loss and keeps the business operating during and after an attack.

Cyber Resilience—Daunting Yet Possible

As cybercrime incidents proliferate across the globe, cyber certainty is a pipe dream for any company. Cyber resilience, however, is not only a realistic goal but indispensable for a business to thrive in the digital era.

The path to cyber resilience starts with identifying the cyber threats the organization is exposed to (ransomware, malware, phishing, and so on), prioritizing the resulting risks by impact and likelihood, and devising an effective response plan. Checking an organization’s cyber health is an iterative process that requires continuous monitoring of business processes and IT infrastructure so that weaknesses are found and addressed as they appear.

Reaching a state of sound cyber resilience can be a daunting proposition. Organizations quite often lean on tools and techniques to build resilience capabilities and underinvest in the expertise of people and in well-designed processes. The best practice is to find the right mix of people, processes, and technology when devising the cyber resilience management framework.

A cyber resilience framework is a structured approach that helps organizations proactively prepare for, effectively respond to, and swiftly recover from cyberattacks. It provides a comprehensive strategy to manage cyber risks.

An effective cyber resilience management program also requires integrating cybersecurity into business strategy and engaging the entire spectrum of stakeholders in the process for better decision-making.

MetricStream is helping organizations achieve cyber resilience in a simplified and streamlined manner, saving time, effort, and resources. With the MetricStream CyberSecurity Solution, organizations can proactively anticipate and mitigate IT and cyber risks, threats, and vulnerabilities; gain a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture; and implement an effective business continuity and disaster recovery program.

The Regulatory Perspective

International standard-setting bodies and national-level regulatory bodies are regularly publishing policies, guidelines, best practices, and more to help organizations prevent or mitigate cyberattacks.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS). The ISA/IEC 62443 series, developed by the ISA99 committee, provides a framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems (IACS).

Alongside these international standards there are national frameworks such as the NIST Cybersecurity Framework and the Cybersecurity Maturity Model Certification (CMMC) in the United States, Cyber Essentials in the United Kingdom, and the BSI IT-Grundschutz (IT baseline protection) catalogs in Germany, among others, intended to strengthen the cyber resilience of organizations operating in those countries.

Governments have also put into effect cybersecurity regulations that govern the measures organizations must implement. In the U.S., for example, healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions with the Gramm-Leach-Bliley Act. Organizations in the European Union must adhere to the Network and Information Security (NIS) Directive, the European Banking Authority (EBA) guidelines on ICT and security risk management, the General Data Protection Regulation (GDPR), and similar regulations.

In 2020, the World Economic Forum created the Partnership against Cybercrime initiative, which explores ways to support and strengthen public-private cooperation against cybercrime and to overcome the existing barriers to cooperation. Such initiatives are particularly important for reinforcing the fight against cybercrime by businesses and regulators alike.


To conclude

The lack of a mature cyber resilience program and the resulting inability to thwart cyberattacks or minimize their impact can not only lead to regulatory fines and penalties but also reputational damage, loss of customer trust, and even threaten the very existence of a company. Public-private collaborative efforts to fight cybercrime, bringing together their respective strengths, capabilities, and resources, could go a long way to control the growing menace of cybercrime.

To learn more about cyber resilience read MetricStream’s eBook, A Shift from Cybersecurity to Cyber Resilience, which delves into the growing focus on cyber resilience management, the importance of cyber risk quantification, and provides quick tips on cyber resilience best practices and how to combat cyberattacks effectively with a cybersecurity incident response program.

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Lessons Learned from the FireEye Breach


Introduction

The FireEye breach is perhaps the most significant cybersecurity headline of 2020: one of the leading advanced-threat-detection vendors fell victim to an apparent state-sponsored attack. As details of the breach unfold, the nexus between cybersecurity and risk management becomes increasingly evident and forms the basis of several lessons learned.

Third Party IT Vendors – Your Weakest Link in Security

Over the last ten years, IT departments have realized significant business benefits from third-party IT solutions. Rather than building costly on-premises infrastructure and services, agile businesses have turned to vendors such as Amazon Web Services, Salesforce, and Microsoft to host, manage, and provide mission-critical business and IT services.

In line with this practice, FireEye reportedly used SolarWinds’ third-party network performance, management, and monitoring software, which appears to be the crux of the breach. Whether the breach stemmed from SolarWinds specifically is beside the point, however: the fundamental issue is that supply-chain and third-party IT solutions present real risks to enterprise security architectures.

Lesson Learned – Implement Third-Party Risk Management Solutions

The ship has sailed on outsourcing IT services, and despite recent attacks businesses still have much to gain (cost savings, agility, flexibility, productivity) from outsourced and cloud-based services. Given that, the prudent course is to implement a program that reduces the risk associated with third-party vendors.

One such solution is the MetricStream Third-Party Risk Management offering, which protects businesses from existing and potential third-party threats. Built on the MetricStream M7 Integrated Risk Platform, it provides an integrated, real-time view of the extended enterprise and strengthens resilience, contains costs, and optimizes business performance by automating the end-to-end processes for information gathering, onboarding, real-time monitoring, risk, compliance and control assessments, and risk mitigation.

Policy – Without Policy Security is Toothless

In the cybersecurity world, policy and policy management are often overlooked and undervalued. Without policy, however, enforcement of enterprise security programs is futile and inefficient. We see the same thing in society: we have laws to protect citizens, but without the police (policy enforcement) we would live in a lawless society.

Every breach is an opportunity to learn, strengthen security, and become more resilient. Policy is part of that and should be included in any post-breach review. In fact, most breaches are nowhere near as sophisticated as the FireEye breach; they result from employees not following security policies. A spear-phishing campaign, for example, often succeeds because an employee clicked a link in a suspicious external email even though corporate policy says not to.

Lesson Learned – Review Policy Management to Strengthen Security

MetricStream Policy and Document Management built on the M7 Integrated Risk Platform, streamlines and simplifies the creation and communication of organizational policies, while providing a centralized policy portal to store and access the latest policies. It delivers a contextual view to policies by mapping policies to regulations, risks and controls, thereby strengthening compliance while highlighting potential risks. Policy and Document Management raises awareness throughout an organization and brings policies to everyone, including first line employees, who are often the targets of cyberattacks. 

Communications – Transparency is Critical to Recovery

One observation from the FireEye attack is the speed and transparency of the company’s communications. Kudos to those involved, as a breach is often managed solely by Legal and/or IT. Whenever a substantive breach occurs, a business faces damage to its brand, sales efforts, customer success, and partner base.

Breaches can trigger lawsuits, and for many corporations a material breach can also trigger consequences under SEC Regulation FD (Fair Disclosure). Cybersecurity incidents are often listed in corporate governance documentation relating to Regulation FD.

For those outside Legal or Corporate Communications: Regulation FD requires a corporation to prevent the selective disclosure of material, non-public information that could influence a decision to buy or sell a security. Depending on the severity of a cybersecurity incident, Regulation FD may apply.

Lesson Learned – Incident Response Must be Documented

As FireEye has shown, clear, quick, and transparent communication is the best way to manage a brand-challenging situation. Learning from that response, every organization should have an incident response policy and team in place before a breach or serious incident occurs: a CSIRT for incidents affecting the enterprise itself and, for an organization that ships software or products, a PSIRT (Product Security Incident Response Team) as well. Response teams usually draw members from across the enterprise, including Corporate Communications, Legal, IT/Security, and the C-suite. With MetricStream Policy and Document Management, creating the incident response policy and process is simple and intuitive, a must-have for any organization.

The FireEye breach will continue to dominate headlines as more is revealed about the attackers and their processes, tools, and techniques. We also hope to gain insight from what has transpired and find new and better ways to strengthen security and improve resilience. Clearly, more lessons remain to be learned.


 

Communicating Cybersecurity Effectively to the Board


Introduction

Cybersecurity has always been an unsought investment, like insurance: only useful when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to boards and peers. Everybody in an organization has their own perspective on cybersecurity, which is why security professionals have often found it hard to convince management and get budgets approved.

But the situation is changing as boards and management become aware of the importance of cybersecurity. It is now the security leader’s responsibility to communicate that importance effectively. This matters all the more in the current scenario, where the risk of breaches is high while organizations are cutting costs to survive slow business during the pandemic.

In this blog, we talk about the best practices to effectively communicate cyber security to the board and management.

Be in Your Audience’s Shoes: Speak the language of the board and quantify cyber risks:

As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all; while the other half still rely largely on the experience of their cyber experts or maturity assessments.

  • Quantify cyber risks: In today’s “cyber everywhere” era, it is essential to quantify cyber risks accurately and ahead of time. CISOs who can state the dollar loss the organization would suffer if a breach happened make more sense to the board and C-suite.
  • Communicate return on security investment (ROSI): The board and management always want to know what an investment delivers. Security leaders can express a security investment’s return on a risk basis by calculating ROSI:

ROSI (%) = ((ALE − mALE) − Cost of Solution) ÷ Cost of Solution × 100

ALE = annual loss expectancy: the total financial loss expected from security incidents each year without the solution, commonly estimated as single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO)

mALE = modified annual loss expectancy: the loss still expected once the solution is in place, i.e. ALE minus the savings the solution delivers

Presenting the cybersecurity investment vs. risk reduction in terms of dollar value can be a good way to communicate the importance of cybersecurity for the organization.

  • Use simple, comprehensible language: Security leaders must communicate cyber risk in a language the board and the rest of the C-suite can follow. Explaining malware and other technical detail is a waste of their time; they are not versed in the technical side of cybersecurity.
  • Competitive comparisons: Comparing risk scores, cybersecurity posture, and industry averages with peers can help, because boards and C-level executives want to stay ahead of the competition in their readiness to face challenges.
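To make the ROSI formula above concrete, here is an added worked example in Python; it is not part of the original post and not a MetricStream product. It estimates ALE as SLE × ARO, derives mALE from the fraction of loss a control is expected to remove, computes the break-even point, and ranks candidate controls by ROSI. The controls, their costs and their risk-reduction fractions are constructed illustrative figures, not measured data.

```python
"""Return on Security Investment (ROSI) worked example.

ALE  = SLE * ARO                       expected annual loss without the control
mALE = ALE * (1 - risk_reduction)      expected annual loss with the control in place
ROSI = ((ALE - mALE) - cost) / cost    net saving relative to what the control costs
The controls and figures below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # licence plus operating cost per year, in dollars
    risk_reduction: float  # fraction of the ALE the control is expected to remove (0..1)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: single loss expectancy (dollars per incident) times annualized rate of occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def modified_ale(ale: float, risk_reduction: float) -> float:
    """mALE: the loss still expected after the control removes `risk_reduction` of it."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must lie between 0 and 1")
    return ale * (1.0 - risk_reduction)


def rosi(ale: float, male: float, cost: float) -> float:
    """ROSI as a fraction (multiply by 100 for a percentage). Negative means the control
    costs more per year than the loss it is expected to prevent."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    savings = ale - male
    return (savings - cost) / cost


def break_even_reduction(ale: float, cost: float) -> float:
    """Smallest risk-reduction fraction at which a control of this cost pays for itself
    (ROSI = 0). Returns 1.0 when no achievable reduction can pay for it against this ALE."""
    if ale <= 0:
        return 1.0
    return min(1.0, cost / ale)


def rank_controls(sle: float, aro: float, controls: list) -> list:
    """Score every candidate control against the same ALE and sort by ROSI, best first."""
    ale = annual_loss_expectancy(sle, aro)
    rows = []
    for c in controls:
        male = modified_ale(ale, c.risk_reduction)
        rows.append({
            "control": c.name,
            "ale": ale,
            "male": male,
            "cost": c.annual_cost,
            "rosi": rosi(ale, male, c.annual_cost),
            "break_even_reduction": break_even_reduction(ale, c.annual_cost),
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Constructed scenario: a breach of the order-processing system is expected to cost
# $500,000 per incident and to happen about once every five years (ARO = 0.2).
SAMPLE_CONTROLS = [
    Control("phishing-resistant MFA", annual_cost=20_000, risk_reduction=0.60),
    Control("EDR on all endpoints", annual_cost=50_000, risk_reduction=0.70),
    Control("managed SIEM", annual_cost=80_000, risk_reduction=0.50),
]

if __name__ == "__main__":
    for row in rank_controls(500_000, 0.2, SAMPLE_CONTROLS):
        print(f"{row['control']:<24} mALE=${row['male']:>10,.0f}  cost=${row['cost']:>8,.0f}  "
              f"ROSI={row['rosi'] * 100:7.1f}%  break-even reduction={row['break_even_reduction']:.0%}")
```

Running the block ranks the three constructed controls: MFA (ROSI 200%), EDR (40%), and the managed SIEM (negative ROSI, because at $80,000 a year it would need to remove at least 80% of a $100,000 ALE just to break even). The point of the exercise is the comparison rather than the absolute numbers: the risk-reduction fractions are the softest inputs and should be revisited as incident data accumulates.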

Communicate the severity and losses of not having a robust cybersecurity program:

The World Economic Forum’s Global Risks Report ranks data fraud, data theft, and cyberattacks among the top five risks the world faces. The reason is the enormous business impact of cyberattacks: NotPetya cost Maersk an estimated $300 million after the malware shut down operations, and Verizon paid $350 million less for Yahoo after the company suffered two cyberattacks.

  • Quote reports on the losses caused by weak cybersecurity programs: Security leaders can use industry research to communicate the value of a robust program, for example: “According to a recent Accenture report, the average cost of cybercrime to an organization has risen to $13 million.” Organizations must understand that cyber risk is a business risk for businesses of every size and industry.
  • Use real-world stories and facts: Proper reports, stories, and facts help the board understand the financial risk the organization carries if it is hacked. Stories about recent breaches at peers are especially relevant.
  • Prepare a cybersecurity plan and roadmap: Presenting a plan to reach the desired level of cybersecurity maturity, with quantifiable measures of improvement, helps management follow along. Security leaders should arrive with a picture of existing cyber risks and a roadmap for closing the gaps.

Build trust and engage leadership

Winning the trust of leadership and establishing your own credibility is essential to building a culture of “cybersecurity everywhere” and convincing management to provide the required resources.

  • Engage leadership in cybersecurity discussions: Security leaders should not wait for board meetings to talk to leadership about cybersecurity. Report regularly on the progress of the various security programs and seek feedback and advice wherever possible; the dialogue builds trust.
  • Get your colleagues on your side: It always helps to have someone support your point of view when presenting to the board. Enlisting colleagues when communicating cybersecurity to the board builds trust with leadership and helps convey the value of a “cyber everywhere” mentality.

Be prepared to face objections and questions

When preparing to present to the board or C-suite executives, security leaders must be ready to face all kinds of non-technical, and sometimes technical, questions.

  • Be ready with all the required collateral: Have the standard collateral on hand for the agenda under discussion. For a budget-approval meeting, that means the current state of cybersecurity, the gaps, and the action plan to close them. Case studies, use cases, presentations, and risk quantification data should be included wherever possible.
  • Listen carefully to the board and answer: Prepare to defend and explain cybersecurity investments and related topics. A surprise question may come; stay composed, listen, and answer carefully.

It is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If they cannot communicate and quantify their cyber risks properly, priority projects will not receive the funding they need, which leaves the organization carrying more cyber risk.


 

Communicating Cybersecurity Effectively to the Board


Introduction

Cybersecurity has always been an unsought good, like insurance, that is useful only when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to the board and peers, and everyone in an organization has their own perspective on cybersecurity. That is partly why security professionals find it hard to convince management to approve budgets.

Leaders’ Differing Perspectives

But the situation is changing as boards and management come to understand the importance of security. It is now the security leader’s responsibility to communicate that importance effectively. This has become especially important during the pandemic, with the risk of breaches looming while organizations cut costs to survive slowing business.

In this piece, we talk about the best practices to effectively communicate cyber security to the board and management.

Be in your audience’s shoes: Talk in the language of the board and quantify cyber risks.

As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all, while the other half said they still rely largely on the experience of their cyber experts or on maturity assessments.

  • In today’s “cyber everywhere” era, it is more critical than ever to quantify cyber risks accurately and ahead of time.
  • Security leaders should come with a plan for their existing cyber risks and the dollar loss the organization would suffer if a breach occurred, and relate the impact of cyberattacks to the organization’s value creation: business operations, reputation, and loss exposure in dollars, all of which affect the organization’s future.
  • Security leaders must communicate cyber risk in a language the board and the rest of the C-suite can comprehend; some are not versed in the technical details of cybersecurity.
  • Compare your risk scores, cybersecurity posture, and industry averages with peers’, since boards and C-level executives want to stay ahead of the competition in their readiness to face challenges.

Communicate the severity and losses of not having a robust cyber security program

According to the World Economic Forum’s Global Risks Report, data fraud, data theft, and cyberattacks are among the top five risks the world faces. The reason is the huge business impact of cyberattacks: NotPetya cost Maersk an estimated $300 million after the malware shut down operations, and Verizon paid $350 million less in its acquisition of Yahoo after the tech company suffered two cyberattacks.

  • According to a recent Accenture report, the average cost of cybercrime to an organization has risen to $13 million. Organizations must understand that cyber risk is a business risk for businesses of every size and industry.
  • Using proper reports and facts when presenting to boards helps them understand the financial risk the organization faces if it is hacked.
  • Present a plan to reach the recommended level of cyber risk and provide quantifiable insight into improvement.

Use simple language: Build trust and engage leadership.

Again, keep the language simple and avoid technical jargon as much as possible when presenting to the board or making your point to a non-technical C-suite executive.

  • Security leaders should engage leadership in dialogue to build trust. Real-world breach stories, including those of peers and the losses they suffered, are more relatable to the board and management than technical discussion they may not follow.
  • It helps if security leaders can get support from colleagues when communicating cybersecurity to the board, and bring them round to the value of a “cyber everywhere” mentality.

Be prepared to face any kind of objections and questions.

When preparing a presentation to a board or C-suite executives, security leaders must be ready to face all kinds of non-technical, and sometimes technical, questions.

  • Have standard material ready for the agenda under discussion. For a budget-approval board meeting, that means the current state of cybersecurity and the gaps the proposed action plan will close to create a robust security environment, plus collateral such as case studies, use cases, and risk quantification data whenever possible.
  • Prepare to defend and answer questions about cybersecurity investments.

In summary, it is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If CISOs cannot communicate and quantify their cybersecurity program, priority projects go unfunded, which increases breach risk. Fortunately, there are now many tools on the market that significantly improve a CISO’s ability to report to the board effectively and systematically.


Amit S Bhadauriya, Manager, Product Marketing at MetricStream, is a product marketing enthusiast for IT Governance, Risk and Compliance (IT GRC) and cybersecurity technology, products, and services.

 

Risk Quantification Heightens Value in Cyber Vigilance


Introduction

In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, tele-medicine visits and triage – our security and cyber teams are on high alert to protect both regulated and sensitive data.

Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.

Getting a bead on which ‘crown jewel’ IT assets need high-priority attention is the mantra of these teams. It is an ongoing challenge as the attack surface grows more complex: third parties, cloud service providers, and layers of software and technology blur the line between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the fixed perimeter is dead. With work from home, distance learning, and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially, and with it the risk to processes, people, and technologies.

Risk Quantification is Now Critical to Prioritize Successful Asset Protection

So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps? 

A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.

Risk quantification aims to produce an operating risk score from multiple factors: the business processes at stake, current and likely future events, network use, user behavior, and the characteristics of the data involved. Properly executed, teams can continuously calibrate and tune the algorithms that produce the scores. Ideally, a score gives a forward-looking view that responds to changes in the external environment, business processes, and technologies.

For example, cyber risk postures are shifting as threat actors target video conferencing and VPN traffic, following the surge in people working and learning from home. At the same time the internet is stressed by increased streaming and gaming traffic, and spear-phishing and scams are on the rise. If an email arrives that looks legitimate and concerns personal finance or health, employees working from home are apt to click and be trapped, raising the risk of a bad actor penetrating the organization and threatening its information and assets.

How to Quantify Risk With a Top-Down, Bottom-Up View

Teams strive for a 360-degree, top-down and bottom-up view of risk on which to base mitigation investments. The diagram below shows how operational risk, resilience, and cyber teams can get on the same page to do just that. Driving toward a common risk score ensures the teams use aligned techniques and methods.

Top-down views take information from the business in dollar terms, rather than only the days or hours to return to operations (the recovery time objective, RTO) or the tolerable data loss (the recovery point objective, RPO). RPO and RTO are the usual resilience measures captured in business impact assessments (BIAs), but they are not sufficient for risk quantification.

Cyber teams can work hand in glove with the operational and resilience teams that assess inherent and residual risk within a high-priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a dollar value on the criticality of a process, say keeping the order processing system up 24×7.

From the bottom up, security and cyber teams map threats and vulnerabilities to the assets that support critical business processes and estimate the real cost of mitigating those vulnerabilities: strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, moving some applications to a third-party cloud provider, or taking out cyber insurance. The options are finite. With a risk score backed by the top-down view, cyber teams can weigh one mitigation, or a combination, for optimal defense in depth.

For example, a team will know the dollar amount needed to deliver a mitigation, such as deploying stronger anomaly detection on a critical business process, and the dollar loss it is expected to avert.
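As an added illustration of the top-down, bottom-up method described above (example code written for this page, not a MetricStream product and not the method behind the diagram), the following Python chooses a portfolio of mitigations for one business process. The top-down input is the process owner’s expected annual loss per threat scenario; the bottom-up input is each candidate mitigation’s annual cost and the fraction of each scenario’s loss it is expected to remove. The scenarios, mitigations, dollar figures and reduction fractions are all constructed for illustration. Controls that address the same scenario are assumed to stack multiplicatively, one simple way to express defense in depth.

```python
"""Pick the combination of mitigations that minimises residual loss plus spend for one process.

Top-down input : expected annual loss per threat scenario, from the business (dollars).
Bottom-up input: candidate mitigations, their annual cost, and the fraction of each
                 scenario's loss they are expected to remove.
Assumption     : controls addressing the same scenario stack multiplicatively,
                 residual = ALE * prod(1 - reduction_i)  (a simple defence-in-depth model).
All figures below are constructed for illustration, not taken from any real assessment.
"""
from itertools import combinations

# Top-down: what the order-processing owner and op-risk team expect to lose per year.
SCENARIOS = {
    "ransomware on order database": 900_000.0,
    "credential phishing":          600_000.0,
    "unpatched web app RCE":        500_000.0,
}

# Bottom-up: name -> (annual cost, {scenario: fraction of that scenario's loss removed}).
MITIGATIONS = {
    "phishing-resistant MFA": (120_000.0, {"credential phishing": 0.8, "ransomware on order database": 0.3}),
    "patch SLA plus WAF":     (150_000.0, {"unpatched web app RCE": 0.7}),
    "immutable backups":      (90_000.0,  {"ransomware on order database": 0.6}),
    "network segmentation":   (300_000.0, {"ransomware on order database": 0.4, "unpatched web app RCE": 0.3}),
}


def residual_ale(scenarios: dict, mitigations: dict, chosen: tuple) -> dict:
    """Residual expected loss per scenario once the chosen mitigations are in place."""
    residual = {}
    for scenario, ale in scenarios.items():
        keep = 1.0
        for name in chosen:
            keep *= 1.0 - mitigations[name][1].get(scenario, 0.0)
        residual[scenario] = ale * keep
    return residual


def total_cost(mitigations: dict, chosen: tuple) -> float:
    """Annual spend for a set of mitigations."""
    return sum(mitigations[name][0] for name in chosen)


def best_portfolio(scenarios: dict, mitigations: dict, budget: float) -> tuple:
    """Exhaustively search every subset that fits the budget and return
    (residual loss + spend, chosen mitigations, spend) for the cheapest overall outcome.
    2**n subsets is fine for the handful of candidates a single process usually has."""
    names = list(mitigations)
    # Baseline: do nothing and accept the full expected loss.
    best = (sum(scenarios.values()), (), 0.0)
    for k in range(1, len(names) + 1):
        for chosen in combinations(names, k):
            cost = total_cost(mitigations, chosen)
            if cost > budget:
                continue
            objective = sum(residual_ale(scenarios, mitigations, chosen).values()) + cost
            if objective < best[0]:
                best = (objective, chosen, cost)
    return best


if __name__ == "__main__":
    for budget in (250_000.0, 400_000.0):
        objective, chosen, cost = best_portfolio(SCENARIOS, MITIGATIONS, budget)
        print(f"budget ${budget:,.0f}: spend ${cost:,.0f} on {', '.join(chosen) or 'nothing'}; "
              f"residual loss + spend = ${objective:,.0f}")
```

With the constructed figures, a $250,000 budget buys MFA plus immutable backups (residual loss plus spend of about $1.08 million against a $2 million do-nothing baseline), and a $400,000 budget adds the patch SLA and WAF (about $882,000). Network segmentation never makes the cut at these budgets: it is the most expensive option and overlaps with controls that remove more loss per dollar. Swapping in the team’s own ALE figures and reduction estimates is the whole exercise; the search itself is the easy part.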

Risk Quantification Creates Agility and Speed in Remediation

With risk quantification, teams gain insight, agility, and speed in remediation. They can compare a forward-looking risk score and the dollars needed to mitigate it against the dollar impact, and prioritize efforts by score and magnitude of impact.

To take advantage of this best practice, security and cyber teams must keep deploying and refining risk quantification methods as a scalable discipline, and use them to invest in just the right areas as cyber programs evolve with increasing digitalization.


Stay tuned!

Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and orchestrate risk across IT, cyber, op risk, incident and crisis response and other disciplines.

Yo McDonald, Vice President, Customer Success and Engagement, MetricStream, is a seasoned executive in Governance, Risk and Compliance (GRC) consulting and product solutions. She drives customer engagement and retention, while fostering a culture of customer success at MetricStream.

 

Through the GRC Lens – April 2020


Has “work-from-home” opened the door to more cyber-attacks?

In the last few months, the COVID-19 pandemic redefined risk management and forced businesses to review their cyber-attack mitigation strategies to understand the gaps in their approach to cybersecurity. Today, the world seems to be gradually re-emerging from the crisis and getting a grip on the aftermath. Globally, businesses are beginning to prepare for their return to work, anticipating the mid- to long-term implications of the crisis and working towards a strategic response to the challenges. While the world gets ready to adapt to the New Normal, let’s find out what made it to the headlines in April, through the GRC lens.

Redefining the remote work environment

In early March, JPMorgan experimented by allowing 10% of its employees to work from home. A month later, JPMorgan’s Co-president Daniel Pinto said that staff could work from home on a rotational basis more permanently, in line with the bank’s future vision of work. Recently, tech giant Facebook also announced that most of its employees will be allowed to work from home through the end of 2020, and Twitter made WFH permanent for all its employees.

After witnessing no significant drop in productivity under the WFH regime, organizations around the world seem to be getting comfortable with the idea. The new social distancing policies have also got organizations reconsidering their plans to get back to the office.

Arguably, COVID-19 proved to be the greatest catalyst for rapid change in workplaces. According to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. It now appears that this shift could outlast the lockdown. However, the growing move to virtual ways of working has dramatically altered the cyber threat landscape, with the potential for greater risks this year.

Strengthening the cyber defense

At the beginning of April, Marriott International revealed that a security breach may have exposed the personal information of 5.2 million guests. Soon enough, Cognizant was hit by a ‘Maze’ ransomware attack, causing disruptions to some of its clients. Zoom, a heavily used video-conferencing app, was again compromised by credential stuffing, and over 500,000 credentials were sold on the dark web. Recently, Unacademy, an India-based online learning platform, also suffered a data breach that exposed details of 22 million users.

Phishing increased by 350% since the coronavirus outbreak started (between January and March 2020), according to data gathered and analyzed by Atlas VPN. It goes without saying that remote work inevitably brings a new set of risks and challenges.

While we can’t solely blame the shift from office spaces to work from home for the increase in cyberattacks, organizations need to step up their cyber game to align better to this new way of working.

In a recent virtual conference, hosted by Global Cyber Center of NY, William Altman, the company’s Senior Analyst, said, “Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce…It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”

Looking at the brighter side, we can believe that every crisis comes with opportunities for reinvention and differentiation. Although no one could have predicted the upheaval caused by the COVID-19 pandemic, which disrupted businesses and economies around the globe, it has now become imperative for organizations to pay extra attention to the blind spots in risk management and strengthen their cyber defense.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Through the GRC Lens – February 2020


Building a Future of Trustworthy AI

The European Commission recently unveiled its long-awaited proposal to regulate artificial intelligence (AI). But will the new proposal stifle innovation? Find out more through the GRC Lens – February 2020 edition. 

On the 19th of February, the European Commission (EC) President, Ursula von der Leyen, Executive Vice-President, Margrethe Vestager and EU Commissioner for Internal Market, Thierry Breton, held a press conference at the European Commission headquarters in Brussels, unveiling their ideas and actions to regulate AI.  

Keen on building “a digital Europe that reflects the best of Europe,” the EC released a white paper on AI that defines an extensive framework under which AI can be developed and deployed across the EU. The paper includes considerations to govern high-risk uses of AI, such as facial recognition in public spaces, with an overall ambition to “shape Europe’s digital future.”

The proposal still has a long way to go. For now, the EC plans to gather opinions and reactions from companies, countries, and other interested parties before they begin to draft the laws. And although the AI white paper is open for suggestions until May 19, lobbying has already begun.

Worried AI Vendors: Will Regulation Stifle Innovation?

Although many AI experts have said that the regulation of AI is necessary, especially due to ethical concerns, there is considerable worry around the consequences of regulation. Europe’s new proposal has already had far-reaching implications on the big tech brands that have invested in AI. After the EC declared a 12-week discussion period, several tech leaders from large organizations have journeyed to Brussels to meet with EU officials.

Their major concern – will tough laws hinder innovation?

AI vendors are worried that if the process of regulation, considered a slow process that can be subject to interference and distortion, is applied to a fast-moving field like AI, it can stifle innovation and divert the technology’s enormous potential benefits.

To illustrate this concern, a recent article in Analytics India Magazine used the example of neural nets to explain how the regulation of AI could possibly hamper innovation. Neural networks work by finding patterns in training data and applying those patterns to new data, enabling researchers to solve problems that they couldn’t earlier.

For instance, CheXNet, an AI algorithm from Stanford, has an incredibly powerful ability to detect pneumonia among older patients through chest X-rays. But for technologies like these to work, they need a certain amount of creative and scientific freedom (within ethical boundaries, of course). If there is a ban on “black box” AI systems that humans can’t interpret, could AI innovation be impacted?

Another area of confusion revolves around the definition of “high-risk” applications of AI. The report seems to be unclear about high-risk applications in low-risk sectors, leaving companies uncertain on how to approach this issue.

The Need for AI Regulation: Consumer Protection

There is no doubt that AI has enormous potential to be used for good. But its accelerating adoption across industries comes with multiple ethical concerns.

According to a survey by KPMG, 80% of risk professionals are not confident about the governance in place around AI.

What happens when decisions are made by AI without human oversight? Recent instances have shown that automated decision-making can perpetuate social biases. In addition, deep fakes, surveillance technology, autonomous weapons, and discriminatory HR recruiting tools come with multiple serious risks. The focus of AI regulatory authorities is on developing frameworks to govern AI.

Like Anna Fellander, Co-founder of the AI Sustainability Center, said at the GRC Summit in London, “It’s no longer just about what AI can do, but what it should do.” In a similar vein, Andreas Diggelmann, “Office of the CEO,” Interim CEO and CTO at MetricStream said, “We need technology that serves humanity, not the other way around.”

Looking Forward to Trusted AI

AI expert Ivana Bartoletti, Technical Director, Deloitte – Cybersecurity and Privacy Division, speaking at Impact 2020 conference, said: “The reason why we’re talking so much about ethics in AI is over the last few years we have seen the best of technology – but also the worst.”

With its novel approach to AI regulation, the EC wants to promote the development of AI while respecting human fundamental rights and addressing potential risks that come with the technology. The EC wants a digital transformation that works for all, reflecting the best of Europe: open, fair, diverse, democratic, and confident.

The new AI proposal has already begun to receive acceptance in some industries. Ted Kwartler, Vice President, DataRobot, said the vendor welcomes calls for regulatory approaches that don’t stifle innovation. Christopher Padilla, VP, Government and Regulatory Affairs, IBM, also was reported saying in Protocol, “By focusing on precision regulation — applying different rules for different levels of risk — Europe can ensure its businesses and consumers have trust in technology.”

It appears now that big tech companies that want to tap into Europe’s market will have to play by the rules that come into force. Like the GDPR in 2018, will the new AI proposal inspire similar, tough regulatory action in other parts of the world? Read the MetricStream Blog to stay updated on more news.


 


Through the GRC Lens – January 2020


Introduction

Over the past decade, fraud has evolved to become more sophisticated and systemized. Thankfully, innovations in technology now enable businesses to better combat fraud. But there’s a catch. Modern technologies also present new opportunities to cyber criminals, making fraud harder to detect and easier to commit. This raises the question – is digitalization making fraud easy? Find out ‘Through the GRC lens’ – January 2020.


Fraud is on the rise

Fraud is increasing every year at an alarming rate. The Federal Trade Commission received more than 3.2 million reports of fraud in 2019. The 2020 Global Identity and Fraud Report found significant indications that business concerns around rising fraud persist, with nearly three in five businesses agreeing that fraud has increased exponentially in the past 12 months.

Along with this increase in sophistication, scammers are also beginning to get extremely creative with their attacks. We recently witnessed the first case of CEO voice fraud using AI. An energy company in Germany was cheated into allowing unauthorized transactions: fraudsters mimicked the voice of its real CEO, reproduced with ML-based AI software, to mislead the head of a UK subsidiary into transferring $220,000. The company managed to recover the amount later because it was covered by fraud insurance.

In another incident, PayPal users in the UK lost over £1 million to fraudsters in the last quarter of 2019 after being tricked by fake e-mails. E-tailers selling electronics, vehicles, phones, and household furniture via online marketplaces received an email allegedly from PayPal, asking for verification of a payment received for an item purchased. The fraudsters then sent a follow-up email asking for the tracking number, pressuring the e-tailer to ship the item and provide the tracking number as requested, without checking his PayPal account or the authenticity of the email. The unsuspecting victims reported losing a total of £1,121,446.

Media stories such as these only go to show how fraudsters are continuously improvising scamming methods, often facilitated by developing technology.

Technology to Combat Fraud

Innovations in Artificial Intelligence (AI), Robotic Process Automation (RPA), Machine Learning (ML), and Blockchain, are helping businesses adapt to changing behavior and predict anomalies quicker than traditional tools. For instance, Highmark Inc.’s Financial Investigations and Provider Review (FIPR) department leveraged artificial intelligence to generate over $260 million in savings associated with fraud, waste, and abuse in 2019, reported Health IT Analytics.

According to the Association of Certified Fraud Examiners (ACFE) inaugural Anti-Fraud Technology Benchmarking Report, the amount organizations spend on AI and machine learning to thwart online fraud is expected to triple by 2021.

Digitalization – creating a new spectrum of ‘smart’ fraud?

If technology has opened new doors for combating fraud, it has also allowed new and more pervasive forms of fraud to enter. Today, with the pace of technological advancements, it appears to be getting surprisingly easier to commit fraud.

Today fraudsters use sophisticated techniques to increase their success rate with high-quality attacks that circumvent bot-detection tools to enable greater efficiency with automated attacks. One such incident involved replicating human behavior such as faking human typing patterns.

And while technology can help predict an attack, a recent article by Payments Source, differentiated between basic and sophisticated attacks, pointing out that, “smart attacks work by using techniques that mimic human behavior and, by doing so, reduce the chances of being detected by bot-detection tools.”

“Expect criminals to increasingly utilize deepfakes to target the C-Suite and PSP’s authentication procedures to commit financial fraud,” stated a recent article on Paypers, adding, “SMS spoofing impersonates a trusted party such as a PSP as the sender of an SMS message, that appears to be from their banks but is actually from fraudsters and acts out instructions believing to be from their PSP.”

How can organizations be better protected?

A recent report from Kount and Javelin, ‘Protecting Digital Innovation: Emerging Fraud and Attack Vectors’, revealed that the risk of fraud slows innovation across industries. However, fraud prevention strategies transcend industry, enabling different businesses to learn from each other and adopt similar fraud mitigation strategies and tactics when innovating their products and services.

As Help Net Security highlights, “digital innovation and the corresponding increase in revenue will never reach their full potential, without integrating suitable fraud prevention initiatives.”

Recent cases of fraud and social engineering are indicators of what fraudsters can achieve with technology. But even if these criminals try to stay one step ahead of their targets with technological advancements, organizations need to invest in the next generation of automated fraud risk management measures to ensure safety.

According to the 2020 Global Identity and Fraud Report, “…fraud prevention efforts are aimed at stopping fraud and reducing losses. But an effective program also makes it easier for your good customers to do business with you…It starts with moving away from a one-size-fits-all approach.”

To prevent fraud, preparation is key. By taking a holistic approach, employing tools that increase visibility into cyberattacks, red-flagging unusual activity and behavior, and putting the right controls in place, organizations can identify anomalies early, before the damage is done, rather than after.


 
