Top executives appear uncertain about the return on spending big dollars on systems to guard against cyber attacks on their companies. This is despite such attacks becoming highly sophisticated, prompting advice to focus on the “crown jewels” and on containing the damage efficiently.
“There are only two types of organizations out there now: Those that have had an [cyber attack] incident, and those that claim they haven’t in fact but have,” said Terry Jost, who heads Ernst & Young’s risk practice.
And yet an E&Y report discussing the results of a recent survey, titled “Get Ahead of Cyber Crime,” actually found a decrease in the number of organizations saying their information-security function fully meets their needs. There was also a decrease among those saying their information-security function partially meets their companies’ needs but improvements are underway (the vast bulk of respondents).
A full 56 percent of respondents said it is unlikely or highly unlikely that their organizations would be able to detect a sophisticated attack. And while most companies reported having internal threat-intelligence programs, supplemented by information from third parties, to better ascertain evolving cyber risks, more than a third said they had no such program.
The report notes that a foundational component of cyber security is the set of processes and technology supporting an information-security function, which is most effective when centralized in a security operations center (SOC). However, over 40 percent of respondents reported not having a SOC, and of those that did, more than half said they either couldn’t tell how well their SOC met business operations’ needs or that the SOC simply didn’t interact with the business.
Those responses suggest companies are uncertain about where to spend their cyber-security dollars, especially given the regularity of news about successful attacks on some of the biggest spenders on such systems, the major banks. Mr. Jost said cyber attacks have become inevitable, and their level of sophistication today often matches what was once considered possible only for nation states. In addition, it has become increasingly uncertain what an attacker’s goal might be: to disrupt the company; to steal credit-card data or other customer information, a crime that is becoming less profitable because of growing competition among criminals; or to take much more valuable intellectual property, the loss of which can cause long-lasting harm.
Consequently, Mr. Jost said, companies must view cyber defenses from an economic perspective. The key is to define the critical functions across the company and simulate the impact of an attack on each, to find where an attack could cause lasting harm. In the case of the treasury department, Mr. Jost said, that may be in areas such as financial planning, or hedging the company’s currency or interest-rate exposures.
That means understanding how to monitor those critical functions for breaches and how to move the affected data or function to reduce the impact of an attack. Drawing up a plan of action should an attack occur is vital, said Mr. Jost, noting that just as a homeowner confronting an intruder has several options, including grabbing a gun, running, or calling the police, so too does a company. That pertains to dealing with the immediate attack as well as the public-relations aftermath.
“There have been incidents where you wonder why it took the company 60 or 90 days to respond to news about a breach, and it probably didn’t have a good incident response plan worked out,” Mr. Jost said.
Supplementing internal efforts with third-party intelligence about the latest attacks and attackers is also important. Unless it’s the first time a specific piece of malware has been used, third parties specializing in this area have likely captured a “fingerprint” of the software that can help companies understand the nature of an attack much faster.
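The “fingerprint” idea above is usually implemented as indicator matching: a captured file is hashed and compared against a vendor feed, and byte-pattern signatures are run over it to catch variants whose exact hash the feed has never seen. The example below is added here to illustrate that, and is not code from the article, from E&Y, or from any vendor product. The feed, the family name “ExampleFamily”, the `c2.example.invalid` host and all three sample blobs are constructed placeholders, not real malware or real indicators; the point is to show why an exact-hash fingerprint matches only a previously captured sample, why a pattern signature still catches a lightly modified variant, and why a never-before-seen sample yields no intelligence at all.

```python
"""Match captured files against a (constructed) threat-intelligence feed.

Two kinds of fingerprint are checked:
  * exact SHA-256 hashes: brittle, any one-byte change breaks the match
  * byte-pattern signatures: catch recompiled or lightly repacked variants
Everything below is example data; none of it refers to real malware.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # regex over raw bytes, like a minimal YARA string rule


# Constructed "malware" samples: harmless placeholder bytes with a fake PE header.
SAMPLE_KNOWN = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"cmd.exe /c beacon http://c2.example.invalid/gate.php" + b"\x00" * 4
)
# Same family, different C2 path and one padding byte changed, so the hash differs.
SAMPLE_VARIANT = (
    b"MZ\x90\x00" + b"\x00" * 7 + b"\x01"
    + b"cmd.exe /c beacon http://c2.example.invalid/upd.php" + b"\x00" * 4
)
# Something the feed has never seen (first use of a new tool).
SAMPLE_UNKNOWN = b"MZ\x90\x00" + b"\x00" * 8 + b"hello world" + b"\x00" * 4


def sha256_hex(data: bytes) -> str:
    """Exact-content fingerprint of a captured file."""
    return hashlib.sha256(data).hexdigest()


# Constructed feed: the vendor previously captured SAMPLE_KNOWN, hashed it, and
# wrote one pattern signature for the family's beacon string (hypothetical names).
FEED_HASHES = {sha256_hex(SAMPLE_KNOWN): "ExampleFamily/A"}
FEED_SIGNATURES = [
    Signature(
        "ExampleFamily beacon string",
        rb"beacon http://c2\.example\.invalid/[a-z]+\.php",
    ),
]


def match_indicators(data: bytes) -> dict:
    """Return what the feed knows about `data`: hash hit, signature hits, verdict."""
    digest = sha256_hex(data)
    hash_hit = FEED_HASHES.get(digest)
    sig_hits = [s.name for s in FEED_SIGNATURES if re.search(s.pattern, data, re.DOTALL)]
    if hash_hit:
        verdict = "known-sample"            # exact fingerprint on file
    elif sig_hits:
        verdict = "known-family-variant"    # hash unknown, but family pattern present
    else:
        verdict = "no-intel"                # nothing captured before; analyze from scratch
    return {
        "sha256": digest,
        "hash_hit": hash_hit,
        "signature_hits": sig_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, blob in [
        ("known", SAMPLE_KNOWN),
        ("variant", SAMPLE_VARIANT),
        ("unknown", SAMPLE_UNKNOWN),
    ]:
        print(label, match_indicators(blob))
```

Running it shows the three outcomes side by side: the captured sample matches on hash, the variant misses the hash but is caught by the family signature, and the unknown sample returns no intelligence, which is exactly the case the article flags as the one third-party feeds cannot shortcut.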