
Global Cyber Executive Briefing

More than just strategy

Cyber-risk management has long been more than a strategic component. It is a fundamental part of every business activity. Nevertheless, many CXOs have yet to grasp its significance. The Cyber Executive Briefing uses selected Deloitte case studies to illustrate the threats and to point out solutions.

The industries examined in particular were: High Technology, Online Media, Telecommunications, E-Commerce, Insurance, Manufacturing and Retail.

Lessons from the front lines

Incident classification pattern        Percentage
Point of Sale System Intrusions        14%
Web App Attacks                        35%
Insider Misuse                          8%
Physical Theft/Loss                    <1%
Miscellaneous Errors                    2%
Crimeware                               4%
Card Skimmers                           9%
Denial of Service Attacks              <1%
Cyber-espionage                        22%
Everything else                         6%

Table 1: Frequency of incident classification patterns from 1367 breaches during 2013. Source: Verizon 2014 Data Breach Investigations Report [1]

 

Cyber-attacks can be extremely harmful. Tangible costs range from stolen funds and damaged systems to regulatory fines, legal damages, and financial compensation for injured parties. However, what might hurt even more are the intangible costs -- such as loss of competitive advantage due to stolen intellectual property, loss of customer or business partner trust, loss of integrity due to compromised digital assets, and overall damage to an organization’s reputation and brand -- all of which can send an organization’s share price plummeting, and in extreme cases can even drive a company out of business.

Being resilient to cyber-risks starts with awareness at the board and C-suite level; a recognition that at some point your organization will be attacked. You need to understand the biggest threats, and which assets are at greatest risk -- the assets at the heart of your organization’s mission. 

Who could potentially target your organization, and for what reasons? Which assets are attackers likely to view as most valuable? What are the possible scenarios for attack (see Table 1), and what is the potential impact to your business? 

Questions such as these can help determine how advanced and persistent the cyber-threats to your business are likely to be. This insight allows you, as a C-suite executive or board member, to determine your organization’s risk appetite and provide guidance that helps internal and external security professionals reduce your risk exposure to an acceptable level through a well-balanced cyber-defense. Although it isn’t possible for any organization to be 100 percent secure, it is entirely possible to use a mix of processes for prevention, detection, and response to keep cyber-risk below a level set by the board and enable an organization to operate with less disruption. 

To be effective and well balanced, a cyber-defense must have three key characteristics: secure, vigilant, and resilient.

Secure: Being secure means focusing protection around the risk-sensitive assets at the heart of your organization’s mission — the ones that both you and your adversaries are likely to agree are the most valuable.

Vigilant: Being vigilant means establishing threat awareness throughout the organization, and developing the capacity to detect patterns of behavior that may indicate, or even predict, compromise of critical assets.

Resilient: Being resilient means having the capacity to rapidly contain the damage, and mobilize the diverse resources needed to minimize impact — including direct costs and business disruption, as well as reputation and brand damage. 

This executive briefing is a starting point for organizations to understand their most important cyber-threats. It highlights the top threats for seven key industry sectors -- retail, manufacturing, e-commerce & online payments, online media, high technology, telecommunications, and insurance – and offers real-world stories and practical insights to help your organization begin to assess its threat profile and stay a step ahead of cyber-criminals.

By highlighting real-life cases, we hope to make clear that being hacked is nothing to be ashamed of. Breaches occur at all organizations – not because they are badly managed, but because hackers and cyber-criminals are getting smarter every day. By sharing information about breaches we can learn how to better protect ourselves – an imperative being promoted by the Partnering for Cyber-Resilience [2] initiative of the World Economic Forum.

The stories clearly show that breaches are inevitable: your organization will be hacked someday. They also show that we all depend on each other for a resilient cyber-space. For example, online media can be used to spread malware; vulnerabilities in the high-tech sector affect other industries that use digital technology; and disruption in online payments impact e-commerce. By sharing and understanding these cases and taking responsibility at the C-suite and board level, we can all work together towards a safer cyber-space.

 

----------------------------------------------

[1] http://www.verizonenterprise.com/DBIR/2014/

[2] http://www.weforum.org/issues/partnering-cyber-resilience-pcr


High Technology

The high tech sector is often ground zero for cyber-attacks. One obvious reason is that these organizations have very valuable information to be stolen. However, another more subtle reason is the nature of high tech organizations themselves. High tech companies – and their employees – generally have a higher risk appetite than their counterparts in other sectors. Also, they tend to be early adopters of new technologies that are still maturing and are therefore especially vulnerable to attacks and exploits. For example, employees in high tech are more likely to use (and self-administer) cutting-edge mobile devices and the latest mobile apps, which might not be secure. In addition, many high tech organizations have open environments and corporate cultures that are designed to stimulate creativity and collaboration, but are more difficult to defend. As a result, high tech organizations typically have a very large attack surface to protect.

Business impact:

Loss of intellectual property and customer information

Reduced competitive advantage

Large financial losses

Reputation damage

Online media

The online media sector might have the greatest exposure to cyber-threats. Since its organizations operate online, they have a huge attack surface to protect. Also, since its products are in high demand and completely digital, there is a high risk of being infiltrated and robbed of valuable content – both by individuals and organized crime groups.

Business impact:

Reputational damage

Spread of propaganda

Manipulation of public opinion

Telecommunications

Telecom companies are a big target for cyber-attacks because they build, control and operate critical infrastructure that is widely used to communicate and store large amounts of sensitive data.

Business impact:

Damage to the company's reputation

Undermined customer trust

Loss of the organization's confidential information

E-Commerce & Online payments

As more and more businesses move or expand from bricks to clicks, criminals are following suit. Many e-commerce websites are directly connected both to the internet and to a company’s back-end systems for data processing and supply management, making the website a prime attack point for gaining access to crucial information assets within the organization.

Business impact:

Loss of trust, money and services

Identity theft of customers

Non-compliance issues

Insurance

Cyber-attacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios. This shift is driving increased investment in traditional core IT systems (e.g., policy and claims systems) as well as in highly integrated enabling platforms such as agency portals, online policy applications and web- and mobile-based apps for filing claims. Although these digital investments provide new strategic capabilities, they also introduce new cyber-risks and attack vectors to organizations that are relatively inexperienced at dealing with the challenges of an omni-channel environment. What’s more, the challenges are likely to become more complex as insurers embrace big data and advanced analytics that require collecting and handling vast amounts of consumer information. As insurers find new and innovative ways to analyze data, they must also find ways to secure the data from cyber-attacks.

Business impact:

Tangible costs related to legal fees, fines, lawsuits and fraud monitoring

Intangible costs such as loss of customers' trust

Customer compensation

Manufacturing

Manufacturers are increasingly being targeted not just by traditional malicious actors such as hackers and cyber-criminals, but by competing companies and nations engaged in corporate espionage. Motivations range from money and revenge to competitive advantage and strategic disruption.

Business impact:

Reputational damage

Loss of a competitive advantage and production

Retail

Credit card data is the new currency for hackers and criminals, and retailers possess a lot of it. This makes the retail industry an almost irresistible target for cyber-attacks.

Business impact:

Damage to the company's brand

Reduced sales

Fines and settlement costs

Conclusion

This report focused on seven key industry sectors that are prime targets for cyber-attacks. Follow-on reports will highlight the top cyber-threats in other major sectors that are also highly vulnerable. After all, the single biggest takeaway from the stories and insights presented here is that breaches are inevitable -- and that no industry or organization is immune. Your organization will be hacked someday. 

Attacks can result in significant tangible costs ranging from stolen money and property to regulatory fines, legal damages, and financial compensation. But those are just the tip of the iceberg. The really significant costs are the intangibles, particularly loss of competitive advantage, loss of customer trust, and damage to an organization’s reputation and brand. Intangibles such as these can have a major impact on an organization’s strategic market position and share price.

The good news is that cyber-threats are a manageable problem. As noted earlier, a well-balanced cyber-defense needs to be secure, vigilant, and resilient. Although it isn’t possible for any organization to be 100 percent secure, by focusing on these three key attributes, it is entirely possible to manage and mitigate cyber-threats in a way that reduces their impact and minimizes the potential for business disruption. 

In closing, here are five takeaway questions to reflect on through the lens of a secure, vigilant, and resilient approach to cybersecurity:

  1. Are we focused on the right things?
    Often asked, but difficult to accomplish. Understand how value is created in your organization, where your critical assets are, and how they are vulnerable to key threats. Practice defense-in-depth.
  2. Do we have the right talent?
    Quality over quantity. There may not be enough talent to do everything in-house, so take a strategic approach to sourcing decisions. Are the security teams focused on the real business areas?
  3. Are we proactive or reactive? 
    Retrofitting for security is very expensive. Build it upfront in your management processes, applications, and infrastructure.
  4. Are we incentivizing openness and collaboration? 
    Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren’t hiding risks to protect themselves.
  5. Are we adapting to change?  
    Policy reviews, assessments, and rehearsals of crisis response processes should be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.