In brief - Investing in security, developing an incident response plan and transferring economic risk are key to managing information security risks
Directors and officers risk litigation and criticism if they fail to give serious attention to information security and managing risks associated with information security breaches. There are significant financial and reputational costs associated with failing to respond proactively to this threat.
Trade secrets and intellectual property also fall under information security
We use the terms "information security" or "data security" rather than "cybersecurity" or terms associated with privacy law, because information and data security reflects a broader range of concerns. Although trade secrets and intellectual property are not protected by the Privacy Act 1988 (Cth) or its state counterparts, companies must still protect them. The word "cybersecurity" may unhelpfully imply that information security is just a "computer problem".
Physical security as important to consider as cybersecurity
Cybersecurity issues deserve substantial attention, but they must be considered in conjunction with physical security: the computers and networks used to handle confidential information must be protected from both physical and digital unauthorised access.
By way of example, software keyloggers covertly record which keyboard keys are depressed, then relay this information to an attacker. A USB keylogger is a small, easily installed physical device which does the same thing and can be readily purchased for roughly $US60.
Privacy Act and other regulations may apply to your company
Unlike other jurisdictions, Australia has no blanket provision which requires companies to take steps to protect "information" per se. Some organisations will be subject to the Privacy Act and comparable state legislation. Some industries (notably healthcare and telecommunications) are subject to additional privacy regulation.
Organisations subject to the Privacy Act are obliged to take "such steps as are reasonable in the circumstances" to protect the information which they hold. The Office of the Australian Information Commissioner (OAIC) has released guidance on how it decides whether security measures are reasonable.
At present, companies are not obliged to notify individuals whose data is compromised in a data breach. However, reports suggest that the LNP Coalition supports such an obligation and mandatory breach notification legislation is currently before the House of Representatives.
Federal government agencies are subject to the Australian Privacy Principles and the Commonwealth Protective Security Policy Framework. Mandatory information security requirements may be imposed under the framework and these requirements may also extend to private companies which contract with regulated agencies.
Companies could face hefty fines for breaches of privacy
While the OAIC has the power to investigate breaches of privacy, to date it has exercised its power to impose fines sparingly. The only fine we are aware of was issued to Telstra in March 2014. While the penalty of $10,000 was relatively modest, it is possible that the OAIC treated Telstra with lenience in view of the then current revisions to Australian privacy laws.
The OAIC has the power to levy fines of up to $1.7 million. Only time will tell how it will choose to exercise this discretion in future.
Significant financial and reputational risks
The costs of a breach of information security are often significant. The Ponemon Institute's 2014 Cost of Data Breach: Australia report found that the average cost of a data breach experienced by 22 Australian companies in 2013 was $AU2.8 million.
A publicised breach of information security can have deleterious effects on a company's reputation and balance sheet. The Ponemon Institute's report found that, on average, reputational losses and increased customer turnover constitute 28% of the cost of a breach.
Customers affected may feel anxious, that their privacy has been invaded and that their trust in the company was misplaced. However, if a security breach is handled promptly and effectively and if customers are kept informed, the breach need not lead to lasting reputational damage.
Lawsuit against Target in the US highlights risk of litigation
While we are presently unaware of any litigation before Australian courts which alleges loss arising from a data breach or a computer or network security incident, such litigation is well known in the United States.
The recent Target data breaches spawned roughly 140 lawsuits. The majority of these were filed by consumers whose information was compromised; roughly 29 were filed by banks and payment processors who allegedly suffered indirect losses from the breach and two shareholder derivative suits have been brought.
These shareholder derivative suits are noteworthy. They appear to be the first derivative suits brought by shareholders against the directors and officers of a company, alleging a failure to maintain adequate cybersecurity and a failure to manage a breach appropriately. While the prospects of this and other litigation are uncertain, even meritless litigation can still be a significant distraction and expense.
Corporate espionage may give your competitors the edge
Digital technology facilitates the rapid copying and exchange of vast amounts of information, which increases the threat of corporate espionage. Ultraportable storage devices can contain terabytes of illicitly copied data, or data can be stolen from the other side of the globe using the internet.
Edward Snowden's theft of 1.7 million documents from the National Security Agency is a striking example of the former risk. A compromise of confidential information could give your competitors a free ride or your interlocutors an edge in negotiations.
Although the annual global cost of cybercrime is said to be $1 trillion, this figure is dubious. Suffice it to say that any company with valuable confidential information should review its information security practices very carefully.
DDoS attacks and malware can interrupt business
Normal operations can be disrupted in a variety of ways: (distributed) denial-of-service attacks may prevent customers from accessing your websites, or malicious software (malware) can infect computer networks.
This may either disrupt activities directly, or the security implications of the malware may necessitate the suspension of operations until the malware can be quarantined and removed. The disruption of a business partner's operations may have flow-on effects which disrupt your company's activities.
Four questions about information security all businesses should consider
We must consider four questions when thinking about information security:
- What is the organisation's current security posture?
- What information and resources require protection?
- What threats must be guarded against?
- How are those threats most likely to materialise?
While the answers to these questions vary across companies and industry sectors, it is possible to say that some sorts of threats are, historically, more common than others.
Nine categories of breaches describe most cases
Verizon recently stated in its 2014 data breach investigation report that nine broad categories of information security breaches describe 92% of 100,000 data breaches reported over the last decade. Those nine categories are:
- point-of-sale intrusions
- web application attacks
- insider misuse
- physical theft or physical loss of device
- crimeware / malware
- card-skimming attacks
- denial-of-service attacks
- miscellaneous errors
What we can learn from recent cyberattacks and security researchers
Below we look at a number of recent examples of cyberattacks or lapses in security and what the results were for their victims. We also examine some attacks discovered by security researchers which have not yet been exploited by cybercriminals. They illustrate the complexity of the modern security environment, the ingenuity of researchers and, by proxy, the inventiveness of attackers.
Credit card information and personal details stolen from Target's network
In December 2013, the US Secret Service informed Target that its computer systems had been compromised. Hackers gained access to Target's network using credentials stolen from one of Target's contractors. These credentials allowed some access to Target's non-public computer systems.
The hackers were then able to infiltrate Target's network and install sophisticated malware on point-of-sale terminals in Target's stores. This malware recorded credit card information and collected personal customer information, which was then encrypted (that is, translated into "ciphertext" which can only be decoded by parties with the secret decryption key), aggregated and transmitted to the attackers.
This is illustrative for a number of reasons:
- The initial breach of Target was achieved by compromising a trusted third party.
- Although the malware was complex, the pattern of the attack was typical: the malware is injected into the victim's network and then escalates its privileges and traverses the network until it is in a position to achieve its goals. It then works to fulfil its mission, which in this case involved the acquisition, collation and exfiltration of data.
- An external party notified Target of the breach, which is unsurprising as modern malware tends to operate covertly.
The effects of the breach included:
- $US61 million spent dealing with the breach (as of February 2014)
- a drop in share price partially attributable to the breach and its aftermath
- one of Target's vice-presidents was summoned to testify before the US Senate's Judiciary Committee about the data breach
- the resignations of Target's CEO and CIO
Phishing emails compromise hedge fund's trading systems
Recent reports indicate that an unknown US hedge fund suffered a data breach in late 2013 when an employee was fooled by a "spearphishing" email (a bespoke phishing email which is handcrafted to deceive an individual or a well-defined group of individuals).
The email purported to contain capital markets analysis, but its true purpose was to cause its recipient to install malware on the hedge fund's network. This malware successfully delayed the execution of trading orders placed by the fund and reported the fund's trading strategies to its masters.
Theft of unencrypted devices leads to class action
In December 2009, a number of laptops were stolen from AvMed, a US health insurer. The laptops were unencrypted and contained the personal details of large numbers of AvMed's insureds.
AvMed's insureds brought a class action against AvMed and in March 2014, the court approved a settlement for $US3 million. As part of the settlement, AvMed undertook to implement security awareness training and to improve the physical and logical security of its systems.
Australian government inadvertently publishes data to the world
Closer to home, the Australian Department of Immigration suffered a data breach when it unintentionally published to its website a document containing confidential information relating to 10,000 asylum seekers. It appears that a departure from normal procedure, ignorance and haste to comply with a deadline were factors which contributed to the breach. A number of the affected individuals are pursuing litigation against the Department and the incident received substantial media attention.
CryptoLocker a particularly damaging form of ransomware
Ransomware is a subset of malware which renders a computer unusable until the ransom is paid. CryptoLocker and similar programs are particularly pernicious. Once installed, they begin encrypting files stored on the victim's computer and network and render files unusable once encryption is complete. CryptoLocker then demands that the victim pay the ransom to have the files decrypted.
Removing CryptoLocker does not decode the files; decrypting the ciphertext without the decryption key is believed to be computationally unfeasible. Users can either choose to restore backups which predate the CryptoLocker infection, or pay the ransom, although there is no guarantee that the attackers will then decrypt the files.
In early August 2014, two IT security firms that had obtained the CryptoLocker decryption key announced that they were helping victims decrypt data encrypted by CryptoLocker. However, this is not a long-term solution to CryptoLocker, as extortionists may easily switch to another encryption / decryption key pair. Neither is it a development that assists victims of other file-encrypting ransomware.
Appliances and devices connected to the internet may not be adequately protected
The "internet of things" refers to an increasing trend to connect novel appliances and devices to the internet. This includes everything from internet-accessible home thermostats, to televisions, baby monitors and smartphone controllable light bulbs.
Unfortunately, many of these systems have vulnerabilities which leave the user's data exposed. (See Internet of Things Research Study, HP, 2014.)
Security researchers discover malware that turns telephones into listening devices
Researchers recently discovered that attackers with physical access to Cisco IP telephones could install malware on the telephones.
The malware infected other networked telephones and transformed each infected telephone into a listening device which transmitted all sound the microphone detected – even if no call was in progress – to its master.
This vulnerability in the operating system could have been exploited by, for example, a visitor left unattended in a conference room.
Security researchers find access to WiFi that allows eavesdropping
In 2014, security researchers discovered that LIFX's WiFi controllable light bulbs broadcast the passwords to their owner's WiFi networks in an insecure manner. A malicious party could exploit this weakness in order to obtain access to the wireless network. This would allow them to eavesdrop on network traffic and launch further attacks.
Proactive risk management is crucial
While perfect information security is effectively impossible in the modern corporate context, it is possible to improve information security. Fortunately, most cybercriminals are not exploiting loopholes in your telephone's software. Verizon's 2013 Data Breach Investigations Report suggests that, out of all the attacks it analysed:
- 75% were opportunistic, that is, the target was selected because it was vulnerable
- 78% used relatively simple methods to penetrate the target's network
Therefore, proactive risk management can significantly ameliorate the risks of a breach of information security.
Reduce residual risk to acceptable levels
The residual risk posed by a breach of information security can be reduced to acceptable levels by:
- Preventing risk - engineering systems and shaping behaviour to reduce the probability of a breach. In other words, make it harder for people to penetrate your computer systems.
- Mitigating consequences - developing an incident response plan to mitigate the consequences of a breach.
- Transferring economic risk - insuring against the economic risks of a breach.
Cybercriminals continuously look for new attack methods
Cybercriminals continuously innovate in response to attempts to secure data. Unfortunately, the battle between the data owner and the computer hacker is asymmetric: an attacker need only penetrate a network at one point, while a defender must continuously guard all points of ingress. Attackers have the initiative, while defenders are typically reactionary.
Conduct a broad-spectrum security audit
We previously suggested that directors and officers need to consider the assets they need to protect, the risks they are exposed to and the mechanisms by which those risks might crystallise. In addition to this, we suggest that companies should conduct a broad-spectrum security audit which would:
- assess what sorts of information the company holds
- empirically determine where that information (and copies of it) are kept
- assess what level of protection is required for each kind of information
- review any IT security and security policies currently in force
- review the security training given to all staff members
- assess the adequacy of the policies and training
- empirically evaluate real-world staff member compliance with policies and training (through confidential interviews and other means)
- assess the physical security procedures in place
- assess the logical security of the corporate network and all devices which have access to it
- review third parties' and service providers' policies and procedures if there is a chance that an attacker could exploit the data or credentials they hold
Improve your security measures before a breach occurs
A security audit may well highlight gaps in security which need to be filled. This may require widespread upgrading of computer systems, revision of policies and procedures, and retraining. In our view, directors and officers should see this as an unavoidable cost of doing business: the choice is whether you remediate before or after a breach.
A failure to implement adequate cybersecurity defences has prevented at least one company from obtaining cybersecurity insurance. We predict that cybersecurity underwriters will become increasingly discerning and will be increasingly reluctant to write policies for companies with inadequate security.
Maintain security measures and educate employees
Once adequate logical security is in place, those security measures must be maintained. New vulnerabilities are constantly discovered and remedied by manufacturers. Employees need to be aware of the necessity of keeping operating systems, software and firmware up to date with the latest security patches.
Review backup procedures and strictly segregate backups from live network
Enterprise data should be regularly backed up to an off-site location. The backup procedure should be periodically reviewed to ensure that all necessary data is backed up, and that if required, restoring data from backups is practical.
While there is some inconvenience involved, backups should be strictly segregated from the live network to protect against the risk that they will be compromised by ransomware like CryptoLocker.
Test computer systems for vulnerabilities
Security professionals familiar with the techniques used by hackers and cybercriminals can be retained to test computer systems for known vulnerabilities. In our view there are significant benefits in having such an independent expert evaluation.
While more penetration testing is likely to uncover further vulnerabilities, even abbreviated penetration testing is worthwhile.
Incident response plan may contain the breach, reduce its effects and deflect criticism
All companies should expect an information security breach at some point. One allegation raised in the Target shareholder derivative suits is that the directors and officers failed to manage the breach appropriately. Having an incident response plan in place prior to a breach is likely to help contain the breach, reduce its effects and deflect criticism.
A designated incident response team with broad-ranging authority to manage an incident should be appointed. This team will need to include senior staff, members from the board and management, information technology, legal, risk management, security, public relations and human resources.
When an information security event occurs, the team should:
- confine the breach and investigate its mechanism, nature and scope
- liaise with regulators, insurers and law enforcement bodies
- if warranted, retain external consultants and co-ordinate their investigation, which will probably require assistance from employees in IT and any other witnesses
- liaise with business partners and customers whose data may have been compromised so that these parties may protect their position
- monitor and manage any media coverage of the breach
Wargaming can test security and effectiveness of response plan
Once the incident response team is formed and a response plan is in place, it may be further refined through "wargaming". In a war game, external consultants attack the network to ascertain whether security is adequate and whether the response plan can be implemented in a realistic simulated situation.
Consider a more comprehensive cybersecurity insurance policy
Managing an information security event is expensive, but appropriate insurance cover can defray much of that expense. While cybersecurity cover may be available under some management liability or general liability policies, many significant information security risks may fall outside of this cover. Furthermore, any available cover may be the subject of relatively low sub-limits.
A general policy with limited cover is inadequate for any entity with substantial information security exposure. Accordingly, we suggest that risk managers consider purchasing a more comprehensive cybersecurity insurance policy which provides cover for a range of costs listed below.
These are the costs incurred by the victim of a breach, which often include the costs of a forensic investigation, legal advice, public relations expenses, the costs of notifying customers affected by the breach, credit monitoring and identity theft protection services and other miscellaneous crisis management costs.
These costs are often significant and some research suggests they may constitute 38% of the cost of a data breach.
This is the loss suffered by a business which is unable to trade because its systems, or the systems of a service provider, are disrupted by a cybersecurity incident.
This includes cover for the cost of defending and settling litigation brought by third parties who suffer loss caused by a cybersecurity incident targeting the insured's systems, and for fines and penalties.
Data reconstitution costs
These are the costs incurred in restoring data lost or corrupted during a cybersecurity incident.
Cyber extortion expenses
These are the costs involved in handling a cyber extortion demand such as CryptoLocker. These are likely to include forensic investigation or technical assistance and the ransom sum, if payment of the ransom is considered advisable.
In our view, directors and officers should retain independent insurance specialists to review the coverage provided by their insurance programme, to assess any gaps in its cover and to assess the policy limits with respect to their company's risk profile.
Invest in adequate security, develop incident response plan and transfer economic risk
All companies have exposure to breaches of information security. This exposure can be reduced by investing in adequate security and cybersecurity measures, by developing an incident response plan and by transferring economic risks to third parties.
Directors should take steps to inform themselves of their company's exposure to information security risks, information security policies and actual compliance (or failure to comply) with those policies. In addition, they should examine the adequacy of those information security practices and whether their insurance programme offers them enough cover for information security risks.
This article first appeared in the September 2014 edition of Governance Directions.