Fighting Cyberattacks Requires Top-Down Approach
Mitigating cybersecurity threats requires organizations to reassess their approach to technical vulnerabilities, advised an internet security expert and author at the “Cybersecurity Threats and Concerns: An Overview” session of CIO’s Cybersecurity livestream on October 12.
In 2023, cybercrime is estimated to cost entities $2 trillion annually, and costs are projected to rise to $10.5 trillion by 2025, according to figures from the Internet Security Alliance, a nonprofit dedicated to integrating technology with economics and public policy to promote cybersecurity.
Prevalent cybersecurity threats demand that every organization employ “a completely different approach to cybersecurity from the top down … that every board of directors should be following,” said Larry Clinton, president of the Internet Security Alliance.
Organizations must move away from the posture that their IT division owns responsibility for safeguarding against cyberattacks, Clinton said.
“The original view was [threat protection] would bubble up from the IT department through the organization,” which has not happened, Clinton said. Instead, “what we really need is for cybersecurity to come down from the top of the organization … into the departments so that we have an enterprise-wide culture of security. It is the board’s responsibility to work with the executive team to … It is not just an IT-centric issue.”
For public and private entities, Clinton advised designing a cybersecurity roadmap using six core principles adopted by the National Association of Corporate Directors, the Internet Security Alliance and the World Economic Forum:
- Recognize cybersecurity as a strategic business enabler;
- Understand the economic drivers and impact of cyber risk;
- Align cyber-risk management with business needs;
- Ensure organizational design supports cybersecurity;
- Incorporate cybersecurity expertise into board governance; and
- Encourage systemic resilience and collaboration.
Businesses and governments must also delve further into the low cost of entry for digital criminals and the high probability they will profit, Clinton said.
“We have focused too much in the past on blaming the victims, and not so much on stopping the attackers: We’ve tried to apply basically 20th-century and 19th-century regulatory methods to a 21st-century problem,” Clinton said. “The problem really has its stem in the economics of the problem, [because] the fact is that all the economic incentives in the cybersecurity world favor the bad guys.”
For entities to protect effectively against cybersecurity threats, Clinton advised developing a deeper understanding of the problem, focusing on why the attacks occur rather than on acquiring more technology to prevent them. Cybercriminals can buy attack tooling on the dark web at low cost, with the potential to inflict costly damage.
On the dark web, “you can buy or outsource a distributed denial of service attack for about $500; you can buy access to corporate mailboxes for about $250; you can buy fake Instagram or [the platform formerly known as] Twitter addresses for $100; you can get a tutorial on how to conduct email attacks for $25; and you can purchase a template to show you how to do the attacks for $3,” Clinton said. “You can’t buy a Starbucks [drink] for $3.”
“We need to do more than be aware of cybersecurity,” he said. “We need to have understanding and action with regard to cybersecurity.”
For investment advisers and retirement plan members, Clinton advised:
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct periodic cybersecurity awareness training;
- Implement and manage a secure system development life cycle program;
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response; and
- Encrypt sensitive data when it is stored and in transit.
The best practices to comply with recently enacted Securities and Exchange Commission rules include:
- Incorporate cybersecurity in comprehensive risk assessments and make sure risk assessments are done often, are updated and include internal and external third parties;
- Assign specific roles and responsibilities for cybersecurity issues;
- Routinely update security/anti-virus software, passwords and access;
- Routinely communicate and work with cybersecurity and IT professionals in the company and at any third-party vendor; and
- Have a plan in place for when a cyberattack occurs and know who notifies authorities and clients.