Know the Current Liabilities
Before the cloud, everyone had his or her own little medieval IT castle—the data centre. Much like a real castle, it had a perimeter wall (network edge), a gate with guards who allowed or blocked access (firewall) and different defence zones within the walls (network segments). It was pretty simple to identify liabilities—they came from the guys trying to ram in the castle door.
Today, the perimeter is gone. We live in a network of small villages where the data now resides. An attack could come from anywhere. Most people, especially if they’ve been in the business for a long time, have not moved to the new paradigm, yet. They’re not thinking about outside services, but they should be. It’s the cybersecurity manager’s responsibility to shift that paradigm, so people are thinking about vulnerabilities from the attacker’s position, not from a supposedly safe spot inside their own castle walls.
To do that, the cybersecurity manager needs to know how much the company has been exposed to security risks, now and in the past. This is cyber exposure, and it doesn’t just mean data leaked to the public or breached from the organisation. Data can be leaked from partners, the supply chain, employees, clients, or anyone with access to company information.
Types of Liabilities Due to Cyber Exposure
We have met a number of cybersecurity managers who had long careers in their companies. They got very nervous after learning that they never knew about many of their liabilities and cyber exposure. Now, they wondered, were they hacked three years ago, but the cybersecurity manager was never informed?
If you’re new to the job, make sure you won’t be surprised about the past. Do your homework about exposure so you’re not blindsided by people coming to you with exposures. As the security expert, the cybersecurity manager must be the one to inform others. That’s the job.
If a cybersecurity manager has the means to learn about their liabilities; they should use that means. Surprisingly, many people decide not to do so; they decide not to be informed. That’s sorely misguided. Here’s some of what they are missing:
The liabilities can be split into eight different categories or sectors. Any new cybersecurity manager needs to know if any of these things has happened already—or, in the worst case, is happening on their very first day on the job.
Disclosure of Sensitive Information
The first category of liability is disclosure of sensitive information. Every company has internal emails, documents, data, and pricing. Tech companies have source code, proprietary software they’re developing, and trade secrets. If this stuff gets leaked out, it is first and foremost a reputation risk. This must be looked at from two perspectives: what it means for the business and what it means to risk management people.
External Data Breach
The second category is an external data breach. This is a data breach through third parties—business partners, supply chain vendors, HR, payroll companies, payment processors, and financial institutions. It’s a theft of company information, and the company doesn’t have any control over it. For example, if HR gives their employees’ private information to an outsourced payroll company and that system gets hacked, every employee’s address and bank account numbers could be breached.
Once the data is stolen, there’s nothing the company can do. The data is out there, and it’s no longer within their control to protect it. The liability in these cases will be viewed as the company’s, not the external service providers. In the eyes of the users, the data was in the hands of the company and it was stolen—they don’t care that a third party vendor was the source of the leak; they trusted the company to protect their information. They will say, “I gave the information to you, and you lost it.” This category of breach is common with cloud service providers.
Black Market Activity
The third category is black market activity. This happens when people sell company information to the highest bidder, usually on the dark web. Black market activity might be initiated by a rogue employee who’s offering to sell information for money or by an outsider soliciting an employee to sell them information. There are dark web forums that specialise in inside information trading. These marketplaces allow users to say what kind of information they want and ask how much it would cost. Then the hackers start bidding. “You pay me $250 or $500 and I’ll get all 50,000 customers home addresses and social security numbers for you.”
Black market activity is dangerous, even when the information hasn’t been lost or breached. Just the fact of someone saying publicly that they are willing to pay for or sell this kind of information makes it more likely such a transaction will take place in the future. An alert cybersecurity manager wants to know if their company is being talked about on the dark web. Whether the data has been lost or not, you need to be aware if someone is talking about you. You need to know if you’re a target.
Exposed Financial Information
The fourth category is exposed financial information. If the company is sending money to someone else, there’s a transaction log, and these get leaked quite often. Usually, transactional information is stolen, but thieves may also walk away with complete credit card or bank account numbers.
It sounds like it might not be a big deal—companies send millions of dollars to one supplier and thousands to another. But if hackers know how much money clients are routinely sending to which companies, they can pretend to be those companies and send out fake invoices or emails claiming the customer should have sent a larger amount, thus duping the company into paying a fake invoice to the hacker’s bank account. Or if a company sends 10 million dollars every month, one month they might get the same invoice with a different bank address. People are routinely selling information gleaned from credit card access and database dumps that are stolen from banks with all of their customer records and transactions at the ready. A cybersecurity manager needs to know if this has happened already.
The fifth category is exposed credentials. This includes passwords, usernames, combinations, or some kind of security token. When hackers steal this information, they can access company systems. The challenge is, it doesn’t matter how well you’re secured, how many systems you have, or how many people you have working on your cybersecurity team. If someone gets the password, they can log in, and no one will be aware of it because it’s a legitimate login.
Most employees will reuse their work-related usernames and passwords in external services. Usernames are typically based on email address that contain the domain name suffix of the company. It’s a little like tagging your house keys with your home address. When your keys get lost, the burglar who finds them will know exactly where to go. When company credentials are stolen, it’s the same story—the thief now knows how to access your company.
This is nearly impossible to control because it happens completely outside the company. There’s no way the organisation can watch what’s happening everywhere. This exposure is beyond the company’s reach.
The sixth type of liability is personal information. This includes people’s names, physical addresses, social security numbers, hospital data, and even personal hobbies. The risk here is identity theft and fraud. If a thief has enough information about a person, they can open a bank account, get a payday loan, or credit accounts to make fraudulent purchases.
Sometimes hackers get all the information they need from data breaches, and sometimes they have to search for more to complete the picture. If the information is leaking from the organisation, hackers can construct complete profiles of people and then use that to further hack into company systems or to buy things.
Identities are hard currency. They enable synthetic fraud. In this type of fraud, criminals use personal information to construct real-looking profiles and sign up for services, make unauthorised purchases, and so on.
Also, consider this. if you get an email from your boss from his LinkedIn account, and you check that account looks like his, then agree to click a link, how can you know if you were fooled by a spear-phishing email? Or was it actually from the boss? Most people have no means of distinguishing a well-crafted fake profile.
Know What, Where, and How
Stolen passwords are still the most common method hackers use because personal and credit card information are the hard currencies of cybercrime. To protect yourself, make sure you know what these are, where they’re stored, and how they’re secured.
Hacker Group Targeting
The seventh category is called hacker group targeting. There are many hacker groups online, and they don’t even know each other, at least not their true identities. They’re all anonymous, hiding behind avatars and nicknames. Even though they want to remain anonymous, hacker groups still want to communicate with each other. They talk about what company they want to target next, and some groups even publish their targets months before an attack. If a company is listed as a target, they need to know before it happens.
Typically, hacker groups launch DDoS attacks against a company’s critical e-services or its website, disrupting normal traffic. While individuals are most often targeted by spear-phishing campaigns, companies suffer more at the hands of DDoS.
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
Take Care of Your People
Companies need to be concerned about their people even when they’re operating outside the company’s own systems. Attacks won’t necessarily come from an employee’s work email; they can also come from a Gmail account or a LinkedIn exchange.
Companies need to care about their people and even their families. These concerns are no longer limited to corporate territory. It’s not just about work anymore; it’s about the whole society.
Internal Data Breach
The last category is the internal data breach. All the other categories we’ve discussed are from external sources, but this breach comes from internal systems. This is a breach perpetrated by someone inside your own organisation, system, or database. For example, it could be your Windows domain controller machine was accessed by an employee who dumped all the accounts, plus all the documents, and published it on the dark web for a profit.
So seven of these categories occur outside of the organisation and one inside the organisation. In a way, it really doesn’t matter who’s causing any of these categories of breaches because the damage is the same. The cybersecurity manager needs to find out about all of them when they start the job. That information will inform policy and decisions going forward.
Using this eight-fold model can be extremely helpful—with it, you will find out about your exposure from an outside attacker’s perspective—but it also creates liability for you as a cybersecurity manager. Now that you know where to look for problems, you’re going to be held liable if you don’t discover them.
Migration of Data to the Cloud
Ten years ago, an IT setup would have looked like this: internal company systems resided in servers on the company’s physical premises and were protected by a firewall, database servers, and some workstation networks, and these were divided into zones containing all of your secure information. That’s an outdated model. There are very few internal mainframes still operating. Most companies go asset-light. Maybe some banks still do things that way, but most companies have migrated over to using cloud services.
Cloud computing has changed everything. By using the cloud, companies can store their information outside of the fortress, usually in tens of different cloud services. All the new business applications they build are based in the cloud. Companies often prefer now to buy software as a service (SaaS) instead of building their own solutions; it’s cheaper and faster. Information is becoming much more externalised. As you can imagine, this creates challenges for the cybersecurity manager. One challenge is that while data is put to these SaaS cloud systems, the old security controls that used to apply in the fortress model no longer apply. Say you want to scan vulnerabilities or do a penetration test of your application. Now that it is in the cloud, that probably won’t be possible. Even if you can do it, with the permission of the vendor who runs the SaaS application, you probably won’t get useful results. Instead, cybersecurity managers should look for solutions that focus on monitoring and protecting the data instead of system vulnerabilities.
It’s important that the cybersecurity manager understands what kinds of systems the company has, what kinds of information is in each system, what kinds of services they provide to those systems. This can be done with technical tools, and usually some in-person interviews are needed as well.
The latest regulations in the European Union and the United States require that every large company has a data protection officer, but the cybersecurity manager can’t rely on them. Data protection officer is a different role than cybersecurity manager. The data protection officer is there to find out where confidential customer information is stored in the company and to protect it. They are responsible for controlling and securing it adequately, not doing the protection or design work that will help implement the security processes. The cybersecurity manager needs to know just as much as the data protection officer and much more besides.
What is the cloud? It’s just somebody else’s computer.
Looking in the Right Places
Most security managers spend about 80 percent of their time securing the company’s internal assets. They look very little at the outside, even though critical data for any company always lies outside the organisation. Seven out of the eight liability categories we listed above are external, so most of the cybersecurity manager’s efforts should look outside.
For example, fewer and fewer companies now own their own IT systems and networks; they lease them and use cloud systems, outside maintenance, and outside development. They pay for what they use and give the control to a third party. When they give the control out—for instance, letting a partner operate the service desk—they must monitor it carefully. Handing information to that third party, the company becomes responsible for monitoring that third party’s security. If the information is stolen, the company is liable. If they didn’t monitor or even vet the third party, they are even more liable.
Few people understand the extent of the liabilities and the exposure they take on when services are outsourced. This is one of the biggest challenges cybersecurity managers face right now. The misunderstanding leads to arguments over who is to blame for a breach. Is it the board’s problem? The owner’s problem? A management problem? This gets especially tricky if management remains silent for fear of revealing how much data has been exposed already.
The cybersecurity manager could be held liable as well, so doing a baseline health check is crucial. A new cybersecurity manager should find out about all liabilities as quickly as possible, so they can show that the problems existed before they started.
Discover Past Incidents and Identify Future Risks
The cybersecurity manager needs to learn what people within the organisation know about past incidents and get on the same page as them. It’s a good idea for the cybersecurity manager to get the pre-existing liabilities in writing, so they don’t get blamed for something that predated their joining the company. They should document and analyse any significant past security incidents.
Gathering information about past incidents is fairly easy to do because people tend to remember what’s gone wrong. If there were successful cyberattacks in the past, usually those are recorded somewhere, often with risk managers or previous cybersecurity managers. Get copies of past emails, meeting notes, or reports discussing the incident. Then work to understand the reasons and root causes that led to the incident. After learning of prior incidents, the cybersecurity manager should inform senior management or the owners of the company in writing. At that point, it’s no longer the cybersecurity manager’s liability.
The cybersecurity manager also needs to find out what people inside the company don’t yet know. They must collect information from internal and external sources to find out if there are ongoing risks of potential breaches and to understand the magnitude of any vulnerability. Gathering this information can be more of a challenge, as external breaches may have gone unnoticed inside the company. For example, if a SaaS provider has been breached, the company may have no idea. There are tools available for monitoring this; the cybersecurity manager should use them.
Need to Know
Get the best information available about the exposure your company has. Know and give the right information to the right people at the right time.
Data Liability and the Cloud
Companies want to collect data, but the more they collect, the more liabilities they take on. Data collection is cheap to do, and just about every company does it; unfortunately, many don’t realise that all of that accumulating data can become a liability. The more data that exists, the more data can be leaked.
For example, think about fifteen years ago—how many systems had your credit card information? Probably one or maybe even none. Possibly just the bank that issued the credit card. Now credit monitoring companies, advertisers, and aggregators collect and sell your information. Data collection has always been around, but there is so much more data today, and it’s stored in many more places. Everybody is collecting information, even down to individuals’ shopping behaviour. Customer data is valuable. Many companies recognise that value and want to mine it, but they should be careful because the repositories become interesting targets.
For example, PCI-DSS standard dictates that cardholder data can’t be stored if there is no business reason to do so. Right after the credit card transaction has been processed, the company must remove that data from their systems or make the card numbers. Not storing the data offers the strongest protection.
Simply put, the more information a company collects and stores, the more liability they have. It’s not just Facebook. Any company-collected data that resides in the cloud or with external vendors creates even more liability. Along with that comes a responsibility to protect that data. Personal data should require consent and a valid reason to store it.
There are significant legal repercussions for failing to store data securely. For example, let’s say a financial institution uses an external service provider and that vendor gets breached and loses 100 million credit card numbers. The law in most Western countries mandates that legal responsibility falls on many shoulders: the merchant who lost the numbers, the bank that issued the card, the processor who sent the transaction, the vendors who built their IT systems, and so on. Determining who is at fault may take some time because the liability falls on many shoulders.
The Impact of Data Breaches
Research shows there’s a strong correlation between a company’s share price and the number of data breaches. This is an ownership issue.
For example, in the United States, it’s mandatory to provide an identity theft monitoring service for customers who are affected by the breach. Those services aren’t cheap, and if you multiply that cost by 100 million customers, you’ll see how a single breach can cost a significant amount of money.
In Europe, a new regulation called the General Data Protection Regulation (GDPR) mandates strict procedures for securing customer data. It also provides for massive fines if companies don’t comply. The fines for repeat offenders can easily be in the tens of millions of dollars. The GDPR is a regulation with sharp teeth.
The legal requirements for securing data are increasing all over the world; companies that fail to protect their customers’ information will see their liability grow, too, especially if they are careless with data. The risks are high right now—regulators are eager to get their first big case just to make an example out of a company. They know if they handle the first company too leniently, they’ll have to do the same for everybody, so we expect judgments to be heavy-handed and penalties to be stiff.