MMBI Cybersecurity Special Report webcast: Highlights and quick checks
MMBI WEBCAST HIGHLIGHTS
On July 12, 2018, two of RSM’s security, privacy and risk principals—Daimon Geopfert and Ken Stasiak—led a webcast to discuss highlights from the Middle Market Business Index (MMBI) Cybersecurity Special Report.
The MMBI Cybersecurity Special Report was released by RSM US LLP and the U.S. Chamber of Commerce earlier this year. Backed by industry data and surveys gathered from a panel of 700 middle market executives, the report analyzes the biggest cybersecurity risks facing middle market businesses.
The webcast highlighted trends, challenges and insights that all middle market businesses should consider as part of their risk management strategies. Here are some of the biggest takeaways.
One goal of the Cybersecurity Special Report is to help key stakeholders make more informed decisions. Our data uncovered a level of cognitive dissonance of which these stakeholders should be aware. Cybersecurity threats have grown, yet confidence in handling these threats has also grown. Is this confidence warranted? Let’s look at the numbers for middle market businesses.
- 160 percent increase in breaches at midsize businesses since 2015
- 47 percent of companies expect they will face unauthorized users attempting to access systems and data (increase of 39 percent since 2015)
- 43 percent reported instances of social engineering attacks in past year
- 41 percent view ransomware attacks as likely
- 18 percent experienced a ransomware attack in the past year
- 38 percent do not carry a cyber liability insurance policy
- 22 percent of directors expressed dissatisfaction with the quality of cyberrisk information they receive from their teams
- 97 percent say they are moderately to very confident in their organization’s ability to safeguard data
Middle market executives and stakeholders remain highly confident in their ability to handle cybersecurity threats, but this confidence does not match the numbers. Many acknowledge they are not getting the whole story from their security team. Many do not carry a cyber liability policy. Almost half expect to face attacks in the near future. Threats and breaches are on the rise. Where is the disconnect?
One reason for this confidence is that cybersecurity spend is on the rise overall. Average cybersecurity spend as a part of the information technology (IT) budget is 5.6 percent, according to a recent study by Gartner. The fact that businesses are spending more on cybersecurity may account for increased confidence.
However, this confidence may be inflated because attacker techniques evolve much faster than enterprise-wide technologies can be budgeted, approved, tested and deployed. Often, by the time a defensive control is in place, the technique it was bought to stop has already moved on and the control is less effective than expected. Robust cybersecurity budgets certainly help mature a security posture and knock out low-hanging fruit, but expensive technological controls do not solve every problem. Technology needs to be tuned effectively, budgets need to be allocated appropriately, and security needs to be integrated into the core of a business’s processes and culture in order to see real risk mitigation.
As discussed in the webcast, articulating cybersecurity risks clearly to executives and board members might also temper confidence levels to more realistic levels. Vulnerability and risk reports are often sanitized of the most egregious findings by the time they reach these individuals, meaning they make critical business decisions based on incomplete information. Providing more visibility and transparency into the current cybersecurity landscape will help them make more informed and impactful business decisions.
To give a more accurate sense of the confidence organizations should have in their ability to combat cyberrisks, the webcast also provided a few quick checks so businesses can get a cursory baseline of their security programs.
- Do you have a cybersecurity steering committee?
  - Live polling during the webcast indicated only 32 percent of respondents had such a committee. These committees provide a forum for representatives from multiple business units to discuss threats, risks and mitigation plans and to communicate this information to key stakeholders.
- How much are you spending on cybersecurity?
  - Average cybersecurity spend is 5.6 percent of the IT budget (Gartner).
  - Live polling during the webcast indicated that the vast majority of cybersecurity budgets have increased or remained the same, while only 2 percent have decreased. While this trend is encouraging, the allocation and management of the budget are just as important as the amount. A budget needs to be tied to the areas of greatest risk and most effective mitigation in order for it to mean anything. Don’t let an increased budget give you a false sense of security.
- When was the last time you conducted a risk assessment and correlated the findings back to the cyber insurance policy or questionnaire?
  - Live polling revealed that most (54 percent) perform a risk assessment annually, 9 percent perform one more than once a year and 37 percent perform one rarely or never. Risk assessments help you prioritize remediation, and can also show whether your insurance policy is adequate.
  - A cyber liability insurance policy can offload some (not all) risk, as long as your answers on the application accurately reflect the state of your environment; answers that do not reflect it put the coverage itself at risk. Have security personnel reviewed your policy responses to ensure they are accurate? Are there improvements you can make to reduce coverage gaps or lower your premium? Have you confirmed that your policy actually covers your greatest areas of risk as determined by a risk assessment?
- When was the last time you conducted an incident response (IR) tabletop exercise? Would you pay the ransom?
  - An IR tabletop is a discussion-based exercise that walks the team through an evolving attack against your organization. Since ransomware attacks are on the rise, include a ransomware scenario in the tabletop so the organization can test its response, including the decision of whether to pay the ransom, before it has to make that decision for real.
- Do you have an inventory of the organization’s data?
  - This quick check refers to another growing area of concern for the middle market: compliance and privacy regulations such as HIPAA, PCI DSS and GDPR. Maintaining an inventory of data (PII, credit card numbers, financial data, education data, patient health information, etc.) and of where it lives is the foundation for protecting that data in line with regulatory requirements and best practices.
- Where is your organization with regard to GDPR or overall privacy compliance?
  - Live polling revealed that only 12 percent are “feeling good” about their GDPR and privacy status, 30 percent have done some work but still have a ways to go, and 58 percent have done very little or do not plan to address it at all.
  - Though it may take some time for GDPR to be enforced across the board, fines and penalties could be very heavy: up to 4 percent of annual global turnover or 20 million euros, whichever is higher.
- When was the last time you conducted a phishing campaign against the entire organization?
  - Phishing is consistently the most successful attack vector overall, and regular phishing campaigns against the whole organization (not just a sample of users) are essential for measuring a middle market business’s real exposure.
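The data inventory check above is easier to act on with a discovery pass over the places data actually sits. The following is an added example, not code from the webcast or from RSM: it scans constructed sample text sources for payment card numbers (validated with the Luhn checksum so that order numbers and other 16-digit values are not counted), U.S. Social Security numbers and e-mail addresses, and summarizes per source what was found so the result can seed an inventory. The source names, sample records and categories are assumptions for this example; a real pass would add the other categories the page lists (financial, education and patient health data) and run over file shares, databases and mailboxes rather than inline strings.

```python
"""Data-inventory quick check: find regulated data in text sources.

Added example, not part of the webcast or RSM's tooling. Sample sources and
records are constructed for this example; the card numbers are the standard
Luhn-valid test numbers used in payment documentation.
"""
from __future__ import annotations

import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits or dashes on either side.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# U.S. SSN in dashed form; rejects the reserved area/group/serial values.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample sources (not real data).
SAMPLE_SOURCES = {
    "finance/share/refunds_2018.csv": (
        "2018-05-03,Refund,4111 1111 1111 1111,jane.doe@example.com\n"
        "2018-05-04,Refund,5500-0000-0000-0004,john.roe@example.com\n"
    ),
    "hr/exports/benefits.txt": "Employee 1042, SSN 219-09-9999, dob 1981-02-11\n",
    # 16 digits that fail the Luhn check: an order id, not a card number.
    "ops/logs/orders.log": "order_id=1234567890123456 status=shipped\n",
}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, masked to the last four digits."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def classify(text: str) -> dict[str, int]:
    """Count regulated data elements in one text blob, by category (zero counts dropped)."""
    counts = {
        "card_number": len(find_pans(text)),
        "ssn": len(SSN.findall(text)),
        "email": len(EMAIL.findall(text)),
    }
    return {k: v for k, v in counts.items() if v}


def build_inventory(sources: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each source that holds regulated data to the categories and counts found."""
    inventory = {}
    for name, text in sources.items():
        counts = classify(text)
        if counts:
            inventory[name] = counts
    return inventory


if __name__ == "__main__":
    for source, counts in build_inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {counts}")
```

The Luhn check is what keeps the inventory honest: without it, every invoice number, tracking number and timestamp run of 13 to 19 digits would show up as card data and the inventory would be ignored. Masking to the last four digits means the report itself does not become another copy of the data you are trying to find.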
The webcast also generated some great conversation points. Here are some of the highlights from the question and answer session.
- Question: Our cyber policy is a "claims made" policy. Do you see many of your clients having policies that can be exercised without a claim being made?
Answer: Almost all of the cyber insurance policies we are involved with (i.e., cases where our incident response teams are called to a client) are claims made. However, several of the insurance carriers offer discounted rates for preventative services (e.g., penetration testing, security assessments, etc.) with select vendors. You can ask them or check on their portals.
- Question: Any data on the amount of loss of business revenue that has occurred within midmarket businesses?
Answer: Massive variation. Much of the data is in the NetDiligence report, which you can download for free. Revenue loss was primarily affected by the attack type (i.e. ransomware vs email account takeover vs live hacker) and the maturity of the organization. The same attack in two similar companies had large variations of damage depending on the security controls in place within each company.
- Question: If you are outsourcing your IT design and maintenance function, and working with them actively on a quarterly basis to discuss cybersecurity risks, does this simulate an ongoing vulnerability assessment? Particularly if you have periodic independent penetration testing?
Answer: It is close. Vulnerability assessments are a mile wide, an inch deep. They are typically very automated and meant to identify the majority of vulnerabilities in the environment in a quick and cheap manner. Penetration testing is an inch wide, a mile deep where someone is trying to demonstrate how far they can get into an environment. Their task isn't usually to try to find all vulnerabilities, just the most critical.
- Question: Do you assess cybersecurity risk to be lower for companies that operate a B2B model versus direct to consumer?
Answer: Not lower, just different. It all depends on the model. If you pass through data for business partners, and that data contains sensitive information, then you'd actually carry many of the same data privacy requirements as your customers. The second you touch it, you incur the obligations. You can also become a means for an attacker to access one of your customers. It all depends on what services you provide.
- Question: In today's landscape, breaches are commonplace, it seems. Every week you hear of a new story about a breach. The concerning thing to me is not so much that someone got in, it’s how long they are typically in and undetected. The Macy's breach revealed hackers were inside for six months. What's your stance on that, and how do you think organizations can manage that aspect of these breaches more effectively?
Answer: Very good point. Breaches have become so common that many companies start to ask, "Why bother trying to stop them?" It starts to turn into an issue that you're trying to show that you met all expected best practices but were still breached. You will still face some level of liability, but it is different from getting breached because you didn't bother to try to secure your environment (i.e., an issue of bad things happened vs. negligence). As for the duration of the breach, our stats show an average timeline of 200-300 days before the breach is discovered. This highlights that more focus needs to be placed on security monitoring rather than just trying to harden the network.
- Question: I understand not firing someone who fails a phishing test, but is it reasonable to require certain additional training be completed if they continue to click the phishing email?
Answer: That's how we style most of our phishing campaigns. Users who fail get set up for additional training either automatically or manually. As an example, for the automated method, if they "click the link" in the phishing email, they are redirected to a "sorry, you failed, here is some training" page. For the manual method, the failure is noted, and they are tagged with the enhanced version of the training when the time comes for their annual training.
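The automated method described in that answer (click the link, land on a training page, have the failure recorded) is small enough to show end to end. The following is an added example, not RSM's tooling and not code from the webcast: each recipient's link carries a per-user token signed with an HMAC, so a recipient cannot forge a token for a colleague or pollute the results; a click verifies the token, records the failure and returns the training-page redirect; and the campaign summary tags everyone who clicked for the enhanced version of their annual training, which is the manual method the answer describes. The campaign name, lure URL, training URL and recipients are assumptions constructed for this example; sending the e-mails and serving the redirect over HTTP are left to whatever platform you use.

```python
"""Phishing-simulation click tracking with signed per-recipient tokens.

Added example, not code from the webcast or RSM. Names, URLs and recipients
are assumptions constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

TRAINING_URL = "https://training.example.com/phishing-awareness"  # assumed
LURE_URL = "https://portal-login.example.net/verify"              # assumed lure page


@dataclass
class PhishingCampaign:
    name: str
    recipients: list[str]
    # Campaign secret. Tokens are HMAC-SHA256 over "campaign:user", so a recipient
    # cannot forge a colleague's token or guess another user's link.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    clicks: dict[str, int] = field(default_factory=dict)

    def _mac(self, user: str) -> str:
        msg = f"{self.name}:{user}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def link_for(self, user: str) -> str:
        """Build the unique link embedded in the simulated phishing e-mail."""
        if user not in self.recipients:
            raise KeyError(f"{user} is not a campaign recipient")
        token = f"{user}.{self._mac(user)}"
        return f"{LURE_URL}?{urlencode({'t': token})}"

    def handle_click(self, url: str) -> tuple[str | None, str | None]:
        """Process a request to the lure URL.

        Returns (user, redirect_url) for a valid token after recording the
        failure, or (None, None) for a missing, unknown or tampered token.
        """
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        user, _, mac = token.rpartition(".")
        if user not in self.recipients:
            return None, None
        # Constant-time comparison of the presented MAC against the expected one.
        if not hmac.compare_digest(mac.encode(), self._mac(user).encode()):
            return None, None
        self.clicks[user] = self.clicks.get(user, 0) + 1
        return user, TRAINING_URL

    def click_rate(self) -> float:
        """Fraction of recipients who clicked at least once."""
        return len(self.clicks) / len(self.recipients)

    def training_plan(self) -> dict[str, str]:
        """Tag everyone who clicked for the enhanced annual training (the 'manual' method)."""
        return {u: ("enhanced" if self.clicks.get(u, 0) else "standard")
                for u in self.recipients}


if __name__ == "__main__":
    campaign = PhishingCampaign("q3-2018-password-reset", ["jane.doe", "john.roe", "amy.lee"])
    link = campaign.link_for("jane.doe")
    print("user clicked:", campaign.handle_click(link))
    print("forged link:", campaign.handle_click(link.replace("jane.doe", "john.roe")))
    print("click rate:", campaign.click_rate(), "plan:", campaign.training_plan())
```

Repeat clicks by the same user are counted, not deduplicated, so the report can distinguish a one-off mistake from the repeated clicker the question asks about. Keying the MAC on the campaign name as well as the user means a token from last quarter's exercise cannot be replayed against this one.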