The last in a series on ‘Risk intelligent governance in the age of cyber threats’ addresses two cybersecurity risk management questions that are asked less often but matter a great deal: How do we control what software is running on our devices? How do we limit the information we voluntarily make available to cyber adversaries?
“My smartphone has been acting funny”
From viruses and worms to rootkits, trojans, bots and more, malware – short for “malicious software” – has become the cybercriminal’s weapon of choice for subverting digital devices.
No device is immune: Malware can infect anything that accepts electronic information, including such unconventional targets as cash registers, cameras and even cars. Mobile devices, especially, have seen a boom in malware infections as their popularity has grown. This increase may represent a significant vulnerability in environments where employees use smartphones, tablets, laptops and other mobile devices for both personal and business purposes.
An organization with highly mature anti-malware capabilities will address the problem from both the user and the technology sides. On the user front, a company should develop, communicate and enforce policies that limit the use of personally owned devices for business purposes and vice versa. This can help prevent users from infecting corporate devices with malware prevalent on sites visited mainly for personal reasons, as well as reduce the risk that an infected personal device will contain sensitive corporate information. Users should also be educated on the need to report suspicious device behavior (such as repeated crashes) to IT for investigation.
On the technology front, companies should employ software to help keep malware off their devices in the first place, and to help identify and remove any malware that slips through – ideally, before it does significant damage. Be aware that standard signature-based anti-virus programs often miss newer or targeted malware, which generally requires more specialized techniques such as behavior-based detection to catch. Because of this, a company board may want to ask their executive team specifically about what malware-focused technologies an organization has in place.
Loose lips still sink ships
No one questions the need to protect information that the organization explicitly designates as confidential. However, what many people don’t realize is that cybercriminals can also benefit from information that the company and others intentionally share. HR may unknowingly put details in a job description – say, for an IT security position – that reveal exactly which version of what enterprise resource-planning platform your company is running and what security software you’re using to protect it. Or an employee posting to a social media site may mention in passing that he or she manages the company’s passwords, thereby telling cybercriminals exactly who they need to target, using phishing and other social engineering tactics, to gain access to your company’s network.
A mature cyber threat risk management capability will recognize the need to manage risks that may arise from sharing information that, while not strictly confidential, can still give cybercriminals valuable clues about how to infiltrate your organization. Elements to look for here include enterprise-wide policies and training on issues such as the extent to which employees may discuss their work on Internet forums or use personal email accounts for business purposes. These policies and training requirements should be customized for different organizational roles, and they should be especially stringent for departments, such as HR, that commonly release information known to be useful to cybercriminals. Similar policies should be written into the organization’s agreements with suppliers and contractors.
A company can also take advantage of advanced search and filtering technologies to monitor the Internet and other electronic data sources for the appearance of information that may indicate an increased cyber threat risk. Any such monitoring effort should consider the universe of available information as a whole rather than each piece of information individually, since cybercriminals – using the same kind of technology – can mine a variety of sources for bits of information that, while each harmless in itself, can collectively reveal enough to pose a threat.
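The aggregation point above is easy to show in code. The script below is an added illustration, not part of the original article or any Deloitte tooling: it scans a handful of constructed public postings (a job advert, a social media update, a forum question and a press release) for three kinds of clue – a product name with a version number, a mention of a privileged duty, and a named security control – and scores each source on its own and all sources together. The clue patterns, weights and threshold are illustrative assumptions chosen for the demo. No single posting crosses the threshold, but the combined picture does, which is exactly the effect the paragraph describes.

```python
"""Aggregate individually harmless public disclosures into a combined exposure score.

Illustrative example added to this page; not the article's or Deloitte's own code.
The sample postings, clue patterns, weights and threshold are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample records (source, text); none of these are real postings.
SAMPLE_RECORDS = [
    ("job-board", "Seeking ERP admin. Must know SAP ECC 6.0 and Symantec Endpoint Protection 12.1."),
    ("social", "Busy week: I manage all the password resets for the finance team at Acme."),
    ("forum", "Our VPN box is a Cisco ASA 5510 running ASA 8.4, anyone seen the same memory leak?"),
    ("press", "Acme opens a new office in Austin with 200 staff."),
]

# Clue categories: (compiled pattern, weight). Weights are illustrative assumptions
# reflecting how directly each kind of clue helps an attacker plan an intrusion.
CLUE_PATTERNS = {
    # A capitalised product name followed by a dotted version number, e.g. "SAP ECC 6.0".
    "product_version": (re.compile(r"\b([A-Z]\w+(?: [A-Z]\w+)*) (\d+(?:\.\d+)+)\b"), 2),
    # Someone describing a privileged duty such as handling password resets.
    "privileged_role": (re.compile(
        r"\b(?:manage|administer|reset)s? (?:all )?(?:the )?(?:password resets|passwords?|domain admin)\b",
        re.I), 3),
    # A security control named by product or by type.
    "security_product": (re.compile(r"\b(?:Endpoint Protection|antivirus|anti-virus|firewall|VPN)\b", re.I), 1),
}


def extract_clues(text):
    """Return (category, matched_text) pairs found in one piece of text."""
    found = []
    for category, (pattern, _weight) in CLUE_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((category, match.group(0)))
    return found


def score_records(records):
    """Score each source on its own and all sources combined.

    Returns per-source scores, the clue categories seen per source,
    the categories seen overall and the combined total.
    """
    per_source = {source: 0 for source, _ in records}
    categories_by_source = defaultdict(set)
    for source, text in records:
        for category, _matched in extract_clues(text):
            per_source[source] += CLUE_PATTERNS[category][1]
            categories_by_source[source].add(category)
    all_categories = set()
    for cats in categories_by_source.values():
        all_categories |= cats
    return {
        "per_source": per_source,
        "categories_by_source": {s: sorted(c) for s, c in categories_by_source.items()},
        "all_categories": sorted(all_categories),
        "total": sum(per_source.values()),
    }


def assess(records, threshold=8):
    """Flag elevated exposure on the combined picture rather than per source.

    The threshold is an illustrative assumption; tune it against your own data.
    """
    summary = score_records(records)
    summary["any_single_source_elevated"] = any(
        score >= threshold for score in summary["per_source"].values())
    summary["combined_elevated"] = summary["total"] >= threshold
    return summary


if __name__ == "__main__":
    result = assess(SAMPLE_RECORDS)
    for source, score in result["per_source"].items():
        print(f"{source:10s} score={score:<2} categories={result['categories_by_source'].get(source, [])}")
    print("combined total:", result["total"], "elevated:", result["combined_elevated"])
```

Run stand-alone, the job advert scores 5, the social post 3, the forum question 3 and the press release 0, so no source alone reaches the threshold of 8, while the combined total of 11 does. In practice the patterns would be replaced with the product names, hostnames and role titles specific to your organization, and the records would come from whatever search and filtering feeds you already collect.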
Mature cyber threat risk management
To conclude the series, we would like to note that the approach we’ve outlined in our series is not intended to substitute for a formal, rigorous IT security assessment performed by specialists. However, it can give companies a fair start toward understanding their organization’s capabilities for managing and mitigating the ever-present risk that cyber threats pose today.
The insights a company may gain through the steps discussed can help guide further inquiries that examine the issue in more depth, which may include requesting a formal assessment to determine how an organization might move its cyber threat risk management practices toward a more proactive, preemptive and mature approach.
In closing, we believe that exploring cyber threat risk with the executive team can yield value beyond helping a company to improve governance over this area of risk alone. It can also give the opportunity to build a more productive dialogue with executives about IT risk management in general.
We encourage companies to use these discussions with management both as a way to strengthen the company’s cyber threat risk management practices, and as a springboard to greater engagement with the management team on all aspects of IT risk.
Information in this series is based on the Deloitte white paper “Risk intelligent governance in the age of cyber threats.” You can access Deloitte Risk Intelligence white paper series free at www.deloitte.com/us/RiskIntelligence.