Cyber Risk Opportunities Case Study
Introduction
The CIO of a fast growing Internet startup needed to create and rapidly mature a cybersecurity program to protect his company’s assets so as to not derail their plans for continued growth. He wasn’t sure where to begin. But, he knew he wanted to avoid a costly false start and preserve the company’s profitable growth and entrepreneurial culture. In short, he wanted to manage cyber as a business risk. Working together, we created and assisted with the implementation of a Cyber Risk Business Strategy.
Insights
Over the course of two weeks, we collected risk scores from 13 of their internal experts from across their company. Each questionnaire consisted of a customized subset of 145 standard questions, all scored using a standard score key.
The data we collected confirmed the CIO’s perception that the startup’s cyber risk program was overall immature. In fact, they were significantly under-performing against its minimum target scores across the board.
After conducting a statistical analysis, we determined its top five cyber risks were:
As a new company without legacy systems, the technology team (located in Asia) had adopted cloud services across the board instead of building their own servers in a rented data center. This was a cost-effective and flexible approach. Then they centralized the production data on those virtual servers and heavily defended them with network firewalls.
At the same time, the executives and operations teams (based in North America) directed the employee’s computers and devices to be administered by each user. Then, they established a consumer-grade network at their headquarters for everyone to share. And, they encouraged each team to acquire and use whatever cloud services allowed them to be most productive.
Since 90% of all cyber-attacks start with phishing, they were more exposed than they realized: One successful phishing attack could result in the compromise of an administrators’ account (and everyone was an administrator of one or more computers), which would allow the attackers to have direct, silent access to the cloud services from the victim’s computer. Because the startup had no methods for detecting intrusions, this kind of compromise would likely persist for weeks or months until the cyber-attackers were ready to strike.
Worse still, the members of the workforce individually configured their own devices and cloud file sharing without clear guidelines nor centralized systems administration. In addition, company management had no clear understanding of how many cloud services were being used by their work force (ex: Dropbox, ShareFile, etc.) nor how to secure the digital assets when staff departed.
The data collected also showed that the Executive team and non-IT managers were over-confident in the IT teams’ ability to manage cyber risks. This was the result of functional silos located in different parts of the world (Far East versus Americas) along with several false assumptions about how well the IT team was managing various cyber risks, such as business continuity and developing and deploying secure software into production.
Solution
Cyber Risk Opportunities worked with the startup’s senior decision makers to create a prioritized cyber risk mitigation plan that would economically close the gaps for their top 5 cyber risks.
The plan included an approach for substantially decreasing the likelihood of malicious code becoming active on user devices and protecting critical data should malware activate anyway.
A separate Cyber Hygiene scorecard was used to help prioritize and incentivize completion of these technical mitigations in easy-to-complete steps over an 12-month period.
The Cyber Risk Mitigation plan also identified 12 additional, low-cost, high-value mitigations with a $34,080 three-year total cost of ownership (see cluster of circles on the right side of the “Cyber Risk Mitigation Visualizer”).
These 12 mitigations formed the basis for a cyber risk management program that would keep up with their fast growth and more appropriately protect their digital assets. The rest of the mitigation plan focused on such actions as:
- Creating their incident response, disaster recovery, and business continuity plans
- Managing personnel-related cyber risks
- And, the creation of an ongoing technical vulnerability management program
To track progress, and provide the executive team with a useful communications tool, we provided them with an easy to read cyber risk scorecard:
Over the next few months, we held Monthly Check-In phone calls to monitor progress implementing their mitigations.
The Monthly Check-In is a 1-hour meeting designed to support implementation of the customer’s Cyber Risk Mitigation Plan. During this time, we focus on removing blockers, celebrating successes, and exploring how recent and expected changes in the cyber risk landscape affect their scores.
As an example, a project to activate whole disk encryption stalled due to lack of hardware support among the majority of the startup’s laptop fleet. To remove this blocker, we facilitated an analysis of several options and assisted the customer in making a good decision that pushed the project forward despite the delay and additional cost.
We also alerted our customer to new and relevant developments involving cyber risks. Examples include:
- Explanation of standard-setting FTC consent decrees and/or court rulings involving cybersecurity and cyber insurance
- Trends in cyber-criminal behavior and tactics
- News events, such as the spread of NotPetya and WannaCry, that directly impact customer cyber risk management
- And, noteworthy geo-political events that may impact customer cyber risk, such as cyberwar in Eastern Europe
At the one-year mark, we will conduct another data gathering exercise to measure how the organization’s cyber risks had changed over the past year. Depending upon the new insights, and the advances being made by cyber-attackers around the work, we may adjust the mitigation plan to accommodate shifting priorities.