Protect Your Organization with Cyber Resilience
By Audrey L. Katcher & Frank G. Hogg
According to a 2013 study, the estimated average annual losses attributed to cyber attacks were $860,273 from security breaches, $585,892 from data loss, and $494,037 from downtime.[1]
With cyber attacks on the rise, contractors need to turn their cyber security concerns into cyber resilience strategies.
The highly publicized Target breach in December 2013 that affected approximately 70 million customers was allegedly traced to a mid-sized HVAC contractor in Western Pennsylvania (also identified as a victim in the crime).
Reportedly, law enforcement officials believe the theft of the vendor’s credentials used for the retailer’s electronic billing system may have been instrumental in helping criminals gain access to Target’s servers.[2]
Why Are Contractors at Particular Risk?
In today’s environment, the question for businesses both small and large is no longer “if” they will become the victim of a cyber security attack, but rather “when.”
Contractors are especially vulnerable because they often are involved with building operating systems and regularly share real-time facility information (e.g., specifications and plans on energy, power, utilities, and other critical systems) across servers and networks.
Contractors must be vigilant stewards of not only their own records, but also their customers’ proprietary information and building assets.
Cyber security must be viewed as a continuous two-way street. You need to be wary not only of who might be hacking into your servers, but also how your company and employees are interacting with your clients’ systems.
While the threat of a cyber security attack has become almost inevitable, the risks associated with it can be managed through an effective cyber resilience plan. This article will provide an overview of cyber security as well as five key steps to building a cyber resilience plan to help effectively manage risks and protect your company.
Overview of Cyber Attacks
Cyber attacks are becoming harder to predict; nearly each new attack is more innovative and sophisticated, making it difficult to develop mitigation strategies. Attacks are impacting more than just an entity’s technology – they affect financial, reputational, and stakeholder value. The impact of a cyber attack can affect all stages of a company’s supply chain, from vendor to customer.
Current spending for cyber security is predominantly limited to the area of preventive controls (e.g., firewalls and virus protection software). But it is just as important to have detective and reactive controls. Entities need to link their investment in cyber security to the potential consequences of an attack.
According to the World Economic Forum, “Cyber security refers to analysis, warning, information sharing, vulnerability reduction, risk mitigation, and recovery efforts for networked information systems,” whereas cyber resilience is defined as “the ability of systems and organizations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery.”
Emergence of Cyber Resilience
The emphasis of cyber security has traditionally been on detecting and preventing attacks. However, a new wave of thought has expanded from the traditional components of security (confidentiality, integrity, and availability) to incorporate consideration for preservation of reputation, impact on customers, and consequences from attacks.
The basic tenets of what is known as cyber resilience are:
• Preservation of reputation
• Customer impact
Creating a Cyber Resilience Plan
A cyber resilience plan incorporates an understanding of modern attacks, a plan for defending/defeating those attacks, and potential responses to those attacks. This type of plan is critical for entities of all sizes and can be adopted through the following five key steps:
1) Assess the risks to your entity
2) Identify the systems, data, and hardware that require protection
3) Define the key players who are responsible for maintaining security and leading the response plan when an attack occurs
4) Communicate the plan to executives and management
5) Monitor and report on the plan’s effectiveness
Step One: Assess the Risks
The first step to developing a cyber resilience plan is to consider the business risk. Since budgetary spending on security is often limited, companies must identify their risks and prioritize their greatest concerns. The types of losses associated with cyber attacks may include:
• Loss of employee productivity
• Loss of revenue
• Loss of customer confidence
• Loss of a business opportunity
• Loss of business to a competitor
• Delay in product/service deployment
• Loss of client
• Reputational damage
• Remediation cost
• Damage to company value
Keep in mind that the greatest risk may be your company’s reputation – even more than the dollars directly associated with an individual attack.
At this stage, also consider reviewing:
• Client contract language with your attorney or legal advisor, as litigation often hinges on the express language contained within your construction contracts.
• Contracts with vendors, especially if you are storing information in the cloud or on external servers or allowing the vendor access to your systems.
• Mobile and “bring your own device” (BYOD) policies and use. The Internet Security Forum (ISF) highlighted BYOD trends in the workplace as a key security threat for 2014.[3] With employees adding smartphones, tablets, and other personal mobile devices to their daily work life, company IT systems can easily become compromised.
One of the major threats is to confidential company or client information loaded on these devices; if a device is lost or stolen, then that confidential information becomes exposed.
Your company’s thinking should evolve from deciding what protection to provide for all of its operations and assets to protecting the most important assets – including those of your clients. Consequently, instead of thinking about the inputs needed for a security plan, companies should focus on the outcomes or consequences they can live with, as well as how to balance those risks against limited resources.
Step Two: Identify What Needs Protection
Once the priority assets and client accesses have been identified, the plan shifts to protecting against threats. The mind-set should move beyond the minimal preventive and defensive controls needed for compliance standards to how resources can be effectively aligned to protect an entity’s assets. As the effects of a cyber attack can impact all aspects of the supply chain, the plan should address security concerns without constraining the means by which business is conducted.
The plan should be flexible and allow quick responses to attacks and their consequences. The plan must also be specific, comprehensive, and most importantly, achievable by those within the organization. To do this, cross-functional teams from varying business disciplines should develop and test the plans.
Step Three: Define Your Cyber Resilience Team
It is essential to form a cyber resilience team with clear authority to act to protect your organization’s well-being. The team’s primary responsibilities are to maintain security and lead the response. If an incident arises, the team should also ensure employees are prepared to respond quickly and communicate with all affected stakeholders. When assembling the team, be sure to include representatives from key areas, including:
• Executives – provide governance and are a conduit to the audit committee for board-level questions.
• Internal Audit – acts as an independent resource to report on the processes supporting cyber security and resilience.
• Communications – develops a practice plan and call list.
• Insurance – provides clarity in the policy.
• Legal – keeps the company informed on current regulations and other legal insights.
• Technology – supported by an on-call technical response team already under contract.
• Finance – provides transparency in the cost.
• HR – performs cyber security checks on those who may leave the company.
• Supply Chain – ensures vendors have signed a commitment to cyber security with your company.
Cyber resiliency is an overall company matter, not just an IT issue. Therefore, the entire governance team must be concerned with addressing the challenges and finding solutions.
The CFO/Controller must be an active part of the core governance team and understand the company’s risk. In particular, the CFO needs to ensure full executive-level reporting of past and current issues, plan for all future contingencies with a cyber resilience plan, and protect classified financial information.
In testing the plan, CFOs should allow for regular re-evaluation of both the prioritized assets and the actions needed to protect them as the security landscape evolves. This will help validate the plan’s security and responsiveness.
Step Four: Communicate the Plan at the Executive Level
Cyber resilience plans require executive buy-in, collaboration from different levels within the entity, and coordination with vendors and customers. When preparing your cyber resilience plan, remember:
• There are no answers that provide 100% assurance.
• It is not a question of if an attack or incident will occur, but rather when.
• There is a direct relationship between response time and the exposure to operations, finances, and reputation.
Therefore, communication of the plan, relevant updates, as well as what drives these updates should be delivered to leadership and the board regularly.
Step Five: Monitor, Report & Practice
According to the Ponemon Institute, “Fifty-seven percent of respondents expect to experience a security breach within the next year, yet only 20% regularly communicate with management about threats.”
Moving forward, companies should continue to monitor the evolution of their cyber resilience plan. They should communicate to stakeholders, both internally and externally, monitoring results and changes to the direction of the plan.
Contractors should also look to the different avenues available for properly reporting a cyber crime or an attack on their online systems. Filing an incident report with the proper authorities will assist law enforcement in possibly identifying the parties responsible for the cyber attack, and help them respond to and prepare for other cyber attacks within the industry. In addition, these reports provide critical information for analysts to develop new software to prevent similar attacks and defend an entity’s IT network.
The Bottom Line
The costs and frequency of breaches are rising exponentially. The qualitative costs include loss of customer trust, reputation, and stakeholder value. The quantitative costs average $188 per record, with an average of more than 28,000 records compromised per incident, resulting in a total average incident cost of $5,403,644.[4]
Do not assume that your company or one of its subsidiaries is not at risk. CNN reports that nearly half of the data breaches Verizon recorded in 2012 took place in entities with fewer than 1,000 employees. Symantec, a leading computer security firm, reported that 31% of all attacks in 2012 targeted businesses with fewer than 250 employees, and that attacks were up 81% from 2011.
Cyber resilience should be viewed as an investment in mitigating the risk of cyber attack. Per the World Economic Forum, “Cyber resilience is no longer an afterthought and a cost. It is an essential component of any business or national strategy that seeks to be successful and sustainable.”
1. EMC’s 2013 IT Trust Curve Global Study.
2. Paul Ziobro, “Target Breach Began with Contractor’s Electronic Billing Link: Fazio Mechanical Services Says It Was ‘a Victim of a Sophisticated Cyber Attack’”, Wall Street Journal, Feb. 6, 2014.
4. The Ponemon Institute’s 2013 Cost of Cybercrime Study: United States, October 2013.
AUDREY L. KATCHER, CISA, CPA, CITP, is a Partner at RubinBrown, LLP in St. Louis, MO, where she provides IT and internal control risk advice, including “putting trust in the cloud” and cyber security management. This includes providing third-party assessment over service organizations (SOC1 and SOC2 reporting).
She has written and presented on the topics of cyber security, internal controls, and SOC reporting numerous times. In 2010, Audrey was named one of the MSCPA Women to Watch, received the UMSL Salute to Business award, and was inducted into the Fort Zumwalt Hall of Fame.
She received a BSBA in Accounting from University of Missouri – St. Louis.
FRANK G. HOGG is the Partner-In-Charge of RubinBrown’s Construction Services Group in St. Louis, MO. He also works in the Assurance Services Group, Real Estate Services Group, and the Quality Control Department. Frank serves clients in the construction, mortgage banking, home building, and real estate industries.
Frank is a member of CFMA’s St. Louis Chapter, and also belongs to the AICPA, AGC, ASA, and NECA. He has a BS in Accounting from St. Louis University.
Copyright © 2014 by the Construction Financial Management Association. All rights reserved. This article first appeared in CFMA Building Profits. Reprinted with permission.