
BoD Introduction: An Analogy to Understand Cybersecurity Jargon – Cyber Risk

Cybersecurity practitioners have developed their own “lingua franca” to enable accurate, efficient and understandable communications amongst themselves. The terminology used in cybersecurity discussions frequently involves acronyms, like EACMS, and “terms of art”, like phishing, to communicate information about threats, risks and other topics that are important to doing the cybersecurity job. Some of these concepts and terms may not be familiar to some members of a Board of Directors or even some C-Level executives. This article aims to translate some of this cybersecurity jargon into familiar, everyday concepts, using analogies, to help BoD members and C-Level business executives familiarize themselves with these cybersecurity concepts. We start by describing Cyber Risk, using the analogy of a trip to the grocery store in your automobile to connect the dots.

Scenario:

You are driving to the grocery store in your car when a dump truck, full of construction debris, pulls out from a side street, directly in front of you, and you see that construction debris is falling from the truck onto the road directly in your path of travel. What can go wrong?

As you follow the dump truck, trying to avoid the falling debris, your best efforts fail and you run over a nail. The flat tire that follows is the consequence of running over the nail, and it carries some level of impact, i.e. the recovery cost of a flat tire.

Key Concepts:

Keep in mind that, with regard to cyber risks, the 3 most common attack paths used by hackers are: 1. People, 2. Software, 3. Supply Chain. Protecting those 3 attack paths can prevent the most common attacks, such as ransomware, data theft and other egregious acts.

Your Company and all of its personnel are represented by the car and driver.

The hacker community is represented by the dump truck.

The falling debris represents all of the tactics, techniques and procedures hackers use to carry out their cyber-attacks.

The nail represents a threat which results in a potential risk to your Company.

The tire, filled with air, represents a vulnerability that can be breached by the right threat, the nail.

The combination of the nail in your path of travel and your vulnerable, air-filled tires represents an "Indicator of Threat" (IOT), a/k/a a risk.

Running over the nail, resulting in a flat tire, equates to the realization of a cyber risk by your Company – the attack has occurred and you are now a victim of a cyber-crime.

The consequence of running over the nail is a flat tire. The consequence of a cyber-attack depends on what was breached, e.g. an attacker obtained the login credentials of a system administrator and was able to log in to a privileged account on a critical business system. The flat tire is an "Indicator of Compromise" (IOC). The consequence can be thought of as the "minimum impact" from a cyber event.

The impact of this event is what happens after the flat tire occurs – did you run into a guard rail as a result of the flat tire, causing more damage to your car, or was the impact confined to just the flat tire? Did the ship sink after hitting an iceberg? Likewise, the impact from an attacker obtaining login access to a privileged account on a critical business system can be very serious. The cyber-attacker could encrypt all of the business data and system files, demanding a ransomware payment in the millions of dollars. This is why impact is such an important factor in understanding risk and methods to mitigate risk. Risk strategy is frequently based on assessments of impact, helping to determine which risks should be accepted, avoided or mitigated.

Recovery from the flat tire and the resulting impact depends on what happened after the flat tire occurred. The same is true for a cyber-crime. Your recovery time and cost are determined by the impact of the cyber-crime – how widely was the hacker able to disrupt your operations and bring harm to the Company? Recovery activities may include restoring infected systems, which also includes eradicating all of the threats a hacker may have planted in your digital ecosystem, and could include a public relations campaign to repair any harm to reputation. Recovery from a cyber-crime can take many months, costs can run well into millions of dollars, and the work can be extremely labor intensive. Once you become a victim of cyber-crime you never stop asking yourself whether you really eradicated all of the threats that the hackers planted in the Company, and the topic of cyber-risk becomes a regular discussion point at BoD meetings.

Analysis:

Risk = Likelihood times Impact. The likelihood is high that the driver of the car will drive over something in the construction debris that causes harm; the dump truck is directly in front of the car and construction debris is all over the road. Some Risk Management experts, e.g. David White of Axio, refer to likelihood, in this context, as "susceptibility", which may be more semantically accurate but is less recognized in the cybersecurity community. The impact depends on what happens after the consequences of the threat become realized and the real impact has occurred. BoD and C-Level executives cannot prevent hackers from introducing risk any more than the driver of the car can stop the dump truck from pulling directly in front of the car. The risk of a cyber-crime is ever present.

Cybersecurity practitioners attempt to identify and rank risks using tools such as threat hunting, risk registers, a risk matrix, and other practices designed to identify and manage risk. A risk matrix can be very effective at communicating the most concerning risks identified by cybersecurity personnel to BoD and C-Level business executives. Key takeaway: No Company can stop hackers from introducing risk, and Company executives must be prepared to deal with these risks.

Mitigation – what could the driver of the car do to mitigate the threat (the nail in the road) and the potential risk – a flat tire plus whatever other impact is realized? I suppose one answer is to never drive the roadways without having a street sweeper directly in front of your car. This would help, but street sweepers may miss some debris, so there is always some level of uncertainty with regard to your mitigation measures. The same is also true for your cybersecurity mitigation methods. You cannot prevent a hacker from entering your path and you cannot control what threats a hacker may put in your path – you must be prepared to deal with the risks that hackers present to your Company. Other factors also need to be considered, for example what the cost of mitigation measures is and how it compares to the cost of recovery. For example, hiring a street sweeper and driver as your constant companion on the roadways could be quite expensive compared to the cost of replacing a flat tire. Key Take-away: Mitigation measures must be commensurate with the Risk that could be realized. This is where risk strategy and risk appetite come into play.
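To make the two ideas above concrete (Risk = Likelihood times Impact ranked on a risk matrix, and mitigation cost weighed against recovery cost), here is a small worked example added to this article; it is not code from the article, from Energy Central, or from any vendor named here. It scores a constructed risk register on a 5x5 matrix, bands each entry the way a board-level matrix is usually coloured, and checks whether a proposed mitigation is commensurate with the risk. The register entries, the dollar figures, and the mapping from likelihood score to probability are all constructed assumptions for illustration; a real programme would calibrate them from its own incident history.

```python
"""Risk = Likelihood x Impact on a 5x5 risk matrix, plus a mitigation-cost check.
Hypothetical example: every register entry, cost figure and probability is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # 1 = lowest, 5 = highest, for both likelihood and impact

# Constructed assumption: a rough probability-per-year behind each likelihood score.
# Real programmes calibrate this from incident data; these numbers are illustrative only.
LIKELIHOOD_PROBABILITY: Dict[int, float] = {1: 0.05, 2: 0.20, 3: 0.40, 4: 0.60, 5: 0.90}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1..5, before mitigation
    impact: int                # 1..5
    recovery_cost: float       # estimated cost if the risk is realised (constructed, USD)
    mitigation_cost: float     # annual cost of the proposed mitigation (constructed, USD)
    mitigated_likelihood: int  # 1..5, expected likelihood once the mitigation is in place


def _check_scale(value: int) -> int:
    """Reject scores outside the matrix scale so a typo cannot silently inflate a risk."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"score {value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood times Impact, giving 1..25 on the 5x5 scale."""
    return _check_scale(likelihood) * _check_scale(impact)


def risk_band(score: int) -> str:
    """Map a 1..25 score onto the bands a board-level matrix typically colours."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest risk first; ties broken by impact, since impact drives recovery cost."""
    return sorted(register,
                  key=lambda r: (risk_score(r.likelihood, r.impact), r.impact),
                  reverse=True)


def matrix_cells(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by (likelihood, impact) cell: this is the risk matrix itself."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


def expected_loss(likelihood: int, recovery_cost: float) -> float:
    """Likelihood (as a probability) times the cost of recovery."""
    return LIKELIHOOD_PROBABILITY[_check_scale(likelihood)] * recovery_cost


def mitigation_net_benefit(risk: Risk) -> float:
    """Reduction in expected loss minus the mitigation's cost. A negative result means
    the mitigation is not commensurate with the risk (the article's street-sweeper case)."""
    saved = (expected_loss(risk.likelihood, risk.recovery_cost)
             - expected_loss(risk.mitigated_likelihood, risk.recovery_cost))
    return saved - risk.mitigation_cost


# Constructed sample register: one entry per attack path the article names
# (people, software, supply chain) plus the flat-tire analogy for a sense of scale.
REGISTER: List[Risk] = [
    Risk("Flat tire from road debris (analogy)", 5, 2, 200.0, 60_000.0, 2),
    Risk("Phished admin credentials lead to ransomware (people)", 4, 5, 3_000_000.0, 150_000.0, 2),
    Risk("Unpatched internet-facing server exploited (software)", 3, 4, 500_000.0, 80_000.0, 1),
    Risk("Vendor portal compromise exposes data (supply chain)", 2, 3, 250_000.0, 40_000.0, 1),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        score = risk_score(r.likelihood, r.impact)
        verdict = "worth it" if mitigation_net_benefit(r) > 0 else "not commensurate"
        print(f"{score:2d} {risk_band(score):8s} {r.name}: mitigation {verdict}")
```

Run as a script it prints the register ranked Critical to Medium. The flat-tire entry lands in the High band on raw score alone (likelihood 5, impact 2), yet the $60,000 street sweeper buys back only about $140 of expected loss, so the check marks it "not commensurate"; the ransomware entry is both the top-ranked risk and the one whose mitigation clearly pays for itself. That separation between where a risk sits on the matrix and whether a given spend is justified is the point the article makes about risk appetite.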

We’ll keep risk strategy and risk appetite as a topic for a future article.

Why should BoD members and C-Level Executives be concerned about a Company’s cybersecurity posture and protections? The answer may be evident, thanks to a recent court decision in Delaware that could allow shareholders to hold BoD and C-Level Executives personally liable for damages resulting from the effects of a cyber-crime that caused financial harm. BoD members and C-Level Executives could be held personally liable for harm to affected parties from poor business judgement decisions that failed to ensure cybersecurity measures were being implemented and were effective, which resulted in financial harm to shareholders and others with a vested interest. BoD members and C-Level executives may want to ensure that Company cybersecurity practices are producing and preserving tamper-proof evidence showing that the Company was prudent and diligent in its cybersecurity practices, in order to prevent any potential personal liability resulting from a shareholder lawsuit. This tamper-proof evidence could be vitally important to any defense. Consult an attorney for a legal opinion on this point.

People looking for a deeper technical understanding of the type of threats that exist should consider reading this article.

[UPDATE 3/7/2022: Sinclair losses mount from ransomware attack]