Moody's Cyber Risk Group: “Cyber becomes more and more important.”
On November 12, Moody’s announced its intent to start incorporating in its credit rating method the degree to which an organization faces risk of major impact from a cyberattack. This follows the news, back in February 2018, that the Securities and Exchange Commission issued additional guidance on its requirement that public companies must “inform investors about material cybersecurity risks and incidents,” even if they have not yet been the target of a cyberattack.
Both of these announcements are important acknowledgements that cyberattacks—besides compromising the privacy of constituents, customers, and consumers—can also impact a company’s viability and performance. When security controls can no longer keep up with the complexity and rate of change in the enterprise, organizations must adopt a risk-focused approach to cybersecurity and shore up the ability to detect and respond to attackers—both insider threats and those coming in from the outside—who will inevitably establish presence within the environment.
Coincidentally, on the day of the Moody’s announcement, Ponemon released a study called Managing the Risk of Post-breach or "Resident" Attacks. This study, designed and sponsored by Illusive, looks at how well-equipped security teams are to prevent business impact from these “resident” attackers. As part of the study, Ponemon surveyed over 600 IT and IT security practitioners across the US.
Which cyberattacks do security leaders fear most?
Although cybertheft of PII, EHI, and payment data routinely make the news, survey respondents say executives are primarily worried about attacks that could disrupt operations or steal strategic information:
- 60% of respondents said that the worst consequence of a cyberattack would be tampering with or compromising the integrity of their products or services.
- 58% are concerned about disruption of their core business network.
- 55% fear exposure of the company’s intellectual property or strategic
Align security with the business: Old refrain, new data
To address these critical risks effectively, organizations need vertical engagement and shared focus—from the Board level down to the security operations level. Yet the results from the study are troubling; day-to-day functioning of IT security is not well-aligned to business needs, and organizations suffer from a lack of guidance and communication between senior business executives and security teams.
- Although 56% of respondents say business leaders consider cybersecurity a top business risk, only 29% say business leaders communicate their business risk management priorities to IT security leaders.
- Only 35% say their IT security leaders are proactively included in planning
and decision-making for new technology and business initiatives.
The hit it takes on threat detection and incident response
For cybersecurity teams, the work is never done. Given the resource squeeze, the noise level in the SOC, regulatory pressures, and all the other challenges, the ability to reduce cyber risk rests in part on the ability to prioritize routine maintenance, monitoring, and incident response based on what matters most to the business.
The survey shows that, of course, this is easy to say but much harder to do:
- When a system is compromised, only 37% know what critical services may be impacted
- 56% say inability to prioritize incidents based on potential impact is a top obstacle to better IR
- 55% say inability to determine which alerts to escalate is a top obstacle to better threat detection
It’s not surprising, then, that only 38% of respondents “agree” or “strongly agree” that they can detect and respond to attackers before they cause serious business impact.
Budgets in the next 12 months will put greater emphasis on the post-breach stages of the attack. Survey responses suggest that allocations will shift significantly away from preventive controls toward greater proportional investment in threat detection and response.
Money, alone, can’t solve what is in large part an organizational problem--and neither can security technology. But we believe vendors must provide features that help catalyze risk-aware action and prioritization.
In future blogs, we’ll highlight the ways that Illusive can help. In the meantime, we are confident you’ll find useful insights in the report.
Download the Ponemon Managing the Risk of Post-breach or "Resident" Attacks here.