The New Security Risk Management Paradigm
Stepping outside of Teneo headquarters in Midtown, Manhattan, we are presented with constant reminders of the very real security risk around us. Police and fire sirens scream by regularly, while helicopters pepper the skyline during rush hour or major city-wide events. NYPD officers in fatigues armed with machine guns patrol Grand Central station, in obvious contrast to the business-suited commuters dodging one another to board trains home. We tune out the noise by scrolling through our mobile news feeds, consumed with the latest cyber breach to hit Wall Street or the newest scandal impacting the political elite.
For companies located in major cities around the world like New York, attuned to a high-threat environment, this is all business as usual. For the most part, these organizations take the necessary precautions when it comes to security risk management, either based on past security incidents or on a current view of the risk. Other organizations not accustomed to operating in a high-threat environment view risk through a different lens, perhaps deprioritizing security initiatives by adopting a ‘wait and see’ mindset, leading to potential significant
Whatever the approach, no organization is immune to risk. It is imperative that businesses understand that the threat landscape today is evolving at a pace never seen before. The proliferation of emerging technologies and the heavy reliance on social media as a primary news and information source, have created unforeseen and increasingly complex security challenges in both the cyber and physical domain. Organizations will need to address this dynamic by implementing a new security model that replaces the traditional reactive, one-size-fits-all approach with a more targeted, proactive and anticipatory methodology.
What We’re Up Against
- Insider threat, whether unwitting or malicious, is considered one of the biggest threats to business today, and social engineering has become a primary tactic for reaching insiders and using them as pawns in criminal schemes.
- The growth and real-time nature of social media as a tool for information dissemination has also inadvertently created a new threat domain and a new channel that organizations must manage and monitor for reputation risk.
- The Internet of Things (IoT) and an estimated 25 billion connected devices by 2021 confirm that physical and cyber security are becoming inextricably linked.
- Workplace violence and active shooter incidents have challenged businesses to think differently about prevention, training and means to identify ‘pre-attack’ behaviors.
- Concerns over climate change and impact to the frequency and size of natural disasters like hurricanes, fires and floods means that businesses will increasingly brace for impact and will need to have robust crisis management and business continuity plans in place to recover.
Breaking it Down
Mitigating Insider Threats
In an increasingly fast-paced and high-stress business operating environment where employees are expected to manage large amounts of data, process information quickly and respond to clients in near real time, mistakes can happen. Unwitting insiders, rushed and distracted, may inadvertently click on a bad link, send the wrong file or download harmful software from a ‘phishing’ attack. Alternatively, disgruntled employees motivated to cause harm or achieve financial gain may use inside information and privileged or unauthorized access to disrupt operations, steal money or leak valuable data. In either case, ‘insider threat’ has become one of the biggest concerns today for businesses grappling with cyber security risk. The 2019 Verizon Data Breach Investigations Report found that 34% of all breaches happened as a result of insider threat. The report went on to note that the sectors most impacted by insider threat are healthcare, IT and financial services, due to issues like processing error, misconfigurations, theft and phishing attacks.
In the same vein, ‘social engineering’ is another means by which bad actors infiltrate organizations to gain access to systems and critical information by impersonating something or someone familiar to the target. Attackers study and deconstruct behavior patterns of the individuals they are targeting, and then set up social media profiles or email accounts to generate direct social media messages or email content that appears genuine in order to engage with colleagues or other individuals in the target’s network. The target will often be coaxed into clicking on a bad link, sending confidential information or downloading a file, believing that they are responding to someone familiar to them as either a favor or as part of an urgent communication. Malware or ransomware have become commonplace tools by which attackers are able to take control of or steal information from such unwitting employees. The end result can be as simple as stolen login credentials or as damaging as loss of millions of private records.
More recently, attackers are using these types of social engineering tactics to target or impersonate CEOs for financial gain, a practice dubbed “whaling” in cybersecurity circles, primarily because CEOs typically hold extremely valuable and confidential information and/or have top-level access to such information. Colleagues and direct reports of the CEO receive what appear to be legitimate or urgent requests to open accounts, wire money or provide credit card information or confidential login credentials. And normally, when the CEO asks, you answer.
So how can businesses mitigate risks resulting from these seemingly authentic, socially engineered stunts? The answer lies not just with technology – but also in regular employee training aligned to the current threat environment, diligence in identifying and reporting suspicious behavior and a commitment to building a security-focused culture which encourages employees to surface issues and protect the organization. Forward thinking organizations build insider threat training into their onboarding programs and regularly message the importance of cybersecurity risk management from the CEO down within the organization.
One of the latest and particularly troubling threats to emerge is the use of ‘deepfakes’, which are fake videos or audio clips that look and sound as though they are legitimate. Scammers are using deepfake audio to convince employees to transfer funds or make payments to erroneous accounts at the behest of what appear to be real and urgent requests from their managers, while other nefarious actors are using deepfake videos to spread ‘fake news’ on social media or create embarrassing videos to harm the reputations of public figures.
Notable deepfakes in the last year include altered videos of former President Barack Obama, Mark Zuckerberg, Nancy Pelosi and Kim Kardashian, all of which were real enough to garner initial viral attention before experts pointed out the key differences and glitches in the video feed which clarified that the videos were, in fact, fake. In August of this year, a UK energy company was the victim of a cybercrime when a deepfake audio recording was used to trick the CEO into wiring over $200,000 to a fraudulent account, supposedly at the direction of the CEO of its German parent company. The audio had perfected his German accent and the lilt of his voice so well that the forged audio was literally undetectable.
Deepfakes are created using what are called ‘generative adversarial networks’ (GANs). GANs work as follows: two machine learning (ML) models work in parallel with the goal of creating a believable enough deepfake video. One model trains itself using massive data sets, in this case, real videos of e.g. a celebrity, to create an imitation. The job of the second model is to detect the imitation. The cycle continues until the second model can no longer detect a fake, and thus, a deepfake is born. These models work particularly well for recognizable, public figures like politicians and celebrities due to the sheer volume and availability of video and audio clips online to serve as the training set.
As we transition into an election year, members of the US government and intelligence communities have already expressed concerns that deepfakes could seriously disrupt campaigns and election outcomes. In the lead-up to the 2020 election, we should expect to see lawmakers intensify scrutiny of social media platforms and attempt to put in place policies and procedures to identify issues and protect consumers from the spread of disinformation. The challenge remains that the technology is developing faster than the solutions to mitigate or even detect deepfakes before they hit social media and go viral. While the problem searches for a solution, businesses and the public at large will need to be vigilant and maintain a healthy skepticism toward “fake news.”
Embracing Security Convergence
On the internet, the physical and cyber domains are converging quickly. Some interesting and futuristic use cases include Jetson-esque refrigerators with direct online access to delivery services to reorder your milk and ice cream, or watches that text biometric data to physicians for real-time health monitoring. In these two examples, the convenience factors are obvious, not to mention the ability to prevent potentially life-threatening health circumstances from becoming reality. However, the ‘connectedness’ implies a new and unexpected playground for cyber-attack in the form of machines, appliances and personal accessories.
Within a business context, every organization is connected to the Internet in some way, whether the business itself is an Internet platform or the physical assets of the company are managed and controlled online. Since the 90’s, we’ve grown accustomed to ‘information technology’ and the associated cyber-attacks on computers and network infrastructure through the Internet, including phishing, malware and, now with the rise of crypto-currency, ransomware. The Internet of Things, which has largely enabled more efficient and automated processing of ‘operations technology’ through Internet connectivity, such as machines found on manufacturing assembly lines or office building infrastructure like elevators, escalators, turnstiles and doors, has also created an unintended new attack surface for malicious actors. Who could have imagined that a refrigerator, a watch or even an elevator could serve as an open door for a cyber-attack? The 2013 Target breach proved this is indeed possible: the company was hacked after the attackers stole network credentials from one of Target’s HVAC vendors, which had remote access to heating, cooling and refrigeration systems for maintenance and troubleshooting. The attackers successfully tunneled in via the vendor’s network credentials and famously uploaded card-stealing software to cash registers.
This convergence of the physical and cyber domains implies that security measures must also converge, or organizations are left exposed through increasingly unexpected entry points. No longer can organizations draw lines between their physical security and information security teams and expect that the two can achieve success while operating independently. Clearly, hostile actors will exploit weaknesses in either the physical or the information technology domain to achieve their objectives. Heretofore siloed security operations within companies have failed to accurately recognize patterns and emerging threats because they did not consider the totality of the attack surface within an organization. To effectively manage security risk in today’s environment, businesses are best served by centralizing both physical and information technology security under the leadership of the Chief Security Officer, who is then responsible for building and driving a culture of security-mindedness as the shared fate of the organization.
Detecting & Preventing Workplace Violence
2019 has been plagued with tragedy related to active shooter and other workplace violence incidents. According to the Occupational Safety and Health Administration (OSHA), more than 2 million American workers contend with workplace violence, ranging from threats and verbal abuse to physical assaults and even homicide. Businesses are reporting a rise in workplace violence.
As the open carry firearm debate swirls in the US, many major retailers like Walmart, Kroger, CVS and Walgreens this year issued policies respectfully requesting that customers no longer openly carry firearms in their stores. Other brands like Target, Starbucks and Chipotle established similar policies in prior years.
Companies are best served by implementing policies, procedures, training and reporting mechanisms that protect employees and enable them to comfortably come forward if they notice unusual or suspicious behavior among colleagues. Some common steps recommended by safety and health agencies include:
- installation of safety measures like security cameras, alarm and lighting systems;
- education and training on what to look out for, what to do and who to notify, specifically regarding active shooters, sexual harassment, data theft and hostile behavior;
- provision of clear policies and procedures related to zero tolerance and code of conduct; and
- safe and, where applicable, anonymous reporting mechanisms, whether hotlines, mobile apps or open-door management policies, to encourage employees to speak up without fear of retribution.
Bracing for Natural Disaster
2018 had the fourth-highest total costs from natural disasters since tracking began in 1908. Businesses that are most impacted and struggle to recover likely have not adequately prepared for continuity of operations, or were ill-prepared as an organization to handle the disaster as it unfolded into a full-fledged crisis.
Good business continuity planning and crisis management frameworks enable resiliency and are central to boosting employee morale and confidence in dealing with crises. Key components of good continuity of operations and crisis management plans include:
- a thorough understanding of the critical assets of the company and the risks to the enterprise;
- mitigation strategies in place to address enterprise risks;
- an inventory of core business processes and “keep the lights on” operations and technology, as well as the people who manage those functions and their locations;
- designation of backup operations facilities if applicable and plans for remote access; and
- assignment of crisis management and crisis communications teams, with relevant policies, procedures and training in place in advance of a disaster.
Overcoming Traditional Security Structures
Many organizations are still operating under a more traditional and frankly, outmoded security structure which will only serve to undermine well-intentioned security professionals. As we look ahead into 2020, and in light of the anticipated threat landscape, traditional security structures potentially create more risk and make it even more difficult to survive a major security event. As the spectrum of security issues that endanger businesses grows, the outdated model of “guards, guns and gates” fails to fully address and mitigate the current threat landscape.
Traditional corporate security departments were created to protect physical assets and employees, and were built with a relatively narrow operational scope. Physical security, based on access control and screening measures, uniformed guard services and video surveillance, is generally characterized by defensive or responsive measures, and falls short of fully addressing the current state of security risks facing an organization.
Social issues are rapidly becoming underlying causes of insecurity within organizations and present a new security risk for companies globally. From social unrest to violence rooted in a particular political ideology, identifying emergent risks and building a new security strategy that mitigates their impact is essential to gaining a competitive edge. For organizations to achieve new business opportunities, especially in areas deemed too risky, increased security investments must be made that look beyond the traditional model.
Transforming to Meet New Security Demand
It remains hard to convince companies to spend more on security infrastructure, and even harder to have them divest from traditional security methods. Companies annually spend millions on physical security guards that offer little-to-no return on investment, yet are hesitant to spend thousands on digital protections that could protect them against financial and reputational disasters. Often, the reluctance to undertake a new model of security risk management is based on the fact that Boards, CEOs and other C-suite executives do not fully realize all the threats faced by the organization. To overcome this institutional reluctance towards change, a change in culture and governance is necessary. Security leadership must create a culture of security awareness, beginning with the Board, that highlights the risks and consequences that security incidents such as insider threat, disinformation campaigns, workplace violence and natural disasters have for an organization. With greater understanding and awareness of the risks faced, organizations can establish the appropriate governance and oversight of the security risk management program. Once established, a security risk management governance structure attuned to the current threat environment will also reinforce and quicken the deployment of scalable mitigation techniques across the organization. Collectively, proper security awareness and governance will prepare an organization to address a multitude of emerging and future threats.
The Bottom Line
Even the most well-conceived and accurately executed security program will not protect against all threats; organizations must understand that they will never operate in a zero-risk environment. While no organization is immune to security risk, it remains imperative that the current threat landscape facing an organization is understood throughout the organization, from the board room to the mail room. Building a new model that can address the impact of a dynamic threat environment will prepare organizations for security incidents that have a measurable impact on corporate finances, operational functions and overall corporate reputation.
The best risk management strategy combines multidisciplinary security protocols, aligned to the threat environment, with the creation of a corporate culture of security awareness. As threats in the physical and cyber domains increase and deepen during this age of extremism and decentralized attack tactics, protecting an organization against the impact of an attack requires not only greater awareness but also the implementation of a new security model that replaces the antiquated, reactive traditional security model.