Cyber Security Designing and Maintaining Resilience V5

The document discusses the impacts of cyber security breaches and maintaining resilience. It notes that the "hidden costs" of a breach, such as business disruption, can account for 90% of the total costs and may not be fully realized for years. Different types of breaches are discussed for various industries. Maintaining enterprise resilience is key to adapting to changes and dealing with breaches through effective incident response plans, perimeter protection, and cyber risk management processes.
Cyber Security Designing and Maintaining Resilience

Board Impact of Cyber Security Breaches


Few would dispute that cyber-attacks are rapidly increasing in both frequency and intensity,
and most organizations can be confident that they have suffered at least one cyber-attack incident.
But do those organizations have a sense of the impact on the organization? After all, the
direct costs usually associated with a data breach are less significant than the “hidden costs” incurred.

Indeed, the “hidden” costs can amount to 90 % of the whole business impact on a corporation,
and may still be felt 2 years or more after the event. These are among the findings of the latest
study by Deloitte Advisory, entitled “Beneath the Surface of a Cyber-attack: A Deeper Look at the
Business Impacts.”

Deloitte identifies 14 business impacts of a cyber-attack, classified as “above the surface”
(well-known incident costs) or “below the surface” (hidden or less visible costs), with seven
impacts in each category.

Deloitte argues that the cost of cyber incidents is greatly underestimated, because public
emphasis falls on the above-the-surface impacts, which are the smallest proportion of the total.

Consumer Breaches
As the data breaches continue to roll on, we take a look back at some of the biggest and most
harmful data breaches on record. Read on for a historical walk through breaches over time as
well as resources for preventing data breaches.

The Origin of Data Breaches


Data breaches have gained widespread attention as businesses of all sizes become progressively
dependent on digital information, cloud computing, and workforce mobility. With sensitive
business information kept on local machines, in enterprise databases, and on cloud servers,
breaching a company’s information has become as easy – or as complicated – as gaining access
to restricted networks.

Data Breach Defence and Prevention Resources


With the ever-increasing number of data breaches and increased threats to security –
enterprise, small business, and personal security alike – data breach defense and prevention
has advanced accordingly, offering greater protections and a more proactive approach to
security to ensure the safety of sensitive information. The following resources offer additional
information on the advancement of data protection, as well as valuable tips for preventing data
breaches.

Members of the U.S. House of Representatives House Energy and Commerce Committee
have advanced a bill that addresses the increased threat of cybercrime to consumers. “The Data
Security and Breach Notification Act is a bipartisan solution to address the growing problem of
cybercrimes and protect vulnerable information from criminals. The legislation establishes a
nationwide safety regime for data protection and breach notification.”

Business Breaches
“Each organization is unique in terms of the impact, but across industries there are common
critical areas. For example, in retail credit card data is most important. In healthcare, PII
(personally identifiable information). And with manufacturers, intellectual property loss can have
the greatest impact. However, often the most under-estimated significant impact across
organizations is business disruption,” notes Erik Thomas, president and principal consultant at
EMT Consulting, and a member of the SIM cyber security group.

Maintaining Enterprise Resilience


Modern theories of the firm remain focused on transaction costs, operational efficiency,
employee motivation, leadership, strategy and other related factors. While any of these may
support our success at various times, none of them alone will sustain it in the long run. Even
strategy, while vitally important, is set at a point in time and is vulnerable to change. The one
factor that enables a company’s long-term viability is enterprise resilience: the capacity of the
company to adapt to change.

Perimeter Protection with Firewall

The security of your network is evaluated daily. A better question to ask is, "Are you the one doing
it?" The answer, hopefully, is that someone on your side is involved in assessing the
effectiveness of your defences; however, overwhelming evidence shows that you are not the
only party probing your network's perimeter. Internet-facing systems—computers with IP
addresses that can be reached from the Internet—receive between several and hundreds or
even thousands of attack attempts every day. Many of these are simple scans that we know
how to defend against, but others catch us by surprise, unexpectedly shifting us into incident
investigation and cleanup mode.

Incident Response Plan

Even the most effective information security infrastructure cannot guarantee that intrusions or
other malicious acts will not happen. Once a computer security incident occurs, it is crucial
for a corporation to have an efficient way to respond.

The speed with which a corporation can recognize, analyse, and respond to an incident limits
the harm and lowers the cost of recovery. A CSIRT can be on site and able to conduct a rapid
response to contain a computer security incident and recover from it. A CSIRT that is familiar
with the compromised systems can more promptly coordinate the recovery and propose
mitigation and response strategies.

What types of CSIRTs exist?


CSIRTs come in all shapes and sizes and serve diverse constituencies. Some CSIRTs support an
entire country, for example, the Japan Computer Emergency Response Team Coordination
Center (JPCERT/CC); others may provide assistance to a particular region, such as AusCERT does
for the Asia-Pacific area; still others may provide support to a particular university or
commercial organization. There are also corporate groups who provide CSIRT services to clients
for a fee.

Typical phases in a cyber attack

CREST describes the following 3 basic phases of a cyber attack and recommended
countermeasures:

1. Reconnaissance

- Identify target
- Look for vulnerabilities

Countermeasures:

- Monitoring and logging
- Situational awareness
- Collaboration

2. Attack target

- Exploit vulnerabilities
- Defeat remaining controls

Countermeasures:

- Architectural system design
- Standard controls (e.g. ISO 27001)
- Penetration testing

3. Achieve objectives

- Disruption of systems
- Extraction of data
- Manipulation of information

Countermeasures:

- Cyber security incident response planning
- Business continuity and disaster recovery plans
- Cyber security insurance
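The perimeter section above notes that Internet-facing systems are probed many times a day, and the first CREST countermeasure against reconnaissance is monitoring and logging. The following added example (not from the original document or from CREST) shows what that looks like in practice: a small detector that reads firewall deny logs and flags a source that touches many distinct ports within a short window. The log line format is a constructed, simplified syslog-style layout, not any vendor's real format, and the addresses and thresholds are made up for illustration.

```python
# Added example (not from the original document): flag reconnaissance in
# firewall deny logs. The line format is a constructed, simplified syslog
# style, not any vendor's real format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one probing host and one legitimate retrying client.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-03-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=80
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=443
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-03-01T10:05:00 DENY src=203.0.113.7 dst=198.51.100.10 dport=8080
2024-03-01T10:00:05 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443
2024-03-01T10:00:09 DENY src=192.0.2.44 dst=198.51.100.10 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_log(text):
    """Yield (timestamp, action, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["action"],
                   m["src"], m["dst"], int(m["dport"]))

def find_scanners(text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: max distinct (dst, dport) pairs denied within one window}
    for sources reaching at least min_targets. Only DENY events count, so a
    legitimate client retrying a single port is not flagged."""
    denied = defaultdict(list)            # src -> [(ts, (dst, dport))]
    for ts, action, src, dst, dport in parse_log(text):
        if action == "DENY":
            denied[src].append((ts, (dst, dport)))
    flagged = {}
    for src, hits in denied.items():
        hits.sort()                       # sliding window needs time order
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1                # drop hits older than the window
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` flags only 203.0.113.7, which hit five distinct ports in three seconds; the client retrying port 443 is ignored, and the late 10:05 probe does not count because it falls outside the window of the earlier hits.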

Cyber risk management process


Cybersecurity risk is one component of the overall business risk environment and feeds
into an organization’s enterprise risk management strategy and program. Cybersecurity risk, as
with all risks, cannot be completely eliminated, but must instead be managed through informed
decision-making processes. The risk management process (RMP) is built on the premise that
managing cybersecurity risk is critical to the success of an organization’s mission in achieving its
business goals and objectives, specifically the reliable generation and delivery of electric power.
Implementation of the RMP facilitates more informed decision making throughout an
organization, leading to more effective resource allocation, operational efficiencies, and the
ability to mitigate and rapidly respond to cybersecurity risk.
