Getting to cyber resiliency

May 28, 2013
The status quo methods of maintaining cyber security just aren’t up to the task

Information knows no borders; no single entity, company, organization, or government can guarantee or protect it. From South Korea to Saudi Arabia to the United States, recent attacks have crossed numerous sectors, affecting government agencies, media companies, and oil and gas companies. In the past year, we have also seen numerous denial-of-service (DoS) attacks on financial institutions.

The status quo methods of maintaining cyber security just aren’t up to the task. It’s time to make investments that help detect attacks early, while at the same time dedicating personnel and resources to create detailed response plans that can be put into action when breaches do occur, because they will.

This is cyber resiliency in action, not mere cyber security. Building cyber resiliency requires far greater cooperation between the public and private sectors and among business partners, and much greater awareness by everyone from front-line employees to those in the C-level suites.

Think your organization is ready for a cyber attack? That you understand all the risks it’s exposed to, and that you have a plan in place to deal with them and bounce back? If so, you’re not alone. In fact, 88 percent of the 120 companies surveyed in the Deloitte 2013 Technology, Media and Telecommunications Global Security Study (TMT) believe they can prevent cyber attacks, 68 percent claim to recognize the risks they face, and 62 percent think they have a plan in place to deal with attacks once they occur.

If you’re anything like the organizations we examined, you might be over-confident. Among those we examined, the same companies that claimed to understand cyber threats and to be prepared for an attack, most also reported a security breach of high or medium impact in the preceding year. And that’s just the breaches the organizations were aware of.

Like the organizations we surveyed, yours might be more susceptible to cyber threats than you suspect. Make no mistake: you are vulnerable. There’s simply no framework that can provide total security in an environment where mobile devices mingle personal and professional information, where data is stored off-site, where information is shared with perhaps hundreds of third-party companies, and where persistent hacktivists can team up and put your systems in their crosshairs.

Mobile devices and cloud computing — the very technologies that are changing and improving the ways we do business — are at the same time making it much more difficult to keep information secure. Though many organizations may be aware of the risks brought about by these new technologies, some seem to be choosing the convenience and productivity they offer over security.

A great number of respondents indicated they have joined the cloud computing crowd: 39 percent of all organizations surveyed do so, and within media companies that figure rises to 61 percent. However, while it has become more widely acceptable even to store mission-critical data in the cloud, companies need to ensure they are managing that risk more effectively.

Regardless of an organization’s size or industry, the greatest perceived threat to information security comes from third-party involvement. We found that a full 92 percent of large firms felt an average or high level of threat from third parties.

Despite recognizing the gravity and likelihood of third-party breaches, not all TMT organizations have taken steps to mitigate these risks. When asked whether they had broached the subject of cyber awareness with partners and suppliers, only a third replied that they had actively sought to increase awareness among those they do business with.

Limited funds stand in the way of many organizations that are seeking solutions. Almost half of the respondents identified their security budgets — or lack thereof — as hindering their progress. They pointed out that while cyber threats are growing both in numbers and in complexity, their budgets haven’t grown proportionately, if they’ve grown at all. Businesses must reevaluate and give a greater priority to securing their digital assets.

To achieve true resilience, and to respond to and recover from threats quickly, organizations must plan for the unknown and operate under the assumption that a breach can happen at any moment. Prevention alone is no longer enough; detection must be paired with a response plan that is already in place before an incident occurs.

Leaders must create a culture of security throughout their organizations, one that involves and includes all stakeholders. Educating employees and third-party suppliers, many of whom have little or no security training, can help build trust and organizational resilience.

Sharing information about breaches with partners, customers, other industries, and government agencies is the best way to know the enemy and counter their attacks intelligently.

The good news is that organizations realize they must do more than merely what the law requires. In 2013, more companies prioritized having a strategy and roadmap for information security, raising awareness, and addressing mobile security, whereas in 2012 organizations were more concerned with regulatory compliance alone.

A growing number of leaders also advocate stronger collaboration and information sharing between the private and public sectors. Last year, the World Economic Forum launched a public-private initiative called Partnering for Cyber Resilience (PCR). Deloitte and other private organizations are working alongside the public sector to address global cyber risks. This marks the beginning of a long journey towards cyber resiliency.

About the Authors:

Jolyon Barker is Managing Director of the Global TMT Industry at Deloitte Touche Tohmatsu Limited.

JR Reagan is the U.S. Federal Chief Innovation Officer at Deloitte & Touche LLP.