Keeping Watch Against Cyber Espionage
In Part 1 of this series, we looked at four myths around cyber espionage. In Part 2, we’re examining how companies can adjust to this evolving threat landscape.
As state-sponsored hacking worldwide fuels debate about how nations can deter sophisticated digital attacks, companies across the globe might feel powerless to address espionage in cyberspace. In the latest sign of government action in this arena, the Group of 20 largest economies this month affirmed their 2015 commitment to banning cyber-enabled economic espionage and further pledged to address security risks, threats and vulnerabilities in the digital economy – a new agreement that the White House said echoed U.S. efforts to promote risk-based cybersecurity efforts. Industry, however, also has a key role to play in blunting sophisticated cyber risks. Increasingly, businesses can seize opportunities to be more watchful; to better understand the risk landscape; to proactively mitigate cyber risks in ways that meaningfully improve security; to reduce the likelihood of breaches; and to ensure business continuity in the event of a major incident.
PwC believes that companies that think broadly and act boldly to improve cybersecurity and privacy are not only less likely to be successfully hacked, but are also better able to demonstrate that they and their leaders undertook due diligence and aggressive security measures in the face of legal, insurance, board, and other stakeholder challenges in the aftermath of a major attack.
Focusing on prompt detection of intrusions – not all breaches are preventable – and better leveraging the power of cybersecurity information sharing can enable companies to more effectively understand the threat landscape and allocate limited resources to counter the most significant cyber risks. Timely sharing of actionable threat data can also support rapid adjustments to cyber controls based on emerging challenges.
In recent years, government and industry efforts have sought to foster the sharing of cyber threat data in critical sectors and beyond. The United Kingdom’s Cyber Security Information Sharing Partnership, which was launched in 2013 after a pilot effort called Project Auburn, has promoted the sharing of cyber threat and vulnerability information in order to make U.K. businesses more secure. In 2015, the White House launched its information sharing and analysis organization (ISAO) initiative, which aims to broaden the sharing of cyber threat data beyond critical infrastructure sectors by developing a new ecosystem of cybersecurity information-sharing hubs across the economy. The ISAO model offers organizations of all sizes a new way to achieve the kind of information sharing that can enable better management of cyber risks.
In addition, strengthening corporate oversight of cybersecurity can make organizations harder targets for sophisticated hackers. Direct involvement by the board of directors in managing cyber risks across an enterprise and building an organization’s resilience can curb the chance of data breaches; help indirectly deter adversaries by denying them benefits of hacking; increase the likelihood that key operations will continue in the event of a major cybersecurity incident; and better posture companies to be high performers in the digital economy.
Further, organizations can better identify and counter sophisticated hacking schemes by applying an integrated approach to countering cyber and fraud risks. For instance, PwC has advised financial institutions to focus not only on cybersecurity but also on anti-fraud and anti-money laundering efforts. Integrating or at least better coordinating these three disciplines – and others – could help illuminate the threat landscape and enable stronger risk management.
Government resources are available to companies seeking information on when, what and how to report a cybersecurity incident to authorities. In the United Kingdom, for instance, UK-CERT has published a list of government entities that can help organizations with cybersecurity incidents. In the United States, new guidance to industry based on a White House directive explains that the FBI leads U.S. government investigations of major cyber attacks while the Department of Homeland Security focuses on mitigating vulnerabilities, identifying other entities that may be at risk, and sharing threat information across the public and private sectors. In some cases, including under the EU’s General Data Protection Regulation (GDPR) starting in 2018, industry faces mandatory reporting requirements.
Differences in laws governing data privacy and national security around the world pose significant hurdles to the voluntary sharing of cyber threat data across international borders, PwC concludes in its second study on the ISAO concept, Information Sharing and Analysis Organizations: Putting Theory Into Practice. Ultimately, however, the growth of commercial services for cybersecurity information sharing and the development of common standards for automated sharing could possibly help organizations around the world overcome those hurdles. Such cross-border collaboration should not be expected to eliminate the unwavering reality of cyber espionage, but it has the potential to give the private sector a new means of blunting some advanced persistent threats.