PricewaterhouseCoopers (PwC) has released a very interesting report on the current state of cybersecurity. I was reading "Managing Cyber Risks in an Interconnected World: Key Findings From The Global State Of Information Security Survey 2015" when I realized there is one significant dimension that I don't see PwC or anybody else addressing.
First, I want to share two quotes from the report:
It seems certain, given the technical sophistication of today's well-funded threat actors, that a substantial number of incidents are successful but not discovered. In fact, one cybersecurity firm recently estimated that as many as 71% of compromises go undetected.
The U.S. Federal Bureau of Investigation (FBI), for example, disclosed that it notified 3,000 companies — including banks, retailers, and defense contractors — that they had been victims of cybersecurity breaches in 2013.
What this tells us is that when you read a survey and it says, for example, 85 percent of respondents report that their company has been hacked, that just means that the other 15 percent don't know they have been hacked.
Organizations need to increase their attention to how they detect intruders and act to minimize damage.
I made this point in my previous blog post, "The State of Information Security and Cyber," which was based on a similar report from EY.
A further thought was triggered when I read these other points by PwC:
A survey of 46 global securities exchanges conducted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges Office found that more than half (53%) had experienced a cyberattack.
A hacker group successfully infiltrated a U.S. public utility via the Internet and compromised its control system network, although the intrusion was halted before any damage was done. And sophisticated state-backed cyber adversaries employed powerful malware to infect the industrial control systems of hundreds of energy companies across the U.S. and Europe.
Even if we are fully prepared to resist and, if breached, respond to a cyberattack on ourselves, are we prepared for a cyberattack that disrupts the environment on which we depend?
The PwC report highlights that not only are our organizations at risk, but so are the extended enterprise and the organizations we depend on to keep running, such as utility companies, banks, Internet and cloud providers, and rail and trucking companies.
Some companies are wisely asking their key suppliers to confirm they have a reasonable level of both information security and contingency planning in place. (I remember helping Business Objects answer questions about that from Intel.) But are we prepared to survive and even thrive should they fail?
I suggest a risk workshop with the appropriate parties to talk about the level of risk and how we could respond if any part of either our extended enterprise or those we depend on to operate should fail, whether for a moment or a significant period.
If you want to be really sophisticated, ask how you could take advantage of opportunities should one or more competitors fail!
I welcome your comments.