Manifesto_final

Apr 12, 2017

Sarah Jarvis

A Manifesto for Cyber Resilience

Cover themes: Cyber Defined, Unknown Unknowns, Fighting Yesterday’s Battles, Human Factor, Understand Where You Stand, BYOD, Cyber Resilience, Employee Threat, Revolutionaries


Cyber Resilience Defined

Cyber increasingly describes our online work and play; it’s a big and growing element of our real lives. Today, some 2.4 billion global internet users, 34% of the world’s population, spend increasing amounts of time online.1 All our Cyber activity adds up to a lot of online business, making it an unstoppable movement – the type that starts revolutions.

To some, the benefits of our Cyber lives and new business models come with understandable and acceptable risks. Others feel such mass movements demand more considered responses. But there is little time for debate. What we really need is a Call to Action.

De-risking our Cyber lives means understanding four opposing forces – all of which bring different Cyber Risks and demand urgent management attention:

Democratization – ‘Power to the people’ as organizations learn to work with customers via the channels they dictate.

Consumerization – The impact of the many devices, or more importantly the apps, which span work and play in our Cyber lives.

Externalization – The economics of the cloud, slashing Capital Expenditure and shaking up how data moves in and out of organizations.

Digitization – The exponential connectivity created when sensors and devices form the ‘Internet of Things’.

Solving Cyber Risk for one of these trends merely raises the importance of the next in line. As with most other ‘best-practices’, there are several right answers meaning, at best, you can optimise your organization’s environment to reduce its exposure. Thanks to these powerful forces above, Cyber Risk cannot be eradicated.

This Manifesto sets out a plan to reduce, not eliminate, the real and growing risks we face as individuals, businesses and governments. Its goal is simple, to make us Cyber Resilient.

[Figure: the four opposing forces – Democratization, Consumerization, Externalization, Digitization]


What We Know Today

Cyber makes the previously impossible, possible. Without Cyber, our lives would literally resemble the past. Consider:

• Which bank customers would give up the freedom to move money across international boundaries in milliseconds?

• What would force businesspeople back into queues for airline tickets, phone booths or to post parcels?

• Why would anyone air-freight a component which could be printed out for less?

The situation today is complex, fast-moving and potentially devastating for organizations. While just 15% of the world’s internet traffic is mobile right now, that figure is growing thanks to five billion mobile phones, a third of them internet-accessing smartphones.1 Each day 500 million photos are shared and the average user checks their messages 23 times a day.1

Cyber-attacks claim 1.5 million victims every day and add up, conservatively, to $110bn of losses each year.2 Malware (malicious software) attacks on the web increased 30% in 2012 and on mobile devices grew 139% in the same period.3 Crucially, of the websites serving up malware, 62% were legitimate sites that had been compromised.3

Worried yet?

These Cyber threats will only increase, as will their sophistication, because older targets, such as PC operating systems, are giving way to new web-based and mobile platforms as well as social apps. Changes to what security experts call the Threat Landscape are hard to address. Without levels of security previously seen only in large enterprises, you are exposed. As we shall see, size is just one of our worries.


The Unknown Unknowns

Understanding the future enriches lives. By contrast, in the world of Cyber, unknowable intentions and unexpected consequences create chaos. It is impossible to predict all the new Cyber Threats which your organization will face – some are yet to be dreamt up.

Whether disgruntled ‘hacktivists’, Cyber criminals, Cyber terrorists or even state-sponsored Cyber armies, most have the advantage of surprise over us. Their motivations are wide-ranging, from peaceful protest to malicious intent, political gain to personal gain, or a combination of these. However, the means at their disposal to create Cyber Risks are increasing exponentially, stacking the odds against the unprepared.

More and more ready-made malware kits are made available over the Internet, paid for with virtual currencies far from prying eyes. The ‘Black Economy’ of Cyber is thriving and there really is honour amongst thieves. Their Centres of Excellence, hidden behind very secure protection, are where they can outlearn all but the most knowledgeable of security experts. There they can share data, stolen without the knowledge of their victims, the original owners. For a price, they share their secrets with other Cyber conmen. Your law-abiding organization is unlikely to receive a backstage pass.

Unlike in the natural world, being a small fish in a big pond does not help a victim. In fact it makes it worse, with 31% of Cyber-attacks affecting organizations with just 1 to 250 employees.2

While large enterprises are well used to Cyber Threats, their smaller suppliers are much more attractive to those with bad intentions. Infiltrating a major company’s supply chain is best achieved from below, rather than above.


The Human Factor

While 84% of data breaches take hours or less to complete, discovering them takes months in 66% of cases, and containment takes months or years for 22% of us.4 Why is this?

You might think the difference between a Cyber-Resilient organization and the ones open to exploitation is better computers, software or faster telecommunications. Sadly, it is almost never the case. It may well be necessary to have the very best technology you can get to secure your organization. However, necessary may not be sufficient. Newer, faster, shinier pieces of kit in isolation seldom save the day.

The weakest link in Cyber Security is the person reading this manifesto – You and I.

IT is the beating heart of all modern organizational processes, infiltrating every department, and IT has traditionally been responsible for Cyber Security. However, its former role as the lead purchaser of technology is fast changing to one of trusted adviser. Recent research has shown 14% of cloud storage, 13% of social media and 11% of office productivity software is purchased without the IT department’s knowledge.5

Gartner data shows the movement of IT budget away from its traditional ‘owners’ to other departments is already well under way. The marketing department is a front-runner and due to outspend the IT department on technology by 2017.6 All of this means the human element of Cyber Risk is likely to be highest within your organization but outside the IT department.

Today, concentrating Cyber Security knowledge solely within the IT department is not business as usual, but just a way to add Cyber Risk to your organization. To err is human so why keep the burden of Cyber Resilience solely within one (IT) department? It’s high time to move to a security culture which is all-inclusive.

[Infographic: 84% of initial compromises take hours or less; 66% of breaches are not discovered for months; 22% of breaches take months or longer to contain]


Risk 1 Businesses Are Small Compared to the Threat

Globally, few organizations have the resources to stay on top of all the Cyber threats a highly-motivated team can mount. Even multinational organizations can only employ relatively small teams. The bad guys are also smart guys. They learnt long ago how to collaborate by forming virtual teams across national boundaries for mutual benefit. They sell their tricks to each other and trade stolen identities, to defeat security systems mostly built for a pre-Cyber, pre-mobile and even pre-Web, nation-based set of risks.

Cyber attacks themselves remain comparatively unsophisticated, but scale alone is not the issue. Most organizations already have the basics of Cyber Security right, and this limits to 10% the share of Cyber attacks which could be carried out by the average user. It is the next level which is hard, because 78% use only the ‘basic’ resources available online and no customization.4

One issue could be approach. The natural reaction of a traditional security professional is to buy more security tools, but such piecemeal approaches fail at scale. It would be better to get fuller visibility into where their organization is today and react accordingly.

In the future Cyber Attackers will likely have even more to aim at. The drive for efficiency means linking ever more systems together: smart meters to manage energy use, sensors to control production lines and RFID tags to track shipments. As a result, the largest users of Cyber are no longer the IT department, nor are they even human.

With threats global in their nature, only a privileged few organizations, mostly in the defence sector, can spend all their time fighting Cyber wars. The rest of us still have the day job, be it sorting out insurance claims, selling shoes or servicing cars. We have to spend wisely to become more Cyber Resilient. What chance then for the smaller guys? The answer for security professionals is to ‘club together’ just as their attackers have already done. Pooled resources and shared knowledge about the severity of threats could even up the fight.


Risk 2 Fighting yesterday’s battles loses the war

As Cyber Risks have become more subtle, personalized and distributed, detecting them has become increasingly hard. So hard, it would be a brave person who would claim any IT systems connected to the Internet (virtually all commercial systems) were impregnable.

Historically, ‘walls of steel’ have a poor record – human intelligence bypasses them. Today’s smarter Cyber threats are seldom full frontal assaults; they are more personalized and attack many vulnerabilities simultaneously, making them more devastating.

Their payloads, whether arriving by web, email or mobile, wait patiently and silently as resident botnets on infected systems and can then awake from their slumber on command – even after the infection was detected and the ‘door has been shut’. Yesterday’s thinking on Cyber Security is of limited value.

Given this fiendish amount of cat and mouse, the best strategy is not the isolated removal of threats, but a slow, determined and ongoing process of Cyber Resilience. Cyber Resilience accepts there is no silver bullet, no cure for the common cold and certainly no cavalry coming over the hill. It counsels that the best offense is a considered defense. Its objective is to create an uneven playing field, where accessing your systems is tougher and less profitable than accessing others’.

With better information comes better decisions. After all, taking no risks can be just as risky a decision in today’s business environment. Having a clearer view of the threats your organization faces is the best way to build up your Cyber Resilience.


Risk 3 Ignoring the role of Employees

Employees are often cited as the greatest asset an organization has. The reality is they can also be the greatest liability from a security point of view. Identity theft and the physical theft of unprotected devices, often encouraged by today’s generous BYOD policies, greatly complicate matters.

Where once security was the sole responsibility of IT professionals, today it cannot be left to them alone. One person’s ‘Shadow IT’, or non-sanctioned technology spending, is another’s fast track to innovation. Aggressively cracking down on what others regard as productivity tools is a sure way for IT professionals to remove themselves from future discussions – we already discussed yesterday’s battles.

Employee attitudes do need to change a little too. Surveys show 53% of employees believe it is OK to take corporate data because ‘It doesn’t harm the company’.7 But is that their call?

Surely it is better to empower non-technical employees and reduce unintentional malpractice. This will give them the knowledge to increase the organization’s Cyber Resilience through their technology decisions and the processes they enforce. This is important when such behaviour accounts for 35% of all data breaches and, unsurprisingly, such immorality spikes steeply as individuals prepare to exit companies.8

Far from being an abdication of responsibility by IT, here is a chance to convert IT expertise into competitive advantage. There is a new deal to be struck between non-IT professionals and their more technical IT colleagues, showing them how Cyber Resilience can increase their organization’s potential. In Cyber, ignorance is not bliss – it’s a communication and an organizational challenge. In other words an untapped commercial opportunity.


How To Become Cyber Resilient 1 Understand where your organization stands

A well-known management saying is you cannot manage what you cannot measure. However most Cyber attacks are unnoticed, let alone measured, as are the risks they pose.4 How can we then assess how at risk we are?

The answer hated by schoolchildren, loved by quality organizations globally, is external assessment. More precisely for organizations at risk of Cyber attack, a comprehensive Cyber Assessment of people, processes and products is essential. Honesty, boring as it may be to some, is the start of the journey to Cyber Resilience.

Of course, an independent audit of vulnerabilities, baselining the technology and processes in use in your organization, is a good start. But it is just the start of the journey. How about a benchmark to relate your score to that of your peers? How about some practical recommendations based on a gap analysis of where you are and where you want to be? Now IT is becoming genuinely strategic.

Armed with such information, the path to Cyber Resilience becomes clearer. Better still, those Unknown Unknowns we mentioned start to become visible action items, not just for the IT department but across an entire organization. Such insights then become your unfair advantage.

Even though Cyber Resilience does not equal immunity from Cyber-attack, the very point of Cyber Resilience is to make your organization’s vulnerabilities less appealing to attack. But only once there is a baseline and a corporate-wide goal, can you prioritize and start work on the toughest Cyber issues facing your organization first.


Once upon a time a small number of people were responsible for IT. This worked well when computers were locked up in rooms by computer scientists. Now critical confidential data is walking around in employees’ pockets and sometimes the pockets of your organization’s partners and their partners and so on…

Things have changed. For one, your Unknown Unknowns mean the genie is out of the bottle. Best practices for on-premise Cyber Security can only protect your organization to the extent that the weakest, least secure member of your team, or extended supply chain, practices them.

So while you may do a fine job writing and even enforcing password policies, locking down devices and complying with ISO standards, this will not make you Cyber Resilient unless you can ensure similar standards are maintained by everyone from your contract cleaners to your auditors, your external caterers to your lawyers.

Secondly, as we have seen, analysts predict non-IT staff will shortly spend more on technology than those with ‘IT’, let alone those with ‘IT Security’, in their job titles. So it’s time to think outside of the box, outside of the IT department, outside of job descriptions and outside of your organizational boundaries. Thirdly, while you may have spent a career in IT, it is unlikely your experience to date has prepared you for the role Cyber is assuming in our lives today.

While you are struggling to benchmark which Cyber Risks you are exposed to and where to start the journey to Cyber Resilience, for some an even tougher challenge looms. Dropping the tech-speak.

How To Become Cyber Resilient 2 Coaching your colleagues, ALL of them

Reaching out to colleagues is crucial, but you will fail without one simple skill: the ability to unlearn decades of IT and IT Security jargon. It is not only unnecessary, it weakens your point. Truly, jargon is the enemy of Cyber Resilience.


As we have seen, working alone on Cyber Resilience is a futile exercise. Cyber Risk comes from unseen and clever enemies, made up of cells who can form, dissolve and reform fluidly. Matching this ability is neither practical, nor desirable and besides, who would do your day job?

Philosophers tell us “Those who do not learn lessons from the errors of the past will repeat them”. But you are not alone. There is strength in numbers in Cyber. Why suffer while your organization decides which Cyber Resilience strategy to get onboard with? It is much smarter to join up with others who share the same beliefs as your organization, pooling intelligence and developing strategies.

Your skillset makes you ideally placed to help your organization become more Cyber Resilient. Some would say this is the only strategy which can succeed given the constant nature of the threat.

Imagine a nerve centre of Cyber Intelligence, like a highly stimulated virtual brain, pulling together billions of small observations from the Cyber issues facing many thousands of organizations and millions of users, to create a clear overview of the Cyber threats faced by your organization.

Compare that future role, one at the heart of a Cyber Resilient organization out-performing its competition, with today’s view of IT as who to blame when things go wrong. This is not to say the basics are unimportant; the information from existing security controls really matters.

IT’s new role is as the Centre of Excellence for Cyber Risk assessment. To provide new signposts for executive leaders to gauge their organization’s Cyber Resilience. Cyber Risk transcends IT, departmental and even national boundaries. Cyber Resilience is a team sport played by leaders. Like you. Catch the train now, it is ready to depart.

How To Become Cyber Resilient 3 Make Cyber Resilience your competitive advantage


Conclusion

The results of the move to Cyber are already impressive and we have only just begun. Amazingly this progress only requires the ability to send and receive data securely. Unfortunately this is a complex technological feat and as Arthur C. Clarke, a futurist and writer, said “Any sufficiently advanced technology is indistinguishable from magic”.

Cyber is too important to be just ‘magic’. On a personal level, Cyber Risks question our identity and our privacy. On a global level, Cyber Risks threaten the stability of our government and banking systems. Cyber needs to be understandable by business and public organisation leaders in the same way as power, water, talent and other vital real-world inputs. Today it is not treated this way.

No top-down edict will succeed. Cyber is too fast moving. Only a grass roots movement, informed but flexible, has a prayer of success. IT professionals have a critical role here only if they can:

1. Effectively baseline where their organization’s Cyber Resilience is today. Faster and with more rigour than previously.

2. Make their people part of Cyber Resilience. Educate everyone in their organization’s supply chain to balance the innovation they want with the Cyber Resilience they need.

3. Use Cyber Resilience for long-term strategic competitive advantage in their organization.

Hopefully the ‘idea grenades’ lobbed in this Manifesto will start the chain reaction your organization needs to get to Cyber Resilience. If it has, you might want to join up with the experts at Symantec, whose Cyber Assessment, security products and services are helping millions of users, and helping thousands of Chief Executives to make their organization Cyber Resilient.

[Diagram: the journey to Cyber Resilience, from Today to Tomorrow – labels: Define Cyber, Baseline, BYOD, Cloud, IT, Business, Supply Chain, On Premise, Core IP, Educated Workforce, Future Supply Chain, Outsourced, Transition, Cyber Threats, Impact Evolution, Legacy Approach, Strategic Resilience]


Contacts

Symantec EMEA Headquarters, 350 Brook Drive, Green Park, Reading RG2 6UH

Tel: +44 (0)870 243 1080

References

1 – Mary Meeker, KPCB, 2013 Internet Trends

2 – Norton Cybercrime Report

3 – Symantec ISTR 2012

4 – Verizon DBIR 2013

5 – Economist Intelligence unit July 2013 ‘Security Empowers Business – unlock the power of a protected enterprise’

6 – Gartner Webinar January 2013 ‘By 2017 the CMO will spend more than the CIO’ by Laura McLellan

7 – Symantec ‘What’s Yours is Mine: How Employees are Putting Your IP at Risk’ paper 2013

8 – Symantec ‘Cost of a Data Breach Study 2013’

Unstoppable movements start revolutions. Symantec would like to engage with your Cyber efforts. Our products and services are acknowledged to be at the leading edge of Cyber knowledge.

Share today, be part of the resistance. To sign up for an initial CyberV assessment please contact us.

http://www.emea.symantec.com/cyber-resilience/

Symantec is a global leader in providing security, storage and systems management solutions to help customers secure and manage their information and identities.

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 12/12
