April 25, 2017What does cyber resilience mean to you? The answer will surely vary across industries. And, to some, the term might not mean anything at all. In fact, according to new research from Vanson Bourne, not enough organizations are making cyber resilience planning a priority.
Only 30 percent have already adopted a cyber resilience strategy, with about one-third still in the early stages of development or planning. Too many organizations are leaving themselves unprepared for the unknown, and it doesn’t have to be this way.
Organizations of all sizes need a cyber resilience strategy; no exceptions. Yes, security is critical, but not the only piece of the cyber resilience equation. Multi-purpose data archiving, business continuity and the ability to empower the end-user should also have equal consideration. This holistic approach to IT management is what we call cyber resilience, and this is core to our business and how we interact with our customers.
Cyber resilience resonates throughout everything we do at Mimecast – it’s engrained in our internal and external philosophy. But, we wanted to find out how other industry thought leaders are thinking about cyber resilience, and how they are applying it to their own business models. So, we took the great opportunity to tap into the powerful mindshare at RSA Conference 2017 by hosting the first-ever ‘Cyber Resilience Think Tank’ at the San Francisco NASDAQ Center. Insights from the event were captured in a Cyber Resilience Report released today from Cybersecurity Ventures.
I had the pleasure of leading this think tank discussion, which was made up of almost two-dozen leaders in the cybersecurity industry, and moderated by Ari Schwartz, Venable CEO and former member of the White House National Security Council. The impressive caliber of Think Tank participants – which ranged from Malcolm Harkins, chief security and trust officer of Cylance Inc., to Helen Rabe, head of information security for UK-based Costa Coffee – validates that cyber resilience is a hot-button issue that organizations of all sizes and across all industries should care about – and plan for.
The Think Tank attendees validated our approach to cyber resilience planning. It starts with the understanding that security alone simply isn’t enough. And it ends with a comprehensive plan to manage IT, and hopefully, a philosophy that helps drive your business and customer relationships.
Now, more than ever, organizations need a broad approach to cyber resilience planning and they can’t expect do it alone. Industry leaders need to continue to push cyber resilience and provide actionable insights and prescriptive advice to drive towards a more cyber resilient future.
Think Tank contributors included:
- Matt Crouse, Director, Information Security & Compliance, Lucky Brand, LLC
- Joe Gajdosik, Director of IT Security, Curtiss-Wright Corporation
- Jason Gunnoe, Chief Information Security Officer, Bridgestone Tires
- Cathy Hammond, Chief Security Architect, Teleflex
- Jim Hansen, COO, PhishMe
- Gary Hayslip, Chief Information Security Officer, City of San Diego
- Ed Jennings, COO, Mimecast
- Joel Lowe, Head of Information Security, Sonic Automotive
- Neil Murray, Chief Technology Officer, Mimecast
- Phil Owen, Global Head of Information Security, IHS Markit
- Helen Rabe, Head of Information Security, Costa Coffee
- Brian Reed, Chief Product Officer, ZeroFox
- John Sapp Jr., Director, IT Security & Controls, Information Security Officer, Orthofix, Inc.
- Ari Schwartz, Managing Director of Cybersecurity Services, Think Tank Moderator, Venable, LLC
- Maurice Stebila, IT Security, Compliance & Privacy Office, Harman International Industries
- Chris Wysopal, CTO & Co-Founder, Veracode
April 11, 2017
Imagine for a moment that you are the “rockstar” IT director of a Top 100 firm. You’ve just presented your 2017 plan to the board for major IT initiatives, which include a plan to support General Data Protection Regulation (GDPR) compliance. The presentation goes well, and you’re invited to stay and chat during the break.
Just as you’re about to walk to the coffee machine, a new board member comes up to you, thoughtfully sipping tea, saying: “Good presentation!” Before you can say thanks, she says: “You know, there are some things around GDPR which really worry me” - “What business value does GDPR offer us? With data in so many places, can we possibly get a quick win on GDPR risk mitigation? Is there a way to reduce the risk of data breaches for which we could be fined millions?”
As you listen attentively to the questions, your mind races as you think about the noise, alarm and scare-mongering of how organizations will be impacted by the GDPR. Phrases such as “fines of 20 million euro or 4% of global turnover”, and gloomy headlines like “Could new data protection rules mean the end of SMEs” have driven much of the concern and anxiety about the damage to a business’s reputation, impact on its share price or costs associated with GDPR. From her questions, it was clear that this new board member took these scare tactics to heart.
Being the “rockstar” IT Director you respond enthusiastically saying the senior executives and the board have been proactive in supporting the preparation and response to the GDPR. You talk unreservedly about how the GDPR can help the company become more efficient in the way they manage, process and protect personal data. It could also help them use data more profitably for their own ends, allowing them to become more competitive. Especially, if the business is intent on ‘transforming’ for a digital data-driven age, GDPR can form the foundation of that effort.
Time is of the essence
You agree with the board member that the business does need a quick win for implementing appropriate security and data protection measures for personal and sensitive data, as 25th May 2018 is not too far off. However, you explain that the process can be complex and challenging given the huge amounts of personal data such as email addresses, names, phone numbers, credit card details, and other sensitive information that may be stored across multiple data repositories, either onsite or in the cloud.
As the conversation progresses, more board members join the impromptu discussion around the coffee machine. You mention that you already have a plan for a “quick win” which will help in mitigating GDPR risk. You explain that almost every day we hear or read about losses of personal data, whether it’s a malicious attack or an accidental loss, or emails being compromised. You state a well-known fact that 91% of cyberattacks start with a phishing email – something which the board members find unpalatable. This is when you mention that it’s no wonder one of the GDPR measures gaining traction with IT managers is implementing appropriate advanced email security protection.
Now all eyes are focussed on you, and being the IT rockstar that you are, you stress that the business should use GDPR as an opportunity to get a firmer grip on continually evolving email threats. You describe how easily it can be done by putting into place measures which include multi-layered threat protection to defend against spear-phishing, ransomware, impersonation and other targeted email attacks.
You enlighten the board further on the new rights for individuals, which limit the personal data organizations are able to collect and store under the GDPR. You clarify how the business can use powerful cloud based archives to provide rapid search capabilities to find, remove or transfer personal or sensitive data. You also make it clear that these solutions ensure uninterrupted access to live and historic email data in the event of a sudden email outage or planned downtime.
Like any “IT rockstar”, you end on a positive note commending the board on their awareness of GDPR and growing cyber security risks. The new board member should feel confident knowing that, at the very least her concerns around a cyber resilient GDPR strategy are being addressed.
Find out how Mimecast helps to simplify GDPR compliance by visiting the Mimecast GDPR for email resources page.
Last week we launched our first of three videos called “Meet Jim, A Model Employee … and Phishing Target” where Jeremy Piven discusses a major cybersecurity issue hitting organizations on a daily basis. The issue that was covered was phishing attacks that target innocent employees to take action that puts their personal information at risk and would take control of the corporate network. The message seems to be resonating with over 142,000 views within one week.
The second video that we are launching this week called “Ransomware Just Put Katie’s System Into Lockdown” centers around the major issue of ransomware and again, how an innocent employee who is getting hundreds of resumes for her role as an HR recruiter, gets duped to download malware by opening up a resume sent as a Word document. The malware ends up being ransomware and locks-up her machine until she pays a ransom to release her data.
The Federal Bureau of Investigation said ransomware attacks cost victims $209 million in the first three months of the year, which is about $330,000 an incident. And, almost 40 percent of enterprises have been hit by ransomware in the last year.
Here are three things to consider when it comes to ransomware:
- Ransomware cybercrime kits are readily accessible on the black market, enabling non-technical cybercriminals to license and deploy them in the execution of a ransomware campaign.
- Most organizations focus only on prevention, without formulating a “Plan B” to rely on when prevention doesn’t work. Traditional preventive systems, such as AV, are increasingly unable to detect and block the constantly changing flavors of ransomware.
- There is no single “ransomware security product” available. Since no single product can provide adequate protection because of the multifaceted nature of ransomware, and the creativity of the attackers who wield it, protection from ransomware must also be multi-faceted.
So, what happens when ransomware hits an organization? A lot:
- Organizations suffer from crippled productivity.
- Employees are locked out of vital productivity tools like email, calendars and contact lists, as well as other applications and files on affected systems.
- Customers are often impacted because customer-facing operations that are highly dependent on IT are not functional.
- Organizations often succumb to the pressure to pay the ransom to regain access to their applications and data, motivating and financing attackers to expand their ransomware campaigns.
- Data can be lost, damaged or corrupted after an attack, as not all ransomware is bug- free. And, in some cases, the attackers, if not paid in a timely manner, will destroy the decryption keys or some of your data in retribution.
As cybersecurity issues, such as ransomware, continue to be top-of-mind, Mimecast is committed to educating the millions of employees, C-Suite and board members on the impact of not only cyberthreats but also, the fact that employees take an inadvertent active role as a trusted insider to launch an attack against the company.
Telling the story of who your company is, and what you do is a consistent struggle for any business. As the nature of cyberattacks continues to evolve and get more interest beyond IT and Infosec, we here at Mimecast took an approach to conveying the problems organizations face in a way that everyone can understand. In other words….information security has gone mainstream and everyone is talking about it.
Because of this, we're taking a different approach to engaging the market. We're adding personality and a familiar face to convey the passion we have each and every day at solving major cybersecurity issues for global organizations.
That is why we engaged one of my favorite actors - Jeremy Piven a.k.a Mr. Selfridge or Ari Gold.
Working with Jeremy Piven and the production team was a great experience. Jeremy is a true artist with a strong desire for perfection and challenged us to help him convey the problem in a way that everyone can understand. Being that I have worked in the information security industry for over 16 years, I have found that we (the proverbial InfoSec vendors and professionals) overcomplicate the problem organizations face…only to leave the Board of Directors and the C-suite wondering what the true ROI is on their Infosec spend. The challenge was accepted by our team and we came up with an approach and message that everyone can understand within 60 seconds. The commercial project was an amazing and humbling experience that resulted in a three-part video series that will be rolling out over the next several weeks. The first of three video segments begins this week with our Protect Against Malicious Email URL Attacks video.
So you can get a sense of the problem the market is facing and our solution that helps protect against phishing attacks, below is the script of the first video for your reference.
JEREMY PIVEN: This is Jim. Jim is a model employee. So, when Jim gets an e-mail with the subject line "Employee Survey" with instructions to "click here to complete the survey", he eagerly clicks the link to provide his feedback.
JEREMY PIVEN: What Jim doesn't know is that e-mail was actually a phishing scam, and by clicking that URL, he just downloaded a remote access trojan that has given a cybercriminal remote access to his
computer and the corporate network.
JIM: No, no, no, no. . .
JEREMY PIVEN: Phishing scams like these, fooling innocent employees, happen every day and can cost your company thousands.
JEREMY PIVEN: For protection from cyberattacks like these, get Mimecast.
JEREMY PIVEN: Industry leading protection from spear-phishing, impersonation, and ransomware attacks.
JEREMY PIVEN: Mimecast, making email safer for business.
JEREMY PIVEN: It'll be alright.
As information security continues to be top of mind for businesses and continues to go “mainstream,” I challenge the rest of the security industry to commit to educating all businesses and their employees, C-suite and Board of Directors to better understand the impact of cyberattacks. Also, let’s educate them on how to best safeguard against different types of email attacks and the role employees play in launching an attack. I say, challenge accepted.