Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed.
Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations.
This starts with aligning the strategic agenda and business priorities with security.
Organizations face a cybercrime wave
Unexpected losses. Disrupted strategies. Damaged brands.
Cyber-attacks can rapidly derail an enterprise’s ability to create value—and frequency, reach and levels of sophistication continue to grow. Last year, the number of cyber-attacks against large companies increased 40 percent, targeting five out of six enterprises with over 2,500 employees.[1]
Attackers currently occupy the high ground in the battle for company data. The barriers to entry are low; with little investment and minimal risk, it’s never been easier or more lucrative for adversaries to cash in on their efforts. What’s more, cyber thieves that operate across borders rarely face prosecution. “Attackers continued to evolve, their targets continued to expand, and their techniques continued to change. But the central narrative stayed the same: Far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments.”[2]
Organizations’ cyber defense strategies aren’t keeping pace with the new technology landscape
In today’s 24/7 world, global connectivity enables organizations to shrink geographic distances, bridge borders and forge real-time links. But every revolution has its casualties, and one victim of the connected age is the peace of mind companies once had regarding the security of their critical assets. Where a locked door and an on-site security team were once the frontlines of protection, today’s attackers can target the company’s core technology infrastructure. They can take advantage of company initiatives centered on emerging technology including cloud, analytics, mobile communications and the Internet of Things (IoT), to enter and peruse the most sensitive parts of a business—all undetected.
Leaders unfamiliar with the specific details of how pervasive cyber defense is becoming may fail to recognize the gaps that exist in their digital security strategies. It’s easy to do: Regulators and other government bodies demand compliance with specific regulations focused on meeting baseline security standards, which can drown out other voices supporting dynamic approaches to cyber risk management. Cybersecurity was once a part of the business where meeting the lowest common denominator was an acceptable management practice. Companies soon learned that passing compliance assessments doesn’t equal data security.
Likewise, a strategy focused on acquiring the latest security products and add-on applications can quickly drain a security budget, while not appreciably improving the organization’s defensive posture.
“The reality is that no organization can defend itself from everything, even if the resources existed to support such an endeavor. Leaders need to embrace a new approach.”
@AccentureSecure
To thrive, business leaders should follow these three approaches to bring risk down to a manageable level:
1. Actively engage to make the business a better security “customer”
2. Strengthen the partnership between the business and security
3. Continuously exercise organizational defenses
www.accenture.com/cyberdefense
1. Actively engage to make the business a better security “customer”
A solid cyber defense requires that companies interlock an organization’s business stakeholders, its risk management office and the security team—and develop a true relationship that asks every employee to own responsibility for security. Much like lean and total quality management drive efficiencies and cost savings in the product lifecycle, securing the enterprise requires a similar pivot organizationally to prioritize this challenge.
Some organizations are inadvertently and unknowingly bad “security customers,” especially when they fail to understand the broader responsibilities and role the enterprise has in protecting itself. The likelihood of cyber threat detection and elimination significantly drops if the business side fails to fully interlock with the security team. Some typical challenges include:
• Security lacks sufficient top management access. Most companies recognize that digital security is an important agenda item, but in many cases, the chief information security officer (CISO) does not have top-level access. More than half (54 percent) of security decision makers say security and risk at their company is still mainly technology-focused, and a similar percentage report that their CISO continues to report into IT (55 percent).[3] Consequently, most CISOs focus on technology instead of concentrating on security from a business-centered, holistic perspective.
• The front lines remain unengaged in security issues. Another study found that 62 percent of information security professionals say employees do not care enough about security to change their behavior.[4] Articulating the importance of security and doing it in an engaging manner starts at the top. One effective method for creating user engagement is through gamification that provides employee incentives and rewards. This can be an effective tool if the organization also creates and enforces robust accountability policies, and develops easily captured reporting measures.
• Ambiguity regarding who “owns” the systems under attack. Business teams are trying to meet customer demands; they’re agile and entrepreneurial and continually create new applications and data stores. When these systems are under attack, the security team needs to know who “owns” the compromised system and its criticality to the business in order to coordinate an effective response. Many firms do not have this asset information immediately available due to lack of collaboration between security and the business, which can impede action and reduce the effectiveness of the response.
2. Strengthen the partnership between the business and security
Leaders should take steps to ensure the organization can preempt, detect and respond to current and future threats. Instead of relying on the security team to play “clean up” after a breach, organizations need to factor potential cyber threats into today’s business decisions. Many cyber defense veterans feel their teams are catching frequent “Hail Mary” passes from the business; but as sports fans know, hope is not a strategy. Instead, leading cybersecurity players take proactive steps to align the business side’s commercial needs and the security team’s cyber defense requirements by forging an effective business-security-risk management partnership. Four elements of such a partnership are:
• Keep security on the agenda. If organizations can operate under a concept called “presumption of breach,” acknowledging that a hacker will get into their networks, perspective on the right security strategy becomes laser focused. Having the right security strategy and cyber defense capabilities are core elements of business resilience and brand trust. Accenture recently collaborated with the Ponemon Institute, an independent research center specializing in security trends and best practices, in a study to understand key characteristics to improving security effectiveness. The study suggests that a focus on cyber defense innovation and strategy separates leading organizations from the laggards.[5] These organizations embrace and implement new ideas, develop officially sanctioned security strategies, make information security a business priority and do a better job of making employees fully aware of the business’ security requirements.
• Recognize the complexity of the challenge. The best organizations view risk management in dynamic terms, prioritizing the protection of critical information and recognizing that future costs could rise significantly. It’s important to determine where to “set the bar” regarding loss tolerance. Part of the challenge is recognizing the complexity of roles; the organization has revenue goals and other business targets, and the security team has its own set of objectives. While the aims may differ, each group should align fundamentally in its dedication to the company’s success.
• Work together to identify the organization’s critical data. While all risk can’t be mitigated, it can become manageable by applying a level of triage. Most organizations can pinpoint their most consequential risk in a small percentage of their networks—giving them a greater level of protection. By triaging and prioritizing what is truly critical, an organization can reduce the bulk of its risk and mitigate the line of the attacker. In addition, from a data management perspective, as part of a continuous cycle, organizations should industrialize processes to delete, rationalize or encrypt dated and non-critical information with regular cadence.
• Evolve the organizational culture to attract and retain top-tier security talent. Given the intense focus on digital security, the war for top talent has reached new levels, triggering bidding wars for the elite cyber defense talent. More organizations are evaluating traditional hiring guidelines to attract and retain “Millennials” with in-demand skills. Today’s security talent wants challenging roles with opportunities to continuously develop technology skills. Organizations that fail to deliver face increased attrition and recruiting cost. Think proactively about talent pools, working with universities to develop key cyber defense recruits, and looking for expertise outside of normal channels.
“Volume matters; to cash in on PII [personally identifiable information], cybercriminals want to steal as many customer records as possible. Hackers pick their victim organization carefully, learn its business, understand its partner relationships, and test for weaknesses and vulnerabilities.”[6]
3. Continuously exercise organizational defenses
The cyber defense story is compelling, but what can leaders do to improve the enterprise’s data security? Focus on developing organizational defenses:
Relentlessly test cyber defenses. One way to become more resilient is to train like a professional athlete. Athletes who train exclusively with a static punching bag won’t stand a chance against a real opponent. Likewise, an enterprise focused totally on conventional defenses will quickly fall prey to today’s increasingly aggressive digital attackers.
“Individual hackers and organized criminal groups are using state-of-the-art techniques to infect hundreds of thousands—sometimes millions—of computers and cause massive financial losses, all while becoming increasingly difficult to detect.”[7]
Organizations leading the way in cyber defense are training with third-party “sparring partners” equipped with the skills and technologies (but none of the malice) that attackers bring to bear. Organizations that consistently engage in sparring sessions benefit from the feedback loop such training provides, developing a real understanding of how well the enterprise detects, defends and responds to cyber-attacks. They learn from mistakes without facing the catastrophic effects of a real attack.
Hunt inside the organization’s defenses. When leaders assume the enterprise is already compromised, they find better methods to constantly look for intruders across the entire enterprise. Design security architectures and business processes for emerging technologies and proactively hunt across systems to better anticipate attacks and significantly reduce detection timeframes—versus waiting for a static indicator of compromise, which will likely happen too late to minimize the impact of an attack.
Improve response effectiveness. As the organization spars with an elite security assessment team—going through the same tactics as the attacker would use—over time they develop much needed “muscle memory.” The more time fighters spend in the ring, the more their comfort levels increase and their performance improves. Likewise, organizations that spar repetitively and consistently work more effectively to minimize an event’s impact. They read their opponent more effectively and improve their abilities to actively defend their business with speed, strength and accuracy. As companies become more adroit in response to incursions, the better they become at mitigating impact.
Conclusion
Fraud and theft are nothing new, but the intensity, impact and level of sophistication of current digital attacks make cybercrimes uniquely dangerous for digital businesses and governments. In this ever-changing environment, business leaders need real solutions to improve resilience—and that starts with aligning security to strategic imperatives.
Put the 100-day cyber defense plan into action
Once an enterprise takes the pulse of its cyber defense strengths and weaknesses, developing an action plan is critical. That means assessing where the organization needs to invest and architecting triage procedures to handle security concerns now and in the future. By following assessments with clear-cut 100-day and 365-day plans, organizations can build the momentum needed to realize their cyber defense goals.