Author: Hongting Su | hongting.su@students.mq.edu.au
Institution: School of Computer Science, Faculty of Science and Engineering, Macquarie University
Date: 14/07/2022

Many parts contribute to the success of a business. Organisations today rely on technology more and more, and data and information have become one of the most valuable assets in modern business operations: they help an organisation stay prosperous and maintain its competitive advantage. Because of their value, they are susceptible both to external attacks, which may occur at any time and from anywhere, and to internal data leaks, which can result accidentally from human error. Without a proper cyber security strategy in place, an organisation cannot defend itself against the threats posed by such vulnerabilities.

In an organisation, top management and the board are responsible for providing strategic direction, monitoring that direction, and supporting the strategy with resources and a financial budget. All of their decision-making drives organisational performance in order to maximise the delivery of value to all stakeholders (Australia Institute of Company Directors, 2016). Thus far, top management and the board in most organisations have been largely independent in their workings.

This essay discusses the integral role that management and the board play in the cyber security picture, and why they should direct and oversee the establishment of, and adherence to, an enterprise-wide cyber security strategy.

The board and management should be engaged in the cyber security picture for three reasons. First, cyber security is an enterprise-wide strategic concern and therefore requires board-level oversight. Second, cyber incidents can affect all stockholders in the company, so the board needs to understand the risks they bring in the context of the company's business operations and conduct risk assessments just as it does for other enterprise-level risks. Third, an organisation needs not only technical security solutions but also an enterprise-level management framework, provided by the board and management, on which those digital solutions rely.

Cyber security is an enterprise-wide risk concern: it involves every entity and system within an organisation's ecosystem, because each is interconnected with all the others. Understanding which information assets are the organisation's most important, where they reside, and how and with whom they are interconnected is the business of both management and the board (North, J and Pascoe, R, 2016). Data compromise can happen anywhere within the ecosystem, so a secure system is not one whose core components alone are secured, but one that also covers all of the organisation's partners, suppliers, affiliates and customers (Larry, C, Josh, H & F van der, 2020).

In retrospect, significant cyber-attacks usually start from a vulnerability in one component of the ecosystem and gradually penetrate the entire system, impacting downstream businesses and services. Many of today's organisations are attempting new ways of managing data, and managed services are a popular and cost-efficient form of data outsourcing (Larry, C, Josh, H & F van der, 2020). By placing some organisational data with Managed Service Providers (MSPs) on external networks, the organisation adds those third-party companies to its ecosystem, and this introduces new risks. It increases the number of possible vulnerabilities and expands the scope of the risk assessment. When data is outsourced, the organisation has limited direct access to secure it, but it must still have adequate risk management procedures, such as understanding the security and monitoring tools provided by those MSPs or third-party vendors.

The board has an obligation to oversee that management conducts cyber security risk management which encompasses not only the organisation's own network but the entire ecosystem, in the context of its business operations. Vendor access is the key point for management to investigate: understand which software packages in deployment are provided by those vendors, and determine which intellectual property and confidential data they have access to (Brumfield, C & Haugli, B, 2021). After this identification, management should implement effective enterprise-wide risk management processes that monitor the entire network, including supply chain risks, since any security flaw in the system has the potential to become catastrophic.

In July 2021, all the shopping systems of the Swedish supermarket chain Coop malfunctioned, and it had to close 800 of its stores for almost a week because of a cyber-attack that did not directly target the supermarket itself but its MSP, Kaseya. Kaseya is an American software company that provides software solutions to Coop (Joe, T, 2021). On 2 July, Kaseya's incident response team detected a breach resulting from an authentication bypass vulnerability in its Virtual System Administrator (VSA) software (Michael, H, 2021). The attacker exploited this vulnerability to distribute a malicious payload, compromised more than one million systems, and demanded a $70 million ransom payment to release all affected systems. On 5 July, Kaseya said that between 800 and 1,500 downstream businesses had been impacted by the attack (Raphael, S, 2021), and Coop was one of its customers.

The prominent characteristics of this cyber-attack can be listed as follows: the vast majority of systems were compromised; numerous downstream businesses of the company were impacted; and the attacker used a simple technique to exploit the system.

Firstly, the attack had a broad range of impacts, as around 800 to 1,500 of Kaseya's downstream businesses were involved. This embodies the intimate connection between each entity within a business ecosystem, and the chain reactions that occur when risks spread. It is important that management fully assess the potential risks in the ecosystem that might impact the organisation's own network, and report any detected vulnerability to the other entities within the ecosystem.

Secondly, the attacker encrypted over a million of Kaseya's systems, which reflects that Kaseya had access to most of its customers' data and systems. On the client side, it is easy to overlook the importance of establishing principles and frameworks to manage the risks that come from the MSP. Kaseya was the MSP of the Coop organisation, so Coop's management should have had a well-established enterprise-wide risk management procedure to mitigate the risk. In this incident, Coop should have been aware that its network was interconnected with Kaseya's; the least privilege principle needs to be complied with when outsourcing company data or systems to MSPs, so as to limit the MSP's access and reduce the likelihood of being affected by a data breach on the external network (Domenic, A, 2017).

Thirdly, during this attack the attacker simply sent a password and was granted a session cookie with which the authentication could be bypassed. Security controls were already in place and should have been able to detect and intercept the malicious activity. Nevertheless, this did not happen, because Kaseya was a trusted company and there was no monitoring in place. The board and management need enterprise-level risk awareness that even trusted partner companies should not be granted unlimited access to all systems (Donny, J, 2021).

Once management and the board know the risks, they need to understand that enterprise cyber security is not just an Information Technology (IT) task; it needs their guidance and strategic direction. The responsibility for addressing cyber security concerns cannot be left to a single department; rather, there must be a well-established and regularly reviewed security culture. An enterprise cyber security management framework is a critical aspect of cyber security.

Many cyber security management standards exist, but none of them applies perfectly to all organisations. Different frameworks are used to address a company's specific needs, so it is important for the board and management to identify those that maximise the delivery of value to the organisation's objectives regarding cyber risk. Commonly, a security management framework serves a key purpose: to establish a common language that allows the management team, organisation staff and technical personnel to communicate about cyber security, and to provide guidance against the risks and threats (Domenic, A, 2017).

On 12 May 2017, the American credit reporting agency Equifax Inc. suffered a massive data breach. The vulnerability was exploited by the hacker because Equifax was late to install a new version of Struts on its website. The information first compromised was employees' credentials, which allowed the attacker to perform further scans under that guise (Bomey, Nathan, 2020). Equifax did not discover the breach until 29 July 2017, and on 7 September it disclosed the breach and its scope: the incident impacted 143 million Americans and resulted in the severe disclosure of sensitive personal data (Mathews, L, 2017). In March 2018 an additional 4.9 million was reported, bringing the total to 147 million (Weise, E & Bomey, N, 2017).

It quickly became evident after this incident that Equifax had significant flaws in its security management framework. When the breach was detected, although an incident response procedure existed, not all of the employees involved in the incident followed it (Wang, P and Johnson, C, 2018). This reflected a lack of clear, common communication between departments, which ultimately results in delayed decision making.

From the perspective of management and the board, cyber security should be a top priority and strategic concern, especially when the company stores or processes any kind of customer data. The Equifax data breach teaches management and the board that individual employees should not be blamed for a security breach, even one caused by human error. Cyber security is an enterprise-level concern, not just an IT task, and an organisation must work collaboratively to prevent such incidents from happening (Tom, L, 2018). To achieve this, management and the board must be involved in developing and adopting an efficient cyber security management framework. Top management should establish a set of procedures that ensure employees in each business unit know their roles and responsibilities in withstanding cyber security threats.

At the enterprise level, the legal and disclosure implications of cyber security are also important, and board directors need to be involved in understanding the implications that relate to the organisation's specific circumstances. When it comes to public disclosure and reporting, an organisation and its management and board have obligations to understand and quantify any cyber risks and to inform investors and the public in a timely fashion (Larry, C, Josh, H & F van der, 2020). According to guidance approved by the US Securities and Exchange Commission (SEC) in 2018, an organisation needs to have an incident disclosure procedure.

As the number of entities and members in an organisation's ecosystem increases, the attendant cyber risks also increase. The SEC requires that an organisation and its board directors have a set of procedures for detecting and identifying any risks that may have a material impact on the organisation and its affiliates, and then take action to inform the public about those risks and incidents (Federal Information & News Dispatch, LLC, 2018). This once again points to the importance of management designing a comprehensive cyber security management framework that not only improves the efficiency of cross-disciplinary communication but also guides the identification and quantification of cyber risk exposure.

Taking the same example, the Equifax breach was identified in July 2017, yet it took nearly a year for the company to be entirely transparent with the public. Because sensitive customer data was leaked, the incident had disastrous consequences. The failure to disclose in a timely manner damaged the organisation's reputation, its investors and those whose personal data was compromised. The board needs to oversee the management of cyber risks and have structures in place to quickly identify and report any risks or damage caused. This also contributes to management's decision making on risk management strategy, including whether to manage or transfer specific risks (Larry, C, Josh, H & F van der, 2020). If risks or breaches are identified and disclosed within an appropriate timeframe to partners in the same sector, this may create opportunities to acquire resources and information to prevent the breach or mitigate the damage (Domenic, A, 2017).

This essay has focused on two real-world instances in which the organisations were accused of failing to fully evaluate the risks embedded in their ecosystems, failing to establish a set of management procedures across departments that could mitigate the damage caused, failing to construct a strong cyber security management framework that would have taught staff members how to respond to cyber risks collectively, and failing to disclose risks and breaches in a timely manner. Resolving such allegations is the responsibility of the board and management, who act as the organisation's fiduciaries.

Historically, many organisations have seen cyber security as a technical or operational matter that falls under the purview of the IT department. Without sufficient resources and financial budget, the IT department is overburdened in confronting cyber threats, and without strategic guidance it is overwhelmed by the complex relations between each entity within the ecosystem. The board and management need to be aware of this and understand that cyber security is a strategy rather than merely an IT task. At all times, management and the board should have adequate access to cyber security expertise and discuss security issues on a regular basis. A majority of boards have received briefings from experts and have overseen the establishment of, and compliance with, a security framework; and an increasing number of board directors are realising how vital it is for them to lead the organisation if it is to survive the dangers and challenges that come with technological advancement.

Reference list

Australia Institute of Company Directors, 2016, 'Role of the board', Governance Relations, pp. 1-2.

North, J and Pascoe, R, 2016, 'Cyber security and resilience: It's all about governance', Governance Directions, vol. 68, no. 3, pp. 146-151.

Rothrock, RA, Kaplan, J & Oord, F van der, 2018, 'The Board's Role in Managing Cybersecurity Risks', MIT Sloan Management Review, vol. 59, no. 2, pp. 12-15.

Brumfield, C & Haugli, B, 2021, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework, John Wiley & Sons, Incorporated, Newark.

Larry, C, Josh, H & F van der, 2020, Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards, pp. 12-14.

Domenic, A, 2017, The Cyber Risk Handbook, Wiley.

Joe, T, 2021, 'Swedish Coop supermarkets shut due to US ransomware cyber-attack', BBC News, 03 June.

Michael, H, 2021, 'The Kaseya ransomware attack: A timeline', CSO, 03 June.

Raphael, S, 2021, 'Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says', Reuters, 03 June.

Donny, J, 2021, '3 security lessons learned from the Kaseya ransomware attack', Urgent Communications.

Wang, P and Johnson, C, 2018, 'Cybersecurity incident handling: a case study of the Equifax data breach', Issues in Information Systems, vol. 19, no. 3.

Mathews, L, 2017, 'Equifax Data Breach Impacts 143 million Americans', Forbes, 03 June.

Bomey, Nathan, 2020, 'How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans', USA Today, 03 June.

Tom, L, 2018, 'The Morning Download: House Equifax Report Cites Faulty IT Structure', The Wall Street Journal.

Weise, E & Bomey, N, 2017, 'Equifax breach hit 2.5 million more Americans than first believed', USA Today, 03 June.

Federal Information & News Dispatch, LLC, 2018, 'Commission Statement and Guidance on Public Company Cybersecurity Disclosures', The Federal Register / FIND, vol. 83, p. 8166.