17 Apr Cyber Risk Management – A Handbook for Corporate Management
Table of contents
- 1 The Handbook – Cyber Risk Management
- 2 Understand cyber security not only as an IT issue, but as a building block of enterprise-wide risk management
- 3 Understand legal implications of cyber risks
- 4 Ensure access to cyber security expertise as well as regular exchange
- 5 Other principles of the manual
- 6 Promote cross-company collaboration and the exchange of best practices
- 7 Conclusion
With the current handbook on cyber risk management, the BSI has published a very exciting and, in our view, groundbreaking guide as part of the “Alliance for Cyber Security” and the “Internet Security Alliance”. Whether SME or large corporation, the document should be familiar to every CEO, CIO, CISO or person with management responsibility. It briefly and succinctly describes the issues that need to be addressed if you want to establish a modern and, above all, effective strategy against the numerous threats in your own company.
In this article, we would like to present our view of the handbook. We will deliberately not go into the content point by point. Everyone can read this for themselves in the original. Rather, we want to explain why we think the handbook is so important. Before we get started, however, a brief word about the people involved.
Internet Security Alliance (ISA):
… is a U.S.-based nonprofit organization whose mission is to improve cybersecurity by promoting best practices and collaboration between the public and private sectors. The ISA is committed to helping businesses and government agencies work together to create a secure digital environment. The organization promotes the development of standards and best practices to help organizations detect, prevent, and respond to cyberattacks.
Alliance for Cyber Security (ACS):
… is an initiative of the German Federal Office for Information Security (BSI) and the German Association for Information Technology, Telecommunications and New Media (BITKOM). The initiative was launched in 2012 to help companies and organizations in Germany improve their cybersecurity capabilities. The Alliance for Cyber Security targets companies and organizations of all sizes and industries, providing them with a platform to exchange ideas about cyber threats and share best practices. It works closely with other national and international organizations to raise awareness of cybersecurity and foster collaboration between different stakeholders. The initiative also supports the development of standards and best practices in cybersecurity and advocates for the creation of policies and laws that improve data protection and privacy for businesses and individuals.
The Handbook – Cyber Risk Management
Back in 2014, the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance (ISA), produced the first version of the handbook. In 2018, the first version of the German handbook was published, which has now been adapted again to current conditions in 2023.
The handbook comprises a total of 6 principles:
These principles are not new, and most readers are probably already familiar with them in one form or another. Even the ACS’s indications that the threat situation is worsening and that SMEs are affected more and more will no longer shock informed decision makers. We live in times when not a week goes by without one or sometimes even several companies having to announce a ransomware attack. One has almost become accustomed to it, yet it is also clear that something has to be done. The exciting question is just: what exactly?
With our Security Assessment we check the infrastructure of companies and evaluate the results with a risk-based approach. This helps to document the current status in a way that both administrators and management understand. However, the findings are often addressed selectively and in a less than sustainable manner. Fundamentally, very few companies change anything in IT operations.
Why is that?
Many IT service providers offer security products and tools to help control the threat situation. At first, this sounds great – I buy tool XY and I am “safe” afterwards. However, a single tool or even several tools will not change the fundamental situation. Tools have to be operated, the findings in the various dashboards have to be processed. Often there is not enough time and sometimes not enough know-how in IT operations. It often ends up in a situation where the IT operation doesn’t know how to handle all the extra work and management wonders why nothing is really getting better, even though large sums have already been invested in tools. As a result, the “cash flow” dries up and there is no budget left for the really important measures.
Alternatively, some companies invest in larger security projects, but fail to transfer the changes sensibly into operations. As a result, security is increased in the short term, but the changes disappear again after a while, because the company was not taken along or was not put in a position to adhere to the security strategy in the long term.
Two examples
We repeatedly see that the passwords of more than 20% of all user accounts (including service accounts and admin accounts) are not changed regularly. This represents a high security risk. The current recommendation of the BSI, for example, is to switch all service accounts to (Group) Managed Service Accounts and to change compromised passwords immediately. The solution is quite simple at first…
- Delete accounts that are no longer needed
- Introduce Fine Grained Password Policies to force a password change
- Introduce (Group) Managed Service Accounts, if the application supports it
- Automate password change procedures or at least document them step-by-step
- Define a process to enforce password change on a regular basis and document the process
However, even if you need only half a day per account on average, the total effort still quickly adds up to several hundred person-days. Management is often unwilling to spend money on such an activity, and IT operations does not have the time to address the issue. As a result, account passwords remain outdated, and users sometimes use compromised passwords that are never or very rarely changed.
Another example is the issue of system hardening. With our free tool – TEAL Audit Proof – any system can be checked against a common hardening standard (MS Baseline, CIS, BSI etc.). Again, the results are sobering. Conformity of < 30% is often standard, which is equivalent to an unhardened IT system. As a reminder, management must ensure that IT systems are operated according to the “state of the art”. Hardening is included in all current standards, but often it is not yet implemented. This is also due to effort. The cost of system hardening depends on how standardized an environment is: the more heterogeneous the environment, the more costly system hardening becomes.
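As an added example, not code from the handbook or from TEAL, the following PowerShell audit measures the stale-password share described above in your own Active Directory, split into user, admin and classic service accounts, lists the gMSA accounts that already rotate automatically, and optionally attaches a Fine Grained Password Policy. It assumes the RSAT ActiveDirectory module is installed; the 90-day maximum age, the PSO name and the group name are placeholders.

```powershell
# Added example (not code from the handbook or from TEAL): measure how many
# enabled AD accounts carry a stale password and optionally attach a PSO.
# Requires the RSAT ActiveDirectory module; $MaxAgeDays, the PSO name and
# the group name are assumed placeholders.
Import-Module ActiveDirectory

$MaxAgeDays  = 90            # assumed maximum password age
$ApplyPolicy = $false        # set to $true to create the PSO (writes to AD)
$Cutoff      = (Get-Date).AddDays(-$MaxAgeDays)

# Non-gMSA accounts. adminCount=1 marks protected (admin) accounts, an SPN
# marks an account that is used as a classic service account.
$Accounts = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires, adminCount, ServicePrincipalNames

$Report = foreach ($a in $Accounts) {
    $kind = 'user'
    if ($a.ServicePrincipalNames.Count -gt 0) { $kind = 'service' }
    if ($a.adminCount -eq 1)                  { $kind = 'admin' }
    [pscustomobject]@{
        SamAccountName       = $a.SamAccountName
        Kind                 = $kind
        PasswordLastSet      = $a.PasswordLastSet
        PasswordNeverExpires = $a.PasswordNeverExpires
        # a password that was never set counts as stale too
        Stale = (-not $a.PasswordLastSet) -or ($a.PasswordLastSet -lt $Cutoff)
    }
}

# Stale share per account kind: the figure to put in front of management.
$Report | Group-Object Kind | ForEach-Object {
    $stale = @($_.Group | Where-Object Stale).Count
    [pscustomobject]@{
        Kind = $_.Name; Total = $_.Count; Stale = $stale
        StalePercent = [math]::Round(100 * $stale / $_.Count, 1)
    }
} | Format-Table -AutoSize

# Per-account remediation list for the "automate or document" step above.
$Report | Where-Object Stale | Export-Csv '.\stale-passwords.csv' -NoTypeInformation

# gMSA accounts rotate their password automatically (30 days by default),
# so they are listed separately rather than counted as stale.
Get-ADServiceAccount -Filter * -Properties ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays

if ($ApplyPolicy) {
    # Fine Grained Password Policy that forces rotation for one group.
    New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 50 `
        -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) -MinPasswordLength 20 -ComplexityEnabled $true
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'GRP-ServiceAccounts'
}
```

Run the audit read-only first; the resulting per-kind percentages are what management needs to see before the remediation effort is budgeted.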
In summary, in our opinion, the wrong priorities are often set. This is partly due to the fact that IT security is still not seen as a management task. Very few companies really take a close look at it. The result is that a pentest is carried out here and there, or that one or the other tool is implemented. However, this only marginally increases overall security.
The operating teams themselves often see the problems and have already addressed them. However, there is a lack of communication with management. In some cases, the operations team cannot express itself in a way that conforms to management standards; in other cases, management lacks a deeper understanding of the issues. This also results in situations as described above.
This situation can only be solved by the management itself, and this is exactly where the management handbook comes in. The perspective must be reversed: management needs the know-how to define a reliable IT security strategy and to accompany its implementation. IT security must also be thought of at management level and not “only” delegated to the IT department. Management is responsible for defining a strategy, knowing the risks and evaluating them. IT and, more importantly, the other departments are responsible for implementing this strategy.
In the following, we will go into the six core principles of the handbook in a little more detail.
Understand cyber security not only as an IT issue, but as a building block of enterprise-wide risk management
“In the past, many companies and organizations classified information security as a technical or operational issue that was predominantly the responsibility of the IT department. However, cybersecurity is more than just an IT issue. This misconception was fueled by siloed structures that resulted in functions and business units within the organization not feeling responsible for the security of their own data. Instead, this essential responsibility was handed off to the IT department – a department that in most companies has too few resources and budget.”
– The Cyber Handbook
There is a lot of truth in this paragraph. IT departments are often left alone with the issue of IT security. Clearly, it is the responsibility of IT to ensure a secure environment. But that does not mean that the complete responsibility for this is to be found in the IT department. Rather, IT security must be considered in every single initiative in the company. This starts with senior management, which must incorporate the issue into risk processes. In addition, management must define a clear goal and a cyber security strategy, which must then be implemented accordingly. But specialist departments also have a duty. IT rarely knows which applications are business-critical. This knowledge lies in the specialist departments. All those involved must work together to define which systems are critical and how they can be better secured.
Understand legal implications of cyber risks
The second principle is primarily concerned with liability. Various regulations, laws, or insurers dictate how companies must behave in the event of a cyber incident. There’s the question of when to report an incident, but also whether management has done everything possible to prevent or mitigate attacks.
Here’s where it gets interesting. In Australia, Medibank, a health insurance company, lost nearly 10 million customer records in an attack. A lawsuit is underway, with several law firms suing for damages.
In the case of automotive supplier Continental, victims are also considering suing management.
Companies have to secure their systems according to the “state of the art”. Since this is a legal term, the question always arises as to what the state of the art actually is. Various standards such as BSI-Grundschutz, ISO or CIS-Controls serve as a reference. Companies should find out what their legal obligations are and what measures must be implemented in order to avoid being accused of negligence.
Ensure access to cyber security expertise as well as regular exchange
Often, the expertise for IT security is not or only partially available in the company management. At the same time, the threat situation changes frequently and set goals must be continuously reviewed and adjusted if necessary. With this principle, the handbook primarily wants to ensure that there is a continuous exchange on security topics in order to increase awareness of the issue. At the same time, consideration can be given to specifically reinforcing the executive board or management with expertise. The creation of board positions or staff positions is conceivable here. Exchanges with other companies in the industry, as well as external experts, are also useful and conceivable.
Other principles of the manual
“Ensure implementation of appropriate frameworks as well as resources for cyber risk management” as well as “Prepare risk analysis as well as formulate definition of risk appetite depending on business objectives and strategies.”
While Principles 1, 2, and 3 of this handbook focus on what corporate management should do itself, Principles 4 and 5 focus more on what corporate management, in its oversight role, should expect operational management to do. In order for corporate management to effectively carry out its oversight responsibilities, it is important that it fully understands operational management’s responsibilities with respect to the organization’s cybersecurity. As stated in Principle 1, corporate management should satisfy itself that operational management has an appropriate enterprise-wide approach to cybersecurity. At the same time, it should be clearly communicated that meeting regulatory requirements does not necessarily mean that the organization is secure. Therefore, an appropriate framework for the dynamic structure of the enterprise should be selected to meet the risk appetite established by senior leadership and management.
Promote cross-company collaboration and the exchange of best practices
The last principle recommends exchange and cooperation with other companies in one’s own or other industries. This can be encouraged, in particular, through the following initiatives:
Key considerations for company management:
- Develop a 360-degree view of the company’s risks and resilience in order to act as a socially responsible party in the broader environment in which the company operates.
- Build peer networks (for example, in the Alliance for Cyber Security experience and expert circles) including other members of corporate boards to share best governance practices across institutional boundaries.
- Ensure that management has plans for effective collaboration, particularly with the public sector, to improve cyber resilience.
- Ensure management considers risks arising from broader industry connections (e.g., third parties, vendors, and partners).
Conclusion
The “Management of Cyber Risks” handbook for corporate management is a very good guide that enables a company’s management to obtain a comprehensive overview of the necessary steps in dealing with cyber risks. Accompanying the handbook there is also a so-called toolkit, which provides concrete recommendations for action and accompanying material.
We are convinced that cyber security must become more of a focus for company management. This can create the necessary awareness to select the right measures for the company. Too often we see with our customers that numerous tools are introduced, but the real basics are not considered. We would like to change this and are happy to offer our help.