This article is provided by Ernie Hayden of Verizon. Ernie is the "Managing Principal – Energy Security" with Verizon's Global Energy & Utilities practice. He can be reached at firstname.lastname@example.org, 206-458-8761.
Note from Eric Byres: As cyber threats directed at industry become more common, it is important for top executives to become involved with their organization's cyber security policies. The following article by Ernie Hayden comments on the situation from an IT perspective. My point of view is that today's threats to operational systems merit the same degree of management attention. Enjoy Ernie's article and make use of the data in Verizon's excellent report.
In reading about critical infrastructure protection and cyber security issues every day, I'm beginning to see a theme in our industry that is of special interest to me – cyber threats.
When I attended the RSA Conference at the end of February, the first day of the conference included an announcement from Carnegie Mellon and RSA about the results of a survey conducted by Carnegie Mellon's CyLab regarding governance of enterprise security. Using the Forbes Global 2000 list, the CyLab survey revealed that most corporate executives and external boards of directors are still not involved in governing their company's cyber security strategy. A good summary of the results and some thoughts from Kelly Jackson Higgins of Dark Reading can be found here.
Sadly, the CyLab survey is on the mark and we need more leadership from corporate boardrooms and executive suites to help our fellow chief information security officers be successful in this very dynamic world of cyber threats.
That theme is underscored by this recent item in Insurance Daily under the headline: "Directors must wake up to cyber threats."
Not only should corporate boards grasp how exposed their companies are to the digital threat environment, but they should gain some understanding of the cyber threats they face and make sure adequate procedures are in place to mitigate the consequences of a serious data breach.
So, what does this mean? Leadership from the top is vital in setting cyber security policies and defenses. It is important for all employees and corporate contractors to be diligent about protecting the corporate assets – including data and information. At Verizon we have found that this sensitivity cannot be easily "pushed up" from the CISO but really needs to have the tone set by the CEO and board.
I don't think anyone would ever say that cyber security would be easy. However, in today's environment, attacks and threats from cyber criminals, nation-states and disgruntled employees should be top of mind with corporate boards and the executive suite, to make sure every employee remains at the front line of defense.
Verizon recently released the 2012 Verizon Data Breach Investigations Report (DBIR), the company's landmark report series that examines the state of cyber crime and data breaches around the world. Be sure to get copies to your board members, your CEO and executive team so they can gain a perspective of the global security trends and how to better protect your enterprise.
How informed is your leadership team on cyber security? Let us know your challenges and perspectives.
The 2012 Verizon Data Breach Investigations Report (DBIR) indicates that remote attackers are the most common vector for malware.
While the DBIR covers many industries, the recent RISI 2011 Report substantiates this trend for the control industries. It indicates that 35% of ICS security incidents were initiated through remote access.