For years, cybersecurity at Prime Equipment Group was confined to strong firewalls and an off-the-shelf anti-virus/anti-malware package. After all, the privately held Columbus, Ohio-based manufacturer of poultry processing equipment, with annual revenues of $40 million and 150 employees, was relatively small. They were confident that their size and niche business would not interest cyber criminals. All that changed when they relocated into a much larger facility in June 2018 to address a growing backlog.
“We got some press on our fast growth, which raised our visibility,” says company president Joe Gasbarro. “Articles noted not just our new manufacturing facility, but also some of the disruptive technologies we were beginning to use.… Suddenly, we were on the radar screen for hackers.”
A barrage of both mass phishing and personalized spear phishing attacks ensued. “Just last week, I got an e-mail from one of the owners of the company asking for a ‘favor,’” Gasbarro says. “He wanted me to wire 30,000 euros from the remaining balance on a particular project to an account in Spain, to pay a vendor. It wasn’t unusual to forward money ahead of schedule, but it wasn’t common either. I mentioned the request to our CFO, who investigated and discovered the e-mail was a targeted spear phishing attempt.”
Days after talking with Chief Executive, Gasbarro forwarded another e-mail he had just received that appeared to be from a company officer. It asked that he click on a link to update the person’s contact information. His suspicions aroused, he called the officer, who confirmed the e-mail was fraudulent.
“Something I didn’t have to think all that much about in the past is now very much on my mind,” Gasbarro confides. “I’m worried mostly about our cash, but also about the theft of our design and engineering blueprints. I’m also worried about a disruption in business. We’re so busy we can’t afford one day down, much less two or three.”
Digital technology tools have been a boon for business, making operations leaner, more efficient and customer-focused. But the big downside is the growing cost of protecting the organization from their inherent security flaws. All corporate information security budgets are finite, making it imperative for CEOs to ensure that capital is properly allocated to mitigate the most important cyber risks.
This is far easier said than done. The list of defenses is formidable. Software measures alone include state-of-the-art firewalls, network security, anti-malware, anti-virus, identity management, access control, penetration testing, cloud security, intrusion detection, network monitoring, application security and endpoint security. Many companies also shell out to hire in-house information security personnel or outside expertise and to train their workforces to beware phishing and spear phishing attacks.
Slicing up this big pie into the right-sized pieces is delicate surgery. “Companies have trouble figuring out their optimal cybersecurity spend,” says Syed Ali, who leads Bain & Company’s cybersecurity practice. “Not just midsize companies, but even many large enterprises don’t look at cybersecurity in a top-down strategic manner to know where the money should go.”
Every Company is at Risk
Certainly, the need for more thoughtful budgeting has never been greater. A 2018 survey of 3,600 chief information security officers (CISOs) conducted by Cisco reported that nearly half of all cyberattacks cost victim organizations more than $500,000 on average. Those are the lucky ones: Eight percent of the survey respondents endured more than $5 million in direct and indirect costs and 11 percent suffered losses between $2.5 million and $4.9 million.
Small wonder that nearly six in ten companies in EY’s 2018 global information security survey increased their cybersecurity budgets last year. What is alarming is that the survey’s 1,200 respondents (a mix of CISOs, CIOs and other technology executives) say the budget increases are not nearly enough to fight a winning battle. An astonishing 87 percent say their budgets need to increase by at least 50 percent, yet only 12 percent anticipated an increase of more than 25 percent in the coming year.
While large enterprises arguably have more capital to spend on cybersecurity, midsize and smaller businesses at risk of attacks must also fund measures to fend them off and mitigate damage.
Take regional insurer Penn National Insurance. The company has sustained thousands of the fraudulent emails on a daily basis for several years, reports CEO Christine Sears. “Like all insurers, we have an enormous volume of customer data, making us a target,” she says.
These customers include both businesses and consumers, since Penn National provides a broad array of commercial and personal lines of insurance policies, including workers compensation, automobile insurance and various liability insurance products, among others. Data is the lifeblood of an insurance company, guiding underwriting and pricing decisions, as well as those involving claims administration and resolution. “We simply must have a very disciplined approach to cybersecurity, as our risk resilience is part and parcel of the trust that policyholders place in us,” Sears says.
Both Prime Equipment and Penn National recognize the dire threat represented by a successful and especially punishing cyberattack. Whereas Penn National has budgeted targeted capital resources to defend the organization for some time, Prime Equipment is just beginning to figure out the optimal defensive posture. “We don’t have a CISO, so we’re still studying where we can get the biggest bang for the buck,” Gasbarro says.
Slicing Up The Pie
This puzzlement is the norm in many companies, since there is no such thing as a cookie-cutter cybersecurity budget, where, say, 50 percent is allocated to software tools, 30 percent to hiring additional cybersecurity staff and 20 percent to workforce training. “The cybersecurity budget must be based on each company’s unique business strategy, which indicates which data needs to be protected the most,” says Carolann Shields, CISO at audit firm KPMG. “We evaluate how these risks apply to our known environment—which systems or data are more important that others, where those systems or data are located, and how they are accessed.”
Ali at Bain & Company agrees with this approach. “The most important question CEOs must ask their IT leaders is, ‘What is our highest priority in terms of the data we must protect?’” he says. “A pharmaceutical company might designate clinical trials data as its primary cybersecurity concern, whereas a manufacturer or an oil and gas company might decide to allocate the bulk of its security budget into strengthening the supply chain, and a healthcare company that’s highly regulated for patient data privacy might select this as the risk to focus on.”
KPMG, for instance, has identified client data as its highest cybersecurity priority. “Since we are constantly embracing new technologies on behalf of our clients, we make sure to budget the capital to build cybersecurity into these solutions from the start and throughout their development,” Shields says.
The Where and How
The next question a CEO should ask IT is where the high priority data is stored—on premises, in the public cloud or somewhere in between. In today’s fast-evolving digital and data landscape, answers are not easy to come by. “While many companies may know which data they need to protect, very few can tell you with a high degree of confidence where this data resides,” says Ali. “Obviously, that is not an acceptable answer; CEOs must insist on a comprehensive accounting.”
Assuming this information is forthcoming, the organization is positioned now to assess potential risks. A good start is to study how other businesses have been breached. “We look for common patterns in these breaches, such as the lack of software patching,” says James Shira, global chief information technology officer at professional services firm PwC. “We then perform an assessment of our ability to defend against these patterns, which helps illuminate the specific exposures.… By drawing these parallels, we can better prioritize our capital resources.”
Max Solonski, chief security officer at publicly traded BlackLine, a provider of financial and accounting automation software, conducts formal risk assessments guided by the ISO 27001 framework, one of the most respected information security standards worldwide.
“Drawing from different sources, we review a variety of threats, such as current trends in cyberattacks and common exploitation methods,” Solonski says. “Then, we prioritize identified risks as applicable to our environment and allocate capital to establish controls that mitigate or minimize those risks.”
To assist the risk assessment process, Penn National CIO Britta Schatz leverages the insurer’s competence in measuring client loss exposures to calculate and score its known cyber risks. “We’ve defined and documented 75 specific cyber vulnerabilities, which we track and measure on an annual basis to assess changes in their likelihood of occurring and potential impact,” Schatz says. “We also add any new risks that are identified to our risk register throughout the year and then re-rate all risks annually.”
This process helps guide Schatz to determine the optimal composition of her security budget. “If the annual assessment indicates we’ve made adequate improvements in hardening the firewalls and anti-virus/anti-malware software, we may lower the expenditures in these areas and allocate the capital to something else, like training or the hiring of additional staff,” she explains.
All the interviewees’ security budgets have increased in the past year, in line with survey findings. “Our budget is rising every year, with an increasing proportion of it spent on people,” says Shields. “We’re looking to recruit top security talent, which is in short supply and expensive. We’re also spending more capital on training our junior security professionals, enhancing their skill sets. Anyone who joins our team must have their CISSP (certified information systems security professional) within six months, which we consider to be baseline training.”
Solonski puts a designated portion of his security spend toward education, with the capital funding different types of training based on the annual risk assessment. “One year you might provide training to salespeople on their infosec responsibilities, but the next year you might decide that more of the budget should go toward training data engineers on new security roles and concepts,” he explains.
Like the other security specialists, Solonski believes qualified people are equally if not more important than sophisticated tooling. “Since it is not possible to completely eliminate all risks, breaches will occur,” he says. “A sound, tested incident response plan will help minimize the damage, but it requires effective controls to detect the incident and highly skilled people to contain it as soon as possible.”
Time is of the essence. “If you detect within 10 minutes that someone has broken into the network, not much data will be stolen,” he says. “What you don’t want is to detect someone downloading data four months after the break-in. Tools provide visibility, efficiency and convenience, but you need people who understand your specific environment to make intelligent decisions, especially when responding to an incident.”
Small Businesses, Big Risks
While larger enterprises have more capital to address growing cyber exposures, midsize and smaller businesses must be more careful and considerate when putting together their security budgets. Shields’s advice is to focus on the fundamentals. “There’s no point having all the shiny tools like the latest intrusion detection software if you don’t have a solid foundation,” she says. “There’s much to be gained by effectively managing the configurations of the servers and firewalls and having good identity access management practices—providing access to data based on specific work responsibilities,” she says.
To improve Prime Equipment’s risk preparedness, Gasbarro is considering the value of a cybersecurity consultant. “Our IT team has so much on its plate right now, incorporating new technologies to enhance our equipment value proposition,” he explains. “I’m open to any and all advice. What I’ve seen these last few months has made me realize we’re just as vulnerable as anyone else.”
Read more: Cybersecurity Pitfalls CEOs Should Avoid