April 2019
The Business Side of Cyber Security: Why it Matters
Marc Petock, Chief Marketing and Communications Officer, Lynxspring, Inc., Contributing Editor
Introduction
Smart buildings have created new opportunities for building owners and operators to leverage technology that maximizes operational efficiencies, delivers better performance, improves the experience for occupants and increases asset value. They have also increased the risk of cyber attacks and opened new opportunities for hackers looking to disrupt businesses. Businesses, no matter the industry, are cyber targets. Improving cyber security controls and programs should be a priority for every organization, because a successful incident can lead to a number of issues that directly affect the business side of an organization.
Generally, cyber vigilance within the built environment remains insufficient. Many companies continue to be unprepared to deal with cyber risk. No building owner, operator, system integrator, contractor, facility operations manager, service provider or technology provider wants to see their efforts hindered by poor cyber security.
When it comes to the business side of cyber security, there are many concerns and resulting risks to be aware of. Here are several key points from a presentation I delivered recently.
A Look at the Numbers
The first public cyber incident occurred in 1971. It was the computer virus known as “The Creeper”, which was purposely designed and released on ARPANET; it copied itself to remote systems and displayed the words: “I am the Creeper: Catch me if you can.”
12,449 was the number of confirmed data breaches in 2018. This represented a 424% increase over 2017.
The average global cost of a data breach is $3.86 MM. This is up 6.4% from the previous year.
The average cost of a cyber incident in the United States is $7.35 MM.
$148.00 is the average cost globally for each stolen record containing confidential information, representing a 4.8% increase from 2017 to 2018.
5% is the average drop in stock price immediately following the disclosure of a cyber incident.
1.8% is the average permanent decline in share price after a cyber occurrence.
$6T (trillion) is the projected annual cost of cyber damages by 2021.
What are cyber criminals and bad actors interested in?
While there are many things cyber criminals and bad actors take notice of to find ways to take advantage of organizations, here are some of the more common ones:
Critical and specific data about customers, suppliers, and personnel: cyber thieves are interested in obtaining sensitive information like credit card numbers, social security numbers, and other data. At the same time, they will try to infiltrate a corporate network to siphon information about customers, vendors, and staff, as it can be sold for $10 to $300 per record in the dark world, depending on the value of the data.
Banking credentials: think from a hacker’s perspective; no cyber invader will hesitate to figure out a company’s banking credentials in order to swindle money and/or gain access to bank accounts.
Intellectual property and trade secrets: the competitive business world has given rise to an increase in the theft of trade secrets, whether to stay ahead of the competition or for other malevolent motives. Secret formulas, software code, design specs, and specific processes are valuable information to hackers.
Email records: especially those of people in top positions, in both the private and the public sectors, can prove valuable within the cyber world. It has been said that such data can bring $1,200 to upwards of $30,000, depending on the person whose account credentials have been stolen.
Supply chain and business partners: attackers try to obtain credentials and access to passwords and accounts through a supply chain or working relationship in order to find their way into the network of an organization. This is especially true with larger companies.
What are the business concerns and consequences that can result from a cyber incident?
Ratings and Assessments
There is increasing interest in the cyber posture of a company among rating and assessment organizations. For example, Moody’s, a leading provider of credit ratings, research, and risk analysis, is integrating a company’s cyber security posture and the dangers posed by cyber attacks into its broader advice about how creditworthy various companies and industry sectors are.
Legislation
Cyber security has become a priority for lawmakers, law enforcement agencies and regulators globally.
Within the United States, there are now some 30 bills introduced in the House of Representatives and 7 bills introduced in the Senate that directly deal with cybersecurity issues. These bills promote a proactive, holistic and risk-based cyber strategy and, most importantly, require senior corporate oversight.
Cybersecurity Systems and Risks Reporting Act
H.R.5069: This bill amends the Sarbanes-Oxley Act of 2002 to apply to cybersecurity systems and officers the same requirements regarding corporate responsibility for financial reports and management’s assessments of internal control structures and procedures for financial reporting as apply to public companies subject to oversight by the Securities and Exchange Commission (SEC).
In addition, the Securities and Exchange Commission has stated it expects companies to disclose cyber security risks and incidents that are material to investors, including financial, legal, or reputational consequences.
Congress introduces a bill to improve 'internet of things' security
The Internet of Things Cybersecurity Improvement Act aims to make sure the federal government isn't buying devices that can be easily hacked. If passed, the federal IoT security bill would require recommendations from the National Institute of Standards and Technology on security standards the federal government should follow.
Among the states, this past year also witnessed a host of strong state cyber security regulations. New York, for example, now requires affirmative sign-off on cyber security plans and programs (see 23 NYCRR 500), which could potentially open up directors and officers to individual liability.
The State of California has taken a leadership role toward cyber security with a new regulation for Internet-of-Things (IoT) devices. Beginning January 1, 2020, all manufacturers of a “connected device” must equip that device with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Within the EU, in addition to the GDPR, additional agreements have been reached on establishing a cyber security framework to assist the Member States in effectively responding to cyber-attacks. The Cyber Security Act also creates a framework for European Cyber Security Certificates for products, processes and services that will be valid throughout the EU.
Litigation
In the wake of the number of significant cyber incidents, companies, and their directors and officers, can face a flurry of private lawsuits from a range of different constituencies: individual customers whose personal information has been compromised, shareholders alleging failures by the board and senior leadership in preparing for and/or responding to cyber attacks, and other third parties.
Are you exposed?
Shodan: https://www.shodan.io/
Zoomeye: https://www.zoomeye.org/
Censys: https://censys.io/
Cyber incidents keep giving and giving
A cyber incident does not just come and go. It is long lasting. Take Target, for example: this incident took place in 2013, yet here we are in 2019 and it is still being talked about and referenced.
System Integrators and Service Providers
System integrators and service providers need to take a proactive approach to cyber security and vulnerability mitigation. They must understand threats and risks and follow cyber security best practices. They need to demonstrate their cyber security credibility in their proposals, especially as more RFPs/RFIs are requesting that cybersecurity protection be addressed. In addition, integrators are getting assessment letters asking them what their cyber programs look like and how they’re protecting data, equipment and devices.
Summary
In today’s data-driven economy and smart buildings, it is essential that we collect, store and adequately protect data and proprietary secrets. Failure to do so will significantly damage a company’s brand, have an adverse effect on operations and directly impact revenue and profitability.
The frequency of cyber attacks is only going to accelerate over the coming years. Therefore, it is vital that we have a full understanding of the inherent business risks and implications. Balancing cyber security priorities with business flexibility and agility is a tough challenge. But it’s a challenge every organization faces as it strives to drive growth, achieve competitive advantage and maximize operational and performance efficiencies.
Cyber security is hard and always will be. Attackers will continue to innovate with new techniques, deception and determination. The challenge isn’t people, process, or technology; they all exist today and are available. The big issue is the internal culture at companies and the understanding of cyber security from a business perspective and why it matters.
It all comes down to one thing: risk. How much are you willing to take? We can no longer take a wait-and-see philosophy or an “it’s not going to happen to us” approach when it comes to prioritizing and aligning cyber initiatives within our buildings. As we operate in an interconnected environment, we must look at the entire ecosystem and spread and share responsibilities, creating security partnerships. Cyber security is no longer an individual company effort; it is a shared responsibility among us all.
Resources
Here are some resources that you may find useful.
Baldrige Cybersecurity Excellence Builder: Key questions for improving your organization’s cybersecurity performance
Cybersecurity for Building Control Systems Workshop Series: https://www.nibs.org/page/cybersecurity
Intelligent Building Management Systems: Guidance for Protecting Organizations
Building Automation & Control Systems: An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice