Sense, resist and react: The ultimate cybersecurity strategy for Philippine companies

SUITS THE C-SUITE By Warren R. Bituin

Business World (02/27/2017 – p.S1/2)

(Second of two parts)

In the first part of this article, we discussed how recent events have brought to the fore the incidence, impact and prevalence of cyber risks. We then considered the current state of cybersecurity readiness of Filipino companies, taken in the context of the findings from EY’s 19th Global Information Security Survey 2016-17. We also looked at the first two components of an effective three-part cybersecurity strategy, which are sensing and resisting cyber threats.

The third component of cybersecurity — the ability to react to an attack and to recover from it quickly — is the area where the survey indicated mixed results from Philippine respondents. Overall, 42% of the respondents said that they do not have a communications strategy or plan in place in the event of a significant attack. Also, only 46% have formal incident response plans and the ability to conduct a thorough investigation as to the root cause of an incident.

Another interesting finding is that a majority (58%) of Philippine respondents have not experienced a significant attack. But those who have experienced it said that the attack was discovered mostly by the business units, followed only by the security operations center. This indicates that the discovery was only by chance. About 25% do not have any idea of the total financial damage resulting from these attacks. These clearly show that local companies lack preparation in the event of a cyber breach.

Failing to prepare exposes an organization to operational and reputational risk. A truly cyber-resilient organization is ready to deal with the disruption caused by hacking through incident response capabilities, crisis management and forensic investigation. The organization will have practiced its incident response program ahead of any event by using “war game” scenarios on a frequent basis. While many local organizations conduct attack and penetration testing activities, these are usually done on an annual basis only, with the prime objective of meeting regulatory or contractual requirements. Being prepared also means that there is a detailed communication plan covering a range of eventualities, including a security breach that can last several months before being noticed or a breach that needs to be kept confidential to give law enforcement agencies the chance to apprehend cyber criminals.

To date, organizations have correctly focused on trying to build robust, resilient “fail-safe operations” that can withstand sudden cyber attacks. Yet, the unpredictable nature and unprecedented scale of the cyber threats that companies now face mean that organizations must move from the fail-safe approach toward designing a system that is “safe to fail.”

A system that is “safe to fail” has been designed to absorb an attack, reduce its velocity and impact, and allow for the possibility of a partial system failure as a way to limit damage to the organization’s systems. A centralized, cyber breach response program (CBRP) is the focal point that brings together the wide variety of stakeholders that must collaborate to resolve a breach. The team must be able to manage the day-to-day operational and tactical response, and be equipped with in-depth legal and compliance experience, as any breach may trigger complex legal and regulatory issues that may likely have financial statement impact.

In addition, the CBRP oversees the process of evidence identification, collection and preservation, forensic data analysis, and impact assessment, and can also direct and modify the investigation on the basis of the fact pattern. A robust CBRP, therefore, enables a cost-effective response that mitigates breach impacts by integrating the stakeholders and their knowledge, and helps the organization navigate the complexities of working with outside legal counsel, regulators and law enforcement agencies.

Key characteristics of a cyber-resilient enterprise

A cyber-resilient organization in today’s world should have an investment program that balances the need to sense, resist and react to cyber threats. The outcome of this investment will be a cyber-resilient organization that:

1. Develops a “whole of organization” response to cyber threats, based on an in-depth understanding of the business and operational landscape;

2. Maps and assesses the relationships the organization has across the cyber ecosystem, identifies what risks exist, and performs a risk assessment;

3. Determines the critical assets — the crown jewels — that need to be protected;

4. Shares information about the risk and threat landscape so that the organization understands the broader risk landscape and is aware of any security gaps;

5. Boasts exceptional leaders who can communicate clearly, give direction and set the right example in the event of an attack;

6. Creates a culture of change readiness through simulation exercises and war games that challenge the existing crisis management, command and control center, manuals and plans; and

7. Conducts formal investigations and prepares for prosecution.

As with any business strategy, cybersecurity needs foresight, determination and discipline in order to succeed. Considering that cyber attacks are still relatively infrequent in the Philippines, this may be the right time for local companies to proactively invest in and develop scalable cybersecurity strategies because more hackings and cyber attacks will inevitably happen.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co.

Warren R. Bituin is the Partner In-Charge of IT Services of SGV & Co. and is an Advisory Partner for Cyber Risk Services.