When It Comes to Cyber Risks, 2018 Is No Time to Play Games

While some organizations have spent decades fine-tuning their ability to respond to and manage cyber risks, far too many are still playing games with their security strategy.

From a cybersecurity perspective, 2017 will go down as a record year for data breaches. The Identity Theft Resource Center (ITRC) reported 1,579 breaches, up 45 percent from 2016. By itself, 2017 accounted for over 22 percent of all the data breaches tracked by the ITRC between 2005 and 2017. Over 50 percent of those breaches exposed Social Security numbers, and nearly 20 percent leaked credit and debit card numbers. Hacking accounted for 940 breaches, or 60 percent of successful compromises. While the ITRC only tracked five industry categories, over 55 percent of breaches targeted the business sector, followed by the medical/healthcare industry at over 23 percent.

So is there any glimmer of hope for security teams? The Ponemon Institute’s “2017 Cost of Data Breach” study found that the global average cost per breached record went down from $158 in 2016 to $141 in 2017. Similarly, the global average cost per incident now stands at $3.62 million, down from $4 million in 2016. Companies that experienced a data breach reported that the biggest fallout is lost business (42 percent), which includes “abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.” That was followed by the cost of dealing with detection and escalation (27 percent), response costs (26 percent) and notification costs (5 percent).

Managing Cyber Risks Is Not All Fun and Games

Despite these costs, many organizations have been slow to improve their cybersecurity preparedness. A recent CyberArk survey found that 46 percent of organizations are unable to stop attackers from breaking into internal networks. The same percentage of companies “rarely make substantial changes to security strategy,” even in the wake of a cyberattack.

So just what kind of games are organizations playing, and what should they do instead?

Playing Pinball to Deflect Risk Management Responsibility

One of the most perilous ways in which organizations commonly manage cyber risks is by playing the equivalent of pinball with those risks. Much like the ball bounces around the glass-covered machine, many organizations bounce cyber risks from department to department, all the while hoping that the ball doesn’t fall through the drain. Business leaders try to keep cyber risks in play while bouncing them around the organization, hitting various bumpers, switches and gates along the way. But no matter how long the ball is in the air, it will eventually fall into the drain.

The same goes for an organization’s chance to properly handle its cyber risks. Instead of bouncing the responsibility of risk management from department to department, the C-suite and board directors should establish clear ownership before threats emerge. For companies that point to the chief information security officer (CISO) or chief information officer (CIO) in these situations, decision-makers should chat with legal counsel before playing another round of pinball.

A Blind Game of Dodgeball

If pinball isn’t your game, perhaps dodgeball is more your speed. While this is normally a court-based game with just two opposing teams, in cyberspace, organizations find themselves dodging many adversaries.

Players on a dodgeball court can see what’s being thrown at them, but security professionals might miss clues indicating that an attacker is preparing to make a move. These security teams often end up focusing on indicators of compromise (IoCs) instead of honing their ability to detect indicators of attack (IoAs) and improving their reflexes.

While IoCs have their place, they are akin to realizing that one of your teammates has been hit and will need to be benched. IoAs give players a heads-up that a threat is coming their way so they can be more alert and react appropriately.

Bowling Over Business Functions

Like a bowler rolling a strike, a well-placed threat can knock down multiple business functions at once, especially for organizations with immature or untested incident response or fledgling cyber resilience capabilities.

Without the muscle memory of regular practice tests and lessons from after-action reports (AARs), the organization’s response to a breach can trigger a domino effect, taking out a big chunk of the profits or, worse, a large portion of the business itself. Critical infrastructure comes to mind: There are documented example of cascading failures that amplified small incidents into full-scale disasters.

As organizations have shifted their mindset about cyberattacks from a matter of if to a matter of when, it is critical to ensure that the response to an incident doesn’t cause further damage. Don’t let your adversaries take you down with a single strike.

Gamifying Incident Response

Of course, not all games are bad in cybersecurity. In fact, game-like activities can help organizations improve their cybersecurity posture and their ability to handle cyber risks.

Finding Waldo in a Sea of Threat Data

The classic game of “Where’s Waldo?” applies to cybersecurity in two ways. In the first scenario, Waldo is a piece of sensitive data hidden in a vast sea of information. Does the organization know where it keeps its crown jewels? If not, how can the security team be sure that it’s protecting the right things?

The other approach is to consider Waldo as a potential attacker or threat. Can the security team spot this malicious Waldo in the large volume of data flowing in and out of the organization’s servers and networks?

Tabletop Games

Security teams can also hone their incident response skills by playing tabletop games. While the first few rounds might be canned and simplistic, organizations can make future iterations of the game more complex and thus more valuable by assigning a gamification engineer. The output of each round should include a chance to debrief the participants, including business leaders, and document the lessons in AARs. These reports should then be used to review incident response playbooks to ensure that they are useful in times of crisis.

Practice Makes Perfect

Games can be both fun and productive, but it’s important to remember that improving your cybersecurity posture and incident response strategy is not a one-shot activity. The more you practice, the better you become — as long as the practice includes appropriate feedback to help you figure out what worked and what didn’t. While organizations today engage in many security activities and projects, some of those initiatives may be less fruitful than initially believed.

Accenture’s “2017 Cost of Cyber Crime Study” ranked nine security technologies by their value in relation to their cost and found that “many organizations may be spending too much on the wrong technologies.” The three technologies that had a positive value gap — i.e., brought more security improvements for the money spent — were security intelligence systems, automation, orchestration and machine learning, and the extensive use of cyber analytics and user behavior analytics (UBA).

Organizations should regularly test their security controls and responses and review their security investments with an eye toward mitigating today’s threats and minimizing the impact of a breach. The Ponemon “2017 Cost of Data Breach” study asserted that the best way to reduce the cost of a data breach is to establish an incident response team, use encryption extensively and train employees to follow security best practices.

Before the year is up, organizations should focus on improving their game. That means figuring out which activities yield the most positive results — or best help reduce negative outcomes. With the cybercrime landscape evolving at breakneck speed, security teams had best bring their A-game to compete with ever-more sophisticated threat actors in 2018.

Download the IBM research report: Using gamification to enhance security skills

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.