For a select group of corporates, 2018 was anything but a banner year for cybersecurity.
Indeed, one of the year’s worst data breaches shook the foundations of a brand that touts itself as a world leader in the digital field, casting doubt over its internal safeguards.
Another left the personal details of what amounted to an entire country's population exposed to anyone who cared to look.
Both feature among the four examples below of the past year's most serious cyber lapses.
Users of the MyFitnessPal app, owned by sportswear brand Under Armour, learned in March that account data for some 150 million users had been stolen in a breach. The attackers made off with usernames, email addresses and hashed passwords; most of the hashes were protected with bcrypt, but a portion had been stored with the weaker SHA-1, leaving those accounts far more exposed to offline cracking.
In a March statement, Under Armour wrote that it had “quickly” taken steps to determine the “nature and scope of the issue”, and to “alert the MyFitnessPal community of the incident”.
With more than 2,100 bakery-café outlets in the US and Canada, St Louis-based Panera Bread is one of the US's fastest-growing food retailers. However, in the spring, news reports revealed that the brand's food-ordering website had been leaking customer records in plain text for at least eight months, potentially exposing around 37 million customers.
Embarrassingly, independent security researcher Dylan Houlihan had spent those eight months trying to bring the flaw he had found in the website to the attention of the company's senior security management, but they dismissed his voluntary report as a scam and the data stayed exposed until the story broke.
In the view of Fortune magazine, Panera Bread’s reaction was “a masterclass in how not to behave when confronted with a cybersecurity predicament”.
Few had even heard of US marketing and data-aggregation firm Exactis until the summer of 2018, when it emerged that a database holding some 340 million records on US consumers and businesses had been sitting on a publicly accessible server on the open internet, with no authentication required to read it.
Security researcher Vinny Troia, who uncovered the company’s slip, told tech journal Wired: “It seems like this is a database with pretty much every US citizen in it.”
You would think that if any company was going to be watertight on cybersecurity matters, it would be Big Tech darling Facebook. But in the early autumn, the social platform discovered that attackers had chained bugs in its 'View As' feature, which lets users see how their profiles look to other people, to steal access tokens that gave them control of some 50 million accounts, a figure Facebook later revised down to about 30 million.
This came just six months after the eruption of Facebook's Cambridge Analytica scandal, in which a media probe had uncovered not a cyber intrusion as such, but the steady harvesting of users' data through a third-party app on Facebook's own platform and its transfer to external parties, without those users' meaningful consent.
In the aftermath of the 'View As' hack, Facebook chief executive Mark Zuckerberg said: "We're taking it really seriously – we have a major security effort at the company that hardens all of our surfaces." He added: "I'm glad we found this – but it definitely is an issue that this happened in the first place."
Zuckerberg's none-too-subtle acknowledgement that unknown weaknesses can lurk even behind a well-funded security programme is emblematic of disturbing gaps in cybersecurity provision, not just among corporates but among financial institutions, too.
One month on from the Facebook hack, (ISC)², the leading trade association for cybersecurity professionals and a global body with around 138,000 members, published its Cybersecurity Workforce Study, 2018, subtitled Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens: a comprehensive analysis of how effectively organisations are making use of people who are trained specifically to deal with cyber risks and vulnerabilities.
The answer? Not very.
In its report – compiled from the views of more than 1,400 participants in organisations across Europe, the Americas and Asia-Pacific – (ISC)² identified a global cybersecurity ‘workforce gap’ of more than 2.9 million unfilled posts.
Researchers attributed the lion's share of that shortage, and of its growth over the past year, to Asia-Pacific. Not only is the region home to several fast-growing economies, making cybertheft a more lucrative prospect, but many of those economies have recently passed fresh cybersecurity and data-privacy laws that require firms to maintain higher standards, and therefore to hire more specialists.
As a result, the region alone accounts for a deficit of more than 2.1 million specialists.
On a global level, 63% of respondents said that their firms are suffering from a shortage of IT staff dedicated to cybersecurity. Meanwhile, 59% said that the shortage has left their firms exposed to either a moderate, or extreme, risk of cyberattacks.
“Awareness of the cybersecurity skills shortage has been growing worldwide,” the report says. “Nevertheless, that workforce gap continues to grow, putting organisations at risk.”
It notes: “Despite increases in tech spending, this imbalance between supply and demand of skilled professionals continues to leave companies vulnerable. It’s no surprise that research shows the shortage of cybersecurity professionals is now the number one job concern among those who already work in the field.”
Interestingly, many of the professionals already employed at the cyber coalface think that they are spending too much time on routine or firefighting tasks, such as security administration, endpoint security management and incident response.
“They’re time-consuming activities that cybersecurity pros would like to do less of,” the report stresses. “They’d rather be spending time on more high-value cybersecurity tasks, such as threat intelligence analysis, penetration testing and forensics.”
In other words, professionals want to spend more time on proactive, higher-value work that reduces risk, rather than on administrative upkeep or on cleaning up incidents that will keep recurring if nobody has time to put the appropriate safeguards in place.
Just over one fifth of the respondents cited a lack of awareness among senior managers of the overall urgency of cybersecurity measures. That theme resurfaced even more vividly in research published the following month.
From October 2017 to September 2018, the UK Financial Conduct Authority (FCA) examined cybersecurity within almost 300 finance firms under its jurisdiction. In late November, the regulator published its findings in the report Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018.
Its key message? Senior figures in the finance sector could do a much better job of engaging with their organisations’ cybersecurity strategies.
Across the FCA’s sample, 90% of firms rated their own cyber governance procedures highly. Institutions subject to the Senior Managers Regime reported particularly strong chains of accountability, with clearly structured roles and remits – together with genuine strategic ownership at the top.
However, those glowing self-appraisals look rather too optimistic: technology outages reported to the regulator by the sector grew by 138% year-on-year, and among firms of all sizes, cyber resilience is the top operational concern.
Smaller firms, and those with large presences in other jurisdictions, reported challenges both in how their cybersecurity strategies are established and in how far their boards subsequently take ownership of those strategies.
“For example,” says the report, “more complex or geographically diverse firms were more likely to rely on committees and other parts of their groups, with decreasing ownership at board level. Smaller firms often described their cyber strategy as incomplete, or as not having been implemented.”
It warns: “Firms also reported a lack of board understanding of cyber risks… Some boards struggle to understand that cyber is a global risk, not just the responsibility of the IT department. To mitigate this risk, some firms use training and simulation exercises to strengthen their capabilities and others have hired third-party firms or advisers.”
In the FCA’s view, hiring external support is certainly one avenue that firms could explore as they attempt to resolve the challenge. “However,” the report notes, “this can lead to over-reliance – which in turn could impact the development of their own in-house capabilities.”
This lack of board engagement could prove particularly risky given that, according to the report, "Nearly 80% of respondents struggle to maintain a view of what information they hold, and of [that held by] their third parties." A firm that does not know what data it holds, or where its suppliers hold it, cannot realistically protect it.
In addition, firms “identified challenges in identifying and managing their high-risk staff and then educating those employees with access to critical systems or sensitive data, who are more likely to be targeted by cybercriminals.”
In a 27 November speech at the London headquarters of Bloomberg, FCA executive director of supervision Megan Butler reflected upon the findings, and stressed to senior industry figures that the culture that boards create around cyber issues is “fundamental”.
“Are you establishing appropriate tolerances for operational disruption?” she asked. “Are back-up plans in place? Are there response and recovery options? And do you have appropriate staff training?”
Butler noted: “By creating a positive security culture, you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly (and accurately) and hopefully deal with issues before they ever become an incident.
“Recognising this success then helps to build and reinforce that secure culture.”
It has been noted elsewhere that corporate treasurers are keenly alert to the risks of cybercrime.
For example, in a recent survey, consultancy Strategic Treasurer found that 84% of treasury groups believe that the threat of cyber fraud against their departments grew between 2017 and 2018.
Now, taken together, the (ISC)² and FCA reports present treasurers with a challenge.
As the treasury function sits at the interface between corporates and financial firms, and is becoming a steadily more strategic asset, treasurers are well placed to advise their wider businesses on how to ensure that cybersecurity measures are properly resourced.
They are also entitled to push their financial services providers for the highest standards in the provisions those firms offer.
(ISC)², Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens: Cybersecurity Workforce Study, 2018.
FCA, Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018, November 2018.
Matt Packer is a freelance business, finance and leadership journalist