6 minute read 7 Feb 2020
fire fighters on an aircraft

How to manage cyber risk with a Security by Design approach

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.

6 minute read 7 Feb 2020

Security by Design is a new approach to cybersecurity that builds in risk thinking from the onset, enabling global innovation with confidence.

Most organizations today know they must embrace new technology and continually innovate in order to remain competitive and relevant. Yet in the rush to modernize their systems and operations, they introduce multiple vulnerabilities across their business, and expose themselves to a growing number of risks.

Meanwhile, there are always more would-be attackers ready to exploit these weak spots, with virtually unlimited access to a plethora of software and services just a click away. These threat actors no longer just focus on data theft in the view of monetization as they once used to. There has been a huge increase in politically motivated attacks, often even at state level. We have also witnessed the rise of ‘hacktivism’ and cyber-terrorism as major threats to cybersecurity worldwide. Anyone with a grudge, a point to make or simply a desire to cause damage can readily do so.

Fire fighters getting ready
(Chapter breaker)
1

Chapter 1

As threat levels increase, crucial bonds of trust are at stake

The consequences for organizations and institutions alike can be catastrophic and even threaten their very survival.

The most obvious outcome of cyber-attacks is financial loss, whether as a result of fraud, being forced to pay ransoms, being subject to fines or through missed revenue and opportunity costs. It is estimated that US companies lost US$654 billion to cyber-attacks in the last year alone. This year is already set to be worse.

Yet organizations aren’t the only ones at the mercy of cyber-criminals. A growing part of government-run infrastructures in modern states is now managed online, deeply interconnected, and ladened with the same vulnerabilities as businesses. Attacks on these systems have the power to disrupt entire regions and countries, cause untold chaos, and may even result in actual physical harm to individuals. In 2016, hackers were able to shut down the power grid of an entire region of Ukraine, leaving 230,000 people without electricity for hours.

Cybercrime and hacking can have material impact at societal scale, in particular through the voluntary spread of disinformation. The dissemination of fake news during crucial political events in recent history has shown that, even via unreliable, often poorly constructed channels and content, the spread of false information can yield grave consequences. These effects can stretch even further when disinformation is spread via legitimate channels. When, in 2013, the Twitter account for the Associated Press was hacked to post a breaking headline about a bomb attack at the White House injuring President Barack Obama, US$136 billion in equity market value was wiped off the Dow Jones almost instantly. 

Ultimately, the most damaging and lasting effect of these incidents, particularly when not quickly dealt with and mitigated, is the loss of trust between people and the organizations or institutions they depend on. Stakeholders, employees, third parties and consumers on one hand, taxpayers and voters on the other; all expect consistent, reliable performance as well as the safeguarding of their own safety and security, both on and off-line. When data confidentiality, integrity or availability are compromised, or products and services cease to perform as expected, trust built over years can be lost in a day.

Seamean working offshore
(Chapter breaker)
2

Chapter 2

Cybersecurity: a complex, crisis-driven market

Organizations are struggling to maintain a clear, cohesive and efficient security function.

Too many organizations today adopt a merely reactive approach to cybersecurity, taking measures only after an attack has occurred, a fault been found, fines incurred, or legislation passed. Early findings from the EY Global Information Security Survey 2020 of almost 1,300 cybersecurity leaders, reveals that 65% of businesses only consider cybersecurity after it’s already too late. There is a clear tendency to retrofit security tools around existing systems, simply ticking off items on compliance checklists, rather than building security into new products and services based on prior business risk calculations.

EY Global Information Security Survey 2020

65%

of businesses only consider cybersecurity after it’s already too late — reveal 1,300 cybersecurity leaders.

This checklist mentality is not only inefficient but also at the root of several issues hindering the role and effectiveness of cybersecurity. Firstly, there is the fact that CISOs and security teams are perceived as obstacles in businesses that must quickly innovate to survive. Secondly, this mentality has given rise to an extremely fragmented and complex security market made up of thousands of vendors competing for security spend. This context can make it incredibly hard for organizations to maintain a clear, cohesive and efficient security function.

As boards and C-suites begin to grasp the importance of the security function, they start to see the clear need for a new approach that enables them to pursue innovation with confidence while minimizing and managing the many risks posed by cyber-criminality.

Hiker with harness ready to jump
(Chapter breaker)
3

Chapter 3

Security by Design: safeguarding trust in the Transformative Age

Security as an afterthought is no longer enough to efficiently protect operations and maintain trust at every level of an organization.

EY cybersecurity teams believe it’s time for a new take on cybersecurity: a proactive, pragmatic, and strategic approach that considers risk and security from the onset of any new initiative, and nurtures trust at every stage. This is Security by Design.

Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs and data so that organizations can take on more risk, lead transformational change and innovate with confidence.

In the constantly growing field of Artificial Intelligence (AI), for example, the need for such an approach is becoming clearer every day. The two most common forms of Machine Learning (ML) that make up this field – unsupervised and supervised – are prime targets for subversion. The outcomes produced by these methods naturally depend on the algorithms that bring them to life. Yet even state-of-the-art algorithms will lead to corrupted outcomes if the data that fed into them is itself manipulated.

Today, not enough attention is paid to protecting the integrity of the data that feeds into ML systems at the heart of more and more mainstream products and services. Cyber-criminals know this and could in principle attack systems by adding, deleting or changing underlying data sets. Most digital systems in place today are already at risk of such manipulations.

However, as AI expands the scope of automated decisions the opportunities for mischief also expand. Take, for instance, flight traffic systems programmed to automatically adjust aircraft velocity or altitude based on potentially adulterated data – or ML software designed to detect medical issues, where corrupted data leads algorithms to ignore signs of cancer. Such deeply undesirable outcomes may only be avoided by implementing adequate data governance, identity and access management protocols at the core of AI systems. 

The rising ubiquity of Internet of Things (IoT) devices provides another compelling case for a Security by Design approach. Consumers increasingly rely on IoT products, which they allow into their homes and entrust with often highly sensitive and personal information. Yet there is little to warrant such trust in the way that these devices are typically manufactured.

IoT devices involve three separate steps in their assembly. This process begins with specialized computer chips built with as little engineering or overhead as possible so as not to impact already very slim margins. These chips are then passed onto original device manufacturers (ODM), hired to build on specification, made with a combination of open source and proprietary software. Once again, the aim here is to maximize margins, with little regard for security or performance beyond required functions. Lastly, the consumer-facing brand company loads their own interface and adjusts the devices just enough to ensure they work. At each stage, the focus is on maximizing profits rather than ensuring security or integrity.

This short term, profit-first approach is a sure recipe for disaster. In 2015, a leading automotive brand was forced to recall 1.4 million vehicles after security experts hacked into their car’s infotainment system and demonstrated that almost anyone could access and control key functions including breaking and steering. As car manufacturers and governments worldwide lead a concerted push toward smart cars and cities bolstered by IoT technologies, the need for greater security is evident.

What do these examples have in common? They are no longer simply niche innovations. They are the global networked systems of tomorrow which will themselves become interconnected and will increasingly form the basis of everything we do day-to-day. It is critically urgent that the organizations and institutions developing and using these technologies adopt a Security by Design perspective. Those who fail to do so run a myriad of risks, from financial ruin to structural chaos, culminating in the often-irreparable collapse of trust. A proactive, pragmatic and strategic approach that considers risk from the very onset – and not as an afterthought – can make the difference between those who fail and those who thrive in the Transformative Age. 

Summary

This article evaluates the current cybersecurity landscape and seeks to inspire organizations to adopt a new approach to managing security in the Transformative Age. Organizations today must innovate to survive, but in doing so face ever-growing threats of cyber-attacks. In light of potentially disastrous consequences, organizations need a new perspective that considers these risks from the very inception of any product or service, rather than as an afterthought.

About this article

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.