When FedEx subsidiary TNT Express was hit by ransomware in 2017, its delivery units were crippled and much of its shipping operations ground to a halt. In addition to delaying services to customers, the attack cost FedEx approximately $300 million, according to public filings.
It's a story that is unfortunately becoming more commonplace today. Ransomware is ravaging businesses around the world, bringing manufacturing plants to a standstill, preventing hospitals from treating patients, and even keeping students from remote schooling during this pandemic. Meanwhile, attackers continue to steal data and credentials from companies of every size in every industry and leverage them for profit.
As cybercrime damages are expected to reach $6 trillion by 2021, a growing number of breach notification laws and regulations like the EU's General Data Protection Regulation are bringing transparency to the direct financial impact of a cyberattack. Corporate directors are increasingly pushing company leaders for an improved understanding of cyber-risk, as well as a mitigation strategy and plan. The potential sudden and material impact of cyberattacks have pushed cybersecurity to the top of the risk register for many enterprises. Most boards and executive teams lack familiarity with these risks, so board-level cybersecurity education is typically the first step, quickly leading to questions on how the enterprise can buy down cyber-risk.
As directors ask these questions, many boards are finding that the organization has invested in controls such as antivirus and firewalls for years. However, these tools do not address one of the largest cybersecurity blind spots today: the Enterprise of Things. Billions of devices, including security cameras, smart TVs, and manufacturing equipment, are connecting to enterprises. When you look at the risk management fabric of any company of significance, the risk posed by these resident unmanaged devices and systems is high.
In many cases, this proliferation of the Enterprise of Things devices pushes productivity and innovation forward, factors that are very important to a board of directors in its obligation to drive shareholder value and reduce their risk profile. However, a single poorly secured device connected to the corporate network could be the weak link that negates those benefits, instead causing significant financial and reputational harm. That weak link could be a single laptop, a sensor monitoring a nuclear plant, a printer, a medical device, or, in the case of a Las Vegas casino, a fish tank thermometer.
Boards need to understand the company's cyber-risk exposure, quantify the potential impact if hit by a cyberattack, and take steps to ensure that every dollar spent on cybersecurity directly buys down that enterprise risk. To do that, they need to build a defense inside of their cyber castle walls, with a real-time, continuous, and context-rich understanding of the managed and unmanaged assets. If the network were a beach composed of vast numbers of connected entities that formed the grains of sand, the company needs to have the ability to zero in on a single anomalous grain and then analyze it in granular detail.
Boards must ensure that the security function has the right skills, processes, and technologies to implement an active defense strategy that includes identifying, segmenting, and enforcing compliance of every connected thing from the time a device enters the network and throughout its life cycle. Key to an active defense is having the ability to isolate and automate control and action across any asset, anywhere, anytime to mitigate risk, contain breach impact, and operate fearlessly — without worrying about keeping critical assets online.
The ultimate goal should be the implementation of a process for formal review of cybersecurity risk and readout to the governance, risk, and compliance (GRC) and audit committee. Each of these steps must be undertaken on an ongoing basis, instead of being viewed as a point-in-time exercise. Today's cybersecurity landscape, with new technologies and evolving adversary trade craft, demands a continuous review of risk by boards, as well as the constant re-evaluation of the security budget allocation against rising risk areas. to ensure that every dollar spent on cybersecurity directly buys down those areas of greatest risk.
We are beginning to see some positive trends in this direction. Nearly every large public company board of directors today has made cyber-risk an element either of the audit committee, risk committee, or safety and security committee. The CISO is also getting visibility at the board level, in many cases presenting at least once if not multiple times a year. Meanwhile, shareholders are beginning to ask the tough questions during annual meetings about what cybersecurity measures are being implemented.
In today's landscape, each of these conversations about cyber-risk at the board level must include a discussion about the Enterprise of Things given the materiality of risk. New devices, sensors, and other connected entities are constantly entering the enterprise. Attackers have proven their efficacy at using vulnerable devices as an entry point into the broader enterprise. New vulnerabilities and misconfigurations are discovered daily and therefore securing connected devices is not a one-time event, but rather a life cycle of continuous inspection and control.
Those on the board of directors has a responsibility to ensure they have a thorough understanding of these risks on a continuous basis and that the company has the proper controls in place to address this critical area of risk. As our dependency on the Enterprise of Things grows, so does the associated risk. We have to remain diligent about executing an active defense for the Enterprise of Things.