Resilience is Answer to Major Cyber-attack

Researchers from The Ohio State University measure economic consequences of cyber attacks

In survey results released by Business Insurance last Thursday, risk management professionals believe that their bosses and boards aren’t taking cybersecurity as seriously as they did last year. The report comes just as Dr. Zhenhua Chen from The Ohio State University and Adam Rose from the University of Southern California released a preliminary report of their research examining the major economic consequences of a cyber-attack in terms of GDP and employment.

The survey, the seventh annual released by Zurich Insurance Group Ltd., shows that 62 percent of risk professionals said that their board of directors recognized cyber risk as a significant threat to the organization, down from 83 percent a year ago.

“Cyber-attacks continue to pose an extreme threat to the U.S. — major security breaches in private industry and government are on the rise,” says Dr. Zhenhua Chen, a research fellow of The Risk Institute and assistant professor at The Ohio State University. “These attacks haven’t yet caused major cross-sectorial damage, but the potential is there.”

Cyber-attacks can shut down industrial facilities, critical utilities and infrastructure systems, interfere with military operations, and compromise national security. And it isn’t just supposition; we’ve already seen it happen.

In Ukraine last December, hackers successfully blacked out a portion of the nation’s capital for about an hour. As reported by Wired, cybersecurity researchers discovered “disturbing evidence” that the Kiev attack was almost certainly a dry run for a much larger attack using the “most evolved specimen of grid-sabotaging malware ever observed” outside of a controlled setting.

Chen’s research focuses on answering three questions: 1) What are the economic consequences of a cyber-attack, measured in terms of GDP and employment? 2) How do the consequences vary when attacks target different critical infrastructure sectors, such as manufacturing and cyber sectors? 3) What is the potential of various cyber-resilience tactics to reduce losses?

Chen’s overall research objective is to improve risk management for cyber-threats among both private and public sectors through better understanding of the economic consequence of cyber-attacks and the benefits of various cyber resilience tactics in reducing these consequences.

As a result of an extensive literature review, Chen and his team found that although many studies have attempted to identify the economic impact of cyber-attacks, there is no systematic approach to evaluating those impacts in terms of GDP and employment changes. They also realized that while several studies have addressed pre-disaster approaches to risk reduction (e.g., mitigation), very few have addressed post-disaster approaches to recovering cyber capabilities (e.g., resilience).

Chen has developed two attack scenarios to assess the direct costs and identify post-attack resiliency options. The first is a hypothetical cyber-attack scenario that assumes the supervisory control and data acquisition (SCADA) system of the auto-manufacturing sector in Michigan is disrupted by a cyber-attack for ten days. The second scenario pertains to a disruption of cyber sectors used by a broad range of industries in the event of a natural disaster such as an earthquake.

Zhenhua Chen is a research fellow at The Risk Institute. The Risk Institute at The Ohio State University’s Fisher College of Business exists to bridge the gap between academia and corporate America. By combining the latest research with the real-world expertise of America’s most forward-thinking companies, the Risk Institute isn’t just reporting risk management’s current trends — it’s creating tomorrow’s best practices.

Post Executive Education Series, “Identify, Plan, Protect: Using Cyber to Your Advantage”

On April 19, 2017, The Risk Institute at The Ohio State University, Fisher College of Business held an engaging conversation, as part of its Executive Education series, on the topic “Identify, Plan, Protect: Using Cyber to Your Advantage”.

As we see on an almost daily basis, Cyber Risk and Crime have become a part of our lives. During the first few weeks of 2017, we witnessed a large restaurant chain’s register payment systems impacted and a large business services firm’s marketing database with over 33 million corporate contacts shared across the web. Multiple other examples crossing any number of industries can be found without much difficulty.

We were fortunate to have had Ohio Attorney General Mike DeWine introduce the topic to our audience of executives. AG DeWine is passionate about Cyber Crime and Cyber Risk and its impact upon the citizens of Ohio.

The session focused on raising the conversation of the obvious current situation with regard to Cyber Risk and Crime, but also considered risk mitigants that businesses can take. The speed at which crisis communication and Public Relations plans are treated and managed is certainly at the forefront of dealing with Cyber challenges within business. So much so, that the phrase “Fiasco Vortex” has been coined (see Glass Jaw by Eric Dezenhall). In the 21st Century, communication never sleeps. We live in a 24/7 news cycle that demands a much different treatment of Cyber Risk and Cyber business continuity planning.

An organization’s business continuity plans will need to be tested to respond to geography-specific exposure that could have a wider impact upon the business and its customers. Our speakers highlighted, from their diverse experiences and backgrounds, how companies can take a proactive approach to Cyber Risk and Crime.

Session leaders Helen Patton, CISO, The Ohio State University; Jim Trainor, SVP, Aon Cyber Solutions and former head of the FBI Cyber Division, Washington, DC; David White, CIO, Battelle Memorial Institute; and David Lyon, Senior Manager, The Crumpton Group, LLC, collaborated to provide insight into:

  • Cyber a View from the CISO Trench
  • Cyber Threat Landscape 2017 and Beyond
  • Cyber Security’s Impact on IT Operations
  • The Role of Intelligence in Cyber Attacks: Offense vs. Defense

The session emphasized how to proactively use risk management to balance the risks related to Cyber Risk in order to meet business goals and enhance business performance.

The session did an excellent job of creating thought provoking ideas and advancing The Risk Institute’s unique role in uniting industry thought leaders, academics and highly respected practitioners. This is an ongoing dialog to advance the understanding and evolution of risk management in our world today. The Risk Institute’s conversation about risk management is open and collaborative with its relevance across all industries and its potential for competitiveness and growth.

Identify, Plan, Protect: Using Cyber to Your Advantage

On April 19, 2017, The Risk Institute at The Ohio State University, Fisher School of Business will be presenting, as part of its 2017 Executive Education series, the topic “Identify, Plan, Protect: Using Cyber to Your Advantage”.

As we see, almost on a daily basis, Cyber Risk and Crime have become part of our lives. During the first few weeks of 2017, we have seen a large restaurant chain’s register payment systems impacted and a large business services firm’s marketing database with over 33 million corporate contacts shared across the web. Without difficulty, multiple other examples are found that cross any number of industries.

We are fortunate to have Ohio Attorney General Mike DeWine introduce the topic to our audience. AG DeWine is passionate about Cyber Crime and Cyber Risk and its impact on the citizens of Ohio.

The session will look to raise conversation on the obvious current situation with regard to Cyber Risk and Crime, and will consider risk mitigants that businesses can take. The speed at which crisis communication and Public Relations plans are treated and managed is certainly at the forefront of dealing with Cyber challenges within business. So much so, that the phrase “Fiasco Vortex” has been coined (see Glass Jaw by Eric Dezenhall). In the 21st Century, communication never sleeps. We live in a 24/7 news cycle that demands a much different treatment of Cyber Risk and Cyber business continuity planning.

An organization’s business continuity plans will need to be tested to respond to geography-specific exposure that could have a wider impact upon the business and its customers. Our speakers will highlight, from their diverse experience and background, how companies can take a proactive approach.

Session leaders Helen Patton, CISO, The Ohio State University; Jim Trainor, SVP, Aon Cyber Solutions and former head of the FBI Cyber Division, Washington, DC; David White, CIO, Battelle Memorial Institute; and David Lyon, Senior Manager, Crumpton Group, LLC will collaborate to provide insight into:

  • Cyber a View from the CISO Trench
  • Cyber Threat Landscape 2017 and Beyond
  • Cyber Security’s Impact on IT Operations
  • The Role of Intelligence in Cyber Attacks: Offense vs. Defense

The session will emphasize how to proactively use risk management to balance the risks related to Cyber Risk in order to meet business goals and enhance business performance.

The session will provide thought provoking ideas advancing The Risk Institute’s unique role in uniting industry thought leaders, academics and highly respected practitioners in an ongoing dialog to advance the understanding and evolution of risk management. The Risk Institute’s conversation about risk management is open and collaborative with its relevance across all industries and its potential for competitiveness and growth.

Intellectual Property: Defense is the Best Offense

Intellectual property merits a sound risk management strategy. Identifying a company’s intellectual property can sometimes be a fuzzy exercise, but it’s clear that failing to do so, and not having a risk management strategy to safeguard a business’ “secret sauce”, can lead to dire consequences. That’s especially true for startups whose only real asset may be the big idea that got them going in the first place.

Still, intellectual property and risk management consultants say companies may not be doing as much as they can to protect their IP assets, which can include everything from product formulas to customer lists.

Philip Renaud, executive director of the Risk Institute at Ohio State University’s Fisher College of Business

“I wonder if inside the doors people are having enough robust conversations about what their intellectual property is and what needs to happen to manage the risk,” says Steve Snethkamp, a partner in the Columbus office of EY. His consulting practice covers a variety of industries with a focus on information technology.

The stakes are high, he says, pointing to incidents in which the technology behind a new product has been stolen and implemented by overseas competitors even before the IP owners can get that product to market. And it’s not easy to manage that risk, especially with all the data that can be shared—and exposed—through the ever-increasing use of mobile technology and interconnected devices.

“There is no silver bullet,” Snethkamp says, “but the first thing (for companies) is to create a cultural awareness that security is important and IP is the lifeblood of the organization. That needs to be the mantra of every person in the company from the janitor to the CEO.”

Then businesses need to clearly define their intellectual property, identify where it is located, make an inventory of it and put in place controls, processes and procedures to protect it appropriately.

“It’s hard stuff to do,” Snethkamp says.

But it’s also essential given the findings of a 2013 study by the independent Commission on the Theft of American Intellectual Property. It estimated that international thefts of intellectual property have an impact of more than $300 billion annually on the US economy, costing the country millions of jobs and dragging down economic growth and investments in research and development.

Risk managers historically were focused on hard assets—buildings, equipment and inventory—but that has shifted to intellectual property and intangible assets such as copyrights, patents, technical processes, trade secrets, customer lists and distribution networks, says Philip Renaud, executive director of the Risk Institute at Ohio State University’s Fisher College of Business. He has worked in the risk management field since the early 1980s, including stints with L Brands, Kmart, Exel and Deutsche Post.

“It’s much more difficult to value an intangible asset and protect it,” Renaud says. “I can’t put a sprinkler system and firewall around a copyright.”

In his opinion, IP risk management in many cases becomes a defense strategy in which companies must educate team members about the importance of protecting the brand. That is particularly the case of detailing the risks when employees are working online and sharing data.

Such preventative steps are especially important, Renaud says, because of the difficulty and expense of stopping an IP infringement after the fact.

“That’s the greatest challenge,” he says. “If the company that has infringed on you is exposed, the only way to get there is through legal proceedings. That costs a lot of money.”

There is also the thorny issue of taking legal action when an IP infringement occurs overseas. “How do you get enforcement in China?” Renaud asks.

His best advice for companies is to make sure they understand their intangible assets—how they are used, their value to the business and how they are being protected.

When looking to protect intellectual property, companies should consider registering their rights with patents, trademarks and copyright, says Susan Rector, an attorney at the Columbus office of Ice Miller LLP. She represents companies in all aspects of IP ownership and information technology transactions.

“Inherently, taking the steps to register the rights to your intellectual property gives you a leg up,” Rector says. “That’s important from a defensive standpoint. It can also be used offensively against people who come too close to your (IP) rights.”

She works with a lot of startup companies that are building their business model around a proprietary product that is far and away their most valuable asset.

“Often it’s two guys, a laptop and an idea,” Rector says. “A lot of them will get big valuations (from investors), but people will only back them if no one else has done it. … They need to think about an intellectual property strategy early. If they don’t, they can lose their ability to protect that product or device.”

Intellectual property presents some specific challenges for risk managers, says Nicholas Kaufman, head risk manager at Battelle in Columbus.

First, it can be difficult to place a value on IP assets because they can be hard to measure, especially compared to property risks or auto liability. Second, Kaufman says there really is no insurance market for intellectual property because mature insurers tend to organize around areas they understand and know the likelihood of payouts on policies. That’s not the case with IP because of the difficulties in placing a value on the assets and calculating the risks to them.

Despite those issues, companies still need to have a risk management program in place for their intellectual property assets because the stakes can be so high. Kaufman says Battelle’s program takes an enterprise-wide approach in managing the IP risks for its range of products, services and research it conducts.

“We look at it holistically,” he says. “It’s not just about defending our intellectual property but making it as easy as possible for our scientists to create IP.”

Kaufman says intellectual property best practices start with an understanding of your organization and how IP brings value. Then it becomes a matter of aligning resources to protect that value.

The sooner that companies think about protecting new intellectual property the better, says Ari Zytcer, a Vorys, Sater, Seymour and Pease LLP attorney who has worked in the IP field for more than 10 years. But he also recognizes that can be easier said than done.

“In identifying intellectual property,” he says, “you’re starting in the dark. Is this going to be a commercially successful product or an intermediary that leads to something down the road that you would like to protect and stake a claim? You don’t know what aspects you’d like to protect (with a patent) … so we see broad coverage at the beginning. As development continues, you home in on what is commercially viable and blocking other companies from getting into that space.”

Zytcer also says there is no one-size-fits-all approach for IP risk management.

Small companies, for instance, have to consider whether it is best to spend limited resources on patent procurement versus funding research and development and breaking into a market. Large companies generally take a more holistic view with IP committees drawn from the business side—risk management, legal, finance and marketing for example—and R&D side of the enterprise. They track new inventions and make the call on the allocation of resources for patents, trademarks and other IP safeguards.

“Having a cohesive policy for the company is crucial,” Zytcer says. “It’s almost like a marriage. The right hand needs to know what the left hand is doing.”

Jeff Bell is a freelance writer.

Governance and culture take center stage at The Risk Institute’s Annual Conference

Conversation surrounding governance and culture recently took center stage at The Ohio State University Fisher College of Business, as The Risk Institute explored the impacts of the two key aspects of business at its Annual Conference. The two-day conference brought together Risk Institute members, business leaders, experts and faculty thought leaders from Fisher for an in-depth examination of the risk management and strategic implications of governance and culture.

Phil Renaud and Jeni Britton Bauer of Jeni's Splendid Ice Creams discuss maintaining culture through crisis.

Considering the various sides of governance and culture is critical to understanding how to leverage risk management to create value for an organization. The conference featured four keynote speakers: Gordon Bethune, former CEO of Continental Airlines; Cameron Mitchell, founder and CEO of Cameron Mitchell Restaurants; Randall Kroszner, former Governor of the Federal Reserve System; and David Gebler, author of the best-selling book The 3 Power Values.

Bethune opened the conference and focused on his experience turning around Continental Airlines over a decade, which is detailed in his book, From Worst to First. He emphasized the importance of building accountability between employees and the organization saying, “What gets measured and rewarded, gets done.”

Mitchell is a self-described serial entrepreneur who understands that taking risks is necessary to be successful in business saying, “I may shoot myself in the foot and walk with a limp, but I’ll never shoot myself in the head and make a fatal mistake.”

Academic Director Isil Erel speaking at Annual Conference 2016.

During his time with the Federal Reserve System and as a professor of economics at the University of Chicago, Kroszner never imagined he would be helping guide America’s economy through the worst financial crisis since the Great Depression. He discussed the potential ramifications of the Fed keeping interest rates at historic lows since 2008, saying, “When your short-run policy becomes a long-run policy, you will always run into unintended consequences.”

Named one of America’s top Thought Leaders in Trustworthy Business Behavior, Gebler is an innovator of new approaches that integrate culture, ethics, values and performance. His talk detailed how to know whether your organization’s culture is a risk factor, using the three power values: integrity, transparency and commitment.

In addition to the keynotes, the third-annual conference brought together business leaders and experts for a series of RISKx presentations and panel discussions on women in risk, governance and culture related to business. The culture discussion explored employees’ attitudes toward risk, mergers and acquisitions, maintaining culture through crisis, and emerging risks in the energy industry.

The Risk Institute’s Executive Education Series will resume November 15 with a discussion on Political Risk.

Not If, But When – Facing Cyber Risk in the Digital Age

By Professor Bernadette A. Minton
Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
The Ohio State University Fisher College of Business 

When the World Wide Web was invented nearly thirty years ago, the concept of what today’s cyber landscape would look like was little more than science fiction. Rapid advances in technology coupled with the growth of the Internet have revolutionized the way businesses and individuals interact. Integrated networks are allowing organizations to access, analyze, use and share information more easily than ever before. The composition of firms in the global economy is changing from organizations producing primarily material goods to those creating intangible assets relying on technology and intellectual property.

Yet, as the global economy becomes increasingly Internet-connected, organizations, while reaping the potential benefits, are simultaneously exposed to an increasing array of known and unknown cyber threats. Not a day goes by without the news of another cyber attack taking place at another organization. The conventional wisdom is not “if a cyber breach will happen” but “when will it happen.”

In the upcoming Risk Institute Executive Education Risk Series, we kick off the 2015-16 academic year with a discussion on the evolving environment of cyber threats. Our session leaders from Battelle, EY and Aon will collaborate to provide executives with insights into how to:

  • Embrace a systematic approach to understanding the evolving cyber landscape and assess the various cyber threats facing the organization
  • Develop an integrated and enterprise-wide approach to consistently assess the organization’s vulnerabilities to cyber threats
  • Proactively quantify their organization’s cyber exposure and apply potential risk management and insurance solutions to help insulate the exposure
  • Apply current findings of research on cyber vulnerability to the products and services

Overall, the half-day session will emphasize the importance of balancing the power of cyber ecosystems with the associated risks to create organizational value.


To learn more or to register, please visit the Risk Series page.


Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

By Professor Ingrid M. Werner, Risk Institute Faculty Member, and Martin and Andrew Murrer Professor in Finance at The Ohio State University Fisher College of Business.


October 28, 2014

Ingrid M. Werner, The Risk Institute Faculty Member, Martin and Andrew Murrer Professor in Finance, The Fisher College of Business

The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: Whale Phishing, and the Deep Web and Dark Net. These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence, who discussed effective strategies for managing the cyber security risks faced by businesses around the world.

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of hacker strategies known as spear phishing. Generally, phishing scams cast a wide net and hope that a few foolish individuals click on the attachment or link in an e-mail, compromising the security of their computer or financial account. Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain. Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization. Vircom Guest Blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for, in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts. It takes the form of an email that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator). For example, a staff member in the purchasing department may get an e-mail from IT requesting that the individual log in and reset his or her password. Malware is used by the attacker to direct the individual to a fake website designed for the sole purpose of capturing the username and password for use in accessing the organization’s network. The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it: a whale phishing scam follows the same strategy but targets senior management. The emails used are personalized and often extremely well-crafted, using corporate logos and HTML templates to convey a sense of authenticity. The sender’s address looks like it comes from a known person or organization, and often alludes to a sensitive and urgent business matter. Finally, the matter raised is one that requires the intervention of senior management. For example, it may be a subpoena, and the official-looking email instructs the CEO to click a link to download special software so they can view the subpoena. According to Megan Horner, a scam like this targeted an estimated 20,000 recipients. Shockingly, about 10 percent responded and thus downloaded the malicious software, so-called malware. In addition to being used to display the fake subpoena, the malware was actually a key logger that captured anything the CEO typed, including network access credentials and other sensitive information. Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds to external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam? Megan Horner lists the following red flags for managers who receive emails with urgent calls to action involving confidential data.

  • The email requires a download or website visit in order to view an official document.
  • The sender’s address is similar but not identical to a familiar one.
  • The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
  • A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
  • The communication contains supposedly confidential information that in reality is publicly available.

She also suggests that if you cannot quickly verify an email’s authenticity you should immediately call IT Security. This is good advice for employees and senior managers alike!
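Three of the red flags above (a look-alike sender address, an unencrypted link, and an urgent legal matter paired with a request to download or log in) are mechanical enough for a mail gateway or help desk to check automatically. The script below is an added example written for this page; it is not code from the original post, from TrainACE or from K2 Intelligence. It parses a raw message, compares the sender's domain against a trusted list using edit distance, flags any `http://` link, and flags urgent wording that coincides with a call to act. The trusted-domain list, the keyword lists and both sample messages are constructed for illustration.

```python
"""Red-flag triage for executive mailboxes (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of domains the organization knows to be legitimate.
TRUSTED_DOMAINS = {"example.com", "regulator.example.gov"}

# Wording that pairs an urgent legal or financial matter with a call to act
# (assumed keyword lists; a real deployment would tune these).
URGENT_TERMS = ("subpoena", "urgent", "immediately", "legal proceeding", "court")
ACTION_TERMS = ("download", "click", "log in", "login", "reset your password", "view the document")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated.

    'Similar but not identical' is taken as: not in the trusted set, but within
    two edits of one, or sharing the first label with a different suffix.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t
        if domain.split(".")[0] == t.split(".")[0]:
            return t
    return None


def red_flags(raw_email: str) -> list:
    """Evaluate one raw RFC 822 message and return the list of red flags it triggers."""
    msg = message_from_string(raw_email)
    flags = []

    # Flag 1: sender domain that is close to, but not, a trusted one.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"sender domain {domain!r} resembles trusted {imitated!r}")

    # Only single-part text bodies are inspected in this example.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Flag 2: any link that does not use TLS.
    for url in URL_RE.findall(body):
        if urlparse(url).scheme.lower() == "http":
            flags.append(f"unencrypted link {url}")

    # Flag 3: urgent matter combined with a download, visit or login request.
    if any(u in text for u in URGENT_TERMS) and any(a in text for a in ACTION_TERMS):
        flags.append("urgent matter paired with a download/visit/login request")
    return flags


# Constructed sample messages; the domains and addresses are fictitious.
WHALING_SAMPLE = """From: "Clerk of Court" <clerk@examp1e.com>
To: ceo@example.com
Subject: Urgent: subpoena requires your response

You have been served. Download the viewer at http://docs.examp1e.com/subpoena to view the official document.
"""

BENIGN_SAMPLE = """From: "IT Service Desk" <itdesk@example.com>
To: ceo@example.com
Subject: Quarterly newsletter

The quarterly IT newsletter is posted at https://intranet.example.com/news.
"""

if __name__ == "__main__":
    for name, sample in (("whaling", WHALING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, red_flags(sample))
```

The whaling sample trips all three checks, the benign one none. The edit-distance threshold is deliberately loose (two edits catches `examp1e.com` and `example.co`); in practice the check is a triage aid that tells the recipient to call IT Security, which is exactly the follow-up the post recommends.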

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people start talking about the “Deep Web” or the “Dark Net.” This is not some imaginary part of the universe, but rather a part of the web that is not accessible to the general public. It is a place where cyber criminals roam and is used for trafficking in drugs, guns, pornography, and credit card information but also in state and military secrets. According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that the World Wide Web is tiered. The top layer is the surface web, which is indexed by our popular search engines such as Google, Yahoo, and Bing and is the place where most of us get news, engage in e-commerce, and share information about organizations and individuals. The next level is the deep web, which is not accessible using popular search engines, as users need passwords or other credentials to get through the door. The closed access is often used by hackers in, for example, the whale phishing attacks to set up temporary web sites where stolen information can be sold to the highest bidder. The third level is the dark net, which in addition to requiring passwords or other credentials requires the user to surf anonymously by using applications such as Tor, I2P and Freenet.

The deep web recently gained publicity through the 2013 shutdown by the FBI of the Silk Road, a site for mail-order drugs run by “Dread Pirate Roberts” and operating on the dark net. The FBI arrested Ross William Ulbricht, who they claim was the Dread Pirate Roberts running Silk Road. While Ulbricht is awaiting trial, and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before. The reason is that when the monopolist Silk Road closed down, it opened up the market for a slew of tiny drug trafficking bazaars that cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s network of PlayStation users, which was hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online. Similarly, Goodwill recently had a credit card breach in which malware was installed on a third-party system used to process credit card payments, compromising almost 900,000 credit cards. More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime. The first line of defense is to have a comprehensive cyber security strategy in place. The second line of defense is to have a constant flow of intelligence scanning the deep web on your behalf. The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC (http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf), so companies clearly need to heed her advice!