Nov 28 2014

The Case for a Global Cybersecurity Strategy

The World Economic Forum looks to raise awareness and improve cybersecurity, one organization at a time.

There’s little question that top management at leading business and government organizations now understand the need to invest in IT security.

Whether it’s the noted credit card breaches at retailers such as Home Depot and Target, or the malware attack on 30,000 computers in 2012 at the Saudi oil giant Aramco, most everyone in business and government recognizes the threat landscape today is much more dangerous.

With something close to 100,000 strains of malware introduced every day, it’s also clear that business and government can’t solve the cybersecurity threat alone. That’s why the World Economic Forum developed a project in conjunction with more than 100 business and government organizations to identify and address the risks that have emerged as organizations grow more dependent on data networks and Internet connectivity.

200 million+

The malware sample count observed by McAfee Labs in Q1 of 2014.

SOURCE: McAfee, “McAfee Labs Threat Report,” June 2014

Some Guiding Principles

As part of its published report, “Partnership for Cyber Resilience,” the World Economic Forum identifies four guiding principles for how business and government organizations can respond to the emerging threat and build cybersecurity awareness into the very fabric of their organizations.

  1. Recognize the interdependent nature of the hyperconnected world and the organization’s role in contributing to a safe, shared digital environment.

    Organizations are only as strong as the weakest link in the chains on which everyone depends. To that end, all organizations must contribute to the safety of the hyperconnected world. The public derives significant benefits from an open, secure and resilient online environment, so all parties share responsibility for creating and supporting global networks.

  2. The executive management team sets the tone and structure for cybersecurity awareness.

    Along with fiduciary and other leadership duties, top management also must recognize the important nature of mitigating cyber-related risks as an essential element to the ongoing viability and success of their organization. Only through aggressive cybersecurity can an organization safeguard its intellectual property and protect its sensitive information so it can freely deliver products or services to its customers or constituent bases.

  3. Recognize the importance of integrating cyber risk management within broader risk practices.

    Consistent with best practices in the field it operates, an organization should develop a specific program geared towards managing cybersecurity risks on a continuous basis. In doing so, the organization reduces the risk of harm to itself and contributes positively to the connected information environment and demonstrates good corporate citizenship.

  4. Encourage suppliers to adopt these principles and guidelines.

    In recognizing that the widespread adoption of these principles contributes to the enhanced opportunity for all stakeholders to benefit from high levels of online connectivity, an organization should encourage others to adopt these principles. Broader adoption by third parties more effectively secures the supply chain and benefits everyone involved.

An Executive Checklist

The World Economic Forum’s report includes a checklist for executives to evaluate their organizations in the areas of governance, deployment program and network preparedness. Here’s the list for the deployment program on the types of tasks organization should be focused on. Rate your organization from 1 to 5, with 5 being the number that most accurately reflects your organization.

  1. Conduct comprehensive assessments of vulnerabilities to internal and external cyber risks appropriate to its industry and sector.
  2. Monitor the effectiveness of its risk management strategy.
  3. Verify compliance with rules and regulations on a periodic basis.
  4. Adopt a commitment to cybersecurity based on its policies and practices.
  5. Conduct specific training on the cybersecurity program to managers, employees and agents.
  6. Identify its data and information as vital assets and organize its program around the recognition that data and information have value that can be separately recognized and protected.
  7. Include all third-party relationships and information flows in the risk management program.
  8. Conduct comprehensive internal short- and long-term cyber risk impact assessments.

aaa 1