Managing Cyber Threats with Confidence
The reality of risk management is that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. This is especially true of cyber threats. That is why it is important to focus on protecting an organization’s most important information assets and systems—the “crown jewels”—by understanding the changing threat landscape and risk tolerances and preparing for inevitable incidents.
Few businesses have given focused attention to defining their information assets across the enterprise or thoroughly assessing their tolerance for cybersecurity risk. In reality, most think their risk tolerance is low, but act as though it is relatively high. As a result, they unknowingly apply the same high risk tolerance to all systems and information assets. In effect, few focus on the information assets and systems that really matter.
Getting close to being secure is elusive. How many organizations can manage all cybersecurity risks effectively? How many can prevent a well-orchestrated attack by an IT contractor hired to operate within perimeter defenses? There aren’t many. However, with targeted investments and tolerance for higher levels of security, organizations can get much closer to securing their crown jewels.
Everyone recognizes security risks in their homes. Most homeowners take basic measures—such as locking all entrances, leaving lights on when they’re out, or installing affordable security systems—to reduce the risk that they will become a target for criminals. But does anyone really believe any of these measures are guaranteed to prevent a determined attacker who targets a residence? Probably not.
Most households accept the risk. In addition to making their properties difficult to break into, they take out homeowners insurance on contents and valuables to cover residual risk. Many may rationalize their focus on the few things that really matter to them, such as valuable heirlooms and important documents and records, and take additional precautions. While most do not accept the idea of their homes being burglarized, they are willing to go only so far to inconvenience themselves to protect their property.
Businesses are not very good at applying this rational thought process and have a false sense of how secure they can be on an enterprise-wide basis. It is not difficult for an attacker to get past security in most organizations, and security is not just about protecting against technical breaches. For example, an attacker posing as a legitimate contractor can readily penetrate a company’s perimeter defenses. Rather than attempt to cover the waterfront, the following three key points can help companies achieve an appropriate focus on IT security.
Identify the crown jewels. The IT security focus of many organizations tends to be somewhat generic rather than targeted, resulting in all-systems-are-equal protection measures, lack of sufficient attention to the most vital assets, and unnecessary costs. Identification of high-value data, information, and information systems requires the collaboration of the IT team and business leaders to agree on the organization’s tolerance for risk relative to different assets; this helps IT security management focus on protecting the most critical areas. Under the oversight of the board, they should consider questions such as:
- What are the organization’s most critical data, information assets, and information systems, i.e., the crown jewels? Why are they of highest value? What can we not afford to lose?
- Where do the crown jewels reside? Are we certain they only reside in those places?
- How are the crown jewels accessed – and through what systems?
- Who is authorized to access them? Are they accessible through IT support contractors? Who authorizes these contractors and on what basis?
These and other questions help to focus the organization’s preventive and detective security measures and incident response plans.
Understand the changing threat landscape. In a recent global survey conducted by Protiviti, cyber threats and their potential to disrupt a company’s core operations were rated as a top risk, with almost all industry groups rating them as a top five risk. In addition, privacy/identity and information security issues were a top 10 risk.
Do directors understand these risks as well as the other top risks their companies face? Not likely. That is why reports of cyberattacks of unprecedented scale across multiple industries, resulting in the loss of intellectual property, business intelligence and reputation, have sounded alarms in boardrooms. Directors are starting to recognize that cybersecurity is an enterprise security issue, not just an IT security issue.
Key security risks include potential leakage of sensitive information, unintentional upload of viruses to employee computers, and increased targeting of company employees through so-called social engineering to obtain confidential information. Many organizations lack the processes, technology, and governance to combat today’s sophisticated cyber threats effectively, including advanced persistent threats that can compromise multiple systems, collect mass data over time, and transmit such data to an adversary or attacker network.
Based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target, management should assess the organization’s cybersecurity risk and ask:
- Who are our likely adversaries?
- How are they likely to attack us?
- Where are our biggest vulnerabilities?
- What is our exposure to contractors and insiders?
- How effective are our current internal controls in managing these issues, and what are they costing us?
- Do we conduct penetration testing? If so, what are the results?
- What issues are raised by internal and external auditors?
- What has been the nature and severity of prior cyberattacks? How will we know if we’ve been attacked again?
- Do we have a clear understanding of the impact to the business if anything occurs?
Answers to these and other questions can help to clarify the changing threat landscape and provide direction to the implementation of security measures.
Prepare for an incident. Despite the precautions an organization may take, cyber incidents of varying magnitudes are inevitable. That is why companies need to be proactive about developing an effective incident response plan. A response plan is more than a best practice—it is an obligation and demonstration of due diligence, especially for an organization that maintains sensitive data or personally identifiable information (PII).
In the past, many organizations conducted annual or semiannual business continuity tests. These tests were full simulations of how a business would respond to a relatively low-likelihood incident. Now that organizations face the specter of a relatively high-likelihood business continuity incident, it is ironic that very few organizations prepare properly and even fewer perform continuity tests. It is essential to apply the same logic of testing a business continuity program to an effective incident response program. Being proactive enables organizations to address the unexpected—and plan for the worst.
Effective incident response processes are critical to a company’s preparedness to reduce the impact of a cyberattack. Executive sponsorship is needed to ensure a comprehensive incident response program is funded. Traditionally, few executive stakeholders outside of the chief information officer’s organization have been engaged in the implementation of an incident response plan. However, with the emergence of the National Institute of Standards and Technology’s (NIST) cybersecurity framework, breach disclosure requirements, and industry regulations and standards dealing with PII, senior executives are now more apt to support these initiatives, particularly given recent media coverage of significant breaches. These programs should integrate and complement existing IT security; incorporate the perspective and participation of various stakeholders (e.g., compliance, IT, security operations, corporate security, corporate communications, regulatory and legal affairs); and provide clear direction and core processes that are followed in the event of an incident.
The program also should assign roles, responsibilities and accountability to groups and individuals within the organization, include escalation paths and communication procedures to ensure appropriate stakeholders are involved in key decisions pertaining to response and disclosure, and provide instructions regarding actions to take in response to specific types of incidents. For example, the method of responding to a distributed denial of service attack varies greatly from the method of managing a malware incident.
Incident response plans must be evaluated on at least an annual basis and must address regulatory obligations regarding incident response or breach disclosure. The plan must ensure that appropriate parties maintain key contacts in law enforcement and the media to expedite actions as dictated by the organization. Also, it should ensure that trusted and qualified parties are available in the event that the scope or specifics of an incident exceed the resource availability or capabilities of company personnel.
Questions for Boards
The following are suggested questions that boards may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Have we identified our most critical assets that we simply cannot afford to lose and/or systems to which unplanned outages cannot be tolerated at any cost (the so-called crown jewels)? Do we know whether and how they’re being protected? Does our security strategy differentiate our crown jewels from general cybersecurity?
- Do we periodically assess our threat landscape and tolerance for risk related to our crown jewels? Do we actually believe our most critical assets and systems are secure and/or the risk events we have identified cannot happen?
- Are our strategies for reducing the risk of security incidents to an acceptable level proportionate and targeted? Are we being proactive and periodically testing our incident response plan to determine its effectiveness?
- Do we understand which security incidents cannot, and will not, be tolerated? Are effective incident response processes in place to reduce the risk of a security breach occurring, proliferating or having a significant impact? Do key stakeholders support the development of a plan appropriate to the organization’s scale, culture, regulatory obligations and business objectives?
- Is the company’s incident response plan complemented by procedures that provide instructions regarding actions to take in response to specific types of incidents? Is the plan evaluated periodically? Is it clear which events require the board to play a key role in overseeing response efforts?
Jim DeLoach is managing director with Protiviti.