The reality of risk management is that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. This is especially true of cyber threats. That is why it is important to focus on protecting an organization’s most important information assets and systems—the “crown jewels”—by understanding the changing threat landscape and risk tolerances and preparing for inevitable incidents.
Few businesses have given focused attention to defining their information assets across the enterprise or thoroughly assessing their tolerance for cybersecurity risk. In reality, most think their risk tolerance is low, but act as though it is relatively high. As a result, they unknowingly apply the same high risk tolerance to all systems and information assets. In effect, few focus on the information assets and systems that really matter.
Getting close to being secure is elusive. How many organizations can manage all cybersecurity risks effectively? How many can prevent a well-orchestrated attack by an IT contractor hired to operate inside the perimeter defenses? There aren’t many. However, with targeted investments and a willingness to accept the friction that stronger controls impose, organizations can get much closer to securing their crown jewels.
Everyone recognizes security risks in their homes. Most homeowners take basic measures—such as locking all entrances, leaving lights on when they’re out, or installing affordable security systems—to reduce the risk that they will become a target for criminals. But does anyone really believe any of these measures are guaranteed to prevent a determined attacker who targets a residence? Probably not.
Most households accept the risk. In addition to making their properties difficult to break into, they take out homeowners insurance on contents and valuables to cover residual risk. Many may rationalize their focus on the few things that really matter to them, such as valuable heirlooms and important documents and records, and take additional precautions. While most do not accept the idea of their homes being burglarized, they are willing to go only so far to inconvenience themselves to protect their property.
Businesses are not very good at applying this rational thought process and have a false sense about how secure they can be on an enterprise-wide basis. It is not difficult for an attacker to get past security in most organizations and security is not just about protecting against technical breaches. For example, an attacker posing as a legitimate contractor can readily penetrate a company’s perimeter defenses. Rather than attempt to cover the waterfront, the following three key points can help companies achieve an appropriate focus on IT security.
Identify the crown jewels. The IT security focus of many organizations tends to be somewhat generic rather than targeted, resulting in all-systems-are-equal protection measures, lack of sufficient attention to the most vital assets, and unnecessary costs. Identification of high-value data, information, and information systems requires the collaboration of the IT team and business leaders to agree on the organization’s tolerance for risk relative to different assets; this helps IT security management focus on protecting the most critical areas. Under the oversight of the board, they should consider questions such as:
What are the organization’s most critical data, information assets, and information systems, i.e., the crown jewels? Why are they of highest value? What can we not afford to lose?
Where do the crown jewels reside? Are we certain they only reside in those places?
How are the crown jewels accessed – and through what systems?
Who is authorized to access them? Are they accessible through IT support contractors? Who authorizes these contractors and on what basis?
These and other questions help to focus the organization’s preventive and detective security measures and incident response plans.
Understand the changing threat landscape. In a recent global survey conducted by Protiviti, cyber threats and their potential to disrupt a company’s core operations were rated as a top risk, with almost all industry groups rating them as a top five risk. In addition, privacy/identity and information security issues were a top 10 risk.
Do directors understand these risks as well as the other top risks their companies face? Not likely. Even so, reports of cyberattacks of unprecedented scale across multiple industries, resulting in the loss of intellectual property, business intelligence and reputation, have sounded alarms in boardrooms. Directors are starting to recognize that cybersecurity is an enterprise security issue, not just an IT security issue.
Key security risks include potential leakage of sensitive information, unintentional introduction of malware onto employee computers, and increased targeting of company employees through so-called social engineering to obtain confidential information. Many organizations lack the processes, technology, and governance to combat today’s sophisticated cyber threats effectively, including advanced persistent threats that compromise multiple systems, collect large volumes of data over an extended period, and exfiltrate that data to infrastructure controlled by the adversary.
Based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target, management should assess the organization’s cybersecurity risk and ask:
Who are our likely adversaries?
How are they likely to attack us?
Where are our biggest vulnerabilities?
What is our exposure to contractors and insiders?
How effective are our current internal controls in managing these issues, and what are they costing us?
Do we conduct penetration testing? If so, what are the results?
What issues are raised by internal and external auditors?
What has been the nature and severity of prior cyberattacks? How will we know if we’ve been attacked again?
Do we have a clear understanding of the impact to the business if anything occurs?
Answers to these and other questions can help to clarify the changing threat landscape and provide direction to the implementation of security measures.
Prepare for an incident. Despite the precautions an organization may take, cyber incidents of varying magnitudes are inevitable. That is why companies need to be proactive about developing an effective incident response plan. A response plan is more than a best practice—it is an obligation and demonstration of due diligence, especially for an organization that maintains sensitive data or personally identifiable information (PII).
In the past, many organizations conducted annual or semiannual business continuity tests. These tests were full simulations of how a business would respond to a relatively low-likelihood incident. Now that organizations face the specter of a relatively high-likelihood business continuity incident, it is ironic that very few organizations prepare properly and even fewer perform continuity tests. It is essential to apply the same logic of testing a business continuity program to an effective incident response program. Being proactive enables organizations to address the unexpected—and plan for the worst.
Effective incident response processes are critical to a company’s preparedness to reduce the impact of a cyberattack. Executive sponsorship is needed to ensure a comprehensive incident response program is funded. Traditionally, few executive stakeholders outside of the chief information officer’s organization have been engaged in the implementation of an incident response plan. However, with the emergence of the National Institute of Standards and Technology’s (NIST) cybersecurity framework, breach disclosure requirements, and industry regulations and standards dealing with PII, senior executives are now more apt to support these initiatives, particularly given recent media coverage of significant breaches. These programs should integrate and complement existing IT security; incorporate the perspective and participation of various stakeholders (e.g., compliance, IT, security operations, corporate security, corporate communications, regulatory and legal affairs); and provide clear direction and core processes that are followed in the event of an incident.
The program also should assign roles, responsibilities and accountability to groups and individuals within the organization, include escalation paths and communication procedures to ensure appropriate stakeholders are involved in key decisions pertaining to response and disclosure, and provide instructions regarding actions to take in response to specific types of incidents. For example, the method of responding to a distributed denial of service attack varies greatly from the method of managing a malware incident.
Incident response plans must be evaluated on at least an annual basis and must address regulatory obligations regarding incident response or breach disclosure. The plan must ensure that the appropriate parties maintain key contacts in law enforcement and the media so that actions can be expedited as the organization dictates. It should also ensure that trusted and qualified outside parties are available in the event that the scope or specifics of an incident exceed the resource availability or capabilities of company personnel.
Questions for Boards
The following are suggested questions that boards may consider, in the context of the nature of the entity’s risks inherent in its operations:
Have we identified our most critical assets that we simply cannot afford to lose and/or systems to which unplanned outages cannot be tolerated at any cost (the so-called crown jewels)? Do we know whether and how they’re being protected? Does our security strategy differentiate our crown jewels from general cybersecurity?
Do we periodically assess our threat landscape and tolerance for risk related to our crown jewels? Do we actually believe our most critical assets and systems are secure and/or the risk events we have identified cannot happen?
Are our strategies for reducing the risk of security incidents to an acceptable level proportionate and targeted? Are we being proactive and periodically testing our incident response plan to determine its effectiveness?
Do we understand which security incidents cannot, and will not, be tolerated? Are effective incident response processes in place to reduce the risk of a security breach occurring, proliferating or having a significant impact? Do key stakeholders support the development of a plan appropriate to the organization’s scale, culture, regulatory obligations and business objectives?
Is the company’s incident response plan complemented by procedures that provide instructions regarding actions to take in response to specific types of incidents? Is the plan evaluated periodically? Is it clear which events require the board to play a key role in overseeing response efforts?
As information security becomes increasingly visible and accepted as a core business function, senior executives need to have a thorough understanding of the organization’s overall security posture as well as a way to identify areas needing improvement.
A security assessment increases awareness and understanding of security issues, but more importantly, it helps key decision-makers make smart security investments by highlighting high-importance and high-payoff tasks to work on. Security assessments are not just hunting expeditions to find security weaknesses. A security assessment is a top-down analysis of existing security controls and processes. It provides an understanding of the status of each control, highlighting both the positive levels of maturity and areas of improvement based on the organization’s specific need as well as recognized best practices.
For some organizations, security assessments aren’t optional, as they may be subject to one of the many governmental regulations—HIPAA, PCI, FISMA, Sarbanes-Oxley, Gramm-Leach-Bliley, to name a few—which require deploying a set of security controls. Even for organizations that don’t have that regulatory stick, independent assessments help guide them toward improving and strengthening internal security practices.
An assessment starts before the team arrives on-site. It should begin with a kick-off call to handle logistics, introduce the primary point of contact and members of the team, and to discuss the scope of the assessment. Agreeing on the scope and timeline of the assessment beforehand makes sure everyone’s expectations are met by the end of the process. Depending on the size of the organization under review, an assessment should take a few weeks to a few months.
In this pre-visit phase, the organization pulls together all the documentation referencing its processes, security policies, guidelines, and standards. These documents—which include network architecture diagrams, process diagrams, and workflows for specialized teams such as incident response—should be delivered to the assessment team beforehand so that the team has the opportunity to review them and identify any gaps that need to be addressed in the form of additional documentation or formal interviews. These documents help the assessor to understand the organization before scheduling the actual visit.
Having this information available to study ahead of time saves the assessment team time because the on-site time is spent on face-to-face interviews. It’s not a problem if the documents are rough and only informal materials are available, as the assessment is not evaluating how well the processes are documented.
Focus the Conversation
Having the information in advance means the team can identify the right people to set up meetings with and target the discussions specific to the organization’s environment. For example, if there are 20 areas under review, but only five of them have in-depth technical documents, the assessment team can then set up meetings to review the controls in place for those five areas, and focus the bulk of the time in conversations over the remaining 15 areas. There is no need to waste time digging into what’s already known and well-understood.
Understanding the Roadmap
When undergoing a security assessment, the organization typically is looking at the controls from a top-down perspective. The assessor is not there to perform a technical hands-on test or find out which vulnerabilities need to be patched.
After the assessment is complete, the organization will be able to identify areas needing immediate attention and will have the direction for evolving its security strategy over the next three to five years.
Security Assessment in a Nutshell
Information security is a dynamic field with rapidly changing technology and evolving threats. The number of threats is growing every day and attackers rapidly adopt new techniques. Attackers have different goals, whether they are after financial gain, espionage, blackmail, or just plain publicity. Nearly every organization—independent of size—is a target, especially as attackers piggy-back on smaller companies to reach larger ones.
Board members and executives need to become more involved in ensuring their organizations are making the right investments in people, processes, and technology to provide adequate security for the risks and threats they face. A security assessment is one of the best ways to ensure you are on the right path and give you the visibility you need.
How to Select the Right Team for Your Security Assessment
A security assessment is a critical part of understanding the organization’s security maturity and the security strategy, so selecting a trusted assessor is critical. Here are some of the things to keep in mind when interviewing a security assessment team.
Look for a team composed of individuals with a broad understanding of information security processes. These are people who understand security operations, enterprise networking, and architecture. Look for experience with security applications and domains, including security information and event management (SIEM)/log management, governance, risk and compliance (GRC), identity and access management, IDS/IPS, advanced persistent threat detection, antivirus, vulnerability management, and business intelligence.
It’s important the assessor understands the industry, but make sure the assessor is also familiar with security topics outside the industry vertical. Not specializing in one specific sector will ensure the broadest level of knowledge.
Ask to see samples of deliverables. Ensure the assessment will end with deliverables outlining a roadmap and a detailed picture of what the security controls look like. The report needs to have information that will be used at both operational and management levels. It should include action items that define relevant steps on what to do next. The final deliverable must have specific recommendations for addressing gaps or issues identified, a list of steps that need to be taken, and a timetable of when they need to be performed. Also, ask what kind of executive-facing deliverables will be available, with detailed executive summaries about the issues identified and strategic recommendations on closing the gaps.
Will the team perform the assessment on-site, or remotely? There is a value to performing an assessment on-site, but there may be circumstances preventing the team from being able to conduct face-to-face conversations. Ask what the remote assessment will entail. On the other hand, be wary if the assessor insists on a large on-site team for an extended period of time. Many firms use assessments as training ground for junior staff members. This will result in a team of, for example, six assessors with an effective throughput of two or three. At the same time, you’ll be paying a premium for senior members of their team to train junior staff on your dime.
Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to the cloud, they provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. For more information, call 866-7-Rapid7 or visit their website.
Imagine you are the IT systems administrator of a large corporation. Coffee in hand, you sit down one morning and log in. You receive a message that there has been an intrusion into the corporate database, a large amount of sensitive data has been stolen, and your backup in the cloud has been compromised. BUT “U R Datta WilL B REstoReD” once you pay “BiTCoiNS U.S.$50,000” to the anonymous cyber-extortionists. If you refuse, your data will be sold or publicly released. You are instructed not to involve police. The amount demanded is short money, you notice. Better to pay and move forward than risk the potentially catastrophic consequences.
The value of the kidnapped data is immeasurable: trade secrets, client and customer information, personal financial information, compromising emails between top executives. The list goes on. You owe a duty to all of these stakeholders to protect the company’s most sensitive information and to resolve this crisis with the least damage possible. Should you quietly pay the ransom and hope the extortionists return the company’s crown jewels? Or should you take a hard line, call the authorities, and refuse to submit to cyber terrorist threats that may or may not be real, lest you become a compliant target for future extortions?
Those at Banque Cantonale de Geneve likely considered these gut-wrenching questions when they were victimized by the hacking group Rex Mundi. On January 9, 2015, Rex Mundi demanded 10,000 euros in exchange for hijacked emails. The bank refused, and Rex Mundi subsequently released the data to the public. Fortunately, it turned out that the leaked data (the hackers were semi-bluffing) consisted only of clients’ inquiries, not account information. However, the damage to the bank’s reputation was immeasurable. It had a “reputation for helping clients conceal information from tax authorities” and had just struck a deal with Swiss authorities to pay fines for helping wealthy Americans avoid taxes. The extortionists struck when the bank’s reputation was already on the line, and the resulting reputational damage arguably may have been worse than if truly sensitive information had been released.
So how can companies protect themselves from cyber extortion and how should they respond to such threats?
Companies should start by assembling a data breach response team consisting of the relevant personnel, starting with IT/technical, legal, forensic, and PR professionals. This group must convene, anticipate, and prepare responses to potential data breach, cyber extortion, hacktivist and other nightmare scenarios. There are two critical steps companies can take to embark on this process.
Identify and protect the company’s crown jewels—the most sensitive data—and ensure that information is safeguarded to the maximum extent possible. This means developing a comprehensive risk management plan that includes robust access control at all points of entry, covering not only your own company but also third-party vendors and business partners with network access. There also must be active network monitoring, both for external intrusions and for unusual activity within the network. More and more, hackers are lying in wait within the system, plotting their attack and exit, deviating from the traditional “smash and grab” route of simply stealing personally identifiable information and then receding into the nether regions of the dark web. Password protection is no longer enough, meaning that companies need to employ multi-factor authentication, for example with one-time access codes that change on every use. There also need to be hardened, tested backup and disaster recovery systems, regular penetration testing, and all attendant good cyber hygiene practices.
The sad truth is that you need to assume that whatever you do to protect the crown jewels is not going to work. Your defenses, no matter how robust or state of the art, will eventually be compromised. Begin to plan accordingly. For the cyber extortion exercise, just like every other significant risk, company management needs a well thought-out plan. The dilemma of “pay or don’t pay” needs to be debated internally in advance, and the response options need to be clearly laid out. Decisions, tradeoffs, and pros and cons cannot be discussed for the first time when there’s a gun pressed to the company’s head.
You will quickly find that there is no win/win answer. The best option is to choose the least damaging of the bad options based on all the facts and circumstances. Policies like “Never negotiate with terrorists” and “Never trade arms for hostages” all sound good on paper until the terrorists kill the hostages, or in this case, destroy—or, perhaps worse, publicly release—the kidnapped data.
Unfortunately, cyber extortion happens all the time and frequently goes unreported. If you cave and pay, you may become easy prey. If you don’t pay the ransom and instead go to the authorities, you may suffer economic consequences far greater than the often short money demanded in the first place. These evolving forms of cyberattack are threats that can never be eliminated. The best defense is proactive, thoughtful and intelligent preparation on all fronts.
Mark E. Robinson serves as co-chair of Mintz Levin’s national white collar defense and investigations practice and is a nationally recognized authority in government investigations and enforcement and cybersecurity defense. Mark represents, advises, and defends public and private sector clients in connection with internal investigations, regulatory enforcement actions, commercial litigation, and large-scale data breaches. Cynthia J. Larose is chair of Mintz Levin’s Privacy & Security Practice and has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions. The authors acknowledge the work of Mintz Levin litigation associate Jane Haviland in researching and helping to develop the content of this article.