It's Not Just an IT Affair: Understanding the Risks of Cyber Breaches

Jason Straight, SVP & Chief Privacy Officer, UnitedLex

Most CISOs have a thorough understanding of the implications an information security breach can have for IT, and many probably have detailed plans to guide IT responses in the event a breach occurs. But do they fully comprehend the severity and range of consequences a major security event can have on legal and business operations, and have they made adequate preparations to mitigate those risks as well? Apparently not, if the cyber incidents involving Target, Home Depot, JPMorgan Chase and others are any indication. If there’s a common thread among those and other recent catastrophic security breaches, it may be that many organizations haven’t yet accepted the fact that breaches are virtually inevitable. The biggest challenge isn’t preventing them, but rather anticipating the potential fallout across the entire organization and planning accordingly.

Cyber breaches are not just an IT affair. Let’s look at a few examples: Target’s disorganized response to its high-profile breach landed it in front of an angry congressional committee, which issued sweeping document requests relating to the company’s policies, guidelines and (evidently inadequate) preparations for exactly the kind of malware attack it faced. Home Depot did a better job of controlling post-breach communications and messaging, but has been scrambling to explain how it, too, fell victim to a point-of-sale attack several months after Target. Despite spending $250 million annually on cyber security, JPMorgan’s estimated 1,000 security professionals were unable to prevent a breach that exposed information for 76 million households and 7 million small businesses, which will likely impact the bank and its customers for years to come.

Encourage Enterprise-wide Collaboration

Clearly the scope of these events extends far beyond the IT department. With that in mind, any effective information security management program will require close collaboration among a range of business stakeholders, including legal, compliance, management, HR and even board members. Technology alone is no longer sufficient to detect and deflect a major cyber attack. Instead, enterprises need to regard cyber attacks as a threat to the entire business that requires multi-disciplinary expertise and a strategic mindset. For example, even the best-trained IT professionals may not understand that their response to an attempted breach, even one that fails, must be meticulously documented to provide legal protection in the event of future lawsuits or regulatory actions.

Close collaboration is essential. Going back to Target and Home Depot, both breaches were reportedly initiated through third-party vendors that had access to the retailers’ networks. Controlling third-party access clearly falls into IT security’s wheelhouse, but how often do business stakeholders engage CISOs to thoroughly vet a third party’s security controls, or proactively seek input from them regarding controlling, monitoring and enforcing third-party access or “need to know” policies, before entering into a new vendor or partner relationship? The reality is that while IT or the CISO might “own” the information security puzzle, they often don’t have all the pieces needed to solve it.

“Cyber threats require multi-disciplinary expertise and a strategic mindset”

Once these stakeholders get used to talking with each other on a regular basis, they can begin to ask hard questions: Does it make sense for IT to own security, or should they be separate? What are the most significant information security and data privacy risks we face? What critical data should we be most focused on protecting? Are we prepared to confidently and defensibly respond to a security incident that affects those assets? When did we conduct our most recent information security risk assessment, and what were the results? What vendor relationships create the highest potential risk to critical data? How are we incorporating security awareness and social engineering susceptibility training into our program to mitigate insider threats? The goal of asking these questions is to create a detailed cyber risk profile to fully understand where your exposure and vulnerabilities are prior to an attack.

Pay Close Attention to New Regulatory Guidelines

As part of any risk assessment planning, you should closely examine recent actions of federal regulators like the SEC and the CFTC to understand how they may react in the event of a breach, and make sure your organization can comply. For example, this spring the SEC published a sample list of “requests for information” the agency could use to investigate cyber security issues. The list included items like the organization’s information security policy, documentation of its periodic risk assessments, an account of its efforts to meet published risk management process standards, and its vendor and partner risk assessments. In a similar vein, the CFTC has recommended best practices for establishing and maintaining an information security program, including designating a specific employee with oversight responsibilities, identifying all “reasonably foreseeable internal and external risks” to personal information, regular testing of safeguards, independent testing of safeguards by a third-party, and more.

Getting Started: Focus on a Few Best Practices

Rome wasn’t built in a day, but it’s important to implement your cyber risk initiatives as soon as possible. If a total program overhaul is not realistic, here are a few best practices to get you on the right track.

Make sure you are solid when it comes to the basics of information security such as patching and access management. Identify an appropriate security framework against which you can regularly assess your security controls. There are a number of models that can be effective depending on your risk profile; it’s not a one-size-fits-all proposition.

Make sure you are not over-reliant on technology solutions and have adequately invested in the equally important people and process development components of your security program. If it’s not practical for you to maintain staff with the requisite skills and experience, make sure you have access to outside experts if and when you need them.

Creating a culture of security starts at the top. Make sure key executives and other leaders in your company are fully engaged in your security training initiatives. Consider customizing a training program for your organization that educates, inspires and empowers employees to be a first, or potentially last, line of defense. This goes beyond a canned, online training. Rather, it requires effort to highlight realistic threats to your organization, and ideally brings groups of people together where they can ask questions and truly engage on the topic.

Incorporate cyber risk assessment into strategic planning to gauge the risks of new business initiatives, including M&As, international expansion, deploying new technologies, signing up new vendors, and more.

Developing a comprehensive information security program that addresses the human, not just the technological, side of risk mitigation requires persistence, commitment and focus. Above all, it requires multiple business functions to embrace a risk management philosophy that begins with the realization that breaches are inevitable. The critical component is getting a diverse range of executive-level stakeholders aligned and involved in the planning process before an event takes place in order to develop an effective response that will minimize the damage to your organization.
