It's Not Just an IT Affair: Understanding the Risks of Cyber Breaches
Cyber breaches are not just an IT affair. Let’s look at a few examples: Target’s disorganized response to its high-profile breach landed it in front of an angry congressional committee, which issued sweeping document requests relating to the company’s policies, guidelines and (evidently inadequate) preparations for exactly the kind of malware attack it faced. Home Depot did a better job of controlling post-breach communications and messaging, but has been scrambling to explain how it, too, fell victim to a point-of-sale attack several months after Target. Despite spending $250 million annually on cyber security, JPMorgan’s estimated 1,000 security professionals were unable to prevent a breach that exposed information for 76 million households and 7 million small businesses, which will likely impact the bank and its customers for years to come.
Encourage Enterprise-wide Collaboration
Clearly the scope of these events extends far beyond the IT department. With that in mind, any effective information security management program will require close collaboration among a range of business stakeholders, including legal, compliance, management, HR and even board members. Technology alone is no longer sufficient to detect and deflect a major cyber attack. Instead, enterprises need to regard cyber attacks as a threat to the entire business that requires multi-disciplinary expertise and a strategic mindset. For example, even the best-trained IT professionals may not appreciate that their response to attempted breaches that failed must also be meticulously documented, to provide legal protection in the event of future lawsuits or regulatory actions.
Close collaboration is essential. Going back to Target and Home Depot, both breaches were reportedly initiated through third-party vendors that had access to the retailers’ networks. Controlling third-party access clearly falls into IT security’s wheelhouse, but how often do business stakeholders engage CISOs to thoroughly vet a third party’s security controls, or proactively seek their input on controlling, monitoring and enforcing third-party access or “need to know” policies, before entering into a new vendor or partner relationship? The reality is that while IT or the CISO might “own” the information security puzzle, they often don’t hold all the pieces needed to solve it.
“Cyber threats require multi-disciplinary expertise and a strategic mindset”
Once these stakeholders get used to talking with each other on a regular basis, they can begin to ask hard questions: Does it make sense for IT to own security or should they be separate? What are the most significant information security and data privacy risks we face? What critical data should we be most focused on protecting? Are we prepared to confidently and defensibly respond to a security incident that affects those assets? When did we conduct our most recent information security risk assessment, and what were the results? What vendor relationships create the highest potential risk to critical data? How are we incorporating security awareness and social engineering susceptibility training into our program to mitigate insider threats? The goal of asking these questions is to create a detailed cyber risk profile to fully understand where your exposure and vulnerabilities are prior to an attack.
Pay Close Attention to New Regulatory Guidelines
As part of any risk assessment planning, you should closely examine recent actions of federal regulators like the SEC and the CFTC to understand how they may react in the event of a breach, and make sure your organization can respond to their requests. For example, this spring the SEC published a sample list of “requests for information” the agency could use to investigate cyber security issues. The list included items like the organization’s information security policy, documentation of its periodic risk assessments, an account of its efforts to meet published risk management process standards, and its vendor and partner risk assessments. In a similar vein, the CFTC has recommended best practices for establishing and maintaining an information security program, including designating a specific employee with oversight responsibilities, identifying all “reasonably foreseeable internal and external risks” to personal information, regular testing of safeguards, independent testing of safeguards by a third party, and more.
Getting Started: Focus on a Few Best Practices
Rome wasn’t built in a day, but it’s important to implement your cyber risk initiatives as soon as possible. If a total program overhaul is not realistic, here are a few best practices to get you on the right track.
• Get the basics of information security right, such as patching and access management. Identify an appropriate security framework against which you can regularly assess your security controls. A number of models can be effective depending on your risk profile; it’s not a one-size-fits-all proposition.
• Make sure you are not over-reliant on technology solutions and have adequately invested in the equally important people and process development components of your security program. If it’s not practical for you to maintain staff with the requisite skills and experience, make sure you have access to outside experts if and when you need them.
• Creating a culture of security starts at the top. Make sure key executives and other leaders in your company are fully engaged in your security training initiatives. Consider customizing a training program for your organization that educates, inspires and empowers employees to be a first, or potentially last, line of defense. This goes beyond canned, online training. Rather, it requires effort to highlight realistic threats to your organization, and ideally brings groups of people together where they can ask questions and truly engage on the topic.
• Incorporate cyber risk assessment into strategic planning to gauge the risks of new business initiatives, including M&As, international expansion, deploying new technologies, signing up new vendors, and more.
Developing a comprehensive information security program that addresses the human—not just the technological—side of risk mitigation requires persistence, commitment and focus. Above all, it requires multiple business functions to embrace a risk management philosophy that begins with the realization that breaches are inevitable. The critical component is getting a diverse range of executive-level stakeholders aligned and involved in the planning process before an event takes place in order to develop an effective response that will minimize the damage to your organization.