Managing cyber risk: assess, monitor, respond, repeat
April 2014 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
It is difficult these days to turn on the news and not hear about a data breach. News about the Target Corp. breach just keeps getting worse and small to midsize enterprises can no longer pretend that hiding in plain sight is an adequate defence against cyber attacks.
A recent article on the Forbes website says the ‘2012 Verizon Business Data Breach Investigations Report’ identified 855 data breaches. Of those, 71 percent occurred in businesses with fewer than 100 employees. Verizon’s 2013 Report is even more dismal, noting that attacks on small business are increasing in record numbers.
According to recent reports from The New York Times and Reuters, the Target breach commenced with an attack on an SME that provides heating, ventilation and air conditioning (HVAC) services to the huge retailer. Stolen credentials from the firm allowed attackers to access Target’s internal network, allowing them eventually to reach Target’s point-of-system (POS) systems. The original breach of the HVAC vendor was accomplished through a malware-infested phishing attack.
Both Target and its service provider could have avoided this breach had they exercised appropriate caution and not assumed that their security was sufficient. A comprehensive and meticulous risk assessment could have identified multiple security vulnerabilities that led to the breach.
Target will say that it was in compliance with the Payment Card Industry Data Security Standard (PCI DSS) when it was breached. But as good of a security standard as PCI is — it is an excellent standard with prescriptive remedies — it is still just point-in-time compliance. According to the standard, once changes are made to the software or network, the company technically is no longer in compliance. That means a simple anti-virus software update or attaching a new smartphone to the network effectively makes the company non-compliant.
The bottom line is that compliance is not security and security is not compliance. No matter how well a company meets the plethora of compliance standards from governmental and industrial sources, it still might not be secure. And even if a company builds airtight security in its network, it still might not be compliant. So how does one find the balance that meets both the business needs of the company and any potential regulatory requirements?
Risk assessments are essential to ensure that companies understand potential vulnerabilities, even if these vulnerabilities do not impact the company’s compliance state. But just as a PCI DSS review is a point-in-time analysis of a company’s security, so too are risk assessments. That’s why risk assessments should be part of an ongoing program that includes assessing risk, responding to the assessment, monitoring the results of the response, and then assessing the risk again. Risk is fluid, changing every time modifications are made to the network ecosystem as well as adjusting to changing business conditions.
A cyber self-assessment starts by documenting your information and technical assets. While this might seem intuitive, many companies are not aware of where all of their confidential data lives and the abundance of devices connected to their corporate network. A comprehensive analysis of where corporate data resides, be it on a networked server, the CEO’s laptop or the CFO’s Apple iCloud account, is essential before one even begins a full risk assessment.
Next you need to document each and every network-attached device, be it the corporate laptops and desktops or an employee’s smartphone or tablet. If a company has no policies and procedures for a bring-your-own-device policy, now would be a great time to create one.
As part of this assessment the security officer needs to identify any regulatory or contractual obligations that dictate specific policies or procedures the company is required to incorporate. These would include governmental regulations, industry regulations such as PCI DSS, or contractual obligations that one might have with a business partner. Once these obligations are fully documented, then it is time to measure the organisation’s incident readiness and validate essential countermeasures.
After the assessment is completed, the company then needs to take proactive actions based on the findings of the assessment. This response can take various approaches, but ultimately the goal is to mitigate the risks identified in the assessment. Companies will make business decisions on which risks are addressed first based on the criteria they establish to protect their most valuable assets.
For example, this response activity includes identifying who will need access to private data and how much access they need. The security team will develop security and privacy policies that will protect the business in the event of an incident. And don’t fool yourself here — an incident will occur if it hasn’t already. And just because you might not know that a breach occurred, that doesn’t mean it didn’t.
Once these policies and procedures are developed, every member of the company needs to be educated as to what they need to do in case of an incident. A cyber attack might not require the maintenance or operations team to respond, but a physical attack on the company’s computer systems might well require these team members to take action. Everyone needs to know what is expected of them and the company needs to run tests to ensure that the right actions are taken at the right time.
For example, do you have privacy policies that inform your customers how you protect their data? Have your employees been trained to be able to respond to an incident such as loss or theft of a USB drive or laptop or a hack? Have you ensured that your technology environment has the basic countermeasures in place to respond to an incident such as anti-virus on all machines, including Macs, encryption and automated software updates and backups? These are examples of what needs to be done as part of the response to a risk assessment.
Now that you’ve assessed your need and responded to vulnerabilities, it is time to monitor your environment. Here you will be able to detect external or internal malicious activity, unauthorised access to confidential data by employees or business partners, or perhaps shortcomings in your technology that need to be fixed.
Once you have procedures in place you might consider monitoring technologies and processes to be able to identify unauthorised external data access and egressattempts on your network. From a security standpoint, it is best to assume that attackers already are in your network. If an attacker is in your network, that’s bad. However, if the attacker is unable to exfiltrate any of your data, then the attacker cannot benefit from the breach.
Think of your network as a retail store and the attacker as a shoplifter. It might not be possible to keep the criminal from entering the store, but it is possible to stop the attacker from leaving with your goods. That should be the goal – stop as many attackers from entering as possible but don’t let anyone get out with your proprietary data.
To that end, you will need to monitor employees, contractors and business partners to ensure they are using the technologies and data as they should be. Remember, the attack on Target’s point-of-sale system started when a business partner’s credentials were stolen.
Remember to monitor your network for potential problems before an incident occurs and assess if your cyber risk has changed. The Assess, Respond, Monitor activity is not a one-time occurrence — it is part of a continuing program to ensure the network is safe and remains so.
Cyber security is based on three tenants: (i) confidentiality – information is on a need-to-know basis; (ii) integrity – change or alteration of data must be authorised; and (iii) availability – data should be there when you need it. Cyber security professionals believe in ‘defence in depth’. This means that they never rely on a single person or system to protect your business and the information it relies on to operate.
The basics of a risk assessment are the same if the company has 10 employees, 1000 employees or 10,000 employees. The network obviously scales to meet the operational needs of the company, but confidential data is confidential data. In a smaller company, the risks are becoming even greater as cyber attackers set their sights on SMEs.
Vikas Bhatia is the founder & CEO of Kalki Consulting. He can be contacted on +1 (212) 480 4139 or by email: email@example.com.
© Financier Worldwide