Cyber risk management -- Is your company ready for anything?
In late 2013, news of a massive data breach at Target surfaced. Hackers stole personal and credit card information of nearly 70 million shoppers, and the breach ended up costing Target $162 million and the resignation of the CEO and CIO. While this was one of the largest and most widely publicized data breaches, it’s by no means one of few.
Just recently, LinkedIn came clean about its 2012 data breach – a few days after it was discovered some of the information was being sold online. While LinkedIn originally reported the email and passwords for 6.5 million people were compromised, it just admitted the real number is as high as 117 million accounts. Though LinkedIn advised people to change their passwords when the attack was first made public, it wasn’t until four years later that the company decided to cancel passwords that were affected.
What companies can take away from these examples is that a security breach can result in not only millions paid in settlements, but also Federal Trade Commission (FTC) fines, the resignation of high-level executives and loss of reputation. A Deloitte report found that security is the second-leading risk to a company’s reputation, behind ethical issues. The fallout from these breaches can stretch out for years to come, even affecting company shares and future sales, which is why having a cyber risk management practice in place is absolutely essential for all companies that deal with sensitive data.
Leveraging a Security Framework
Although a few years ago it would have been more difficult to get started setting up a cyber risk management plan, today we have plenty of frameworks that can help a company get started. The International Organization for Standardization developed the ISO 27000 to address information security management systems, and the National Institute of Standards and Technology (NIST) developed the Risk Management Framework, which is widely used by the U.S. government.
In 2014, NIST introduced the Cyber Security Framework (CSF) which has been adopted by many organizations as a blueprint for recognizing and managing day-to-day cyber risk. A key benefit of the CSF is that it provides organizations with a baseline of risks and vocabulary that is understood across an entire company – from junior employees to executives and even the board of directors.
The CSF allows organizations of all types and sizes to identify and assess cyber risks across five critical functional areas as follows:
- Identify -- What data and assets do I need to protect?
- Protect -- What existing methods do I have in place to protect these assets?
- Detect -- What capability do I have to detect potential cyber threats?
- Respond -- What ability do I have to respond to an incident?
- Recover -- What capabilities do I have to recover from a breach?
After identifying risks in these functional areas, they must prioritize and develop a risk treatment plan. As part of this plan, companies might choose to:
- Ignore the risk if consequence is believed to be low
- Avoid the risk by not engaging in activity that causes the risk
- Remediate the risk by investing in a new security process of technology
- Transfer the risk (i.e. cyber insurance) in cases where likelihood is low, but impact is high
Using the Right Tools
After developing a plan and path forward, a company needs to think about how it’s going to implement these cyber risk management policies and practices. The first step will be determining what resources are available to implement the plan.
Cyber security professionals are in high demand and, thus, are expensive to hire. Finding someone with the right skills can be a challenge, so many organizations will need to contract an outside vendor or automate the process as much as possible.
At larger companies, where the volume of risks and threat is even bigger, manual methods of implementing cyber risk management are insufficient. Without tools that automate and monitor risk management, companies run the risk of not being able to scale effectively and remain consistent and accurate in their efforts. Technologies that automate risk and compliance allow organizations to quickly and efficiently operationalize frameworks, even if a company doesn’t have the personnel with advanced experience.
An additional risk of not having risk management technology in place is the potential for legal action. In the event of a breach, companies need to prove they took steps to actively prevent such an incident.
The Wyndham hotel chain learned this the hard way after a series of data breaches exposed information on hundreds of thousands of customers. The company was sued by the FTC on charges that it failed to properly safeguard customer information. Though Wyndham argued that the FTC didn't have the authority to regulate corporate cyber security, a court ruling determined that it did.
The importance of having a cyber risk management plan in place cannot be over-emphasized. Taking a proactive approach to diagnosing risks enables companies to have a better handle on their security posture and work towards potentially preventing a disaster down the road. By developing and implementing a comprehensive plan, companies will be prepared to safeguard their data, protect customers and avoid costly incidents that will be harmful for years to come.
Rick Tracy is Chief Security Officer at Telos. He joined the Company in October 1986 and has held a number of management positions within the Company’s New Jersey operation. He has pioneered the development of innovative and highly scalable enterprise risk management technologies that have become industry-leading solutions within the federal government and the financial services verticals. He is the co-inventor of Xacta IA Manager and is the principal inventor listed on five patents in the areas of automated risk and compliance management and continuous monitoring. Mr. Tracy assumed the role of chief security officer in 2004.