8 Simple Steps to Avoid the Breach-a-Week Syndrome


Many studies have shown that there is no tried-and-true set of information security practices tied to a specific industry group or company size. Not all large companies and organizations approach cybersecurity from a big-tech view, and not all small to medium sized businesses ignore the threats and pretend they won’t be breached because they have no useful assets.

We have seen small companies adopt completely rational security practices, adhering to fundamental tools, processes and controls and we have seen large retail chains ignore the findings of even limited penetration tests that proved the existence of extensive network vulnerabilities and severe threats to customer data privacy.

All organizations have different and varying needs for cybersecurity defense strategies and we have seen the adoption of many different approaches to identifying and fulfilling their information security control objectives. Companies in the FinTech and FinServe space tend to focus their security efforts on meeting compliance obligations, while unregulated industries often begin a renewed security effort in the wake of a breach or following the imposition of punitive damage liabilities at the board and senior management level.

Companies outside of the financial services and technology space are driven by other regulatory or contractual requirements: the Payment Card Industry Data Security Standard in hospitality and retail, the Health Insurance Portability and Accountability Act for hospitals, healthcare and insurance, or other regulations that force organizations to implement security controls in “check-the-box” mode but rarely improve their overall security posture.

While compliance may lead to improved security of certain assets, it does not force organizations to assess their operational vulnerabilities from an over-arching risk management view. All of these regulatory bodies have, by definition, narrow scopes of interest, and craft their regulations specifically to protect the confidentiality of certain categories of regulated information. While compliance with these regulations may be mandatory, it is never sufficient to protect an organization against broad cybersecurity risk.

Risk occurs at the intersection of vulnerability and threat. Unless and until an organization can classify all of its information assets and identify where they are located and the storage and systems on which they reside and are processed, it is impossible to begin assessing risk from a cybersecurity point of view. Most companies have not gone through this exercise, yet many have spent significant amounts of money on processes and technologies to protect assets that may or may not have value and may or may not be at risk.

Most have not assessed the extent of their vulnerabilities, estimated the probabilities or impact of potential threats, nor tried to evaluate their appetite for risk. These are the first steps in a cybersecurity risk management campaign and should be conducted before determining the extent to which specific cybersecurity processes, policies, controls and technologies should be put in place to accommodate the resulting risk tolerance. Most companies we have audited and assisted have never conducted a security risk assessment, yet every one of them has implemented some form of cybersecurity “protection” and program.

When companies or organizations adopt a risk-based approach, they find that most risks don’t fit neatly into categories of low, medium and high but instead range across a broad spectrum from very acceptable to devastating. The whole purpose of the process is to identify and prioritize each risk so that it can be individually brought down to an acceptable level of tolerance, either through insurance, appropriate protection or willful acceptance.

One of the main reasons a risk-based approach to cybersecurity has not been popularized is that it requires a top-down determination from the CXO and Board levels, as it must involve every department and function within an organization. IT is not the place where a risk assessment gets done, but IT is frequently and improperly assigned to shepherd it.

Unfortunately, technology risk is just one and often small component of the risk-puzzle. Operational, reputational, financial and strategic risks represent by far the largest and most complex components within the organization that need to be assessed, and IT lacks the context, subject-matter expertise and most importantly, the authority to lead a campaign across the organization as a whole.

It is up to the executive leaders of the company to accept the necessity of treating cybersecurity risk as a tangible business threat and to sponsor expedient and prioritized programs to address their exposures with no less urgency than they would for market, economic, competitive, liability, property or environmental threats. I don’t think anyone can argue any longer that cybersecurity breaches are not a real threat, nor that a breach or a cyber-attack can’t happen to their business.

So, here’s the 8-step formula that will enable your company or organization to stay out of the breach-a-week parade:

1. Organize a formal executive level committee whose singular role will be to assess risk across the whole organization and to oversee a continual risk-assessment and management program. Make sure it addresses all classes of risk, from reputational to strategic to financial and from operational to technology.

2. Identify and categorize all information assets and the computer assets that store and process those information assets.

3. Implement a risk framework of some kind. There are many available and the differences are largely philosophical, so any one will do as a starter. This will give you a standardized baseline and scoring model for conducting risk assessments.

4. Conduct regular risk assessments with the intent of determining which assets require critical controls and which assets represent acceptable risk levels and may be dealt with through the purchase of additional insurance or lesser levels of protection and higher exposures.

5. Implement the appropriate technologies, business processes, policies and controls to achieve acceptable levels of risk for each asset. Emphasize Identity and Access Management (IAM) and Data Loss Prevention (DLP) and make sure you have program hygiene controls in place.

6. Organize your information security process around the NIST Cybersecurity Framework and let it guide your policy decisions. Anything more complicated than this framework is over-thinking and will lead to complicated outcomes that will result in increased threat exposures.

7. Implement a high-functioning SIEM/SOC service that includes continuous vulnerability assessment and management so that you can monitor your environment and identify and control threats as they emerge. You might also look for technologies that can map your information assets to threats and produce a risk score for them in real time, so you can be sure your highest value assets are being provided with the most protection at all times.

8. Institute a broad employee education and cybersecurity awareness training program so that the gates to your network are optimally managed by the most vulnerable of your non-information assets, your employees. The program you choose must be continual and the process must be conducted frequently throughout the year. It is the least expensive yet most effective threat prevention measure you can take.
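Steps 2 through 4 (and the asset-to-threat risk scoring mentioned in step 7) become concrete once you write down the scoring model. The following is an added illustration, not code from the article or from any named framework: a small risk register that classifies assets, scores each asset/threat pair at the intersection of vulnerability and threat, and sorts the pairs onto the accept / transfer (insurance) / mitigate (controls) spectrum using a tolerance set by the executive committee. The multiplicative formula, the classification weights, the thresholds and the sample assets are all constructed assumptions for the example; a real program would substitute the scoring rules of whichever framework it adopts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An information asset from the inventory (step 2)."""
    name: str
    classification: str  # "public", "internal", "confidential" or "regulated"
    location: str        # system or store where it resides / is processed


@dataclass(frozen=True)
class Threat:
    """A threat with its estimated likelihood and business impact (both 0..1)."""
    name: str
    likelihood: float    # estimated probability of occurrence in the assessment period
    impact: float        # relative business impact if realised (operational, reputational, financial)


# Assumed weights: how much an asset's classification amplifies any risk to it.
CLASS_WEIGHT = {"public": 0.25, "internal": 0.5, "confidential": 0.75, "regulated": 1.0}


@dataclass(frozen=True)
class RiskItem:
    """One row of the register: an asset, a threat to it, and how exposed it is."""
    asset: Asset
    threat: Threat
    vulnerability: float  # 0..1, degree of exposure found by assessment or testing

    def score(self) -> float:
        # Risk lives at the intersection of vulnerability and threat, scaled by asset class.
        weight = CLASS_WEIGHT[self.asset.classification]
        return round(weight * self.vulnerability * self.threat.likelihood * self.threat.impact, 4)


def treatment(score: float, tolerance: float, transfer_ceiling: float) -> str:
    """Map a score onto the treatment spectrum using committee-set thresholds (assumed values)."""
    if score <= tolerance:
        return "accept"          # within appetite: willful acceptance
    if score <= transfer_ceiling:
        return "transfer"        # moderate: insurance or lesser protection
    return "mitigate"            # above ceiling: critical controls required


def prioritise(register, tolerance: float = 0.05, transfer_ceiling: float = 0.2):
    """Score every row and return them highest-risk first with a recommended treatment."""
    rows = [
        {
            "asset": item.asset.name,
            "location": item.asset.location,
            "threat": item.threat.name,
            "score": item.score(),
            "treatment": treatment(item.score(), tolerance, transfer_ceiling),
        }
        for item in register
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def build_register():
    """Constructed sample register for the example; values are illustrative only."""
    return [
        RiskItem(Asset("customer card data", "regulated", "payments DB"),
                 Threat("credential theft via phishing", 0.6, 0.9), 0.7),
        RiskItem(Asset("marketing site content", "public", "CMS host"),
                 Threat("web defacement", 0.3, 0.2), 0.5),
        RiskItem(Asset("HR records", "confidential", "HR file share"),
                 Threat("ransomware", 0.4, 0.7), 0.6),
        RiskItem(Asset("internal wiki", "internal", "intranet server"),
                 Threat("insider leak", 0.2, 0.4), 0.8),
    ]


if __name__ == "__main__":
    for row in prioritise(build_register()):
        print(f"{row['score']:.4f}  {row['treatment']:<9} {row['asset']} ({row['location']}) "
              f"<- {row['threat']}")
```

Run as-is it prints the register sorted by score, with the regulated card data flagged for mitigation, the HR records for transfer, and the two low-value assets accepted. The point of the structure is that the tolerance and transfer ceiling are inputs owned by the risk committee rather than constants chosen by IT, which is what makes the output a business prioritisation rather than a technology one.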

That’s it. Those 8 simple steps will keep you out of the news, out of the target range of your shareholders, out of the regulatory audit and compliance fines and penalties and may even also keep you out of jail.

Let’s make 2019 the year we did instead of just another year we didn’t.


More articles by Steve King, CISM, CISSP