In many organizations, reducing vulnerabilities is complicated by “shadow IT.” Employees who feel that IT isn’t responsive, or that too many security controls get in their way, or who simply don’t think about the implications, may install their own software or hardware. The problem has intensified with the growth of the cloud: a division that needs a new system may find it easier to purchase a cloud service, without telling IT, than to work with IT to develop the system. If IT does not know that the system or its data exist, the security team may never know there has been a breach.
Impact is the damage that a vulnerability combined with a threat could cause to information assets. There are numerous ways to calculate impact; unfortunately, no accepted or universal standard to evaluate impact exists. Thus, every organization should perform an impact assessment tailored to their individualized needs and unique situation.
Organizations such as Verizon, Mandiant, the Ponemon Institute, and others collect data on data breaches to evaluate impact. According to Ponemon, the average cost to an organization of each individual record in a data breach is $158. Other organizations indicate impact costs from data breaches as low as $54 per record. It is this discrepancy that makes it difficult for both the insured purchasing a cyber-insurance policy and cyber-insurance providers to determine adequate coverage and premiums.
The information security community calculates “risk” as follows:
(Vulnerability + Threat) x Impact = Risk
Of course, this calculation is largely speculative: how do you measure vulnerability or threat on a defensible scale? Even with that limitation, this simple calculation has been the basic approach used by security professionals, who focus on the most critical vulnerability or the biggest threat. Evolving laws have added nuances to this risk calculation that security professionals must also consider: which regulatory, legal, or compliance standards apply, and how can those risks be addressed?
Just as security professionals must address the evolution of information security, data security, or cyber security, organizations purchasing cyber insurance policies and implementing cyber security measures (along with insurers providing cyber insurance products) must also learn the language and mind of security professionals to improve understanding of information security risk.
If you ask a CEO, COO, or CFO how many customer data records constitute an “acceptable” breach, you will likely get a binary response: 0/NONE! But, if you ask the same group for an unlimited budget for security and the ability to shut down insecure applications, systems, and internet connections, you will likely get another four-letter response.
Risk profiles, also known as risk appetite, help quantify the risks an organization is willing to take in the face of threats and are crucial to developing an information security program. Assuming an organization holds sensitive information, a risk averse organization will focus more resources on reducing risk through risk management techniques (discussed further below) than a risk tolerant organization.
As with all enterprise-level decisions, risk must be assessed and the appropriate risk appetite for the particular organization determined. Placing a hard decision, such as the acceptable number of breached records, in front of executives helps to establish the bounds of that decision. Understanding the risk profile of an organization leads to a better understanding of the corporate culture and the types of risks executive leadership is willing to take. Methods to assess risk include self-certifying questionnaires and third-party assessments or independent security reviews.
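As an added illustration (not part of the original article), the following Python sketch applies the (Vulnerability + Threat) x Impact formula above to a small constructed asset register and compares each score against a stated risk appetite. The 0–5 scoring scale, the asset list, the appetite threshold and the function names are assumptions made for the example. The point it makes is that impact, which is driven by the data an asset holds, changes the priority order: the asset with the worst vulnerability and threat scores is not the one leadership should worry about most.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

SCALE_MAX = 5  # assumed ordinal scale: 0 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Asset:
    """One row of a constructed risk register (illustrative data, not real)."""
    name: str
    classification: str   # e.g. "public", "confidential", "regulated"
    vulnerability: int    # how exposed / exploitable the asset is
    threat: int           # how likely a capable actor is to try
    impact: int           # damage if the asset is compromised


def risk(asset: Asset) -> int:
    """The article's formula: (Vulnerability + Threat) x Impact."""
    for label, score in (("vulnerability", asset.vulnerability),
                         ("threat", asset.threat), ("impact", asset.impact)):
        if not 0 <= score <= SCALE_MAX:
            raise ValueError(f"{asset.name}: {label} score {score} outside 0..{SCALE_MAX}")
    return (asset.vulnerability + asset.threat) * asset.impact


def ranked(assets: list[Asset]) -> list[tuple[str, int]]:
    """Assets ordered from highest to lowest risk score."""
    return sorted(((a.name, risk(a)) for a in assets), key=lambda pair: -pair[1])


def exceeding_appetite(assets: list[Asset], appetite: int) -> list[str]:
    """Names of assets whose risk score is above the organization's stated appetite."""
    return [a.name for a in assets if risk(a) > appetite]


def residual_risk(asset: Asset, *, vulnerability_reduction: int = 0,
                  impact_reduction: int = 0) -> int:
    """Risk after a treatment. Mitigation (patching, hardening) lowers vulnerability;
    avoidance (not holding the data) lowers impact. Scores floor at zero."""
    treated = replace(
        asset,
        vulnerability=max(0, asset.vulnerability - vulnerability_reduction),
        impact=max(0, asset.impact - impact_reduction),
    )
    return risk(treated)


# Constructed register. The public web server has the worst vulnerability and
# threat scores but, holding no sensitive data, ends up with the lowest risk.
REGISTER = [
    Asset("customer PII database", "regulated",    vulnerability=3, threat=4, impact=5),
    Asset("public web server",     "public",       vulnerability=5, threat=5, impact=1),
    Asset("HR file share",         "confidential", vulnerability=2, threat=2, impact=4),
    Asset("analytics data lake",   "confidential", vulnerability=4, threat=3, impact=4),
]
RISK_APPETITE = 20  # assumed: leadership accepts scores at or below this


if __name__ == "__main__":
    for name, score in ranked(REGISTER):
        print(f"{score:3d}  {name}")
    print("above appetite:", exceeding_appetite(REGISTER, RISK_APPETITE))
    pii = REGISTER[0]
    print("PII db after patching (vulnerability -2):",
          residual_risk(pii, vulnerability_reduction=2))
    print("PII db after patching and purging stale records (impact -2):",
          residual_risk(pii, vulnerability_reduction=2, impact_reduction=2))
```

Running it ranks the PII database (35) and the analytics lake (28) above the appetite of 20, while the badly exposed public web server scores only 10. Patching the PII database so its vulnerability drops from 3 to 1 leaves it at (1 + 4) x 5 = 25, still above appetite; only when impact is also reduced, by not holding stale records, does it fall to 15. That is the arithmetic behind the article's later point that mitigation alone is not the whole of risk management.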
Many auditors, whether evaluating risk for insurance or for regulatory compliance, use “self-certifying” questionnaires to establish risk. This may not be a reliable tool, for two specific reasons. First, such questionnaires are affected by the person responding; within one 2014 report, a significantly lower number of Chief Information Security Officers (CISOs) reported that they were either very or extremely confident in their cybersecurity protections than their non-CISO executive counterparts. Second, organizations are incentivized to project a stronger security program than they have in order to reduce their overall premiums for the cyber insurance policies they purchase. Third-party assessments help to eliminate both of these issues.
There are several types of independent reviews that an organization can undergo, including both technical and nontechnical reviews. On the technical side, vulnerability assessments (external or internal scans of the IT infrastructure for known vulnerabilities) and penetration testing (attempting to exploit vulnerabilities as an attacker would) are common in more mature organizations. Depending on the type of data held, organizations should perform these tests at least annually and after any significant change to the environment; both are point-in-time exercises, so a clean result ages quickly. For more sensitive or classified data, these tests should be performed more frequently.
Non-technical audits or process reviews can also serve to measure the maturity of a security program. There are multiple “standards” for assessing an IT security program, such as the Statement on Standards for Attestation Engagements (SSAE) 16 (since superseded by SSAE 18 for SOC 1 reports) or the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT). While these standards may not apply to all organizations, they do provide a standardized method to assess IT security controls.
Whether it is a technical vulnerability test or a standardized audit process, there should be an independent review of the organization’s security program. In assessing the maturity of an organization, the results of these reviews should be readily available, under a non-disclosure agreement.
One of the most difficult yet critical areas to address in many organizations’ security programs is data classification. Data classification is the process of determining the controls each piece of data requires. It is clearly inefficient to protect all data to the same level (e.g., protecting public press releases with the same controls as the recipe for Coke). Because each piece of data, from annual reports to transitory emails about lunch plans, must be classified, this is a resource-intensive process. Outside of the Department of Defense, which has had a clear and functional classification system for decades, many organizations are unwilling to devote such substantial resources to data classification. However, data classification is the best way to measure an organization’s risk profile. An organization with trade secret or regulated data should have stronger controls in place for such data than it has for its publicly disclosed information.
As noted above, existing per-record breach cost estimates are not entirely useful for gauging impact. A better gauge may be to examine the market for stolen identity data, which prices each record based on the type of data. A review of that market gives a glimpse into the types of data most at risk (ranging from $4–$12 for credit card data to $300 for information on bank accounts with over $70,000).
How do you manage risk? Anyone dealing with risk understands that there are multiple ways to reduce risk to an acceptable level, including mitigation, risk avoidance, retention of information only throughout its useful life, and transfer of residual risk (which is where cyber insurance fits).
In the IT security world, mitigation has been the de facto method for dealing with risk. As discussed above, the risk calculation depends on both a threat and a vulnerability. Since it is difficult to reduce the threat, IT security professionals attempt to lower overall organizational risk by reducing vulnerabilities (patching, hardening configurations, adding controls) and thereby breaking the threat-vulnerability chain.
Interestingly, many in the IT security world have a poor opinion of risk avoidance. IT security professionals tend to equate risk avoidance with “security by obscurity,” the practice of hiding vulnerabilities and hoping that no one will find them. Experience has shown time and again that such secrets are eventually found; obscurity only delays the issue, it does not fix it. There are several genuinely useful avoidance strategies, however, such as limiting internet access to sensitive systems, limiting administrative accounts, and not storing confidential information in the first place.
Systems with sensitive information should be insulated from the internet. Through the use of technology such as firewalls, data loss prevention (DLP) systems, and network segmentation, the IT team can limit the ingress and egress of sensitive information.
In many of the most recent data breaches, “phishing” has been the initial vector. Phishing is the term used to describe emails sent by outside parties to an organization’s employees that trick the employee into performing an action (e.g., clicking a link, installing software, or transferring money); when the emails are tailored to specific recipients, the attack is called spear phishing. One way to limit the damage from a phishing attack is to limit administrative accounts. Administrative accounts are used to install software on a computer system. If the employee is not an administrator, even of their assigned PC, it is more difficult for the attacker to install software on the PC or to disable its protections. This does not stop malicious code that runs entirely within the user’s own permissions (ransomware can encrypt the user’s files without administrative rights), so it should be paired with the other controls discussed here rather than relied on alone.
Many organizations, especially in the era of “big data,” are collecting and storing vast amounts of data for analytics. Whether these analytics are being produced or not, many organizations are data hoarders, keeping everything in case they need it one day. Maintaining data means that the organization is responsible for protecting the data. Thus, another great way to avoid a breach of personal or confidential data (and to therefore manage risk) is simply not to collect it, store it, or hold it past its useful life.
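As an added example (not from the article), the following Python script turns the “collect less, keep less” advice above, together with the earlier point that every record needs a classification label, into a check that can run over an inventory of stored records. Each record carries a classification label, a collection date and the names of the fields it holds; the script flags records held past the retention period assigned to their classification, and fields that the stated purpose never needed, and refuses to process unclassified data because no retention rule can be applied to it. The retention periods, the set of needed fields, the fixed “as of” date and the sample records are all constructed for illustration.

```python
from __future__ import annotations
from datetime import date, timedelta

# Assumed retention policy, keyed by classification label (days; None = no limit).
RETENTION_DAYS = {
    "public": None,
    "internal": 3 * 365,
    "confidential": 2 * 365,
    "regulated": 365,
}

# Fields the (hypothetical) analytics purpose actually requires.
NEEDED_FIELDS = {"customer_id", "order_total", "order_date", "region"}

# Constructed inventory of stored records (not real data).
RECORDS = [
    {"id": "r1", "classification": "regulated", "collected": date(2016, 1, 10),
     "fields": {"customer_id", "order_total", "order_date", "region", "ssn"}},
    {"id": "r2", "classification": "confidential", "collected": date(2016, 3, 1),
     "fields": {"customer_id", "order_total", "order_date"}},
    {"id": "r3", "classification": "internal", "collected": date(2014, 1, 1),
     "fields": {"customer_id", "region", "email"}},
    {"id": "r4", "classification": "public", "collected": date(2010, 5, 5),
     "fields": {"region"}},
    {"id": "r5", "classification": "regulated", "collected": date(2017, 3, 15),
     "fields": {"customer_id", "order_total", "card_number"}},
]

AS_OF = date(2017, 6, 1)  # fixed reference date so the run is reproducible


def past_useful_life(records: list[dict], today: date) -> list[str]:
    """IDs of records older than the retention period for their classification."""
    expired = []
    for rec in records:
        try:
            limit = RETENTION_DAYS[rec["classification"]]
        except KeyError:
            # Unclassified data cannot be retention-checked: that is itself a finding.
            raise ValueError(f"{rec['id']}: unclassified record") from None
        if limit is not None and today - rec["collected"] > timedelta(days=limit):
            expired.append(rec["id"])
    return expired


def overcollected(records: list[dict]) -> dict[str, set[str]]:
    """Map record ID -> fields that were stored but the purpose never needed."""
    extras = {}
    for rec in records:
        unneeded = rec["fields"] - NEEDED_FIELDS
        if unneeded:
            extras[rec["id"]] = unneeded
    return extras


def minimise(records: list[dict], today: date) -> list[dict]:
    """Inventory with expired records dropped and unneeded fields stripped."""
    expired = set(past_useful_life(records, today))
    kept = []
    for rec in records:
        if rec["id"] in expired:
            continue
        kept.append({**rec, "fields": rec["fields"] & NEEDED_FIELDS})
    return kept


if __name__ == "__main__":
    print("past useful life:", past_useful_life(RECORDS, AS_OF))
    print("overcollected:", overcollected(RECORDS))
    for rec in minimise(RECORDS, AS_OF):
        print(rec["id"], rec["classification"], sorted(rec["fields"]))
```

Against the constructed inventory, r1 and r3 are past their useful life, r1, r3 and r5 hold fields (a Social Security number, an email address, a card number) that the analytics purpose never needed, and the minimised inventory keeps only r2, r4 and r5 with r5 reduced to the two fields actually required. Anything the script deletes is data the organization no longer has to protect, report on, or insure.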
Evaluation of Security Posture
Evaluating an enterprise’s security posture from the outside is not an easy task. There are a number of variables to consider including risk appetite, types of data collected, technical and administrative controls, and public exposure.
As a starting point for evaluating how an enterprise prepares for, defends against, and responds to security threats, there are several inquiries that should be part of any due diligence.
First and foremost, review the organization’s security policies. There are various “flags” to look for to ensure that the organization’s security policies are complete.
- Are the organization’s security policies based on a standard framework?
- Do the organization’s security policies include provisions for acquisition, provisioning, and retirement of information assets? It is surprising to see how many organizations do not have a set of procedures for disposing of retired equipment.
- Do the organization’s security policies have a revision history? Are they reviewed at least annually?
These questions are not the only ones to ask when reviewing an organization’s security policy, but any organization’s security policy that does not address these questions is worthy of a significantly deeper review.
It is also worthwhile to ask for a report on the organization’s security event history. It is often said that there are two types of companies: those that have been breached and those that don’t know they have been breached. Even if data is not exposed, a mature organization will have documentation of security incidents, successful or not.
It would be very troubling if an organization says they have had no security incidents (including ransomware, malware, or phishing attempts) in the past year. These types of events are so common that failure to detect them highlights a deficiency in the security program.
The next area of the security posture to review is compliance with the policies. This process can be simple or quite extensive, depending on the type of data involved, the organization’s breach history, and governance structure. Reviewing areas outside of the “traditional” security roles such as change management, asset inventory and management, and user account provisioning and de-provisioning can highlight the maturity of the organization. The structure of the security team is also important to review. If the organization has a Chief Information Security Officer (CISO), to whom does that person report? It is an often debated topic whether the CISO should report to the Chief Information Officer. While this seems a natural fit for a CISO, it places the CISO in a precarious position of reporting on their boss. A better location for the CISO may be a direct report to the board or leadership team, under the office of the general counsel, or within the financial team. Each of these locations gives the CISO an arms-length relationship with the IT organization.
Wherever the CISO lives within the organization chart, the CISO should report regularly to the board or leadership team. Providing direct access to senior leadership ensures that the people charged with setting, understanding, and mitigating organization risks understand the security issues facing the organization. If there is no evidence of the CISO regularly reporting to executive leadership, concern should be raised.
Finally, evidence of an employee security awareness program should be available. At onboarding and at least biannually (twice a year) thereafter, employees should receive training on threats such as social engineering, phishing, malicious code, and physical access protections. The organization should be capable of producing both the training material and the artifacts of employee training, such as completion records.
The threat of data breaches shows no sign of lessening as the arms race between attackers and defenders continues. With the marketplace for cyber insurance ever maturing and a NAIC model law regarding insurance data security on the horizon, it is critical for FORC members to develop a strong understanding of the foundational elements of a security program and learn to differentiate strong from weak in order to best represent their clients.