In the wake of the Yahoo data breach – the biggest single-site breach in history – information security is top of mind for many companies. While the announcement is recent, the actual breach occurred in 2014, so any plans for corrective actions now are years too late. The damage is done.
But how can we stop it from happening again?
Even if the stolen information had been identified right after the breach, affected users may have felt equally as helpless. After the fact, a thorough and quickly executed remediation plan only serves to mitigate the risk of future similar threats – the optimal set of reactive measures does nothing to undo the damage. The landscape of information security risks and threats is continually changing. Likewise, information security best practices advance to counter the latest exploits and novel hacking techniques. How can an organization effectively safeguard non-public electronic and hardcopy information? The answer is a holistic, ongoing approach to information security program management. Without proper planning, monitoring and measurement even robust information security programs will develop exploitable weaknesses. Without constant vigilance the vulnerability to data breach and other malicious wrongdoing will exponentially increase.
The key to addressing ongoing information security issues effectively lies in prevention through proactive identification and timely mitigation of new and emerging risks and threats. Companies need to identify vulnerabilities and realign available resources on an ongoing basis to ensure timely application of the approved mitigation strategies involving the highest priority and most critical risks.
Understanding Your Risk
Common approaches to risk management are largely tactical and reactive, but that does little to diminish user and customer concerns after a breach. Playing whack-a-mole with security threats can also create a messy system of quick fixes that mask the true, “root cause,” exploitable weaknesses, rather than driving the advancement of an overall information security strategy comprised of a multi-layered approach to defense.
Keeping pace with the ever-changing landscape requires a well-documented and continually maturing approach to identifying and prioritizing risks. Companies should perform weekly, monthly and annual reviews, assessments, audits, and testing activities to identify vulnerabilities from new threats or gaps in existing defenses. Collectively, all such risk identification activities will support a proactive approach to mitigating the following common risk scenarios:
While the Sarbanes-Oxley (SOX) Act of 2002 helped to increase the control and accountability for corporations with computer-based systems that support financial reporting, the scope and requirements of SOX regulations are limited to specific types of financial data, systems and processes. Beyond financial reporting, companies store, process and transmit other types of electronic and hardcopy information. Hundreds, or even tens of thousands of endpoints, in addition to servers and network components, must all be appropriately safeguarded with a robust set of information security controls. Special legislation and industry requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Payment Card Industry (PCI) Security Standards and other state and federal legislation regarding the use, storage or transmission of sensitive information have raised the level of information security expectations and requirements for service providers, customers and clients. When the European Union’s Global Data Protection Regulation (GDPR) goes into effect in May 2018, non-compliant entities may face fines up to 4% of global revenue. For failures to appropriately safeguard PCI data, fines can be in the hundreds of thousands of dollars. For HIPAA, multiple violations in a calendar year can result in up to $1.5 million in financial penalties.
Maintaining a clear picture of the regulatory, legal and contractual requirements, as well as the supporting technology, is essential to drive the advancement your organization’s information security program. A forward-thinking approach can also help organizations gain a significant competitive advantage in industries that are anticipating big regulatory changes. In some cases, failure to comply with information security regulations may lead to loss of business in addition to substantial fines, fees and sanctions.
Organizations that are struggling to achieve or maintain compliance with government or other requirements may have a deeper issue: inadequate funds and resources allocated to information security. The good news is that using risk assessments, audits, scanning and testing to identify and report on compliance issues can help management understand the urgency of allocating budget and resources specifically for information security technologies, personnel resources, third-party services, and the supporting infrastructure for these initiatives.
Supporting Long-term Solutions
Information security budgets can be overlooked or inadequately funded because many think that just buying hardware or software will be the “silver bullet” to solve the problem of information security. Rather, a clear picture of the currently identified information security risks and threats must be an essential input to the information security, IT and enterprise-wide strategic planning and budgeting process. Budget decision-makers need to be fully aware that risks must be mitigated or accepted. Denial is not an information security strategy. Budgets need to be matched against identified risks that are prioritized for implementing comprehensive solutions over multiple years. Once-a-year annual planning simply doesn’t cut it; companies need to have mid-range and long-term roadmaps that they review and update regularly.
For example, a company may secure budget approval and purchase software licenses for a needed information security system, but fail to implement the software completely. Hardware is acquired and remains in unopened shipping boxes for multiple years. Often, the reason is lack of priority among competing projects, or because the vision and full capability of the software is not understood by the implementers. Another common issue is failure to account for personnel resources necessary for initial implementation and ongoing operation of the technologies. This results in six-figure licensing fees being charged year-over-year for hardware or software that is not being utilized.
Instead of getting caught in this cycle of operational inefficiency, organizations must take a strategic approach to designing and advancing their information security strategy. It is not uncommon for companies to accumulate a substantial “security debt” that can only be overcome with a hefty increase to information security budgets. While working in a coordinated manner to clear the backlog of accumulated risks, findings, weaknesses and gaps, the organization must also take a forward-looking approach, considering how to implement a strategy for a steady yet agile rollout of information security components.
Providing Effective Leadership and Training
Information technology staff alone can’t bear the burden of maintaining entire companies’ information security programs in addition to their normal day-to-day operational responsibilities. In fact, evolving the organizational structure to include a team of personnel solely focused on information security separate from the IT team is the optimal approach. To ensure proper segregation of duties, CISO or ISO should have direct reporting to executive leadership or the board without being embedded in the IT chain of command. Planning, oversight, governance, and monitoring must start at the executive level so that organizations can provide adequate support and resources for critical issues.
Training is a vital component of any information security program, and the human element is invariably the weakest link. Many data breaches are actually executed not through sophisticated hacking (or password cracking), but by social engineering, such as convincing individuals to freely disclose their login credentials, for example. To bolster overall information security posture, companies must provide interactive, in-person information security awareness training classes for employees, contractors, and consultants to show how their actions – intentional or not – can create or exploit vulnerabilities. Annual training can touch on subjects like recent social engineering trends, such as phishing and spear phishing, which use seemingly trustworthy sources to con information or money out of employees.
Companies can formalize and communicate protocols for communication of any suspected information security incident. When tracked over time via a help desk ticketing systems, metrics are established to measure the effectiveness of the training efforts. Training classes can also cover company policies on how to access specific data and best practices for keeping information secure.
Another way to get the executive level involved in information security is to create a new executive leadership role focused on information security. CISOs are popping up in C-suites throughout the country to provide additional leadership for the rising, consistently evolving threats to confidential information.
Working with Patina Information Security Solutions
Worried about your information security program? Patina professionals bring a wealth of knowledge that has been honed from years of experience in leadership positions. Patina can assist you with risk assessment, information security program assessment, implementing prevention and response strategies, and creating a road map and budget for long-term success.
Patina can help communicate the importance of information security to executive leadership through objective review and recommendation, and build a thorough business case for allocating resources to identify and mitigate risks. Patina also can provide guidance on filling part-time, interim or permanent CISO positions for your executive leadership team.
CONTACT US about how Patina professionals can support your next project.