Cybersecurity events in 2015 continued to grow in size and impact. CareFirst BlueCross BlueShield, Kaspersky Lab, Premera BlueCross BlueShield, Harvard University, LastPass, the Army National Guard, Anthem, the Office of Personnel Management, VTech, T-Mobile, Scottrade, Ashley Madison, CVS and Walgreens were among the larger breaches of the year.
The cybersecurity landscape has matured, and attackers are motivated by financial gain as well as political aims. Companies and their directors will need to put more focus and scrutiny on protection against cyber attacks.
It is critical that organizations understand the fallout of a data breach, because it poses a significant risk to an organization's ability to survive. The risk to human life and safety has also grown significantly: several deaths have been linked to the Ashley Madison hack, and the discovery that hackers can take over the controls of some cars is one example of a serious safety concern.
Organizations small and large need to carry out a regular assessment and review of their business, and develop and manage an action plan for 2016 to ensure the safety and health of the organization, its employees, and its customers. This year we will see a major shift into the cloud as more and more organizations migrate elements of their business to various cloud technologies. Without proper planning and controls, 2016 could see successful cyber attacks continue to increase.
Critical asset review – A critical first phase is to identify and review the critical assets across the organization: organizational IP, employee and customer personal information, and other critical data elements. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue that spans people, process, and technology.
It is important to understand the legal implications of cyber risks as they relate to the company's specific circumstances. Once there is a clear understanding of the assets and their associated risks, further plans can be established to drive a cyber-security program. The output from this assessment should also be used to obtain cyber insurance at the right level of coverage.
New Solution Review, Planning and Assessment – When organizations reach a point where they need to investigate and research new aspects of their business, cyber-security needs to be an important part of the discussion. The purchase of new software or services, the building of new applications or tools, or working with new vendors requires an assessment of the data and workflows that will be processed and their impact on the organization.
With a major shift this year to cloud-based technologies, the review and assessment stage is critical. We are entering a new world of technology where knowledge and experience in how to deploy and manage it are still in their infancy. Many organizations have not yet developed well-defined policies and procedures to support and manage cloud-based solutions.
Regular Threat Assessment Meetings – Organizations need to establish weekly or monthly reporting and review meetings where current risks are discussed along with the status of the programs meant to close known gaps. These meetings should also extend to third-party vendors so that there is a clear understanding of the risks each organization exposes the other to. Information from these meetings should be communicated to staff as part of employee education.
Third-party management – Start with third-party contracts to ensure they contain proper data breach notification, audit rights, indemnification and other provisions. A full review of the connections and the data being shared between the organizations is important. Vendor access to systems and services should be well defined, controlled, monitored and audited frequently to ensure a third party does not become a conduit for a breach.
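One concrete way to audit vendor access is to compare each vendor login against the access terms the contract defines (approved source networks, an agreed maintenance window, key-based authentication only). The script below is an added example, not code from the original post; the sshd-style log lines, the vendor account names and the policy values are all constructed for illustration.

```python
"""Audit vendor account logins against a per-vendor access policy.

Added example for this post. The log sample and policy are constructed
(not real accounts, addresses or contract terms).
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sshd-style auth log (documentation address ranges, UTC timestamps).
SAMPLE_LOG = """\
2016-01-12T02:14:07Z sshd[1201]: Accepted publickey for vendor-acme from 203.0.113.10 port 50122 ssh2
2016-01-12T03:30:45Z sshd[1240]: Accepted publickey for vendor-acme from 198.51.100.77 port 50201 ssh2
2016-01-12T14:02:11Z sshd[1302]: Accepted publickey for vendor-acme from 203.0.113.12 port 50311 ssh2
2016-01-12T15:10:00Z sshd[1310]: Accepted password for vendor-globex from 203.0.113.10 port 50400 ssh2
2016-01-12T16:45:19Z sshd[1355]: Failed password for vendor-globex from 192.0.2.9 port 50501 ssh2
2016-01-12T17:00:00Z sshd[1400]: Accepted publickey for alice from 10.0.0.5 port 50600 ssh2
"""

# Constructed policy: what the contract allows for each vendor account.
# "sources": networks the vendor may connect from; "window": UTC maintenance window.
VENDOR_POLICY = {
    "vendor-acme": {"sources": ["203.0.113.0/24"], "window": (time(1, 0), time(5, 0))},
    "vendor-globex": {"sources": ["198.51.100.0/24"], "window": (time(14, 0), time(18, 0))},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one auth line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["ip"] = ipaddress.ip_address(event["ip"])
    return event


def check_event(event, policy):
    """Return the policy violations for one successful vendor login (empty list if none)."""
    rule = policy.get(event["user"])
    if rule is None or event["result"] != "Accepted":
        return []  # not a vendor account, or not a successful login
    findings = []
    if not any(event["ip"] in ipaddress.ip_network(net) for net in rule["sources"]):
        findings.append("source-not-allowed")
    start, end = rule["window"]
    if not (start <= event["ts"].time() <= end):
        findings.append("outside-maintenance-window")
    if event["method"] != "publickey":
        findings.append("non-key-auth")
    return findings


def audit(log_text, policy=VENDOR_POLICY):
    """Map each violating line number (1-based) to its list of findings."""
    report = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        event = parse_line(line)
        if event is None:
            continue
        findings = check_event(event, policy)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(findings)}")
```

Run against the constructed sample, the script flags line 2 (a connection from outside the vendor's approved range), line 3 (a login outside the agreed window) and line 4 (both an unapproved source and password rather than key authentication). Failed attempts and non-vendor accounts are left alone here; in practice you would feed real logs and the policy terms from each contract, and route findings into the regular threat review meetings described above.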
Governance – Management must establish a cybersecurity review committee and determine clear lines of reporting and responsibility for cyber issues. Governance is not an IT-only function; cybersecurity should have a dedicated line item on board of directors agendas. Depending on the size and complexity of an organization, it may also make sense to have dedicated teams focused on cybersecurity. With the increased workload of the IT department and the push to new cloud solutions, that focus is critical.
Employee training – Employee training needs to expand beyond basics like proper password protection and into behavioral aspects. Social engineering is a key tool used to gain information and access to systems and data. One example is a verification protocol, such as calling back on a known number, so that employees can be sure the person on the other end of the phone is actually who they say they are.
And finally, what I consider the most important aspect…
Incident response preparedness and testing – You can be as prepared as possible, but there is always a chance the environment will be compromised. How an organization responds can be critical to the future stability of the company and the safety of those involved. Organizations need a clear incident response plan that ensures forensic information is preserved to aid investigations and that communication channels are established so those impacted can respond rapidly.
For organizations that have already established a Disaster Recovery program, incident response should contain policies and procedures that are similar. For many organizations it may make sense to establish contracts with outside forensic investigators ahead of time in the event of a breach. These actions help facilitate a quick response and, when the engagement is arranged through counsel, can help preserve legal privilege over the investigation.