[BreachExchange] Data breach: Why it’s time to adopt a risk-based approach to cybersecurity
Destry Winant
destry at riskbasedsecurity.com
Fri Feb 7 10:12:28 EST 2020
https://www.helpnetsecurity.com/2020/01/28/risk-based-approach-to-cybersecurity/
The recent high-profile ransomware attack on foreign currency
exchange specialist Travelex highlights the devastating results of a
targeted cyber-attack. In the weeks following the initial attack,
Travelex struggled to bring its customer-facing systems back online.
Worse still, despite Travelex’s assurances that no customer data had
been compromised, hackers were demanding $6 million for 5GB of
sensitive customer information they claim to have downloaded.
Providing services to some of the world’s largest banking corporations
including HSBC, Lloyds, Barclays and RBS, the attack will clearly have
a significant long-term impact on Travelex’s reputation and revenues.
The company also potentially faces a catastrophic fine if customer
data is found to have been accessed illegally.
The escalating costs and consequences of data breach
In the EU, the financial repercussions of a data breach can be
significant. Falling foul of GDPR gives supervisory authorities the
power to issue fines of up to €20 million or 4% of an organization’s
annual global turnover, whichever is the higher. Meanwhile, from a
reputational standpoint, a data breach has major ramifications for
customer confidence and loyalty.
With cybercriminals representing a persistent risk to enterprise
wellbeing, it’s little wonder that CEOs, CFOs, CISOs and CIOs now view
cybersecurity as a top priority.
From lost business and falling share prices to regulatory fines and
remediation costs, data breaches can have far-reaching and devastating
financial consequences. According to the 2019 Cost of a Data Breach
study conducted by the Ponemon Institute, the average cost of a data
breach in the UK was $4.88 million – up 10.5% on the previous year.
The same report also found that UK companies took an average of 171
days to identify a breach and an average of 72 days to contain it,
and highlighted that the accumulated costs in the second and third
years post breach were highest for organizations operating in highly
regulated environments such as healthcare, financial services and
pharmaceuticals.
Building a cybersafe business requires enterprise-wide leadership collaboration
Research confirms that organizations with a well-informed and involved
CEO and board of directors are most likely to be successful at
creating a strong security posture. Compliance with external and
internal regulations and governance programs that are cascaded from
above, together with effective oversight and management from
leadership helps the entire organization view data security as a
strategic rather than tactical activity.
Similarly, closely aligning the priorities of the IT operations and IT
security functions will help ensure that the resolution and
remediation of security problems can be completed successfully and
that a strong security posture can be accomplished without impacting
on enterprise productivity.
Strong accountability models, in which decision-making on risk rests
with those who have the authority and overview to address these
issues, can go a long way to ensuring that systemic security problems
are not ignored or brushed under the carpet. At the end of the day,
data security should not be viewed as simply a technical problem
that’s handled by technical personnel working in IT.
Best practices for minimizing cyber risk
Knowing there’s a need to address cybersecurity and making the right
decisions about how much money to invest and on what is one of the top
challenges today’s enterprise leaders face. With the threat landscape
constantly evolving, the following practices can help organizations
make the shift to a more proactive risk-based approach.
1. Understand your organization’s threat profile – Undertaking a
detailed risk evaluation adapted to your business activities and
infrastructure is the starting point. Profiling and scoring typical
attacker types and the likely sophistication of their endeavors will
help inform the strategies of your security analysts and provide
insight into what cybersecurity products should top the investment
list.
Unfortunately, research shows that all too often organizations throw
money at the latest and most highly publicized security exploits
rather than the most persistent and likely vectors for attack. For
example, web application vulnerabilities have been the top
cybersecurity risk for several years, yet only 3% of IT spend is
currently directed at web application security.
2. Get outside help – Bringing in external expertise to evaluate and
benchmark the organization’s security posture against similar
organizations operating in the same market will help verify if
information security policies and plans are appropriate to the
identified enterprise risk profile. Utilize independent consultants to
undertake security and risk management reviews to boost security
resilience and help leaders to define an appropriate investment
strategy for cybersecurity tools.
3. Consider cyber liability insurance – Utilizing experts to conduct a
detailed evaluation of the organization’s cyber liability insurance
cover to ensure it is adequate will also help to highlight ways in
which doing security better could deliver additional commercial
benefits – like a lower premium. Gaining full visibility into the
cyber health of the company and documenting the security measures and
controls in place can help organizations identify where they need
additional coverage for crucial areas. Armed with a digital resilience
score, organizations will be well placed to cover more risks for less.
4. Get CISOs talking – CISOs need to capitalize on every opportunity
to talk to business leaders and communicate the importance of
prioritizing cyber risk and building robust internal controls. Rather
than being viewed as a roadblock to potential innovation, closer
collaboration with executive teams and peers across the business will
foster open dialogue and problem solving that acts as a business
catalyst for the enterprise.
5. Evaluate, check and review – Undertake regular risk audits to
reassess the current state of play, evaluating the impact of any
changes such as the implementation of new technologies, the
introduction of new revenue lines or the incorporation of new units or
company takeovers. This activity should be complemented by periodic
testing of disaster recovery and business continuity plans to ensure
everything is in place and works as expected, to mitigate the
potential damage resulting from a cyber breach.
6. Take steps to protect against insider threats – Malicious insiders
are the leading cause of data breaches, so putting in place programs
to monitor users’ behavior is vital. Instituting good information
management practices that include mobile device management, network
monitoring and access control management will help eliminate the
potential risk of negligence by naïve employees and contractors.
With business leaders focused on forging ahead with their digital
business initiatives that enable new customer interactions and service
delivery, getting everyone on board with managing security and risk
exposure will be key to protecting the enterprise against malicious
attack.
To succeed, organizations will need to take a proactive stance that
incorporates risk-based decision making that ultimately improves
business agility.