[BreachExchange] Cyber risk management -- Is your company ready for anything?

[Audrey McNeil]

http://betanews.com/2016/06/02/cyber-risk-management-is-your-company-ready-for-anything/

In late 2013, news of a massive data breach at Target surfaced. Hackers
stole personal and credit card information of nearly 70 million shoppers,
and the breach ended up costing Target $162 million and the resignation of
the CEO and CIO. While this was one of the largest and most widely
publicized data breaches, it’s by no means one of few.

Just recently, LinkedIn came clean about its 2012 data breach – a few days
after it was discovered some of the information was being sold online.
While LinkedIn originally reported the email and passwords for 6.5 million
people were compromised, it just admitted the real number is as high as 117
million accounts. Though LinkedIn advised people to change their passwords
when the attack was first made public, it wasn’t until four years later
that the company decided to cancel passwords that were affected.

What companies can take away from these examples is that a security breach
can result in not only millions paid in settlements, but also Federal Trade
Commission (FTC) fines, the resignation of high-level executives and loss
of reputation. A Deloitte report found that security is the second-leading
risk to a company’s reputation, behind ethical issues. The fallout from
these breaches can stretch out for years to come, even affecting company
shares and future sales, which is why having a cyber risk management
practice in place is absolutely essential for all companies that deal with
sensitive data.

Leveraging a Security Framework

Although a few years ago it would have been more difficult to get started
setting up a cyber risk management plan, today we have plenty of frameworks
that can help a company get started. The International Organization for
Standardization developed the ISO 27000 to address information security
management systems, and the National Institute of Standards and Technology
(NIST) developed the Risk Management Framework, which is widely used by the
U.S. government.

In 2014, NIST introduced the Cyber Security Framework (CSF) which has been
adopted by many organizations as a blueprint for recognizing and managing
day-to-day cyber risk. A key benefit of the CSF is that it provides
organizations with a baseline of risks and vocabulary that is understood
across an entire company – from junior employees to executives and even the
board of directors.

The CSF allows organizations of all types and sizes to identify and assess
cyber risks across five critical functional areas as follows:

Identify -- What data and assets do I need to protect?
Protect -- What existing methods do I have in place to protect these assets?
Detect -- What capability do I have to detect potential cyber threats?
Respond -- What ability do I have to respond to an incident?
Recover -- What capabilities do I have to recover from a breach?

After identifying risks in these functional areas, they must prioritize and
develop a risk treatment plan. As part of this plan, companies might choose
to:

Ignore the risk if consequence is believed to be low
Avoid the risk by not engaging in activity that causes the risk
Remediate the risk by investing in a new security process of technology
Transfer the risk (i.e. cyber insurance) in cases where likelihood is low,
but impact is high

Using the Right Tools

After developing a plan and path forward, a company needs to think about
how it’s going to implement these cyber risk management policies and
practices. The first step will be determining what resources are available
to implement the plan.

Cyber security professionals are in high demand and, thus, are expensive to
hire. Finding someone with the right skills can be a challenge, so many
organizations will need to contract an outside vendor or automate the
process as much as possible.

At larger companies, where the volume of risks and threat is even bigger,
manual methods of implementing cyber risk management are insufficient.
Without tools that automate and monitor risk management, companies run the
risk of not being able to scale effectively and remain consistent and
accurate in their efforts. Technologies that automate risk and compliance
allow organizations to quickly and efficiently operationalize frameworks,
even if a company doesn’t have the personnel with advanced experience.

An additional risk of not having risk management technology in place is the
potential for legal action. In the event of a breach, companies need to
prove they took steps to actively prevent such an incident.

The Wyndham hotel chain learned this the hard way after a series of data
breaches exposed information on hundreds of thousands of customers. The
company was sued by the FTC on charges that it failed to properly safeguard
customer information. Though Wyndham argued that the FTC didn't have the
authority to regulate corporate cyber security, a court ruling determined
that it did.

The importance of having a cyber risk management plan in place cannot be
over-emphasized. Taking a proactive approach to diagnosing risks enables
companies to have a better handle on their security posture and work
towards potentially preventing a disaster down the road. By developing and
implementing a comprehensive plan, companies will be prepared to safeguard
their data, protect customers and avoid costly incidents that will be
harmful for years to come.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160607/bdab6729/attachment.html>