BreachExchange mailing list archives

Cybersecurity is a Real Risk, So Become “Compromise Ready”
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 30 Apr 2015 18:57:36 -0600

http://www.jdsupra.com/legalnews/cybersecurity-is-a-real-risk-so-become-94828/

Many have heard that “it is not a matter of if a company will be attacked,
but when.” Statements like this used to be met with skepticism – companies
would say “we do not have information hackers want,” “we outsource our
security so we have no risk,” or “the IT department said it will never happen
to us.” Over the last few years, and after a litany of high-profile incidents,
however, there has been a noticeable shift in how companies assess their
cybersecurity risks, the steps they take to lessen the likelihood of an incident,
and how they prepare to respond if one occurs. There is no room for
doubt – cybersecurity is an issue that executive leadership teams and
Boards of Directors must address.

After working with companies to respond to over 750 potential incidents,
our advice to companies is to become and stay “compromise ready.” This is
easier said than done and involves finding the right mixture of the
following elements based on the company’s risk profile and appetite.
Companies should also consider how these activities can be conducted so
they are subject to the attorney-client privilege and work product
protection.

Risk & Security Assessments – If you do not know what sensitive personal
information and business data you have, where it resides, and who has
access, you cannot implement appropriate safeguards to protect it. When
facing a potential security incident, the inability to provide an accurate
network diagram and describe the company’s sensitive data flow will
complicate the forensic investigation. We often see companies (even large
companies with sophisticated IT/IS departments) not able to provide these
at the outset of an investigation.

Another good starting point is a security or compromise assessment. Unlike
a penetration test that looks for vulnerabilities that could be exploited,
in a compromise assessment a forensic investigation firm looks for
indicators of compromise to see if an attacker has already broken in. This
kind of assessment can provide a baseline level of confidence going forward
and identify gaps where companies can improve their security measures.

Some companies choose to start with fixing the biggest potential problem
areas first. Examples might include unencrypted portable devices, website
privacy policies, text messages sent for marketing purposes, call
recording, and data collection at the point-of-sale.

Technology – There are two important areas to focus on here—building
defense in depth to keep attackers out and detection capabilities to find
them quickly when they break in. Knowing where sensitive data resides and
confining it to a segmented environment makes it easier and less expensive
to deploy advanced security measures. But companies cannot rely on
technology to keep attackers out forever, so they have to get better at
detection. Mandiant’s annual security trends report has identified a median
time from break-in until detection of over 200 days. Improvement here can
make a big difference.

Incident Response Planning – A company cannot undo the fact that an
incident occurred, but it can be viewed as responding well by focusing
quickly on identifying what occurred, stopping it, communicating with
affected individuals and providing tailored mitigation services (i.e.,
credit monitoring is not always the right solution), and remediating to
prevent a recurrence. An incident response plan serves as the flexible
playbook to guide the incident response team when performing these tasks.
Part of building the plan should be identifying the law firm, forensic
firm, crisis communications firm, and other service providers the company
will work with. The plan should be practiced with the involvement of
external service providers through tabletop exercises using mock-breach
scenarios. Practice helps identify gaps and build the right instincts.

Personnel – Computer networks are set up, used, maintained, and monitored
by people. People make mistakes. Training and awareness will never
eradicate all risks, but they can limit preventable issues, identify
incidents sooner, and put the company in a better posture with regulators.

Third Party Service Providers – Companies should conduct due diligence
before engaging, negotiate for appropriate contractual protections (e.g.,
obligating the vendor to use appropriate safeguards, give notice of an
incident, and indemnify the company if an incident occurs), and exercise
oversight during the work. Regulators are looking closely at this area.

Threat Information Gathering – As companies implement defenses, attackers
change tactics. One of the most prevalent attack vectors now is phishing
and spear-phishing, which is why companies are starting to provide more
training to employees on phishing. Companies are also joining threat
sharing organizations.

Cyberliability Insurance – Talk to your broker to evaluate adding this
insurance or make sure your limits and coverage are appropriate.

Ongoing Diligence – Companies cannot do this all at once. The goal should
be to continuously get incrementally better. Having resources dedicated to
these efforts (e.g., CISO, CPO) and the right “tone from the top” are
important.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 