Given the daily deluge of cyber threat reports, cybersecurity awareness continues to increase among senior executives and audit committees. As organizations implement more practical response strategies, they are becoming more focused on crisis management and response planning, security approach, and disaster recovery.
In the Ponemon Institute's 2012 report, Aftermath of a Data Security Breach Study (PDF), 63 percent of IT professionals who responded to the global survey said their senior leadership viewed privacy and data protection as a greater priority after a breach occurred in their organizations (see the "Picking Up the Pieces" sidebar). In respondent organizations, sensitive data was not encrypted, and both data breach response strategies and privacy and data protection practices needed improvement. Since the survey was published, organizations have strengthened their cybersecurity posture by applying an organizationwide response to security breaches rather than an IT-only response. Acting in a consulting role, internal auditors can help their organization's executives and business-unit leaders understand what is involved in developing such an organizationwide response.
Crisis Management and Response Planning
This shift to a more organizationwide response to cybersecurity incidents is reflected in a 2014 PricewaterhouseCoopers (PwC) report, Cybersecurity Crisis Management: A Bold Approach to a Shadowy Nemesis (PDF), which suggests organizations adopt a new philosophy of incident response aimed at bringing order to chaos. The report notes that a fiscally viable, coordinated response could mean the difference between cyber breach and cyber peace. Moreover, a well-thought-out solution can help ensure the organization's long-term survival as it manages a data breach situation.
The PwC report discusses an eight-phase approach to a structured and orderly cyber crisis response:
- Implementing an information security program.
- Cyber event detected.
- Incident response.
- Internal investigation.
- Third-party forensic investigation.
- Contacting law enforcement.
- Customer notification.
- Containment and remediation plan.
Picking Up the Pieces
IT respondents to the Ponemon Institute's 2012 study of the aftermath of a data breach indicated:
- They have more confidence than senior leadership that they can secure customer data from future security breaches.
- Training and awareness programs and enforcing security policies should be a priority for organizations.
- Their organizations have increased IT security budgets as privacy and data protection have become a greater priority for senior leadership.
- Identity theft would result from stolen customer data.
- Their organization should limit the quantity of customers' personally identifiable data it collects and what it shares with third parties.
- Their organization should reduce the negative consequences of a data breach by hiring legal counsel, assessing the harm to victims, and employing forensic experts.
The report points out that a key element of an organization's overall cyber crisis response strategy must include a good communication plan that incorporates an integrated public relations strategy. This communication should be decisive and occur through various channels.
A new Accenture study, The Cyber Security Leap: From Laggard to Leader (PDF), compares companies that have taken a security leap forward to companies that remain somewhat stagnant in their security practices. Researchers at Accenture interviewed senior IT leaders and tracked the security effectiveness progress of 247 companies that are benchmarked in the Ponemon Institute's database.
The study observes that a sound security strategy is a clear priority for more forward-thinking organizations, defined as those that increased their security effectiveness by at least 25 percent over a two-year period. Sixty-eight percent of survey respondents have significantly changed their approach to security management in recent years. These changes include creating a chief information security officer (CISO) role, allocating a dedicated security budget, and substantially expanding the security team. Forward-thinking companies also align their security strategy with their overall business objectives to improve security across strategy, technology, and governance. The study notes that by implementing these security best practices, organizations improved their security effectiveness by 53 percent.
Accenture says organizations also can make cybersecurity a competitive advantage by:
- Eliminating security silos.
- Evolving the C-suite into security champions.
- Embracing innovative solutions.
- Streamlining their IT security infrastructure.
- Creating greater visibility into security processes.
Disaster Recovery Planning
Disaster recovery planning focuses on business impact scenarios, risk management, and response and recovery from business disruptions. For a long time, organizations' disaster recovery planning efforts focused on business impacts from natural or physical disasters. More recently, they incorporated potential terrorist activities into business impact scenarios. Now those scenarios should include cyber threats, as well.
This is a natural progression of threats over time. Crisis management and response planning are really elements of disaster recovery planning. Because disaster recovery planning for most organizations is already an enterprise-level activity, it is more efficient to incorporate cybersecurity into this established process than to build a separate one.
Organizations are implementing several strategies to manage cybersecurity threats. Besides the ones discussed previously, others include:
- Incorporating the cybersecurity strategy into the organization's enterprise risk management (ERM) process.
- Establishing a structured, well-thought-out, crisis management strategy.
- Regularly updating the board on the organization's information security posture and current cybersecurity landscape.
- Incorporating into disaster recovery planning cybersecurity scenarios that disrupt the organization's business, including effects on reputation, loss of data, and loss of business.
- Having the CISO report directly to the board.
- Creating standard question-and-answer documents for customer organizations that inquire about the organization's data security and privacy practices, such as data encryption, two-factor authentication, and data loss prevention processes.
As the cybersecurity threat landscape evolves and as organizations improve their approach to managing these threats, internal audit can play an active role in helping the organization address these issues. Many organizations see cybersecurity as a new threat and create new processes to mitigate the new risk. However, internal audit could instead suggest incorporating the new risk mitigation strategies into existing enterprisewide processes such as ERM and disaster recovery planning efforts. These long-standing processes typically have well-designed methodologies that provide a cost-effective means to manage cyber threats.