Recent major data breaches at Equifax and Deloitte are reminders of the dangers of failing to practice cybersecurity fundamentals. At Equifax, more than 143 million records were exposed, including names, addresses, Social Security numbers, and credit information. The Deloitte breach compromised hundreds of global clients' information.
Cybersecurity risk is not just an IT issue — it's a business and audit issue. Collectively, the advice information security and internal audit professionals provide to business leaders has never been more important. To partner in addressing today's cybersecurity challenges, audit and security leaders must start with a little common sense.
Take, for example, a homeowner. There are valuables in the home, so it's important that only trusted people have a copy of the house key. To be prudent, the homeowner should take an inventory of the items in the home and estimate their value so he or she knows how much needs protecting and ensures items are stored securely. The homeowner also should make sure the smoke detectors are working and set up a security monitoring service with video surveillance so he or she can be alerted and react quickly to a potential fire or break-in.
Organizations need to exercise the same principles when assessing the digital risk to customer, employee, and other company information. Auditors and security professionals should prioritize three fundamentals to help make an information security program more impactful and effective.
1. Improve Visibility
How can organizations protect what they can't see? Identifying the valuables, or assets, within an organization is probably the most foundational aspect of a security program, and yet it continues to be a pain point. Technical solutions can help, with the right support and funding, but asset management is a process and a discipline, not just a tool.
Knowing the organization's assets and their value will inform what gets monitored and how. Security monitoring solutions are improving, with richer analytics and machine-learning capabilities as well as more expansive integration. Organizations should monitor their environments around the clock. For small and mid-size organizations that lack in-house resources for such monitoring, partnering with a trusted third party or managed security service provider is an option.
Another fundamental aspect of improving visibility and monitoring is to proactively look for existing weaknesses or vulnerabilities and patch them. Failure to patch systems with the Apache Struts vulnerability led to the Equifax data breach. Because of incorrect exception handling in the framework, the vulnerability allowed command injection: an unauthorized user could gain privileged access to a web server and execute remote commands on it. This vulnerability could have been addressed by standardizing scanning and patch cycles and increasing their frequency.
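As an added example (not from the article), here is a small Python check that ties the two points above together, asset value from the inventory and a standardized patch cycle, by ranking overdue vulnerable systems from a scan result: the component name, version floor, SLA windows and inventory entries are all constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date

# Constructed for this example: the version floor, value tiers and SLAs are not
# from the article, which names no specific version, CVE or patch window.
MIN_PATCHED = {"apache-struts": "2.9.99"}           # placeholder patched version
PATCH_SLA_DAYS = {"high": 7, "medium": 30, "low": 90}  # days a finding may stay open
VALUE_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Asset:
    name: str
    value: str       # business value tier recorded in the asset inventory
    component: str   # software component reported by the scanner
    version: str
    detected: date   # date the scanner first flagged this version

def parse_version(v: str) -> tuple:
    """Turn '2.3.32' into (2, 3, 32) so that '2.10.0' sorts after '2.9.99'."""
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(asset: Asset) -> bool:
    """True when the installed version is below the patched floor for its component."""
    floor = MIN_PATCHED.get(asset.component)
    return floor is not None and parse_version(asset.version) < parse_version(floor)

def overdue_findings(assets, today: date):
    """[(asset name, days open)] for vulnerable assets past their SLA, ordered
    highest-value then longest-open, so the patch queue follows asset value."""
    by_name = {a.name: a for a in assets}
    findings = []
    for a in assets:
        if is_vulnerable(a):
            days_open = (today - a.detected).days
            if days_open > PATCH_SLA_DAYS[a.value]:
                findings.append((a.name, days_open))
    findings.sort(key=lambda f: (VALUE_RANK[by_name[f[0]].value], -f[1]))
    return findings

# Constructed inventory: names, versions and dates are made up for the example.
INVENTORY = [
    Asset("web-prod", "high", "apache-struts", "2.3.1", date(2017, 3, 10)),
    Asset("web-qa", "low", "apache-struts", "2.3.1", date(2017, 3, 10)),
    Asset("intranet", "medium", "apache-struts", "2.10.0", date(2017, 3, 10)),
    Asset("payroll", "high", "apache-struts", "2.9.99", date(2017, 3, 10)),
]

if __name__ == "__main__":
    for name, days in overdue_findings(INVENTORY, date(2017, 3, 30)):
        print(f"{name}: vulnerable {days} days, past its patch SLA")
```

Note that the low-value QA host is not reported until its longer window lapses, while the same finding on the high-value production host is overdue after a week; that difference is exactly what an asset inventory with value tiers buys the patch process.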
Security and audit teams can work together to ensure the right risks are being mitigated and help their business partners think about risk rather than simply checking off a compliance requirement. They also can partner on implementing a repeatable risk assessment process. This is no longer just a best practice or standard. It is now a matter of compliance with regulations such as the European Union General Data Protection Regulation and the New York Department of Financial Services cybersecurity regulation (23 NYCRR 500).
2. Improve Resiliency
Is the organization prepared to handle the inevitable and how well can it recover? Improving visibility and being notified of threats and incidents is great, but an inappropriate or untimely response can incur a much greater cost. The organization's ability to quickly diagnose, contain, and recover from a potential or actual data breach or privacy incident directly impacts business operations and the cost to the organization. A well-planned and tested incident response plan can reduce the overall impact and cost of the incident.
Rapid response is a must, as many global and U.S. state data breach notification laws set aggressive notification timelines. One way internal audit and information security functions can increase the speed of their investigations and response is by maintaining a good asset-management process.
Maintaining a state of preparedness is more than having a document or periodically testing the plan. It's about having a good team of people from the right areas of the organization. Security and audit teams can partner to ensure that the incident response plan has all the necessary elements in place and that it is being followed. Responding to a crisis requires people to work together in ways they normally do not, which requires building and maintaining good relationships.
3. Improve Sensitivity
Do the organization's employees and associates understand what is at stake with cybersecurity? Increasing sensitivity to cyber risks needs to be tied to personal relevance, because people respond better when it impacts them directly.
Recall the homeowner analogy. Some people get too comfortable within their neighborhood and become desensitized to the risk of home theft, to the point of forgetting to lock doors and windows. Or they may become too liberal about who has a copy of their house key and what they do with it. The same lapses have workplace equivalents, and employees should learn to recognize and respond to them.
Social engineering, including phishing simulations and physical security, must be a regular and primary aspect of cyber risk sensitivity training programs. Phishing attacks aimed at stealing user login credentials cause most reported data breaches. These types of attacks can be thwarted through more expansive use of multi-factor authentication, which combines something the person knows, such as a password or PIN, with something the person has, such as a token or smartphone. Technical controls can be effective, but they also must be accompanied by user education. As a training method, phishing simulations confirm what internal auditors and security professionals already know: There is never going to be a 0 percent click rate. However, they provide an opportunity to reiterate training content.
Practicing Security Basics
Shortly after the 2014 Sony hack, former President Barack Obama compared cybersecurity to a basketball game, "in the sense that there's no clear line between offense and defense. Things are going back and forth all the time." There is some truth to that.
In basketball, teams often lose because they overreact to a new play and forget the fundamentals. Coaches usually react by having teams practice basics such as passing, layups, and free throws. Similarly, organizations all have various priorities, and many of them are competing. Sometimes when it appears organizations are getting beaten by cyber risks, they need to revisit the fundamentals such as visibility, resiliency, and sensitivity. Auditors can partner with chief information security officers in this effort to ensure that the program is taking a balanced, risk-based, and business-oriented approach.