Cybersecurity still isn’t getting the respect it deserves. Despite an increasing number of data breaches, including the recent Equifax breach which exposed sensitive information such as names, birth dates, social security numbers, driver’s license information and credit card numbers of millions of consumers, many organizations have yet to embrace privacy and security as core values. Now is not the time to point fingers but rather to consider it a wake-up call to take proactive action.
Even though the Equifax incident is the largest known hack this year, there have been over 1,000 reported data breaches in 2017 thus far, according to an Identity Theft Resource Center report—a jump of 23% over 2016 levels and an increase of 29% in just the first half of the year. The 12 million records exposed in the 791 breaches that took place during the first half of the year are just the tip of the iceberg.
With the average cost of a data breach at a record high of $7.35M and an average of 55 days to contain a breach, according to the 2017 Cost of a Data Breach Report, it’s never been more important for organizations to prioritize security over convenience and implement a proactive program to protect their data, especially the sensitive personal data of their customers and clients.
In the case of Equifax, a large part of the credit reporting bureau’s business is to maintain consumer records that businesses use to make credit decisions based on their credit and spending history. This presents a huge opportunity for financially-motivated criminal organizations to cause some serious damage, including:
- Selling consumer data
- Tampering with consumer credit reports
- Opening new accounts
- Conducting unauthorized financial transactions
In addition, state-sponsored threat actors can use this data to continue to build target profiles for espionage activities.
While only one in a series of high-profile cybersecurity breaches, this latest incident serves as a reminder of the importance of integrating cyberrisk considerations properly into an overall enterprise risk management approach. Organizations are continually concerned about their overall cyber posture, as indicated in Grant Thornton’s 2017 CFO survey, in which 72% of financial institutions ranked cyber as a key area of risk for their organizations, as well as an urgent area of investment.
What caused the incident?
Information about the event itself is still being investigated; however, Equifax has disclosed that the incident was caused by an application security vulnerability that had been previously disclosed in Apache Struts2. Leveraging this vulnerability, attackers were able to obtain a trove of personal data on 143 million U.S. consumers. The amount of personal information leaked has put virtually every organization and concerned individual on notice to maintain a heightened level of alert and awareness of fraudulent activity.
This event continues to shine a light on the importance of focusing on the protection of assets most critical to the organization. By taking an “asset-centric” approach to cyberrisk management, organizations will be better positioned to protect their most critical information and assets from nefarious exposure.
Building a resilient cyberrisk program
Organizations continually have to make decisions about how to allocate resources and focus to protect their assets, and this holds true for managing and mitigating cyberrisk as well. Recent studies have found that 60% of all breaches involved web applications, such as Apache Struts, while organizations take an average of over 12 weeks to apply security patches. The timeliness and completeness of basic cyber hygiene functions such as patch management can vary greatly between organizations; however, issues such as governance between patch and vulnerability management functions, a lack of business involvement in vulnerability risk acceptance, and legacy technology environments with cumbersome patching processes can be drivers of this risk exposure. An “asset-centric” cyberrisk management approach can provide clarity and focus in the area of basic cyber hygiene to limit the probability of similar occurrences within their organizations.
For organizations to take a more “asset-centric approach” to cyberrisk management, we recommend the following:
Understand your most critical data that needs to be protected - Map business processes, stakeholders and data systems. Organizations focused on cyberrisk need to adopt a full-stack view of assets, consisting of full mapping of business processes, the potential users and related technologies. You need to weigh your cyberrisk by conducting risk assessment against the assets that are important to your operations, customers, and workforce members. Only then is it possible to identify potential risks, consider those risks against risk appetite, and implement controls accordingly. Where risk is elevated, controls need to be higher.
Establish an agile vulnerability management program – Vulnerability management programs enable organizations to identify potential security vulnerabilities and determine proper remediation strategies based on asset criticality and potential business exposure. Vulnerability assessments should occur on a more agile cadence, driven by the changing threat landscape, and remediation actions should be taken promptly. Maintaining consistent secure configuration baselines and an accurate asset inventory will help. Vulnerability management should not be an operation solely driven by Information Security; it should be embedded in day-to-day IT operations and application development.
Apply security patches in a timely manner - Ensuring that vendor security patches are applied in a timely manner can help safeguard against malicious attacks using known vulnerabilities. Equifax has disclosed that a vulnerability in Apache Struts2 (CVE-2017-9805) led to the security breach. Focusing on having well-vetted processes for patching systems that house critical information can serve as a bedrock to a sound and foundational cybersecurity program.
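The vulnerability management and patching recommendations above can be reduced to a small triage routine. The following Python script is an added example, not code from the article or from Grant Thornton. The asset inventory, remediation deadlines, CVSS scores and dates are constructed sample data; CVE-2017-9805 is the Struts2 identifier the article cites, and the other CVE identifiers are placeholders. The script ranks unpatched findings by the criticality and exposure of the asset they sit on, rather than by CVSS alone, and flags any finding whose age exceeds the remediation deadline assumed for that criticality tier.

```python
"""Asset-centric vulnerability triage (constructed example, not the article's code)."""
from dataclasses import dataclass
from datetime import date

# Constructed asset inventory: each system is tied to the business process it
# supports and given a criticality tier, which is what an asset-centric view needs.
ASSETS = {
    "web-dispute-portal": {"process": "consumer dispute intake",
                           "criticality": "critical", "internet_facing": True},
    "batch-credit-scoring": {"process": "credit decisioning",
                             "criticality": "high", "internet_facing": False},
    "hr-intranet": {"process": "employee self-service",
                    "criticality": "low", "internet_facing": False},
}

# Assumed policy values: days allowed from vendor advisory to patch, per tier.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    asset: str
    cve: str
    component: str
    cvss: float          # base score from the advisory (sample values here)
    advisory_date: date  # date a vendor fix became available (sample values here)
    patched: bool


# Constructed scan results. Only the Struts2 CVE is taken from the article;
# CVE-EXAMPLE-* are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("web-dispute-portal", "CVE-2017-9805", "Apache Struts2", 8.1, date(2017, 9, 5), False),
    Finding("batch-credit-scoring", "CVE-EXAMPLE-0001", "placeholder-lib", 7.5, date(2017, 9, 20), False),
    Finding("hr-intranet", "CVE-EXAMPLE-0002", "placeholder-cms", 9.8, date(2017, 9, 1), False),
    Finding("hr-intranet", "CVE-EXAMPLE-0003", "placeholder-db", 6.5, date(2017, 8, 1), True),
]


def priority(finding: Finding, assets: dict) -> float:
    """Business-exposure score: CVSS scaled by asset criticality and reachability."""
    asset = assets[finding.asset]
    score = finding.cvss * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        score *= 1.5  # assumed multiplier for externally reachable systems
    return score


def triage(findings: list, assets: dict, today: date) -> list:
    """Return unpatched findings, highest business exposure first, with SLA status."""
    rows = []
    for f in findings:
        if f.patched:
            continue  # closed findings do not need remediation tracking
        asset = assets[f.asset]
        days_open = (today - f.advisory_date).days
        sla = PATCH_SLA_DAYS[asset["criticality"]]
        rows.append({
            "asset": f.asset,
            "process": asset["process"],
            "cve": f.cve,
            "component": f.component,
            "priority": round(priority(f, assets), 1),
            "days_open": days_open,
            "sla_days": sla,
            "overdue": days_open > sla,
        })
    # Highest exposure first; among equals, the one open longest.
    rows.sort(key=lambda r: (-r["priority"], -r["days_open"]))
    return rows


def overdue_by_process(rows: list) -> dict:
    """Count overdue findings per business process, the view a risk owner needs."""
    counts = {}
    for r in rows:
        if r["overdue"]:
            counts[r["process"]] = counts.get(r["process"], 0) + 1
    return counts


if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS, ASSETS, date(2017, 9, 28))
    for r in report:
        flag = "OVERDUE" if r["overdue"] else "within SLA"
        print(f'{r["priority"]:6.1f}  {r["asset"]:22} {r["cve"]:18} '
              f'{r["days_open"]:3}d open / {r["sla_days"]:2}d SLA  {flag}')
    print("overdue per process:", overdue_by_process(report))
```

The ordering is the asset-centric point: the placeholder finding with the highest CVSS sits on a low-criticality intranet system and ranks last, while the Struts2 finding on the internet-facing, critical portal ranks first and is already overdue against its seven-day deadline. The per-process overdue count is the figure a patch governance function would report to the business owners who accept or reject that risk.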
Have in place a fully-tested response strategy – You need to be prepared to adequately identify a potential breach, then quickly coordinate resources and invoke the necessary processes to contain and mitigate effects of the breach. A great incident response program includes the following components:
Align, integrate and measure. It is vital to bring together operational and financial leaders with risk leaders, and align and integrate their goals, objectives, compliance demands and stakeholder expectations. This will require operational processes to be meshed with cyber controls — with a special focus on where the business is most sensitive. And all this must be overlaid with a system of measurement and metrics, so that leaders always can assess the threat outlook, have options to dial up controls and further enact a digital strategy. The following figure demonstrates this approach:
Clearly defined roles and responsibilities within your team. Have all stakeholders been identified and trained on their responsibilities in the event of a cyber incident or breach?
Technology. What information security detection, alerting and mitigating technology solutions are in use?
Reporting. Has the organization identified all of its obligations related to reporting an incident? Legal? Regulatory? Contractual? To shareholders?
The key to managing threats isn’t necessarily greater investment or even manpower. Instead, it takes the imagination of a criminal — seeing your own enterprise as they would see it. Wherever you are most sensitive is the most likely target of future cyber threats. What is most valuable to you is also most valuable to someone who wants to hurt you.
For more information take a look at our AIM for cyberrisk
Principal and National Managing Partner
+1 703 847 7580
+1 703 637 4071