Speaking at the Worldwide Cybersecurity Summit on 1st June 2011, Sir Michael Rake, chairman of the BT group, expressed the view that awareness of cyber crime and the necessity of protecting corporate and personal data are not as highly prioritised at board level as they should be. In parallel, governments around the world are looking to strengthen oversight and enforcement, and business leaders are now focusing on enterprise risk management as a strategic business driver.
Compliance in silos
Governance and risk management are familiar topics in the board room. It is therefore surprising that companies always feel under pressure to meet compliance deadlines of one type or another and often panic to implement solutions they believe will address the most visible, urgent or potentially costly-to-ignore regulation looming on the horizon, without even putting this into the context of the existing enterprise risk management framework. Many businesses are now on their second or third cycle of trying to automate processes related to compliance with specific policies, industry standards and government regulations. With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, Sarbanes-Oxley and others. Although these businesses have achieved some successes with their initial projects, much of the success has been short lived, and costly. Suppliers of such solutions are often guilty of perpetuating this vicious circle by describing their offering as the next 'silver bullet', and such solutions become expensive to maintain and impossible to integrate or scale. More specifically, investment in information security gets more and more difficult to secure as sustainability cannot be demonstrated to the board. And then you get the next high profile data breach...
Challenges of globalisation
In our increasingly globalised world economy, competition is intense and threats have a worldwide impact. Good corporate governance can make a difference to how companies are viewed.
Compliance is about providing evidence that controls are in place and is a tactical exercise to ensure business continuity. However, it is not inherently risk aware, nor is it economically sensitive. Too much emphasis on compliance can actually increase risk by giving people a false sense of security. Risk management can be defined as the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor and control the probability and/or impact of unfortunate events. By connecting control – and therefore compliance – to risk, businesses can achieve major improvements in their enterprise risk management initiative.
In order to fight cyber crime, organisations therefore have to find a way of connecting risk management – already understood in the board room – with information security controls in order to improve their security posture according to their risk appetite.
Many will have realised that the recent high profile attacks were by no means sophisticated. On a wider basis, only 4 per cent of breaches assessed in the Verizon Business Data Breach Investigation Report 2011 (DBIR 2011) required difficult and expensive protective measures. Indeed, I find it sad that in 2011 we are still vulnerable to SQL injection, lack of password management and less than adequate management of logs, to name but a few. Unfortunately, businesses and consumers tend to get complacent when a data breach doesn't directly impact them. The well quoted Verizon DBIR 2011 highlighted that malware - software or code developed or used for the purpose of compromising or harming information assets without the owner's informed consent - represented 80 per cent of all data lost in 2010, and within that case load, 81 per cent was performed via SQL injection. We wished them a happy 10th birthday last year, so SQL injection attacks are not new territory and prevention is well understood.
Similarly, hacking - attempts to intentionally access or harm information assets without (or in excess of) authorisation by thwarting logical security mechanisms - represented 89 per cent of records stolen and 76 per cent of these were due to lax password management and authentication procedures.
Imagine what could be achieved if everyone closed down these two basic vulnerabilities? The Verizon DBIR 2011 further claimed that 87 per cent of attacks could be prevented using simple, proactive measures.
Threat and scenario modelling
There is much to learn from companies that have already started to implement comprehensive risk management strategies. One such lesson is that substantial benefits can be derived from threat or scenario modelling. Answering a few questions and acting to reduce risk will simplify an organisation's ability to protect itself and may even save the cost of doing so. As an example, the following questions relate to information that has been classified as critical:
· Are my employees taking information outside of the organisation? How can they do this?
· Can I limit access to this information to only those who need it?
· What types of attackers would be interested in infiltrating my systems? What would they seek? Why?
· If any web server was compromised, how difficult would it be for an attacker to work their way to the systems containing this information? How easy would it be to take this information out?
· How quickly would I know this has happened? How quickly can I stop it?
· How quickly do I need to respond to the market?
Unfortunately, threat/scenario modelling is only practised by a few organisations and I hope that it will become more common in the months and years to come. In addition, businesses will also find that their highest risk areas will most probably already be subject to existing rules and regulations. Invariably, compliance will become a by-product of risk management.
Protecting your customers
Increasingly, I am being asked by my customers to help with their customers' awareness of the threats that we are all trying to fight. In the UK, when card holder information is compromised, consumers are well protected by the current legislation and regulations, and they are all aware of this. However, when their identity gets stolen, it's a whole different and personal matter: they will immediately hold their service providers accountable for the personal information that has been entrusted to them and they have immediate power to communicate their views through all the social networks they belong to.
Consumers will demand that organisations protect their personal data, so businesses will more easily come to understand and appreciate the long-term business value of information protection rather than viewing it only in terms of compliance. To gain understanding and trust, businesses must move away from compliance to promote how they safeguard the personal information of their customers so investment in information security is driven by business reality. They must also help customers understand how they can help themselves in this process.
In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise's risk appetite and tolerance thresholds. Companies must therefore attempt to quantify, control and mitigate risks that previously were not even considered.
Lesson 1. Understand your risk profile
A lot of progress has been made in mapping regulations (e.g. Data Protection) to risk management standards, e.g. ISO 27001, and data security controls, e.g. PCI DSS, to establish standards and best practices for mapping regulations to standard controls. Threat scenario modelling and information asset risk categorisation are good tools to use in this space. IT and operational controls based on compliance requirements alone are no longer sufficient and businesses must look at their people, their processes as well as the technologies that can help them.
Lesson 2. Make risk management your objective, compliance will come naturally
I have always believed that PCI DSS represents a good set of basic information security controls that can be used in the wider information security space (i.e. not just card holder information). I also believe that PCI DSS brings a quantitative dimension to qualitative frameworks such as ISO 27001. If businesses limit their focus to compliance alone instead of the broader risk management picture, they are likely to make the same (expensive) mistakes time and time again and, as a result, find themselves reacting to crises.
Lesson 3. Avoid quick fixes and silos
Companies that have successful risk management strategies have replaced quick-fix discrete compliance initiatives with solutions that facilitate the handling of short-term needs while providing a foundation for an integrated long-term solution that is flexible enough to support multiple regulations and new functionalities. I firmly believe that this can only be successful by 1) taking it one step at a time and 2) automating using solutions that are able to support the predefined mapping of multiple regulations. I classify such solutions in the broad category of Governance, Risk and Compliance (GRC) tools.
Lesson 4. Automate
The major source of failure of information security initiatives is the inability of organisations to move activities into a business-as-usual operational framework. Businesses should look for GRC solutions that are easy to deploy, require no customisation and are simple to upgrade. By taking such an approach, organisations will be able to extend the same automated, risk-based approach beyond PCI DSS to other regulations, including the Data Protection Act, Sarbanes-Oxley and other privacy requirements. The new GRC solutions can help businesses move from reactive to proactive compliance that is based on real, as opposed to theoretical, threats. A beneficial side effect is that compliance will be achieved in a much more cost-effective and efficient way, giving a much stronger competitive position in our increasingly regulated environment.
Lesson 5. Educate
I have always been an advocate of education and awareness in this field, and organisations will have to ensure that training and education of their own staff and customers are firmly on the agenda, alongside the implementation of sound security policies and practices. As we have seen earlier in this article, a lot could be achieved by using simple proactive measures. However, it is true that more collaboration across industry and government as a whole is needed in this space.
From compliance to risk management
I believe that good governance benefits small and large companies alike as the principles of effective governance remain the same as companies get bigger. It is true, however, that smaller organisations may have difficulties implementing some of the practices presented earlier because of their size and economic status. For these reasons, smaller companies may need more time and additional resources, including education and training, to make meaningful advances in effective corporate governance. It is, however, in their self-interest to begin to do so and we at Barclaycard are committed to providing help and advice.
Finally, the 2011 Verizon DBIR concluded that being prepared remains the best defence against security breaches. For the most part, as we have seen, organisations still remain slow in detecting and responding to incidents. Nearly two-thirds of breaches continue to be uncovered by external parties and then only after a considerable amount of time. As an example, we know that most organisations that have suffered a breach will have evidence of it in their security logs, but these often get overlooked due to a lack of staff, tools or processes.
My final advice: don't spend £100 protecting a £1 asset, know your risk, fix the basics first, and be prepared!