Many organisations take months, if not years, to spot the leakage of confidential information from their computer systems. Attackers and defenders alike refer to this as 'exfiltration'.
Operators of 'advanced persistent threats' (APTs) choose their target organisations carefully, according to the market value of the information they hold. These attackers can spend months planning a campaign: finding an undetected way in, a safe route to the valuable information, and a hard-to-detect method of sending it to the outside world.
How badly would such an attack harm your organisation? Your answer needs to incorporate financial penalties resulting from breaching data privacy regulations or from lawsuits, compensation costs, the costs of repairing your broken applications, the cost of new preventative measures and any financial consequences resulting from damage to your reputation.
Some organisations wouldn't have a clue how to answer such a question. They don't know enough about the value of the different kinds of information they hold and they don't understand the risks they face. Sometimes, the lines of communication are poor between the CIO (or CISO) and the rest of the executive management team with the result that the threats and potential consequences are poorly understood and security funding gets withheld.
Enlightened organisations share all the information they can with those responsible for security so that proper assessments can be made and the necessary tough decisions made, based on a realistic balancing of risks and costs. All departments are involved, including HR and legal, and organisational security is supported (or maybe even led) by the CEO.
Assessing information asset values
Assuming the whole executive management team is willing to collaborate on a security review, they first need to assess the value of the various types of information they hold. Different departments may hold different views. The Open Web Application Security Project (OWASP), a handy source of security information, suggests that you consider personal information, for example, from four value perspectives:
• The organisation: as an operational asset
• The individual: to whom it relates
• Other parties: for legitimate or improper use
• Society: as determined by regulators and other groups
In the case of an APT, the value of most information as an operational asset is less important, because exfiltration copies the data: it remains in place, uncorrupted and available, while it is being stolen. The exception is information whose leak changes what an attacker can do next. If the leak is of, say, user login details, the impact on the organisation can be serious, because stolen credentials give the attacker (or whoever they sell them to) continuing access that is hard to distinguish from legitimate use until every affected credential has been reset.
The value to an individual will vary according to what sort of information is leaked about them. They are likely to be less concerned about a leak of their purchase history than their credit card credentials, medical history or legal case matter, for example.
The value to other parties follows a similar pattern, but this is the perspective that most directly determines your level of risk: information that an attacker can monetise, or that a competitor or hostile state can exploit, is what justifies the investment an APT campaign requires.
The societal value is more to do with what the regulators determine is worth protecting and what fines and compensations they will demand in the event of a breach.
The most important thing is that the executive team assesses all the different kinds of sensitive information stored – intellectual property and other confidential information on products, partners, customers, employees and so on – and considers its value from all affected perspectives. Only then are they in a position to weigh up which security measures to fund and which risks to knowingly accept. PWC's Global State of Information Security Survey 2015 report notes that, at most, 42% of boards of directors involve themselves in security matters. Without such involvement, it's impossible for the CISO or CIO to do an effective job.
The cost of a breach doesn't simply relate to the inherent value of the information being stolen. It is magnified by other considerations such as loss of reputation and trust, lawsuits and regulatory fines.
The publicity surrounding a breach could result in a loss of business and share value, although customers seem to have fairly short memories when it comes to this sort of thing. Has your attitude to dealing with T.J.Maxx, Adobe, eBay and Staples changed since their well-publicised hacks?
Target Corporation in the USA is a well-documented example of how a company could be affected by a serious information leak. It was hit during the run up to Christmas in 2013. 40 million credit card details were exfiltrated plus 70 million personal information records, probably with some overlap.
Preliminary approval has just been given by the court for a compensation fund of $10m with a final ruling due in November. Victims have to prove they've suffered financial loss and they will be able to claim up to $10,000. Once all the proven claims have been paid out, the remaining fund will be split evenly among the remaining claimants.
This is small beer compared to what the breach has cost the company so far. Its SEC 10-K filing says, "As of January 31, 2015 we have incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million." But let's put this in perspective. Last year's turnover for the company was $72,618m, so the $252m hit to date represents roughly 0.35 percent of revenue. The company is still working on settlements with the credit card companies and will, presumably, be fined by the regulators as well.
Both share prices and revenue were affected by the breach, but the company appears to be trading healthily with no serious long-term effects. It was a different story for the CEO and the CIO; they both lost their jobs.
What drives your security choices?
Perhaps this is a trick question, but it's worth asking. Is your approach to security proactive, reactive, compliance-driven or asset-driven? Proactive security is about doing as much as is reasonable to prevent a breach. Reactive security is about dealing with a breach once it has happened. Compliance-driven security is about meeting regulatory and standards requirements. Asset-driven security organises protection around the system assets – applications, networks, servers and so on. You will almost certainly need a blend of these approaches, but too much emphasis on any one of them weakens your overall security posture. Against an APT, proactive measures are essential, probably in combination with an asset-driven approach. A purely reactive approach is too little, too late: by the time the breach is detected, the data has been gone for months. With the compliance approach, you need only ask how current a regulation or standard is by the time it is published; the requirements lag the threat, so meeting them sets a floor, not a ceiling. Responsibility for protecting the business lies with you and your executive management team.
What is your level of risk?
One way to find out is to seek cyber-security insurance. If the premiums quoted are astronomical, then you're at risk. A more sensible approach is to read some of the business sector security reports. But, at heart, the important thing is to consider the value of your sensitive information to outsiders and balance that against the likelihood of attack. For APTs in particular, the two are closely linked: because such a campaign is expensive to mount, the likelihood that you are targeted tracks the value of your information to the attacker.
The online version of the PWC report mentioned earlier (http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml) allows you to analyse your risk by organisation type, geographical location and turnover. For example, in Europe, among industrial manufacturing companies of all sizes, employees are the most likely source of a security incident, closely followed by hackers. You might find it a useful tool for assessing risk.
Bear in mind that, even if your own staff are fully trained and utterly resistant to plugging in thumbdrives of unknown provenance or clicking links in emails, you can't be sure that your business chain partners are similarly wise. It takes only one click to start the ball rolling, and the attacker will certainly know where to find that weak link. An air conditioning, heating and refrigeration supplier was the primary entry point for the Target Corporation attack mentioned earlier. The second weak point was Target's own point-of-sale software, which had been modified without full consideration of the security risks.
It should be very clear by now that risk assessment requires teamwork and leadership at a high level.
A business opportunity?
Instead of looking at security as an unwelcome expense, can you see it as a business opportunity? Leaving the recent Hatton Garden raid to one side, you would entrust your valuables to a safety deposit box company because you know that their protections are far greater than anything you could manage yourself. They don't see the cost of locks and alarms as an unwelcome expense; those protections are the heart of their business.
Could you use your own security posture to reassure customers and business partners that you can be trusted? If you can make a credible, defensible claim to be secure, prospects may be more inclined to become customers, and existing customers less inclined to leave. You might also lower customer churn.
If the 'breach notification' provisions of the proposed EU General Data Protection Regulation are adopted then, by 2017, all organisations will be obliged to report security breaches involving EU citizens' personal information – ideally within 24 hours, although this may change. It provides another good motive for the executive suite to take security seriously.
The bottom line
Boards need to understand that security is not just about preventing intrusion – a sufficiently determined attacker will still find a way in. It's also about monitoring systems, detecting anomalies (the exfiltration itself leaves traces in outbound traffic that nobody sees unless someone is looking) and doing something about them. And it's about working with partners in the supply chain to maximise security for all.
You know masses about the specific security measures – human (especially) as well as software. The most important thing is to make sure that your company executives understand the issues and are willing to become active accomplices in setting your security priorities.