Last month's disclosure of Heartbleed, a major internet security vulnerability affecting companies from enterprise storage vendor Box to the Royal Opera House, is stark reminder of the regularity with which wide spread security problems are uncovered.
Once publicly revealed, a race begins between companies to patch their systems, and hackers who seek to exploit any unpatched networks. To keep up in this race, organisations must respond to such announcements and ensure they do not become the slow footed animal that makes easy prey for attackers.
For this reason, preparation for incident response is a key factor in minimising risk. Nevertheless, many organisations are still not taking appropriate steps to counter such threats. Companies must regularly review their risk profile and keep current a plan for how to respond to such incidents. One part of this preparation is a programme of regular cyber security audits, sometimes referred to as a cyber health check. In common with a financial audit but not necessarily as all-encompassing, the security audit should be supported by external experts with the appropriate level of knowledge and insight, alongside key individuals from within the organisation. The audit will allow a risk-based review of the effectiveness of information systems and suggest remedial steps to improve overall security against a backdrop of rapidly-changing cyber threats.
The review must be tailored to the organisation and its risk landscape, with the first step of an audit focusing on reviewing existing controls and procedures. Most organisations already have firewalls, password policies, encrypted data protocols and restricted access controls in place to counter potential cyber threats, alongside policies governing mobile devices, cloud storage and data sharing. But when were these last reviewed, let alone put to the test? Similarly, most organisations aim to be current with security patrols and responses to newly discovered vulnerabilities, but in practice many IT departments are understaffed and unable to keep up with the constantly changing threat and scope.
The use of bring-your-own-device (BYOD) and personal online accounts have become increasingly prevalent. This creates additional opportunities for hackers and given the variety of devices on offer, makes the IT department's security mission that much harder to accomplish. Any internal review should, therefore, establish everyday working practices, including the use of personal smartphones and data storage for work-related tasks.
When assessing such risks, it is important to also review the use of other portable devices, as the accidental loss of an unencrypted laptop or disk drive could have serious financial and reputational impact. The security audit must, therefore, include a focus on the human element. From staff inadvertently activating viruses or malware by clicking on links in emails, to malicious insiders, perhaps motivated by the prospect of financial gain or revenge, firms need a thorough understanding of all such threats and a plan to combat them. As an example, staff must recognise the risk posed by phishing emails and know how to report such incidents.
While the vast majority may hit the Delete button upon receiving a suspicious email, only one unwitting member of staff needs to fall for a scam before security has been breached. Such attempts at obtaining information are commonplace and may introduce a virus, activate malware to log keystrokes, copy emails, or even record phone conversations. Processes to report all cyber security incidents to a designated team must be implemented to allow threats to be dealt with immediately.
In addition to taking steps to avoid a breach, companies must also prepare a response plan in case a breach happens. The plan should include a clear chain of command, a process of escalating news of a potential breach or new vulnerability, and a team including inside and outside experts to respond rapidly in case of an incident. Companies that lack a plan for response waste valuable time figuring out how to respond to vulnerability or a breach – allowing them to become or remain easy prey for the hackers.
The nature of corporate risks are changing, with recent cyber incidents reinforcing the heightened financial and reputational costs facing organisations targeted by cyber criminals. Stakeholders are increasingly looking to senior executives for reassurance that such threats have been assessed and that appropriate plans have been put in place in the event of an incident.
Seth Berman is executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company