"Information is a significant component of most organizations' competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated." - Institute of Internal Auditors.
Cybersecurity is top of mind for a lot of people this week, not least the 143 million Americans affected by the massive Equifax breach of their personal information. As a company that sells software and services to risk managers, cybersecurity is certainly something we take very seriously. Yet the relentless, successful assault on global networks, both public and private, cannot help but raise the question of how widely shared those concerns really are.
In many instances, managing risk, including cyber risk, is simply the discipline and process of taking action. What procedures could you implement, or actions could you take, to reduce your company's exposure to cyber risk? There are only a few key questions you must answer:
1. Who in your organization is responsible for information security?
Many people assume information security is an IT responsibility. James Scott, Senior Fellow, Institute for Critical Infrastructure Technology, said, "It's time for a cybersecurity zeitgeist in the West where cyber hygiene is a meme that is aggressively distributed by those who have mastered it and encouraged to be imitated by those who have experienced it." Good cybersecurity practices, or "hygiene," have become everyone's responsibility as the world, our businesses and our private lives grow increasingly interconnected. The inescapable fact is there is no other option.
2. Is there a process in place and is it enforced?
Consider this comparison: A company policy that requires vendors and tenants to provide evidence of insurance does no good if the Risk Management, Compliance and Legal departments don't have a process in place, and the discipline required, to enforce it. It's the routine of continuously requesting certificates of insurance (COIs) and correcting deficiencies that ensures risk transfer, not the company policy itself.
Renowned and reformed hacker Kevin Mitnick said, "Enacting policies and procedures simply won't suffice. Even with oversight, the policies and procedures may not be effective - my access to Motorola, Nokia, AT&T, and Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully."
Just as all it takes to suffer a significant financial loss is an uninsured vendor sustaining an injury on your property, all it takes for a hacker to reach sensitive information is for you or a colleague to engage with a phishing email or to protect that information with a weak, guessable password.
3. Who has access to your company's sensitive data?
One of the key principles of cybersecurity is to keep accurate and current inventories of things like IT assets, user accounts, access rights and permissions. Collectively, the systems, accounts and privileges an attacker could reach make up what is commonly referred to as the attack surface, and those inventories are how you enumerate it. A good cybersecurity program will first identify the entire attack surface and then shrink it as much as possible using available resources, without impeding business objectives.
In our work with contractual insurance compliance we need answers to three essential questions:
If you can't answer the questions above, it's going to be difficult to answer the question of who has access to your company's sensitive data, because that question must extend beyond your own employees. Consider the 2013 Target data breach, which stemmed from network credentials held by an HVAC vendor. Or the more recent Australian Red Cross Blood Service breach, which exposed the records of roughly half a million prospective blood donors: not a malicious attack, but a mistake by the vendor that managed the organization's website.
All vendors, but especially professional service vendors, should be scrutinized frequently and carefully if they have access to your network or sensitive data. In the same way a certificate of insurance (COI) is a snapshot in time of insurance coverage, a one-time self-attestation by a professional services vendor that it follows information security best practices probably isn't enough to manage that risk for the lifetime of the relationship.
Expiration dates for policies on a COI encourage verification of coverage at regular intervals, but what are you doing after your initial vetting process to ensure vendors with access to sensitive data practice good cyber hygiene or have an acceptable information security posture?
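The inventory-and-shrink principle from question 3, and the point that a vendor's security attestation, like a COI, needs an expiry date and periodic re-checking, can be turned into a routine access review. The script below is an added example, not code from the original post or from any product: the inventory is constructed, and the field names, the 90-day dormancy threshold and the attestation-validity rule are assumptions standing in for whatever a company's own policy says. It flags vendor accounts whose contracts have ended, accounts that reach sensitive data on a missing or expired attestation, dormant accounts, and accounts with no internal owner, and it summarizes who can reach each class of sensitive data so there is a concrete list to shrink.

```python
"""Periodic access review over an access inventory (added example).

The inventory below is constructed for illustration; field names and the
thresholds are assumptions, not any real organization's policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: access unused for this long is treated as dormant and disabled.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    user: str
    owner_type: str                           # "employee" or "vendor"
    sensitive_data: frozenset = frozenset()   # data classes reachable, e.g. {"PII"}
    last_used: Optional[date] = None
    owner: Optional[str] = None               # accountable person/team inside the company
    vendor: Optional[str] = None
    contract_end: Optional[date] = None
    attestation_expires: Optional[date] = None  # like a COI: the attestation has a validity period


def review_access(accounts, today):
    """Return (user, action, reason) findings, most severe action first."""
    findings = []
    for a in accounts:
        if a.owner is None:
            # Nobody inside the company answers for this access: treat as orphaned.
            findings.append((a.user, "disable", "orphaned: no internal owner"))
            continue
        if a.owner_type == "vendor":
            if a.contract_end is not None and a.contract_end < today:
                findings.append((a.user, "revoke",
                                 f"vendor contract with {a.vendor} ended {a.contract_end}"))
                continue
            stale = a.attestation_expires is None or a.attestation_expires < today
            if a.sensitive_data and stale:
                findings.append((a.user, "re-verify",
                                 f"{a.vendor}: security attestation missing or expired"))
        if a.last_used is None or today - a.last_used > DORMANT_AFTER:
            findings.append((a.user, "disable", f"dormant: last used {a.last_used}"))
    order = {"revoke": 0, "disable": 1, "re-verify": 2}
    return sorted(findings, key=lambda f: order[f[1]])


def attack_surface(accounts):
    """Map each sensitive data class to the accounts that can reach it."""
    reach = {}
    for a in accounts:
        for cls in a.sensitive_data:
            reach.setdefault(cls, set()).add(a.user)
    return {cls: sorted(users) for cls, users in reach.items()}


# Constructed sample inventory (not real data).
TODAY = date(2017, 9, 15)
INVENTORY = [
    Account("jdoe", "employee", frozenset({"PII"}),
            last_used=date(2017, 9, 14), owner="jdoe"),
    Account("hvac-vendor", "vendor", frozenset(),
            last_used=date(2017, 9, 1), owner="facilities",
            vendor="HVAC Co", contract_end=date(2017, 6, 30)),
    Account("web-agency", "vendor", frozenset({"PII"}),
            last_used=date(2017, 9, 10), owner="marketing",
            vendor="Web Agency", attestation_expires=date(2017, 3, 31)),
    Account("old-admin", "employee", frozenset({"PII", "FINANCE"}),
            last_used=date(2017, 2, 1), owner="it"),
    Account("tmp-contractor", "vendor", frozenset({"FINANCE"}),
            owner=None, vendor="Unknown"),
]

if __name__ == "__main__":
    for user, action, reason in review_access(INVENTORY, TODAY):
        print(f"{action:10} {user:15} {reason}")
    for cls, users in attack_surface(INVENTORY).items():
        print(f"{cls}: {', '.join(users)}")
```

Run against the sample inventory, the expired HVAC contract comes out first as a revocation, the two dormant or orphaned accounts as disables, and the web agency, which still reaches PII on an attestation that lapsed in March, as a re-verification: exactly the follow-up that a one-time vetting at onboarding never produces.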
4. Is there a strong link between risk management and business objectives?
According to Ernst & Young, "Less than 16% of companies consider risk management objectives and business objectives to be closely linked." That figure seems closely related to another EY finding: 65% of risk managers do not produce an integrated risk management report, or prepare one only annually.
Not surprisingly, we find that those who manage risk transfer well also show stronger alignment between their risk management practices and overall business objectives. These leaders listen to advice, stay current, and learn from their peers about losses that can be avoided through best-practice risk control.
The same principle applies to every risk management concern, including cyber risk. The burden of forging a stronger link rests on Risk Management, which must exercise greater diligence in proactively advising company leaders on how to avoid financial, reputational and legal harm.
The most valuable thing your business owns is the information it uses to compete in the marketplace, which likely includes proprietary, sensitive, public, and both siloed and distributed information. What will give you a competitive advantage in the years to come?
With the near-weekly news of another major data breach worldwide, it's hard to imagine a responsible company protecting its brand without a serious look at its current methods of managing cyber risk, questioning its own assumptions, and looking again.