Monitoring Cyber Risk and Developing Response Protocols in Advance
Responsibility For Cyber Readiness Goes Beyond The IT Department
MCC interviews Jerry Ravi, a partner in the Consulting Services Group of EisnerAmper LLP.
MCC: Your practice involves partnering with management, audit executives and board members to manage and monitor enterprise risks. These activities have come into sharp focus given that 2014 was a banner year for security breaches. What is the current mindset within companies regarding cybersecurity?
Ravi: Companies are struggling to address cyber risks, and really, this problem predates all the media hits this past year. In particular, smaller and even mid-sized organizations are very concerned as to whether they are doing enough, what issues merit focused attention and, of course, how to report what they’ve already done.
This all starts with the boards, and I am now fielding many more questions from board members and senior management. What should we be looking at as it relates to cyber risks? What questions should we be asking our IT people and the senior management team? In fact, should we only be asking our IT people? Should we go beyond that? Whom should we bring into the conversation from the inside and the outside?
This unsettled mindset relates to the fact that cybersecurity threats are an unknown territory. The executives and board members I deal with fear that something could happen to them. It’s a risk mindset to effectively balance risk and reward, and the big question is, what can we do about this risk with the resources we have?
MCC: Certainly, we know the risks are out there, but are people well enough informed as to the potential business impact should a breach occur? There’s plenty of coverage in the press, but is there more behind all that?
Ravi: There’s a lot more behind it, actually. The primary impact is reputational risk when an issue becomes known. If it is reported in the media, the news could reach your customers, vendors and even your employees because you have their private or personally identifiable information (“PII”) data as well.
Other aspects involve outsiders. Using cloud service providers, for example, has become quite the norm for organizations small and large to outsource the hosting and maintenance of their systems and applications. Is your service provider exposing your data, and what controls do they have to mitigate those risks? Most of the risks can be dealt with by performing a proper risk analysis. There is vendor management risk for all those service providers supporting the business. I work with management teams to ask key vendor management questions, such as, who are your strategic business partners, and will you be able to continue doing business with them if they lack critical security controls over your data? What exactly are you dealing with from a regulatory or compliance standpoint? Are there concerns about breaching laws in some way because of the requirements to maintain a minimum standard or framework to mitigate cybersecurity risks?
In fact, certain laws require companies to disclose a breach occurrence, which means that they need to figure out from their own perspective how far the breach went. That’s where digital forensics come into play and can add value to the breach notification process. Legal aspects also apply in terms of the laws and regulations by state. And now the federal government, including President Obama in his latest State of the Union address, actually has expressed the concern around our nation’s threat of cyber risk, including how we deal with it. Likely, the response will take the shape of a global or at least a national framework or standard as to what, minimally, is expected of companies – similar to government action taken in the banking industry.
One key consideration is that cybersecurity and breach response is part of a compliance function. Many companies view it as an IT or technology function, and, in most organizations, the business units own regulatory compliance requirements. The important point is that compliance is made up of a mix of members from business units, senior management and key support functions, such as legal, technology, information security and an internal audit function if it exists. I find that companies are the most effective at enterprise risk management, including dealing with cyber risks, when these teams work together to support the business units in achieving their compliance and risk mitigation objectives.
In essence, companies can work to set up key “lines of defense,” with business units providing the first line, that are responsible for identifying, managing and monitoring internal controls over key risks. The second line would include information technology and security, legal and compliance; and the third line would include internal audit.
MCC: Can you bring us into your world in terms of helping companies detect cyber-related incidents? You mentioned forensics.
Ravi: Interestingly enough, companies have gotten much better at detecting threats. Technology is now available that can help companies review data logs, and here I refer to an automated process, in order to learn about behavior over time. With this tool, a company can look at relevant data, avoid what I’ll call the “noise,” and figure out what to consider in terms of risk. In the past, data logs were too cumbersome and voluminous to review without an automated monitoring tool.
Although the number of cyber incidents keeps increasing by approximately 48 to 50 percent each year, much of that can be attributed to the fact that companies are better able to report what they know. They are using technology and, therefore, are more efficient and effective in their methods of reviewing data. The first thing a company can do is to identify and purchase managed service tools that can help detect a potential breach and enable a company to figure out what exactly it needs to respond to. For instance, using a “whitelisting” versus “blacklisting” approach is important when using these tools. Whitelisting involves configuring and setting up systems to allow only approved groups, users and systems to gain access. The reverse is true for blacklisting, which is to identify groups, users and systems that you want to deny access to. Whitelisting has been proven to be the more effective approach.
I should clarify that these tools go beyond antivirus software, firewalls and perimeter security. They work within your four walls. The other key component revolves around these questions: Are you actually looking at the proper data, have you done a proper risk assessment around that data, and are there known incidents that we need to address? Also, companies often neglect getting involved in the internal incidents (those within your four walls). They know with certainty that they have to watch over forces outside their walls that can cause external incidents, so the perimeter security locks down data stored in the cloud and on mobile devices, but companies don’t ask, what about what’s inside our four walls? How are we looking at the incidents there? What can our internal employees do?
I can tell you that IT professionals are finding it more difficult to manage the process of detecting what’s important and, again, what’s noise. Although the cost of tools has decreased over time, companies are still investing quite a bit of money in technology for detecting and responding to incidents.
MCC: Speaking of that, what first steps should a company take when, after all these efforts, a breach is detected?
Ravi: A company should have an incident response plan, similar to a business continuity plan, that answers the question, what do we do? Are we on the same page in terms of analyzing the magnitude and impact of an incident? What should we do after that? How do we get the right people involved? The steps involved in a security incident response process, according to the SANS Institute, include: preparation, monitoring and detection, breach investigation, data flow containment, external communication and remediation, and lessons learned.
Frankly, the very first step is to discuss what you would do if an incident occurred, and then you can formalize the plan and procedures. Again, similar to a business continuity plan, it’s about first defining the process, classifying key systems or the most important data, and, lastly, ensuring key people are involved. Unfortunately, this process is often neglected because many companies think that IT alone handles incident response; however, many other people need to be involved, including management, legal, finance and the board. So first companies must plan.
Second to the plan is to determine whether an incident occurred and investigate the extent of the incident. The forensic work is important because you need to understand exactly how the incident happened and how you need to change the way you do things in the future. The whole incident-response process involves different pillars, from analysis to actual response and remediation. Then you circle back to determining what changes are in order for the future (i.e., lessons learned).
You can bring in outsiders or adopt tools to perform digital forensics, such as reviewing logs. Again, an internal audit function can help in this process to determine if incidents have occurred and assist in the remediation efforts, as the third line of a company’s defense model. I’m often acting in the role of “internal auditor” for our clients, and in most situations I’m given the opportunity to assist with remediation and post-incident analysis of the company’s internal control system. It’s typical for companies to look to the outside for assistance with figuring out exactly what happened and with remediation.
MCC: Do these plans require constant revision as the cyber landscape evolves?
Ravi: Yes. But from a monitoring standpoint, it’s no different from any other kind of change the organization faces. You’re looking at data from many different sources, and you need to look at the impact of change. Security should be at the forefront, and I always go back to reinforce the basics of risk management and risk analysis. Risks are constantly evolving, so the process a company has established to identify, analyze and monitor risks needs to evolve as well. Continue to ask yourself, how has our risk profile changed, and have we considered changing our decisions to monitor key risks?
Chief information security officers (CISOs) and chief technology officers (CTOs) struggle to figure out how much time and resources to put into this effort. Monitoring risk and developing an appropriate response plan are primary, and you always need perimeter security (i.e., protecting from external threats) and other basic components to protect internal threats (i.e., access controls and virus and malware protection, among others). You also need to protect the company’s most important data just as you would other assets, such as intellectual property. Beyond that, there would be different measures as to the number and extent of the controls based on the risk profile of your data. For example, you may have different or more stringent controls to protect your customer’s confidential information and fewer controls over your internal marketing or operations data, as the latter information poses less of a risk if compromised. When evaluating data components, ask what someone who wanted to do harm to your company would do with this data if he or she were able to compromise it.
MCC: What factors go to determining a risk profile?
Ravi: One aspect of a company’s risk profile is its industry segment. Certainly, banks and healthcare companies face higher risks than manufacturers, as does any company holding credit card information. We have to assume that hackers are out there attempting to get sensitive information, so taking the necessary precautions is paramount. One basic example at a personnel level is to make sure passwords are secure and to instill a fundamental understanding that data has to be protected. A risk profile can start with a data classification exercise so that you are better able to understand and secure your most important data.
Beyond industry considerations, company executives are now becoming key targets. Hackers are looking to see what they can get by watching social media activity and what the company is doing in the marketplace. When we talk about monitoring a risk profile, many companies go through the exercise of performing internal and external security vulnerability assessments. We recommend that this be performed on a continuous basis depending on your risk profile.
Companies are spending a lot of time on security awareness training within their four walls, for example, to make sure employees are not clicking on unfamiliar links, which may contain malware that could compromise systems and data. Employees in every company need to be aware of what to look for and what to stay away from, so constant training and monitoring (testing) is key when dealing with cyber risks. Imagine if your employees were all looking out for key cyber risk indicators and were all engaged in ensuring risks are properly communicated and dealt with, as though you have adopted the same campaign as the Department of Homeland Security: “If you see something, say something.” There are situations where companies are rewarding employees for speaking up about key risks impacting the business.
MCC: Are companies sharing information about best practices?
Ravi: There are forums for companies, even for those of us in the internal and technology auditing space, to share what we’ve learned. We share success stories and lessons learned as well as issues that we should be thinking about in terms of risk management and the cost of mitigation. In fact, our firm is continuously bringing clients together for that very purpose, to discuss effective risk mitigation strategies.
Benchmarking certainly will help companies assess their tools, systems, controls and frameworks. Do you actually have what’s called a written information security policy or WISP, and are you using and monitoring it for compliance? Along with a WISP, you need a formal response process, and companies have established standards and frameworks around that. It’s less about whether a company will be attacked than about knowing what to do and where to focus attention if an attack occurs.
So the answer to your question is yes. I work with many IT professionals, CFOs and CEOs who are specifically asking me what our clients are doing.
MCC: In closing, give us a broad view on what companies need to keep in mind as they face the challenges of cyber issues.
Ravi: The key is to look at your current state and perform proper risk and readiness assessments. Where are your most critical data points, and what remediation is needed? Remember, the risks we’ve been talking about run across the entire company, and reputational risk is the overarching theme and primary concern for businesses of all sizes. A well-designed and well-monitored security policy will first drive the governance structure around these issues, and everyone within the company should be aware of it. As you can tell, I’m focused on this topic, and as a firm, we are prepared to help companies manage and monitor risk while keeping our eye on adding value along the way, whether it’s value creation or value preservation.
Trends & Developments - February 2015