This is Part Five of a Six-Part blog series on Cyber Risk Management from guest blogger Simon Goldstein.
Too often cyber security, and the risk management that goes with it, is viewed as a purely technological matter concerning only the processes and practices that rely on IT assets, systems, partners and services. Reality is quite different. Cyber security is in many aspects a HUMAN concern, and so cyber risk is largely about HUMAN risk. How well people follow security guidelines, policies, and procedures matters. How well your partners and 3rd party suppliers do the same also affects your risk. Do you have training for all staff? How often? How effective is it? How do you measure that? Do you have the right cyber security staff and talent on board to measure and manage risk effectively? What about detection of malicious insiders? Are you certain about the management of your ever-expanding use of mobile and remote devices, services, and staff? What rules would your associates recognize and accept as important? Which assets beyond the physical ones need protection, and when? You get the idea.
Much of the infrastructure put in place to mitigate or counter cyber threats presumes timely, consistent, informed, and accountable human interaction and execution. If people are deeply vulnerable to compromise, the foundation of your program rapidly deteriorates. It is a big, but often unattended or poorly resourced, part of the cyber risk management equation, and no amount of technology spending can overcome or counter these failings. They undermine the effectiveness and strength of many otherwise useful controls for addressing cyber risk. For this reason, some practices, like staff awareness education and periodic random tests of behavioral compliance with cyber security policies, are controls and best practices in their own right. Let’s look at some of the key scenarios in more detail.
Staff Education: Staff need to know what cyber security related policies and practices are in place. How is awareness promoted and compliance monitored? How often must passwords be changed? What are their minimum requirements? What are the categories of data, and when must I encrypt transmissions and their contents? How do I use the available encryption tools? These are just a few examples that need attention. Staff need to understand that information assets are as valuable to the company as its physical ones. This includes data, systems, intellectual property, customer information, data governed by regulations, and the systems which store, process, or transmit it. Rules for mobile devices, and for personal equipment some may use for business purposes, must be understood and followed. Understanding and collaboration are more powerful than threats of consequences. Generally, people want to do the right thing, and if they are educated about the value, the methods, and the importance of cyber security, heightened compliance and cooperation (and lower risk) generally follow. Educational materials need to be well developed, timely, frequently updated, and designed to leverage relevant examples rather than endless lists of “musts” and “should nots”. Scenarios that resemble familiar experiences or situations are most likely to impress and illustrate important points in ways that foster identification and adoption. Relevance is always key.
Social Engineering: Far and away this is a favorite means of compromising cyber security controls. Simply put, bad actors use social skills and false credentials, media, communications and other digital artifacts to lure staff into sharing credentials, access, or information in apparently trustworthy circumstances. Educating all staff, and even partners, on techniques, situations, and “gamesmanship strategies” is vital to managing cyber risk and assuring information security. Has awareness training and education been effective? Are “fake” phishing emails distributed at large identified and reported to the right authorities in a timely manner? Or do recipients click on included links to unknown locations out of ignorance, indifference, or curiosity? Are random “found” USB drives plugged into company machines to “see what’s there”? Are the findings and alerts from data loss prevention (DLP) software trending favorably? Do people let unidentified visitors “tailgate” into restricted areas without escorting them to holding locations for identification and retrieval? These are just a sampling of indicator sources for measuring how well staff and extended partner or 3rd party associates are following the tenets of your education and awareness program. They, and others like them, may offer the opportunity for focused remediation and additional effort in the organizational or content areas where understanding or cooperation appear to be falling short.
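The post treats simulated phishing as a source of indicators rather than a pass/fail event: click rate, report rate, and how quickly reports arrive, broken down so that remediation can be focused where it is needed. The following is an added example, not code from the original post or from the author, showing how such campaign results might be summarized per department. The record format, the department names, and the thresholds for flagging a department are all assumptions constructed for the illustration.

```python
"""Summarize simulated-phishing results per department (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed sample results from one simulated phishing campaign.
# Each record: recipient, department, whether they clicked the lure link,
# whether they reported the email, and minutes until the report (None if never).
SAMPLE_RESULTS = [
    {"user": "alice", "dept": "finance", "clicked": False, "reported": True,  "report_minutes": 4},
    {"user": "bob",   "dept": "finance", "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "carol", "dept": "finance", "clicked": False, "reported": True,  "report_minutes": 12},
    {"user": "dave",  "dept": "finance", "clicked": False, "reported": False, "report_minutes": None},
    {"user": "erin",  "dept": "ops",     "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "frank", "dept": "ops",     "clicked": True,  "reported": True,  "report_minutes": 90},
    {"user": "grace", "dept": "ops",     "clicked": False, "reported": False, "report_minutes": None},
    {"user": "heidi", "dept": "legal",   "clicked": False, "reported": True,  "report_minutes": 2},
    {"user": "ivan",  "dept": "legal",   "clicked": False, "reported": True,  "report_minutes": 7},
]


def summarize_campaign(results):
    """Return per-department click rate, report rate and median minutes-to-report.

    Click rate measures susceptibility; report rate and time-to-report measure
    whether the awareness program produced the desired behavior (report, don't click).
    """
    by_dept = defaultdict(list)
    for rec in results:
        by_dept[rec["dept"]].append(rec)

    summary = {}
    for dept, recs in by_dept.items():
        n = len(recs)
        clicks = sum(1 for r in recs if r["clicked"])
        reports = sum(1 for r in recs if r["reported"])
        delays = [r["report_minutes"] for r in recs
                  if r["reported"] and r["report_minutes"] is not None]
        summary[dept] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": reports / n,
            "median_report_minutes": median(delays) if delays else None,
        }
    return summary


def flag_for_remediation(summary, max_click_rate=0.25, min_report_rate=0.5):
    """Departments whose click rate is above, or report rate below, the assumed thresholds."""
    return sorted(
        dept for dept, s in summary.items()
        if s["click_rate"] > max_click_rate or s["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    stats = summarize_campaign(SAMPLE_RESULTS)
    for dept, s in sorted(stats.items()):
        print(f"{dept:8s} recipients={s['recipients']} click_rate={s['click_rate']:.2f} "
              f"report_rate={s['report_rate']:.2f} median_report_min={s['median_report_minutes']}")
    print("focus remediation on:", flag_for_remediation(stats))
```

Tracking these figures across several campaigns, rather than reading one campaign in isolation, is what turns them into the trend indicator the post describes; the thresholds here are placeholders to be set from your own baseline.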
Staffing: The increased awareness and attention to cyber security and cyber risk management has created a dramatic increase in demand for highly qualified and trained staff. Marketplace supply currently struggles to meet demand. How your organization has managed its own demand for and acquisition of cyber risk and security talent is an important risk consideration for your program. Do you have adequately trained staff on hand? Have you outsourced some functions to vetted high-quality 3rd parties? If so, how is their interaction secured and maintained on your behalf? Are you recruiting? If so, is your process designed to assure acquisition of truly qualified talent? How are you managing talent retention in a marketplace where demand is far greater than quality supply? A strategic approach to cyber security and risk management staffing is essential to the execution and continuity of your cyber risk management program.
HR Management: This may be less than obvious. How are your human resources policies and practices, including hiring, integrated into your cyber risk and security management programs? There are countless documents and studies noting the behavioral attributes that may help identify potential “malicious insider” traits. While the concept of “insider” may be somewhat dynamic and fluid in today’s extended company boundaries and cloud-integrated, multi-partner perimeters, it is still important to be wary of those who seem at the outset to “have an agenda, or a resistance to operating in a governance environment”. Also, separation processes need to be designed to assure that voluntary as well as involuntary separations are handled to protect departing staff from inadvertent policy violation as well as intentional asset compromise. Access controls must allow comprehensive understanding, tracking, and termination of access to all systems throughout the enterprise upon separation, in a prompt, reliable, and auditable manner. This is critical to many potential compliance obligations, and represents one example of the integration of the cyber risk, compliance, and audit programs.
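The separation requirement above, that access across all systems is terminated promptly and in an auditable way, is the kind of control that only shows its gaps when HR records are reconciled against what the systems actually report. The following is an added example, not code from the original post or the author, of such a reconciliation: a constructed HR separation list is compared with a constructed access inventory, and two kinds of findings are produced, accounts still enabled past a grace period and accounts that signed in after the separation date. The system names, dates, grace period and record layout are all assumptions made for the illustration.

```python
"""Offboarding reconciliation: departed staff vs. live accounts (added example, constructed data)."""
from datetime import date, timedelta

# Constructed HR separation records: who left and on what date.
SEPARATIONS = {
    "bob":   date(2024, 3, 1),
    "erin":  date(2024, 3, 10),
    "frank": date(2024, 2, 15),
}

# Constructed access inventory as exported from several systems.
# 'last_login' is None when the account has never signed in.
ACCOUNTS = [
    {"system": "vpn",    "user": "alice", "enabled": True,  "last_login": date(2024, 3, 12)},
    {"system": "vpn",    "user": "bob",   "enabled": True,  "last_login": date(2024, 3, 5)},
    {"system": "crm",    "user": "bob",   "enabled": False, "last_login": date(2024, 2, 28)},
    {"system": "crm",    "user": "erin",  "enabled": True,  "last_login": date(2024, 3, 9)},
    {"system": "github", "user": "frank", "enabled": True,  "last_login": None},
    {"system": "github", "user": "alice", "enabled": True,  "last_login": date(2024, 3, 11)},
]

# Assumed date of the audit run.
AS_OF = date(2024, 3, 15)


def reconcile_offboarding(separations, accounts, as_of, grace_days=1):
    """Return audit findings for users who have left.

    'still_enabled'          : account enabled more than grace_days after separation.
    'post_separation_login'  : account signed in after the separation date, i.e.
                               access that should have been revoked was used.
    """
    findings = []
    for acct in accounts:
        left = separations.get(acct["user"])
        if left is None:
            continue  # current employee; nothing to reconcile
        deadline = left + timedelta(days=grace_days)
        if acct["enabled"] and as_of > deadline:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "finding": "still_enabled",
                             "days_overdue": (as_of - deadline).days})
        if acct["last_login"] is not None and acct["last_login"] > left:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "finding": "post_separation_login",
                             "login": acct["last_login"].isoformat()})
    # Deterministic order makes the report diff-able between audit runs.
    return sorted(findings, key=lambda f: (f["user"], f["system"], f["finding"]))


def findings_by_type(findings):
    """Count findings per type, a simple metric to trend across audit runs."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


def run_sample():
    """Reconcile the constructed sample data as of the assumed audit date."""
    return reconcile_offboarding(SEPARATIONS, ACCOUNTS, as_of=AS_OF)


if __name__ == "__main__":
    report = run_sample()
    for f in report:
        print(f)
    print("totals:", findings_by_type(report))
```

Every finding names the user, the system and the evidence, so the output doubles as the audit trail the post calls for; a post-separation login is the one to escalate first, since it shows a revocation gap that was actually used.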
3rd Parties: Many companies today outsource non-core functions to other firms. This may be a useful economic and resource strategy for sustaining focus and quality while promoting growth. It also creates exposure with regard to cyber risk, by extending associate access to critical company information and operating assets. Extending cyber risk management practices to 3rd party suppliers is often a challenge. Some are quite small and may not have much in the way of IT or cyber resources to apply, or even to try to comply with the controls of a larger client. Some may have their own well-established cyber controls and practices in place. And still others may supply support services unrelated to client core operations and not recognize a need for cyber security participation. We have seen examples of infrastructure repair services who have inadvertently enabled backdoor access by malicious actors into large corporate environments. If 3rd party associates will have direct access to your information assets, whether through work on-site at your facilities or remotely through VPN or other secure internet interfaces, these are significant concerns. Rules for access with 3rd party or personal equipment are also a consideration, if such access is allowed at all. So, cyber security and risk managers must partner with business contract negotiators, and perhaps include internal audit, to craft agreements that balance the nature and substance of 3rd party services with the information security requirements and capabilities of their company and yours.
Integrating Risk Management: Giving full consideration to the human aspects of cyber security risk offers an excellent example of integrated risk management (IRM). Data from 3rd parties, training records, results of targeted tests, network and device compliance scans, and more all would be useful inputs to analysis. So too, would audit results, incident records, and compliance reviews. Utilizing a comprehensive software platform with capabilities to gather, store, organize, align, and represent such a diverse data set is a clear advantage. So too are capabilities to track remediation projects intended to improve the strength of relevant operating controls or processes in all these related areas. Staff behavior permeates the impact and effectiveness of much of what a company does to manage cyber security and risk. Finding the right questions and current states to explore and evaluate helps assure a comprehensive and accurate evaluation of cyber security risk throughout an organization.