Organizations can learn a great deal from the recent election security snafus. Yes, there has been (and will remain) an aura of speculation and conjecture about why Hillary Clinton lost. That is not the point to debate in this blog; rather, the point is what we can glean from the egregious mistakes so that cyber security isn't compromised under our watch. We are all responsible for corporate data in one form or another, and that responsibility peaks when a vulnerability is exploited and the first two questions asked are "Who is responsible for protecting the data?" and "Did we follow prescribed corporate policies to enforce security?"
Now let's dissect the lessons from the election scandal. Speculators believe one of the major reasons was Clinton's use of an unauthorized personal email server, together with the WikiLeaks email dumps that didn't paint her or her campaign in a very positive light. Cyber incidents like these show that when policies aren't followed (an unauthorized personal server) and, worse yet, the violation goes undetected for months, we have a perfect storm for a successful hack to compromise the integrity of the election. In corporate speak, this is a public relations nightmare with far-reaching implications for both revenue and reputation.
The stark reality is that since 2005, corporate systems have been breached more than 5,100 times, disrupting corporations, financial institutions, government agencies and more. And with data volumes roughly doubling every year, the business need to continuously slice and dice that data to draw powerful conclusions can easily be undermined by hackers corrupting the data or, worse yet, stealing an organization's intellectual property.
For years, security experts have been repeating the same sage advice about keeping our accounts safe, with mediocre results:
Yet none of these overly simplistic best practices sufficiently prevents corporate hacks; at best they provide a false sense of security, because compliance with them is systematically spotty. These practices do reduce the number of compromised users, but it only takes one successful hack to create irreparable damage.
By examining the root cause of cyber incidents, you quickly see that keeping your password as complex as "U&@#_2w456_gjKKL" or as simple as "password" would not have altered the outcomes. Take the well-publicized Target breach: malware installed on point-of-sale systems scraped customers' card data as cards were swiped. No amount of adherence to a complex password policy would have had any bearing on preventing that. The same applies to the DNC, which was compromised by a phishing scheme: a staffer was lured to a fake authentication page and handed over the password simply by typing it in. That stolen password was the smoking gun that opened the door to the email accounts.
Whether we like it or not, email was never designed to be a secure communication medium. Transport encryption between your device (smartphone, computer, etc.) and your mail provider, and between mail servers (STARTTLS), is common today, but it is negotiated hop by hop and is often opportunistic, so a single hop can fall back to cleartext, and the message itself sits as plain text on every server it passes through (Gmail, Yahoo, corporate servers, etc.). Yes, there are services built around encrypted email, such as Posteo or Tutanota, that make messages far harder to intercept, but there is a cost to use them and both parties need to be using a compatible encryption scheme to achieve secure communication.
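The hop-by-hop point above can be checked on any message you have received. The following is an added example, not code from the original post: it reads the Received: trail that each SMTP server prepends and reports which hops were protected by STARTTLS, using the protocol tokens RFC 3848 registers for that purpose (ESMTPS/ESMTPSA for TLS, ESMTP/SMTP for cleartext). The three-hop sample message, host names and IP addresses are constructed for the example.

```python
"""Which hops of an e-mail's delivery path were TLS-protected?

Added example, not code from the original post. Each SMTP server
prepends a Received: header as the message passes through; RFC 3848
registers the "with" protocol tokens ESMTPS / ESMTPSA for sessions
protected by STARTTLS, while ESMTP / SMTP mean the hop was cleartext.
The sample message below is constructed for this example.
"""
import re
from email import message_from_string

# Constructed sample: three hops, the middle one (relay -> mx) cleartext.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.20])
        by inbox.example.net with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Tue, 1 Nov 2016 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx.example.org with ESMTP id def456;
        Tue, 1 Nov 2016 10:00:02 +0000
Received: from [10.0.0.5] (client.example.com [203.0.113.9])
        by relay.example.com with ESMTPSA id ghi789;
        Tue, 1 Nov 2016 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: quarterly numbers

The attached figures are confidential.
"""

# RFC 3848 protocol names: trailing S = STARTTLS, trailing A = SMTP AUTH.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def analyze_hops(raw_message):
    """Return one dict per hop, in delivery order (oldest first)."""
    msg = message_from_string(raw_message)
    hops = []
    # Servers prepend their Received: line, so the list is newest-first.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(str(received).split())   # unfold continuation lines
        protocol = (_first(WITH_RE, text) or "UNKNOWN").upper()
        hops.append({
            "from": _first(FROM_RE, text),
            "by": _first(BY_RE, text),
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return hops


def summarize(raw_message):
    """Count cleartext hops. Even with every hop on TLS, each server in
    the path still handles the message body in plaintext; only end-to-end
    encryption (PGP, S/MIME, or a service both parties use) keeps the
    content from the servers themselves."""
    hops = analyze_hops(raw_message)
    cleartext = [h for h in hops if not h["tls"]]
    return {
        "hops": len(hops),
        "cleartext_hops": [f'{h["from"]} -> {h["by"]}' for h in cleartext],
        "all_hops_tls": not cleartext,
    }


if __name__ == "__main__":
    for hop in analyze_hops(SAMPLE_MESSAGE):
        print(f'{hop["from"]:>20} -> {hop["by"]:<20} {hop["protocol"]:<8} tls={hop["tls"]}')
    print(summarize(SAMPLE_MESSAGE))
```

Run against a real message (save it as raw RFC 822 text and pass it to `analyze_hops`) and the cleartext hops, if any, show exactly where a passive observer could have read the mail in transit. The comment on `summarize` is the caveat that matters for the insurance discussion that follows: transport TLS protects the wire, not the mailbox.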
When prevention is not an option, as in the case above, you must look at ways to mitigate risk. If you are not a political figure or a celebrity, your greatest mitigation is your obscurity, though obscurity does nothing against the automated, opportunistic attacks that target everyone. If you are a corporate entity, you likely need to consider cyber liability insurance to cover the probability of a cyber incident that leads to irreparable damage to, or destruction of, valuable information assets. Ideally, you need comprehensive coverage for a data breach that pays the expenses and legal liability resulting from defense costs, settlements and judgments, regulatory investigations, fines and penalties, and that also covers the cost of business interruption resulting from an attack. Further disruption can ensue when the hack escalates into an extortion threat against the company's network, with future losses that cannot yet be substantiated.
It's time to acknowledge that data breaches are no longer a shocking aberration; sadly, they are the norm. As defenses grow more sophisticated, so does hackers' ability to breach them. One can assume that email and web applications will never be completely secure, and the danger of a breach requires constant vigilance.
As of April 2016, the US cyber security and identity theft insurance market totaled $1.2 billion, per an NAIC report. Today, cyber insurance is sold either as stand-alone coverage or in packaged policies, with 41% and 59% market share respectively. As the amount of data collected by corporations continues to increase, as personal data becomes both more exposed and more regulated, and as the cost of breach mitigation mounts, the cyber insurance market is expected to see a large increase in underwriting in the next couple of years.
Appropriately underwriting corporate cyber security policies requires details such as your organization's ability to prevent certain cyber incidents, its processes and procedures for stopping unwanted intrusions, and the amount of proprietary and sensitive data it stores. However, this information is rarely available through regular audit processes, because audit teams often lack cyber security and data awareness. It's estimated that 47% of internal audit teams believe they lack a proper understanding of how to collect data and cyber security related information.
Data controls are one of the leading ways to capture and inventory the corporate data points that are key to cyber insurance underwriting. Better yet, data controls are relatively quick wins that can be deployed easily. However, many organizations don't have these controls in place, putting the onus on insurance underwriters to obtain these details themselves before offering cyber insurance. The more elusive these details are, the higher the underwriting risk rating.
While identifying your corporate data points is a noble first step, it's just as critical to measure and benchmark how vulnerable your data is to cyber attacks. Organizations that hold more proprietary data, personally identifiable information, financial information, etc. are more attractive targets than organizations that hold archived sales orders. Conducting a data inventory is crucial in order to assign data vulnerability ratings on the 0-3 scale of data protection levels below, which assists underwriters in properly identifying the amount of risk they undertake.
A tool-based approach is critical: one that not only collects your data inventory but also classifies your data by vulnerability using pre-defined rules. Data controls should connect to any data source (without introducing complexity by transforming the data) and report through executive dashboards that help users understand the risk associated with the data. Beyond collecting the inventory, data controls let users write custom business rules that are enforced on the data metrics to provide further insight.
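To make the inventory-and-classify procedure of the last two paragraphs concrete, here is an added example (not the data-control tool the post describes, and not the post's own code). It walks a set of tables, infers what each column holds from pattern rules, and rates each column and table 0-3, with a hook for the custom business rules mentioned above. The meaning assigned to each level, the pattern rules, and the sample tables (test card numbers, fake SSNs and addresses) are this example's own assumptions; the post's scale is not reproduced on this page.

```python
"""Rule-based data inventory with per-column sensitivity ratings.

Added example; it is not the data-control tool the post describes.
It walks a set of tables, infers what each column holds from pattern
rules, and rates each column and table on a 0-3 scale. The meaning of
the levels below is this example's own assumption (the post's scale is
not reproduced on this page), as are the pattern rules and sample data.
"""
import re


def luhn_ok(digits):
    """Luhn checksum; keeps arbitrary 16-digit strings from being
    reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# (label, level, predicate). Assumed levels: 3 = payment data,
# 2 = government identifiers, 1 = contact PII, 0 = nothing sensitive found.
RULES = [
    ("payment_card", 3, lambda v: bool(CARD_RE.match(v)) and luhn_ok(v)),
    ("ssn", 2, lambda v: bool(SSN_RE.match(v))),
    ("email", 1, lambda v: bool(EMAIL_RE.match(v))),
]


def add_rule(label, level, predicate):
    """Register a custom business rule. RULES stays ordered highest
    level first so the most sensitive matching label wins."""
    RULES.append((label, level, predicate))
    RULES.sort(key=lambda r: -r[1])


def classify_column(values, threshold=0.8):
    """Label a column by the most sensitive rule that matches at least
    `threshold` of its non-empty values. Returns (label, level)."""
    sample = [str(v).strip() for v in values if v not in (None, "")]
    if not sample:
        return ("empty", 0)
    for label, level, pred in RULES:
        hits = sum(1 for v in sample if pred(v))
        if hits / len(sample) >= threshold:
            return (label, level)
    return ("unclassified", 0)


def inventory(datasets):
    """datasets: {table_name: [row dicts]}. Returns a per-table report
    with each column's (label, level), the row count and the table
    rating, which is its most sensitive column."""
    report = {}
    for table, rows in datasets.items():
        columns = {}
        for row in rows:
            for col, val in row.items():
                columns.setdefault(col, []).append(val)
        col_report = {col: classify_column(vals) for col, vals in columns.items()}
        report[table] = {
            "rows": len(rows),
            "columns": col_report,
            "rating": max((lvl for _, lvl in col_report.values()), default=0),
        }
    return report


def tables_at_or_above(report, min_level):
    """Names of tables rated at least `min_level`, for a dashboard view."""
    return sorted(t for t, r in report.items() if r["rating"] >= min_level)


# Constructed sample data: well-known test card numbers, fake SSNs.
SAMPLE_DATASETS = {
    "customers": [
        {"id": 1, "email": "ann@example.com", "ssn": "123-45-6789",
         "card": "4111111111111111", "note": "vip"},
        {"id": 2, "email": "bo@example.org", "ssn": "987-65-4321",
         "card": "5500000000000004", "note": ""},
        {"id": 3, "email": "cy@example.net", "ssn": "555-12-3456",
         "card": "4012888888881881", "note": "late payer"},
    ],
    # 16-digit order references that fail the Luhn check: not card data.
    "archived_orders": [
        {"order_ref": "1234567890123456", "sku": "A-100", "qty": 2},
        {"order_ref": "1234567890123457", "sku": "B-200", "qty": 1},
    ],
}

if __name__ == "__main__":
    for table, r in inventory(SAMPLE_DATASETS).items():
        print(f"{table}: rating {r['rating']}, {r['rows']} rows")
        for col, (label, level) in r["columns"].items():
            print(f"   {col:<10} {label:<14} level {level}")
```

The threshold keeps a column from being rated on a single stray value, and the Luhn check is the kind of refinement that separates a useful inventory from one that flags every invoice number as card data. Point `inventory` at rows pulled from your real sources (no transformation needed beyond reading them as dicts) and the per-table rating is the figure an underwriter is asking for.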
All of this leads to two important subjects: Data Governance and Data Quality. Explore a 5-step approach in this white paper:
For a deeper dive into this topic, visit our resource center, where you will find a broad selection of content that represents the compiled wisdom, experience, and advice of our seasoned data experts and thought leaders.