In Part 3 of this series on the New Cyberwar, we address the current “best practices” approach to preventing cyberattacks, such as ransomware and other cybercrime, and to reacting to data breaches. When it comes to cybersecurity practices, is there really such a thing as “best”? How can you focus on developing the right practices for your organization? In addition, we discuss the questions organizations should ask before starting a cybersecurity gap analysis project. Finally, we dive into data vulnerability: what it is and where it comes into play.

In case you missed it, in Part 1 of this series we noted that criminal enterprises supported by nations have greatly increased cyberattacks on commercial companies and other non-governmental organizations. The SolarWinds hack, the Colonial Pipeline and JBS attacks, and the Microsoft Exchange hack are just the beginning. Despite stern warnings, the Chinese, Russians, Iranians, North Koreans, and others do not seem to be deterred.

In Part 2 of this series, we noted that government can play an important role in helping nudge companies to improve their security posture by providing a regulatory scheme with both sticks and carrots – such as data breach penalties and safe harbor provisions. Further, we noted that too many companies retain sensitive data that is not germane to their business or providing value. Beyond their data stores on their own networks, companies must take a more aggressive approach to reduce the amount of data held by their third-party service providers.

Cybersecurity Practices: Is There Really Such a Thing as “Best”?

Catch a security expert in a moment of honesty, and she will tell you “yes and no.” “Yes” in the sense that there are certain steps that all organizations should take to maximize data security. “No” in the sense that each organization’s blend of resources – time, talent, treasure – along with their threats, risk tolerance, and business goals are all unique. As such, Company A’s best practices will be different from Company B’s.

It may be better to speak in terms of “right practices.” The term “right practices” describes the set of information security plans, rules, protocols, and controls designed to minimize your risk of exposure within the confines of your resource constraints. This strategy allows organizations to set realistic expectations and goals and efficiently operate their business while still feeling comfortable that the organization is protected.

In no way are we suggesting that being fully compliant with best practices standards, such as ISO 27001 or NIST, should not be the end goal. Instead, organizations should not let “the perfect be the enemy of the good.” Starting with the right practices, developing a culture of security, and improving security practices as resources allow is a more reasonable way to address security vulnerabilities while building institutional support and executive buy-in for full compliance or certification.

Further, we assume that every organization must make trade-offs and that funds are not unlimited. (If you have unlimited funds, stop reading right now and email me to get started.) An aggressive but half-finished information security project is far worse than a less ambitious but complete project focused on your unique situation.

Focusing on the Right Practices For You

Many, if not most, information security projects start with a gap analysis. A gap analysis is a logical starting point for cataloging a company’s current state, defining where it wants to be, and then creating a path to achieve those goals. In our experience, it is the second part of that formula that differs wildly from company to company. For example, some want to be ISO 27001 certified; some need a SOC 1 or SOC 2 report for their customers; healthcare companies are subject to HIPAA; some just want to be secure; and so on.

A useful gap analysis relies not simply on where you want to go but on a thorough understanding of where you are in your information security journey.

Before Your Gap Analysis: Four Essential Questions

Your internal team should address several questions before taking on a gap analysis project. Further, any gap analysis engagement will include these questions as part of the initial due diligence, so answering them in advance will save time and money.

  1. Which regulatory requirements are we subject to?

Question 1 deals with the “must-haves.” The answer may look straightforward, but understanding the full scope of the requirements is critical. GDPR and CCPA are similar in spirit, but meeting their respective requirements differs in important ways. HIPAA and FERPA address data privacy for healthcare and education, respectively, but in very different ways. The consequences of failing to conform to DFARS may have ripple effects far beyond your organization. Public companies have additional disclosure requirements. Understanding which regulation or regulations you must comply with is the first step.

  2. What data do we need to protect?

After reading the earlier posts in this series, it should be abundantly clear that organizations should take a broad view of what data needs protecting. Data breach headlines usually focus on personally identifiable information (PII), and PII is first among sensitive-data equals, so to speak. However, the decision to protect a given piece of data should be binary: either it is sensitive and must be protected, or it is not. Many organizations already have data classifications in their corporate policies, usually expressed as levels of confidentiality. The right-practices approach ensures that every classification other than public, whatever the organization calls it, falls within your data protection scheme.

  3. Where is our data?

Securing your data means far more than having a good firewall. Data and information storage come in three forms:

  • Digital – the form we are (mostly) talking about when we discuss information security;
  • Physical – lest we forget that information on paper is still a thing; and
  • Human – we walk around with loads of data inside our heads.

Note that some information security frameworks, such as the NIST Cybersecurity Framework (CSF), concentrate on digital systems and data, while others, such as ISO 27001, aim to secure information in all of its forms. That difference may matter to you, depending on where your information resides.

  4. How does this data move through the organization, and who touches it?

Data is not static; it is created and moves throughout the organization, making stops along the way. It changes and gets revised, leaving prior versions in places that may or may not be known. Reports are distributed and printed. Meetings are held, and information is passed to fellow employees. So, while data mapping your network may reveal the current location, it does not necessarily show where copies and iterations are physically located or which people have had access to the information.

Further, businesses should perform this kind of data exploration for their own data and clients’ data. With more skin in the security game than ever before, clients are taking the time to verify that their vendors are properly securing the data they share. As a result, organizations must thoroughly understand the what, where, how, and who of that data.

Data Vulnerability is Often a Result of Process Vulnerability

Admittedly, developing customized practices takes a bit more work than adopting a generic list of “best” practices. As noted above, right practices require you and your information security team to have deep knowledge of the location, custody, flow, and resting points of your data and information.

Most organizations have a good idea of where data is stored, but the variety and number of data and information flows can be surprisingly hard to identify. It may be even harder to pinpoint the stops data makes along the way as it makes its rounds in the organization. But the importance of understanding your data paths and waypoints cannot be stressed enough: data is most exposed while it moves between systems and people, and at the informal stops it makes along the way.

Answering the questions posed above will also surface another common vulnerability: existing processes that get in the way of proper information security. For example, HR may use its system to generate a file with employee information, send it to Finance, and then the Payroll team manually keys the data into the payroll system. You do not have to be a security expert to see the weak points in that workflow: a file sitting wherever it was sent, copies nobody tracks, and manual re-keying that invites errors and exposes the data to more people than necessary. Yet, unless there is a way to integrate your HR system with your finance system, that flawed process will continue, and it needs compensating controls (an approved transfer method, retention limits on the copies, access limited to the people who actually handle payroll) until it can be replaced.

A “right practices” analysis is not meant to shut down the business processes but merely to expose weak points and allow corporate staff to triage these weaknesses when establishing their information security priorities.
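Questions 3 and 4 above, and the HR-to-payroll example, amount to building a data-flow map. The following Python is added here as an illustration (it is not code from the post or from EXTEND Resources). It models one dataset’s hand-offs as a small graph and answers the what, where, how and who mechanically: everyone the data reaches, where copies stay behind, which hand-offs use a transfer method the policy does not approve, and whether the map itself has hops the data never reaches (a sign someone forgot a step). The approved-channel list, the node names and the sample payroll flow are constructed assumptions for the example.

```python
"""Added illustration (not the article's or EXTEND Resources' tooling): a small
data-flow map that answers the post's questions 3 and 4, where the data is,
who touches it, and where copies and weak hand-offs are. The channel names,
node names and the HR-to-payroll flow are constructed assumptions."""
from collections import deque
from dataclasses import dataclass, field

# Transfer methods the (hypothetical) policy accepts for non-public data.
APPROVED_CHANNELS = {"api_tls", "sftp", "https_export"}


@dataclass(frozen=True)
class Hop:
    """One hand-off of the dataset between two custodians (systems or people)."""
    src: str
    dst: str
    channel: str        # "api_tls", "sftp", "email", "manual_entry", "usb", ...
    retains_copy: bool  # does a copy stay at dst after the next step is done?


@dataclass
class DataFlow:
    dataset: str
    classification: str  # anything other than "public" is treated as protected
    origin: str          # system of record; always holds a copy
    hops: list[Hop] = field(default_factory=list)


def needs_protection(flow: DataFlow) -> bool:
    """The post's binary rule: non-public data is in scope, full stop."""
    return flow.classification.strip().lower() != "public"


def custodians(flow: DataFlow) -> set[str]:
    """Every system or person the data reaches from its origin (transitive)."""
    edges: dict[str, list[str]] = {}
    for h in flow.hops:
        edges.setdefault(h.src, []).append(h.dst)
    seen, queue = {flow.origin}, deque([flow.origin])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def resting_copies(flow: DataFlow) -> set[str]:
    """Places a copy stays behind: the origin plus each hop that leaves one."""
    return {flow.origin} | {h.dst for h in flow.hops if h.retains_copy}


def weak_hops(flow: DataFlow) -> list[tuple[str, str, str]]:
    """Hand-offs over channels the policy does not approve, with the reason."""
    return [
        (h.src, h.dst, f"channel '{h.channel}' is not an approved transfer method")
        for h in flow.hops
        if h.channel not in APPROVED_CHANNELS
    ]


def orphan_hops(flow: DataFlow) -> list[Hop]:
    """Hops whose source the data never reaches: a sign the map is incomplete."""
    reach = custodians(flow)
    return [h for h in flow.hops if h.src not in reach]


def assess(flow: DataFlow) -> dict:
    """Summarize one dataset's what/where/how/who for the gap-analysis team."""
    return {
        "dataset": flow.dataset,
        "protected": needs_protection(flow),
        "custodians": sorted(custodians(flow)),
        "resting_copies": sorted(resting_copies(flow)),
        "weak_hops": weak_hops(flow),
        "orphan_hops": orphan_hops(flow),
    }


# Constructed sample matching the post's HR -> Finance -> Payroll example.
PAYROLL_FLOW = DataFlow(
    dataset="employee master file",
    classification="confidential",
    origin="HRIS",
    hops=[
        Hop("HRIS", "HR analyst laptop", "https_export", retains_copy=True),
        Hop("HR analyst laptop", "Finance shared mailbox", "email", retains_copy=True),
        Hop("Finance shared mailbox", "Payroll clerk", "email", retains_copy=False),
        Hop("Payroll clerk", "Payroll system", "manual_entry", retains_copy=True),
    ],
)

if __name__ == "__main__":
    for key, value in assess(PAYROLL_FLOW).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the sample flow: five custodians (including the human one, the payroll clerk), four resting copies, and three hand-offs flagged because email and manual re-keying are not approved channels. The same structure works for any dataset once the hops are written down, which is the hard part the post describes; the code only makes the consequences of the map visible.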

Use Technology to Manage Your Cybersecurity Practices Approach

Spreadsheets, email, and memory are no way to run any critical process for a company of any size or ambition. Further, the expectation of external parties – customers, vendors, the government – is that you maintain your information security program with a high level of care and professionalism.

Using an Information Security Management System platform (or making sure your outsourced managed security team uses an ISMS) allows you to align your information security program with a standard or framework. In addition, these tools enable you to track and report progress, manage vendor risks, and manage your risk treatment plan.

The right platform allows the information security team to streamline day-to-day tasks and keep up with requirements, so they can focus on strategic initiatives. If you do not have an information security team, an ISMS platform can enable experienced IT personnel to manage the information security function under the direction of a chief information security officer (CISO).

The return on investment in an ISMS platform, for companies building a robust information security program, is significant. For less than half the cost of a minimum-wage employee, the proper software platform lets a small team cover work that would otherwise fall to several security analysts, a data privacy lawyer, an information security training manager, a reporting analyst, and so on. (Full disclosure: we use a variety of industry-leading compliance management platforms for engagements ranging from law firms to biotech companies.) Your company would never expect its finance department to operate without an accounting system. Similarly, a credible, effective information security program should run on ISMS software.

Looking Ahead: Part Four

In the next part of this series, we will discuss what those foundational right practices may look like and how SMBs and middle-market companies can ensure they are doing all they can to prevent breaches without breaking their budgets.

EXTEND Resources helps organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats — including law firm and vendor risk. Contact us to learn more. 

Steve Henn
shenn@extendresources.com
203.803.2127