As 2015 comes to an end, we look back on how the cybersecurity landscape has changed over the past year. If these were some of the biggest events in 2015, what can we expect in 2016 …
In February, the US experienced its biggest health care hack, against Anthem Inc. Records of around 80 million customers, containing social security numbers and other sensitive data, were exfiltrated from the health care company. More health care hacks were reported in May, affecting Premera and Carefirst Blue Cross.
But in June, Anthem was overshadowed by an even bigger compromise, affecting the federal government’s Office of Personnel Management. 21 million federal employees had their information compromised, including mental health and criminal records. Even more impactful was the 5.6 million fingerprints stolen. Unlike a social security number, fingerprints cannot be reissued, and they will remain valid for a person’s entire lifetime.
Throughout the year, more attention has been brought to the weaknesses and vulnerabilities found in our US water, waste, nuclear and critical infrastructure SCADA (Supervisory Control And Data Acquisition) computer networks. Any person with a computer and Internet connectivity can google “Shodan ICS Radar” and view a world map displaying different ICS and SCADA systems currently connected to the Internet. (Shodan is a Web search engine similar to Google, but it focuses on Internet-connected devices.) During Def Con, a convention for security analysts and grey hat hackers, controversy occurred when one security analyst showed how to hack into a SCADA system with little skill and money.
Now fast forward to this past month. Moody’s Corp., a major credit rating agency, has stated that breach management, incident response and cybersecurity preparedness will begin to impact creditworthiness for companies. With this change, the US is finally making a shift towards a nation of cyber responsibility, which would be great if it had not come on the heels of some of the biggest US data breaches.
So whose responsibility is it to create Cybersecurity preparedness, instill awareness and follow due care and diligence towards these matters? The executives, board members, city/federal administrations and councils of our private, local, state and federal entities. Long gone are the days of just firing the Directors of IT or Cybersecurity, or their staff, as the Target hack of 2014 showed us. The customers, employees and outside world hold the highest ranks of these organizations and entities responsible, regardless of whether they are aware or not.
So if this top 10% is you, what can you do to prepare and be diligent for your entity and those it serves? Start with education, not just for your employees but for the decision makers. Hold an annual training for your board or council, and even go as far as making it a requirement of holding that position. Progress requires genuine endorsement, and by committing to 100% of Cybersecurity training for your board or council, you help to create a cultural shift as well as an important example for your employees and the entity.
Another step is to undergo a security assessment every year. If you have dedicated IT and Cybersecurity personnel, then you should do a security assessment, external penetration testing and white box testing, coupled with your own monthly vulnerability and patch management program. Security assessments, external pen testing and white box testing should be tasked to an outside Cybersecurity consultant or company to ensure unbiased results. You should change these companies every two years to get a different perspective, and because different companies may have different strengths, e.g. one is better at personally identifiable information mapping and discovery where another is stronger at testing and hardening SCADA systems.
Once you have gotten the results from the assessment and testing, create an action plan to address them quickly. If there is no budget or monies to address all of the risks, prioritize the most costly (usually these are the most critical) and fix those immediately, then vote to accept the remaining risks until the end of the fiscal year. If that is not an option, use higher Cyber insurance coverage (this is a must) to balance the cost should the most critical risks be too costly and without funding. If the last two are not options, then you will need to either transfer the risk or avoid the risk (avoiding the risk usually entails not using a service or function at all). Transferring a risk to another company or service, e.g. HR management or customer information stored in a website, is acceptable as long as there is no indemnification stating that the Company providing the service is not responsible for a cyber act against them, and as long as the contract includes legal language on how data (personally identifiable information/banking/credit card) is encrypted in transit or at rest. Above all else, create or adjust your IT/Cybersecurity budget and allot .20 cents to every dollar you spend in your organization (prior years’ spending on average was around .8 cents per dollar); anything less will set you down a path of failure to mitigate your Company’s risks.
Finally, draft and establish your organization’s breach management and incident response plans. Remember that every state has different requirements on what constitutes a data breach that must be disclosed, how to disclose it and the obligations of the entity that was breached. However, by building your own plans, you can show your organization’s due diligence and provide a way to manage a breach in a manner helpful to your customers, employees and your entity. Try to have outside legal counsel within the same state review your plans to ensure compliance with your state’s guidelines. Also, you must assign ownership of these plans, either to the CEO/president/mayor or to the board/council. Their responsibility is to ensure that the plan is reviewed and updated, and that mock exercises are completed with lower management and their designated employees once a year, to ensure compliance and visibility within the organization.
With that said, we are not fighting a losing war as long as we treat Cybersecurity as a cultural shift, not just a check box to show completeness. We are all on the front lines, and together we can turn the tide for the 2016 year.
Stay tuned for more insight and tips.