With cyberattacks and hacks like the ones that have befallen Target, Sony, Anthem and others, it's impossible for companies not to wonder and worry if they're next. Just as understandable is the tendency among companies to focus on what caused the most recent attack as their best defense against becoming the next headline news.
However, this approach -- dubbed the "squirrel effect" in a session at a recent closed CIO conference in San Francisco put on by Global Business Events -- can make companies more vulnerable to attack and actually weaken their ability to recover quickly from a security breach. Chasing the latest security concern -- whether it's point-of-sale security weaknesses that hackers used to install malware, in the case of Target, or an insufficiently protected database that hackers breached to steal millions of customers' health insurance records, in the case of Anthem -- distracts companies from what they should be doing, according to the session's experts, who oversee security for a large Los Angeles-based entertainment company.
They advised that as soon as security professionals sense their company is diverging from its security plan, they should steer it back on course and double down on mastering the basics:
- Where is your most sensitive data located?
- How many applications/servers/endpoint devices do you have to patch and protect?
- Do you have a security awareness program for all your employees?
- Are your office locations and facilities protected from unauthorized access?
- Who do employees call when there's a security incident?
- Is your network being monitored for malicious traffic?
- Are you collecting logs for your most critical systems?
With a strong foundation in place, then a company can look into different methods of protection and try to learn from other companies' mistakes. But the experts emphasized that without a strong foundation, simply learning from others' mistakes is not enough.
Focus on the basics but test, test, test
Edward Kiledjian, CISO at Bombardier Aerospace and a panel moderator at the annual CIO Event conference put on by Global Business Events, agrees that companies should avoid the squirrel effect -- provided they have a solid security strategy in place. For the five years he has worked for the aviation design and manufacturing company (and through the Target, Sony and Anthem hacks), he said his company has never deviated from its security roadmap. He added that a well-planned and well-thought-out security roadmap should last five to seven years.
However, Kiledjian firmly believes that every time a major hack happens, IT organizations should build out a test case -- and may have no choice in the matter.
"Company boards now want to know: 'What would have happened if we had been targeted with those attacks?'" he said.
Indeed, Kiledjian takes these opportunities to figure out what the results would have been had Bombardier been targeted with the same techniques and tools. "And we create for ourselves a report card. So at least at an executive level, they're comforted in knowing that the team is on top of it, they're aware of it, and they're making right decisions," he said.
This exercise doesn't mean a company should deviate from its security roadmap -- if that roadmap is good. A security roadmap that was hastily put together and isn't strong and well thought out, however, needs immediate attention.
"The most important things that we try to protect in security are confidentiality, integrity and availability," Kiledjian said.
He explained that confidentiality means only the people who need the information can access it; integrity means a company can trust that the information hasn't been modified; and availability means that when a company needs information, it is available.
"And so those are really the pillars against which we try to build a roadmap," Kiledjian said.
Bombardier's three pillars of security
1. Confidentiality: Only the people who need the information can access it.
2. Integrity: A company can trust that the information hasn't been modified.
3. Availability: When a company needs information, it is available.
An appetite for risk
Another important aspect of security to consider, Kiledjian said, is a company's risk appetite, and how much the business is willing to pay in order to ensure security.
In 2007, then Sony vice president of information and security, Jason Spaltro, told CIO Magazine he was not willing to spend $10 million in order to avoid what he estimated would be a $1 million loss because then the company would "go broke." In the wake of the Sony attack, that statement of course has become notorious but in its day and in the security attack environment of 2007, it was construed by many -- not just Spaltro -- to be a rational calculation, Kiledjian said.
"And that's really the value judgment organizations try to make day in and day out," Kiledjian said. Companies have to ask themselves: What's the real risk? What's it going to cost to secure it? Would it be cheaper to handle the incident when it happens? Or is it cheaper to take preventative measures?
"This is the discussion we have a lot with executives -- how do you estimate the likelihood and the impact of a breach?" he said.
In the case of Sony and Spaltro, the 2007 calculation proved wrong. Seven years later, the Sony breach cost hundreds of millions or even billions of dollars, and movies, pay package information, contracts and emails between employees were all stolen.
One of the CISO's primary responsibilities is to help the company responsibly define its appetite for risk. Kiledjian said it's important for CISOs to conduct workshops, if need be, to identify threats, and then figure out not only what to do about them, but to also calculate how much the company ideally needs to spend in order to try to mitigate the risk.
Taking all these precautions and thoroughly planning will help ensure a company's security, Kiledjian said, but unfortunately, "the reality is no company can be 100% secure. It does not exist."