Nothing instills fear into C-level executives and boards like data breaches. Equifax is the most recent example, pointing to assorted vulnerabilities either on the “human component” or on the infrastructure side. The sobering news is that, regardless of the level of security measures a firm has in place, there will ultimately be a breach. I don’t mean to be a “Debbie Downer” here, but response is everything.
JPMorgan, Sony, Home Depot, and Target have all unfortunately been on the receiving end, with real fallout. One consequence, of course, is that CIOs and CISOs lose their jobs, with the firms left hoping that the next C-level can protect them. Groundhog Day. On the surface, that at least mitigates further headline risk. However, with data security there are too many variables, and too much can go wrong despite the best planning efforts of any CISO or CIO. Firms can be confronted with their prized data assets being breached or, worse, subtly manipulated. The challenge is that some of these attacks lie in wait on the host for months, making almost “undetectable” changes to the data. Try doing Machine Learning, AI, or predictive analytics when the data has been “slightly manipulated.” Finally, the resulting headlines can damage a firm’s reputation, which erodes trust and ultimately affects the share price.
There is both a dollar risk and a concomitant reputational risk associated with data breaches. The total annual cost to all organizations globally is roughly $80 billion. And according to IDC, worldwide spend on cybersecurity will reach $100 billion by 2020. Organizations are trying to figure out the best way to deploy those assets, but most of the effort goes to network security, not data security. The dollars are deployed the wrong way. This is where it is worthwhile to employ an outside security firm to:
- Assess the organization’s overall risk
- Work with an outside firm/vendor to develop a strategy for each security component
- Eventually develop a rapid breach response
- Develop a strategy for continuous improvement
Firms are scrambling for tighter controls, better tools, and maybe some Hail Marys. These approaches are necessary but not sufficient (except for the Hail Marys, which can sometimes work). Do firewalls save the day? Can bespoke security rules for each platform or application, with developers embedding their own security measures, keep the wolves at bay? The resounding answer is no. Firms need to be prepared with robust response plans in addition to best practices around security measures. Response readiness greatly mitigates overall risk and can bring a firm back to operational robustness in less time. Response plans have a lot in common with BCDR (business continuity and disaster recovery) plans, in that there has to be tight integration with the business and a shared understanding of risk. In fact, if done correctly, the response plan should be tied into the BCDR plans (you get breached: what are your Recovery Time and Recovery Point Objectives?).
Response plans don’t work in isolation. Other steps are a necessary part of the process, including Security Governance, Data Loss Prevention, BCDR (data backup with RTO and RPO objectives), Training the Human (a big lift), Policies and Procedures that are fully vetted and understood within the organization, and Software and Hardware Hygiene (software and firmware updates applied as recommended).
Since breaches will happen, the response plan does indeed need to be robust, with as many scenarios considered as possible. Those scenarios and responses need to be communicated to, and understood by, the C-levels and the board. As the Boy Scouts urge: always be prepared.