Security professionals wake every day to more, and increasingly savvy, data perpetrators who keep finding new and uncharted means of acquiring data. Shared Assessments' Tom Garrubba explains why anticipatory compliance is a key way to address this problem.
As sure as the sun rises in the east and sets in the west, organizations will continue to battle both new and long-standing cyber threats. Attempts to penetrate and disrupt the environment include phishing (including "whale-phishing" that targets executives), vishing (voice phishing) and other lures such as clickbait, all designed to trick users into unknowingly installing malware or ransomware. And most cyber professionals will confirm that they always seem to be in reactive mode rather than proactive mode.
Too many organizations suffer monetary losses, reputational damage and other impacts from these threats. And many more find themselves unprepared to meet the compliance requirements of legislation such as the California Consumer Privacy Act (CCPA) and the California IoT law, formally known as California Senate Bill 327, which requires that connected devices sold in the state include "a reasonable security feature or features" protecting consumers and their data from unauthorized access, modification or disclosure. Both the CCPA and the California IoT law take effect January 1, 2020.
How to Shift From Reactive to Proactive Mode
Cyber professionals must continue to sharpen their tools and think "outside the box" to proactively discover the as-yet-unseen ways data perpetrators could gain access to confidential data and cause havoc, and then collectively document and publicize the corresponding defensive strategies.
For years, I have been preaching that organizations should embrace and practice what is termed anticipatory compliance, not only through the compliance lens, but also through the lenses of security, privacy and legislation. It begins with the understanding that data compliance professionals in groups such as IT security, privacy, compliance and legal can no longer work in silos; they must share their strategies and knowledge with other business units to help ensure the protection and proper handling of data within the organization.
Former U.S. Attorney General John Ashcroft championed anticipatory compliance years ago. At a conference where Ashcroft gave the keynote, he focused on cyber espionage, along with terrorism and homeland security, and then delivered a striking prediction: institutions will need to prepare for "anticipatory compliance." In other words, organizations will need to be able to show that they are actively anticipating, studying and acting on perceived potential threats.
Regardless of the industry, and whether or not the organization holds personally identifiable information, this approach makes sense.
Building Resilience
Anticipatory compliance has been defined as “a proactive approach whereby risk professionals, cyber staff and other stakeholders together identify and mitigate risk within the organization and implement best practices both within the organization and among partners to anticipate and meet regulatory, security and business continuity objectives. It also requires applying best practices among partners and across the external landscape to support business continuity, compliance and security.”
With the proliferation of insider and external threats, sharing information helps all parties anticipate and prepare for threats on the horizon. Are there plans for moving support or data storage for a critical system to a location that tends to be hit by hurricanes or typhoons or perhaps to a location with a history of political instability in the region? Is there any proposed legislation or regulation working through state, federal or international agency hallways that may force us to alter the way we do business or handle data (such as GDPR or the CCPA, for example)? Are there any consolidation trends within key support verticals, and how might they affect internal and partner relationships? These examples of non-cyber threats need serious consideration along with the typical cyber threat horizon – and a formalized process established to address them. That’s the core of anticipatory compliance. Anticipating such threats and establishing resilience and contingency plans helps ensure that were they to occur, their impact wouldn’t be seismic.
To enact anticipatory compliance within an organization, the focus should be on a structured, programmatic approach: a methodology for anticipating new threats; documented policies, procedures, standards and practices for dealing with them; and a process for circulating your threat discoveries to the appropriate organizations and personnel. Note, too, that such an evolving program demands both fluidity and robustness.
The same applies to continuous evaluation of your third parties: anticipatory compliance must extend to them as well.
Unexpected events of the kinds described above can cause major disruptions not only to your organization but also to your third-party service providers, and ultimately to the consumers relying on the products and services you provide. Ask your third-party vendors how they are anticipating the threat horizon. Are they monitoring, charting and analyzing risks that may affect their own infrastructure, as well as the key systems and processes that affect your organization and your customers?
Looking Ahead
As organizations move ahead at full speed to hit required service levels, they may not take the time to gather and review information appearing on the threat horizon. When this happens, they become locked into reactive mode and wind up fighting fires, which makes it increasingly difficult to find the time to analyze the threat horizon. And when such time does become available, their resources are all too often pulled right back into the fray to fight the next blaze. In this way, emerging threats become an afterthought rather than part of the planning process. One can put all the tools and techniques in place, but all it takes is one phishing email, one clicked link or one download to put the entire organization in jeopardy.
It really is a joint effort between the information security team, the business units and other second-line support functions (such as compliance, privacy and legal) to share what they have learned from the threat horizon. It is also imperative that the information security team drive the changes required to protect the organization and help educate employees about these oncoming threats, so that they are not lured by a data perpetrator's bait.
As we keep our eyes and ears on the known threat horizon, we must also keep our minds open to the new and crafty methods data perpetrators are moving toward and experimenting with, so that we can mitigate the risk of a compromise to our own organizations.