Information security is not enough. Preparation for cyber attacks is no longer a luxury, and now is the time for organizations to pivot from defense to resilience.
It is now axiomatic that a data breach is a question of “when, not if.” Despite countless headlines, soaring costs, a plethora of insurance products and the well-documented risks of getting it wrong, many organizations remain somewhat unfocused on the critical importance of adequate controls related to their data privacy and information security risks.
Rather than recite the many prominent breaches and the internal control failures that may have contributed to them, now is the time to encourage proactive action to minimize the impact of such events in the future. In alignment with this observation, 72 percent of legal departments define cyber threats as the top priority risk issue according to Grant Thornton’s 2017 Corporate General Counsel Survey. In a word, it’s time to encourage a pivot from defense to resilience.
To ensure that we proceed from this encouragement with a proper grounding, we should set the context of these risks appropriately. Today’s context is materially different than it was a mere three to five years ago. Specifically, while information security has been the primary control structure to combat cybercrime in decades past, information security controls alone are insufficient to address the manifold risks facing organizations today, and they are a manifestly insufficient focus for organizations seeking to recover from a data compromise.
The reason for this hinges upon two driving factors in the cybercrime “ecosystem” today: sophistication and commoditization. Like any unregulated market that operates without a referee and/or regulating authority, the cybercrime market has evolved from rather blunt, brute-force attacks to highly automated and heavily tailored attacks that seek to exploit environment-specific vulnerabilities that abound in organizations today. These vulnerabilities are not merely technological; they exist within our current policies and practices, within our trusted vendors and contractors, and even – or perhaps especially – within our employee base.
Organizations combating this sophistication have their efforts compounded by high levels of commoditization within the cybercrime ecosystem. Bad actors come in many forms, and the level of sophistication within this ecosystem has enabled market demand for highly specialized services, resulting in commoditization – i.e., in specific cybercrime services for hire. This means that a bad actor seeking to compromise an organization need not have the technological wherewithal to accomplish such a compromise; that actor merely needs to know where to shop for such capabilities within this criminal ecosystem.
A Holistic Approach
So where do these compounding phenomena (of sophistication and commoditization) leave organizations? That depends largely on whether an organization is chasing the figment of a purely defensive posture or whether it is focused on a more rational goal: resilience. Organizations seeking to maintain reasonable preventive measures but bolster their ability to recover from a cyber compromise are employing a multi-disciplinary approach that contemplates several broad risk categories.
To be sure, information security controls continue to factor prominently among these risk categories. That said, organizations that do not couple information security controls with an analysis that delineates between insurable and uninsurable risk will find that their resilience falls short of satisfactory levels.
Indeed, many organizations learn of the exclusions or limitations in their coverage only during or after their operations are hobbled by a compromise. Accordingly, organizations would do well to engage specialists to assist in navigating the panoply of new insurance products designed to address very tailored needs in very novel ways. They would likewise do well to revisit the contractual protections that they can obtain via the parties with whom they regularly contract – especially if sensitive data transfers and/or infrastructure components are involved with such parties.
Likewise, the ability to bring varied skill sets into a unified incident response team bolsters the resilience factor for organizations. We see this in situations where organizations are dealing with a rogue employee, a business email compromise, a tailored phishing attack, a malware attack or something even more sophisticated and impactful. In fact, the key to resuming normal business operations after a data incident hinges upon this ability to incorporate multiple disciplines into a cohesive incident response protocol.
This is true for a host of reasons, but primary among these is the ability to consider risk from many different perspectives. For more on this perspective, please see Grant Thornton’s white paper on Taking AIM at Cyber Risk. To illustrate, involving counsel in the planning of (and response to) an incident allows for the contemplation of the role of the attorney-client privilege throughout the investigation and – heaven forbid – any downstream legal or regulatory exposure. Counsel can also provide much-needed guidance on how (or whether) to involve law enforcement in a given incident response, including an analysis of whether (and how) the attorney-client privilege might be affected by such involvement.
Likewise, incorporating your vendor management teams in incident planning and response ensures that the organization treats third parties in a manner commensurate with their risk profiles, so that monitoring controls are neither overbearing nor inadequate to the task. Similarly, involving crisis management specialists ensures that communications are controlled, based upon known facts, tailored to a specific purpose and transmitted via the medium that is most appropriate given the stakes.
Resilience Through Collaboration
The examples above are but a few of the benefits of a well-rounded incident response team. Once the organization assembles this multi-disciplinary group, it should work to unify this group as much as possible – ideally through the regular practice of incident-response scenarios. Indeed, the more this group collaborates, the better the results – because each discipline looks through a different risk lens at the same underlying facts presented. These differing perspectives, combined with a collaborative approach working toward a shared goal, allow the organization to resume its normal business operations in a far more efficient, defensible and sustainable fashion. Put differently, the greater the collaboration and the more multi-disciplinary the team, the stronger the resilience.