It seems that not a week goes by without an unplanned data access, unapproved data exfiltration or unauthorized system access hitting the headlines. Most recently, the U.S. Government’s Office of Personnel Management made the news, disclosing the unauthorized access to the personally identifiable information of over 21 million government employees, applicants, and non-applicant individuals, including more than 5.6 million
Insurers are familiar with risk management and the cost of a known risk being exercised. When that exposure occurs, the financial payouts can be staggering. Equal risks come from the possibility of an information system breach and data exposure.
Many companies struggle with limited budgets and resources. It inevitably becomes an exercise in balancing risk and cost. I like to use the following analogy: You don’t put a $1,000 fence around a $100 horse. You take reasonable care to make sure the horse stays within the appropriate boundaries, but if that horse gets loose and causes damage in significant excess of the $1,000 fence, you might rethink that decision. It’s a risk-based decision that can come back and haunt you.

So, with solutions ranging from free to millions of dollars, how do you prepare a plan without breaking the bank?
The first step is to understand your risk and your vulnerabilities. What assets do we have in our infrastructure? What personally identifiable and/or sensitive data do we have to protect? What vulnerabilities do we have that need to be mitigated?
In order to understand your information technology assets, an assessment of the infrastructure should be undertaken. Asset Management Discovery via a network scan will highlight the connected and active assets and what those devices are connecting to. The output of this assessment gives a baseline of the infrastructure upon which to base your vulnerability analyses.
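The baseline step above is easier to keep honest when the scan output is compared against the asset register each time a scan runs. The following is an added example, not code from the article or its author: it parses a constructed scan export (three columns: IP, hostname or "?", open TCP ports) and a constructed asset register with approved ports per host, and reports three kinds of drift a defender cares about: active hosts nobody registered, registered hosts that did not answer, and known hosts exposing services they are not approved for. The line format, the register layout and all addresses are assumptions made for the example.

```python
"""Baseline an asset inventory from scan output and flag drift.

Added example: the scan lines and the asset register below are
constructed sample data, not output from any real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample scan export, one line per discovered host:
#   <ip> <hostname-or-?> <comma-separated open tcp ports>
SCAN_EXPORT = """\
# ip            hostname                  open_tcp_ports
10.20.1.10      db01.corp.example         22,1433
10.20.1.11      web01.corp.example        22,80,443
10.20.1.12      ?                         22,3389
10.20.1.20      printer-3f.corp.example   9100
"""

# Constructed asset register: what we believe is on the network and
# which services each host is approved to expose.
ASSET_REGISTER = {
    "10.20.1.10": {"owner": "data-team", "approved_ports": {22, 1433}},
    "10.20.1.11": {"owner": "web-team", "approved_ports": {22, 443}},
    "10.20.1.20": {"owner": "facilities", "approved_ports": {9100}},
    "10.20.1.30": {"owner": "finance", "approved_ports": {22}},
}


@dataclass
class Host:
    ip: str
    hostname: Optional[str]          # None when the scanner got no name back
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Drift:
    unknown_hosts: List[str]                  # active but absent from the register
    missing_hosts: List[str]                  # registered but not seen on the scan
    unapproved_services: Dict[str, Set[int]]  # known host exposing an unexpected port


def parse_scan(text: str) -> Dict[str, Host]:
    """Parse the constructed scan export into Host records keyed by IP."""
    hosts: Dict[str, Host] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and the header comment
        parts = line.split()
        ip, name = parts[0], parts[1]
        port_field = parts[2] if len(parts) > 2 else ""
        ports = {int(p) for p in port_field.split(",") if p}
        hosts[ip] = Host(ip, None if name == "?" else name, ports)
    return hosts


def compare(scan: Dict[str, Host], register: Dict[str, dict]) -> Drift:
    """Diff the live scan against the register and return the drift."""
    unknown = sorted(ip for ip in scan if ip not in register)
    missing = sorted(ip for ip in register if ip not in scan)
    unapproved: Dict[str, Set[int]] = {}
    for ip, host in scan.items():
        if ip not in register:
            continue                      # already reported as unknown
        extra = host.open_ports - register[ip]["approved_ports"]
        if extra:
            unapproved[ip] = extra
    return Drift(unknown, missing, unapproved)


def report(drift: Drift) -> str:
    """Render the drift as a short, human-readable baseline review."""
    lines = []
    for ip in drift.unknown_hosts:
        lines.append(f"UNKNOWN   {ip}: active host not in asset register")
    for ip in drift.missing_hosts:
        lines.append(f"MISSING   {ip}: registered host did not respond")
    for ip, ports in sorted(drift.unapproved_services.items()):
        port_list = ",".join(str(p) for p in sorted(ports))
        lines.append(f"UNAPPROVED {ip}: exposes port(s) {port_list}")
    return "\n".join(lines) if lines else "no drift from baseline"


if __name__ == "__main__":
    print(report(compare(parse_scan(SCAN_EXPORT), ASSET_REGISTER)))
```

With the constructed data this flags 10.20.1.12 (answered the scan, no owner on record), 10.20.1.30 (in the register, did not answer) and port 80 on the web host, which the register says should only serve 22 and 443. Each of those is a question for the asset owner before the vulnerability assessment starts, which is exactly the baseline the article is asking for.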
Infrastructure-specific risk areas can be identified by conducting vulnerability assessments and penetration tests. These typically are performed by ethical hackers simulating how someone would attack your network and systems. They give data on where your immediate infrastructure vulnerabilities are.
As this first step is critical in crafting your program, it is a good place to invest budget dollars. Many companies offer the assessment services listed above for reasonable costs. If you must choose only one, it is crucial to have independent vulnerability assessment/penetration testing.
Next, you have to decide what your risk tolerance is. How much risk do we want to retain? How much do we want to spend on technical prevention versus mitigation and response? When answering these questions, you should keep in mind that it’s not a question of ‘if’ you will have an incident; it’s ‘when and how bad.’ While you can certainly seek the advice of a cyber professional, ultimately these are questions that only you can answer and the answers will be different for every company.
You are now equipped with the information you need to build a balanced, comprehensive program that is unique to your organization. While your needs and their related costs will vary, here are some effective and inexpensive ways to help strengthen the overall security posture of your organization.
• Create a culture of security awareness. It’s important to educate and enlist all members of your team in protecting company assets. Securing the organization begins at the executive level. An educated employee/user is a valuable security warrior in the fight against cyber threats. The SANS publication “Securing the Human” is a good resource to review and validate your company’s security awareness
• Hit the low-hanging fruit. The SANS Top 20 Controls is a list of critical items the security community has identified as having significant value in closing an organization’s security gaps. Adopting these controls can reduce an organization’s exposure and potential liability by showing due diligence in addressing security issues.
Whether we are prepared for it or not, cyber intrusions are now a fact of life for businesses of all sizes. We need to recognize that fact and take the appropriate steps to protect our data and our customers’ data to the best extent possible within the reasonable limits of our financial and technical resources.

The basic cyber protections outlined herein are a quick and inexpensive place to begin your efforts. We can’t build a Berlin Wall to keep the horse in the field, but we can build and maintain a strong, wood-rail fence that contains and protects our data appropriately for our industry’s well-being. ITA
Cybersecurity: Balancing Risk and Cost
There are ways to secure your data that don’t cost more than what you are trying to protect.
By Chuck McGann

Chuck McGann is chief cyber strategist for Salient Commercial