Cybersecurity in a nutshell is the combination of knowledge about what information is valuable in your organization, who wants to exploit it, why they want to exploit it, what your organization is willing to do to prevent a breach of information, and how well your organization responds to a breach event.
What happens once your organization has been compromised?
After a bad actor exploits your information, it is too late. By that time, the damage is done, and your company is in damage control mode to minimize the impacts. Most people have by now heard of the Dark Web, but what most people don’t know is that there is a whole supply chain infrastructure consisting of independent individuals, organized crime syndicates, terrorist organizations, corporations, and governments. They all work together on the web to sell pieces of data they have acquired that are useful to others, who will buy them for pennies and assemble all of the pieces for an attack with a big payoff. Pennies add up to dollars, especially in third world countries where there are limited opportunities to make a viable living. Many of these criminals are just trying to take care of their families, and since they are not involved in the ultimate attack, the ethical and legal impacts become diluted. The fact that this supply chain exists makes it possible for really creative criminals to weaponize the most innocent data for a social engineering attack.
Now you know how easy it is to profit from a security breach and why it is such a growth industry.
What can your company do to prevent a breach?
First, your company can develop a framework as previously described on page 9. Once you have your goals and requirements, you can start to lock down your resources and create hurdles that make it difficult for bad actors to compromise your organization. Can you prevent a breach? No, but you can make it very difficult and expensive, and therefore unlikely, for a bad actor to invest in hacking your company. The old story about running faster than your companion to avoid being eaten by the lion applies here. If your defenses are better than your competitors’, the bad actors will be smart and go after your competitors first. Even though a breach may be unavoidable, it is still irresponsible and/or criminal not to take every possible action to protect your organization’s livelihood and reputation.
A tightly coordinated plan between your organization and your vendors is critical to building your defenses. Whether your CTO is in-house or outsourced, as many are today, especially for smaller organizations, your company needs to identify the critical data that your IT Security people will protect. You don’t really need to know too much about the technology details, as what is in place is likely to change in the near future as cybercriminals and their tools and techniques evolve, adapt, and become more subtle and sophisticated. In addition, technology companies are always updating their software, possibly exposing some new attack surface just waiting for a zero-day exploit. If there is a vulnerability, it is just a matter of time before someone exploits it. Hopefully it will be found by a user first and not by a cybercriminal.
Your IT Security team will take care of securing your resources and keeping your software and systems updated with the most recent security patches, but one of the most common and lucrative ways to exploit your system is through social engineering. This concept of social engineering has been previously described in the example, and some more examples will inform the vigilance required by everyone in your organization.
What else do you need to know besides having a plan, working with your IT partners, and keeping vigilant?
An essential part of your IT Controls plan should be your basic Business Continuity plan. This is more relevant now than ever. How often do we read in the news about ransom attacks? Pretty much daily. If you have a legitimate Business Continuity plan, then you have a much better chance of recovering your data after a ransom attack.
What is the difference between a Business Continuity (BC) plan and a Disaster Recovery (DR) plan? DR refers specifically to recovery from a data disaster. DR usually keeps a snapshot of the data offsite and requires time to restore the data once the primary environment is restored. Business Continuity, as the name implies, uses redundant hardware and load balancing across multiple geographically located data centers to prevent ANY disruption to operations in real time. As such, BC is much more costly than DR. The problem with DR is that no one knows if the backup has been compromised as well until they try to restore it. This is not the case with BC. All cloud environments use BC, which is why many companies have migrated to them.
Recently, some companies that have been able to recover their data from backups have still had their data released to the public if the company failed to pay the ransom. That is a decision your company may still need to make. That is why your overall IT Controls plan should also include an Incident Response Plan. For each potential breach or crisis event (incident) scenario, your company should already know who the decision makers and role players involved in the resolution process will be, and there should already be a resolution decision tree or script in place. The idea here is that a breach is a stressful and impactful event, so you can lessen the stress and impact by being prepared. After every crisis event, the plan should be updated with lessons learned.
Shari Diamond, CIA
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.