It is hard to read any technology industry news these days without seeing an announcement of a security breach. This was most recently evidenced with the Equifax cyber attack that is estimated to have affected 143 million Americans.
The average cost per stolen record in a data breach is $141
Given that information, Equifax could be on the hook for over $20 billion. As we are all far too aware, this is not the first incident of wide-scale data theft. In 2016 Yahoo announced that at least 500 million users' information was stolen.
The average cost of a data breach in the U.S. is now over $7 million
According to a report by Cybersecurity Ventures and the Herjavec Group, cybercrime costs will grow to $6 trillion by 2021. Many security experts believe the number of breaches is significantly under-reported. It’s possible that as many as one of every three businesses experiences one or more security breaches every year.
Distressingly, scaled enterprises often find themselves locked into damage-and-spin control, as they seek to help their customers or clients avoid the consequences of data attacks, while trying to keep their brands and reputations intact and avoid the extreme expenses involved in breaches. Is your network at risk?
BULLET PROOF YOUR NETWORK
Bulletproofing is an ongoing practice, not “set it and forget.” According to the experts at Windstream, the first and most important thing to understand about information security is that it is an ongoing practice that requires constant vigilance, regular activity and adherence to a set of best practices and processes to establish and maintain. The following diagram illustrates a complete methodology that, once established, can be repeated or revisited at regular intervals.
Let’s take a closer look at each step in the IT security process:
1. Recognize and value information assets
The security process begins with an inventory of what is present, and of what is worth protecting and monitoring. At the same time, a monetary value needs to be associated with each information asset, so it can serve as a benchmark to guide efforts and expenditures related to securing and protecting that asset. Generally, if the time, effort and expense required to secure and protect an asset exceed its value, it may not be worth protecting.
2. Assess and evaluate risk
Managing risk is all about recognizing what risks apply to an organization and then deciding which risks to avoid, accept, control or transfer. Some assets are bound to be at more risk than others, often in tandem with their strategic or financial value. For each information asset identified, an assessment of its associated risk must be calculated, so as to prioritize activity, expenditures and attention. The threat landscape plays an important role here, because it provides guidance on what kinds of risks are likely to be encountered, along with associated vulnerabilities and exposures to be handled and managed.
3. Establish mitigation and avoidance strategies
Mitigation involves establishing defensive measures to protect assets, often in the form of multiple layers of security established to reduce risks. When risks cannot be completely mitigated or defended against, they must be avoided. Sometimes, this may mean abandoning an asset, such as a customer directory that reveals contact information in violation of privacy requirements. This may also involve transferring risk to a third party, possibly by purchasing one or more forms of insurance.
4. Consider cyber insurance
Numerous insurance carriers now offer various forms of cyber insurance to cover costs associated with security breaches. This mitigates the risk by offsetting costs involved with recovery and remediation after a cyber-related security breach or similar security incident has occurred. Rooted in errors and omissions (E&O) insurance, cyber insurance policies have been available since 2005, with the total value of premiums forecast to hit $7.5 billion by 2020. This insurance covers expenses related to first parties (your organization) and claims from third parties (users, clients, or customers affected). Covered costs include those for forensic investigation, business losses, privacy and notification (data breach notification and credit monitoring for clients or customers), and lawsuits and extortion.
5. Understand compliance requirements
In addition to legal and business responsibilities to clients, customers and partners, certain data breaches carry additional legal and regulatory requirements. Some breaches (such as those involving customer account information tied to the PCI framework and/or GLBA legislation, or health records tied to HIPAA legislation) even pose the possibility of civil penalties and fines. Specific compliance requirements also include regular security audits and enforced remediation when those audits turn up compliance gaps or omissions.
6. Establish security policy
Ultimately, a security policy defines what assets must be secured, and how that is to be accomplished. That’s why a security policy covers everything from technical controls over access (password policies, multi-factor authentication, job role associated access rights, and so forth) to acceptable use policies, administrative policies, and auditing, monitoring, and reporting requirements.
7. Measure and monitor security
The old saying goes “If you can’t measure it, you can’t monitor it.” Keeping up with security is how you make sure it’s working. This means keeping an eye on assets to ensure their integrity and value remain intact. It also means monitoring systems and networks to make sure no signs of a potential breach or unauthorized access are present. This is the frontline for enforcing a security policy because measurement and monitoring provide empirical evidence for user behavior, access to assets, potential vulnerabilities and possible security exploits. It also provides tangible metrics for use in dashboards and report cards.
8. Respond to detected incidents
If a security breach or exploit is discovered, an organization must have an incident response mechanism in place to deal with the situation. This means dedicating human and technical resources to documenting, containing and remediating the breach. It also means performing an after-the-event analysis to understand its cause(s), and enacting new or enhancing existing policy and controls to prevent any recurrence. An incident response team is usually designated to deal with matters, along with a response plan to guide their actions, notifications and reporting.
9. Conduct periodic security audits
Either by compliance mandate or by best practice (if not both), organizations must conduct periodic security audits to assess their current security posture, status and, where applicable, compliance. This effort also involves comparing security policy as documented with security as actually enacted and practiced within the organization, and with what the current threat landscape dictates. To better implement or match policy, organizations need to alter or enhance their technical controls and guidance. A policy may also have to change to reflect evolving circumstances and business needs. Regular auditing provides the incentive to keep things current and to ensure they are working properly, by cycling back through all the other elements of the security cycle.
Repeat. Repeat. Repeat.
ARE YOU AT RISK?
With the skyrocketing costs associated with data breaches, enterprises need to be astute about their network security. Luckily for CU members, you do not have to shoulder the burden on your own. The Voice and Network Services program will help you understand present threats to your network and how you can protect your network while optimizing your IT and telecom spend. Protect your network and profits before it is too late.
Ben Hatch: Category Manager, IT/Telecom at Corporate United
Ben is responsible for Category Management within the IT/Telecom vertical at Corporate United. In this role, he serves as the category manager for Multi-function Devices, Conferencing, IT Hardware Support, and Telecom Consulting. He works cross-functionally with stakeholders and suppliers to provide program support, provides ongoing support to Corporate United supplier relationships and ensures value is provided within the category to members and suppliers alike.