I write this post from my childhood bedroom. Yesterday, life gave me an unplanned analogy for parenthood and corporate data breaches.
We lost power at 9:30 am. By 5 pm, we were still in the dark and the utility company had no timetable for restoring service. Winter is approaching, so the sun was setting and the house was starting to become chilly. We had to feed our 3 young daughters, but after morning snacks, lunch, and afternoon snacks from the pantry that didn't require a stove, oven, or microwave, we knew dinner would be an uphill battle. We don't own a generator (guess who's heading to Lowe's this week?), but we had a pre-defined plan: my folks live within a short drive and are empty-nesters with plenty of room. We sat down to dinner at 6:30 and the kids were asleep by 8 pm in a warm home.
What's the point? Life happens. Homes lose power. Organizations are victims of cybersecurity attacks. You can't prevent what you can't control, but you do need to be able to address unforeseen circumstances to keep operations running as smoothly as possible.
So what's an organization to do to protect itself from phishing, ransomware, and other types of cyber attacks?
A helpful analogy to consider is the "Swiss cheese" method. Any individual cybersecurity defense, like any individual slice of Swiss cheese, has holes. But if you stack 4, 5, or 6 slices of cheese on top of each other, it's much less likely you'll be able to see clearly through the stack. Likewise with proactive approaches to cybersecurity.
Messaging to Executives and Employees
Security professionals run the risk of being the employee who "cried wolf" if ugly examples are constantly trotted out, especially without direct connection back to reasonable steps people can take to protect themselves and the organization.
When dealing with employees, candidly, human psychology and best practices imported from sales and advertising would serve entities well. Generally speaking, humans make decisions based on experience and emotion, then look for data that supports their proclivity.
Storytelling that wakes up our reptilian brain and packs a punch, and is then supported with a few well-chosen pieces of data, will be far more impactful than simply forwarding breach headlines and regurgitating bullet points about the expenses. Additionally, security professionals should work to form alliances across the business and make security a cultural part of the organization, rather than an annual "check the box" compliance exercise.
When dealing with executives, security professionals have to learn to speak the language of business, which generally measures risk vs. reward, cost vs. benefit, and ultimately, rewarding shareholders within the bounds of the law and ethics. Frank Ready recently published an interesting article that quoted Alisha Cieslak, chief legal and risk officer at Gordon Food Service. “I think businesses historically viewed cybersecurity as really an IT function, but companies like Gordon Food Service and others that we’ve [compared] with are really now looking at cybersecurity or information security as a risk function versus a purely technical IT function,” she said.
The cultural shift is happening; it's up to security professionals to capitalize.
Vendor Selection, Contracts, and Settings
To a layman, "IT professional" and "cybersecurity professional" sound synonymous. Surely the guy at the help desk who figures out why my laptop won't connect to the printer is also an expert in GDPR?
But each business must seriously examine the skill sets of its team and determine how much cybersecurity it can truly insource, vs. where it's important to find a partner. Then, it's crucial that the service agreement lays explicitly bare the responsibilities and liability. Well-versed consultants and attorneys can be worth their weight in gold during this process.
Along with vendors' capabilities, it goes without saying that hardware and software must be capable of the tasks before them, so stringent vetting of technological tools is elementary. But what good is that technology if the settings are not configured correctly and enforced periodically? Are you using single-factor or multi-factor authentication? Are the security features enabled in O365? Are employees able to override defaults, or are appropriate permissions set up and audited?
Technology alone will not fix any problem - it takes deliberation, collaboration, and enforcement to protect the business.
DFIR and Cybersecurity Insurance
As the trite saying goes, "it's not if, but when." You have probably received an email in your personal inbox from a retailer you've patronized that has experienced a breach. When large, often publicly traded, sophisticated companies that have many millions of dollars to throw at this problem fall victim, it's entirely plausible that your company will, too. When that happens, you'll want to be economically protected to the greatest degree possible.
Ensure your team has a detailed digital forensics and incident response (DFIR) plan. Who gets notified, internally and externally? What steps do they take? What gets locked down? How quickly does the analysis begin to determine how the breach took place and what was affected? Who is responsible for that analysis: a cybersecurity partner, or someone internal?
Here again, an experienced consultant or attorney can be invaluable. Ron Pelletier, Founder of Pondurance, recently wrote an article in which he advised readers to be aware of "terminology like 'compromise,' 'intrusion' or 'incident.' The insurance domain assigns very specific meaning to words like 'theft,' versus 'loss' and 'damages.'"
When the power goes out, you'd better already have a generator in the garage or a warm place to stay for the night lined up. The time for consideration has come and gone.
An upside of increased vendor messaging and marketing, along with IT department training and testing, is that awareness of data breach risks has never been higher. Human nature being what it is, it also means that people are beginning to tune out important messages.
Look for opportunities to engage key stakeholders in conversation and advocate measures that protect the company's reputation, clients' and employees' information, and shareholders' value. And if a breach involving PII is on your desk, let me know. We can help.