Data breach readiness, a board dialogue: “Not if but when”

Author: Puneet Kukreja

When Target was breached a little over 24 months ago, it was called the biggest data breach to date. Then came the breaches at Home Depot and JP Morgan Chase, followed by Anthem and the landmark event of 2014/2015, the Sony data breach, which prompted the United States to issue sanctions against North Korea. Cyber security suddenly became a topic of discussion at board level, and senior executives across industries started asking whether their organisations were prepared for a cyber incident.

In an earlier article we explored whether boards were genuinely cyber aware or were merely being coached on what it means to be cyber aware. The areas considered ranged from board expertise to media management in the event of a breach.

There has now been another landmark cyber breach, this time within the US Government at the Office of Personnel Management (OPM), to the tune of 21 million records stolen (a number that is still being verified and could be higher). These are interesting times for organisations from a data security and breach readiness perspective.

In recent Senate testimony, OPM acknowledged that “the total number of records affected remains unknown -- and may never be known”. This probably resets the baseline, given the volume and type of data that has been compromised. Because this is personal information on current and former government employees, including spies and undercover members of the US Government, the fallout and long-term implications of this breach remain to be seen.

What is fascinating about the OPM breach is that, as more information becomes available, it is becoming evident that OPM had been compromised before. There was a data breach in 2013 in which the intruders took enough information to determine the layout of OPM's systems, network and associated applications.

The reason I raise this earlier breach is that OPM's response to it is the one I hear from most boards and senior business executives: "…we did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data."

What I find fascinating is that OPM cannot even say it had no idea such an event would occur, considering it had already been breached twice before. Common sense would suggest that the responsible officers would ask simple questions: now that this has happened, what have we learned, how do we make sure it does not happen again, and what would it cost to secure our environment?

If these questions were asked, it would be interesting to understand what management actions were taken to ensure this did not happen again. It is particularly curious considering that the information at risk includes the most intimate details about US public servants, who handle the most highly classified secrets of the United States.

What the cost of the breach was pegged at, and how the decision not to patch or remediate was justified, would be an interesting exercise to reconstruct.


I narrow my discussion to a systems perspective because it is most often the systems that act as gateways into organisations that are compromised, and more often than not these are neglected, or considered low risk from a breach perspective. Otherwise, breaches occur through web applications that have either not been patched or were not securely developed.

If we look at breaches that can be attributed to missing system patches, the figure is a staggering 44% according to HP Security Research's Cyber Risk Report 2015, which found that proportion of known breaches came from vulnerabilities that were two to four years old, that is, vulnerabilities for which a fix had long been available. In my opinion this is simply unacceptable.

The justifications usually offered for not patching identified vulnerabilities can be summed up in the following five excuses:

  • The responsible stakeholders sign off on the risk without an end-to-end understanding of the real business risk of leaving their systems unpatched.
  • The business cannot afford the downtime, as that would impact a critical production process or, worse, customer services.
  • The systems are too old and cannot be brought up to the required patch level.
  • The business cannot confirm, or does not know, how the application will respond, because there is no test environment in which the patches can be tested.
  • The business does not have funding to undertake security patching and the associated testing of the applications.

All of these excuses demonstrate a lack of understanding of the compound risk of unpatched vulnerabilities on systems that are ripe for compromise.

Given that the number of hacks and breaches through 2014 and into 2015 has grown rapidly, it is nothing short of criminal to leave vulnerabilities unpatched on critical internet-facing systems when, in some instances, a patch has been available for almost five years.

The questions boards should be asking are:


  • What is the security threat posture of our organisation's internet-facing systems and key internal systems? When were these systems last patched or secured, and what is the state of open vulnerabilities on them?
  • What is the end-to-end controls posture of our organisation? Why is it not presented as a risk metrics report linked back to strategy initiatives and threat descriptors?
  • What is the risk posture of third parties such as suppliers and partners?
  • Do we understand the split between known third parties and shadow IT or cloud-enabled services that have access to our network?
  • When did our organisation last run an end-to-end mock cyber incident and/or data breach exercise to understand the response plans and operating controls that will be initiated not if, but when, a data breach occurs?
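The first two board questions above, and the earlier point about patches left unapplied for almost five years, only become answerable when patch state is measured rather than asserted. The script below is an added example, not code from the article or from any organisation it discusses: it takes a constructed vulnerability inventory (hypothetical hosts, placeholder findings and assumed SLA windows, none of them real) and turns it into the kind of metrics a board can track quarter on quarter: open and overdue findings per exposure class, how long the oldest open fix has been available, a compound risk score that grows with exposure, severity and fix age, and an escalation list of findings whose patch has existed for more than a year. Risk acceptances are deliberately time-bound, so a sign-off without an expiry cannot silently park a finding forever.

```python
"""Patch-age metrics for a board-level vulnerability report.

Added example with a constructed inventory; hosts, findings and SLA
windows are hypothetical and chosen for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation windows per severity, in days (policy values, not a standard).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "internal": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    exposure: str                  # "internet" or "internal"
    severity: str                  # key of SLA_DAYS
    patch_available: date          # date the vendor fix was published
    remediated: bool = False
    risk_accepted_until: Optional[date] = None  # time-bound sign-off, if any


# Constructed sample inventory (hypothetical hosts and findings, not real data).
TODAY = date(2015, 7, 15)
INVENTORY = [
    Finding("web-01", "internet", "critical", date(2010, 9, 1)),        # fix ~5 years old
    Finding("web-01", "internet", "high", date(2015, 5, 12), remediated=True),
    Finding("vpn-gw", "internet", "high", date(2014, 4, 8)),
    Finding("hr-app", "internal", "critical", date(2015, 6, 20)),
    Finding("print-srv", "internal", "low", date(2012, 1, 15),
            risk_accepted_until=date(2016, 1, 1)),                      # accepted, with expiry
]


def patch_age_days(f: Finding, today: date) -> int:
    """Days the fix has been available, whether or not it was applied."""
    return (today - f.patch_available).days


def is_open(f: Finding) -> bool:
    return not f.remediated


def is_accepted(f: Finding, today: date) -> bool:
    """True only while a time-bound risk acceptance is unexpired."""
    return f.risk_accepted_until is not None and today <= f.risk_accepted_until


def is_overdue(f: Finding, today: date) -> bool:
    """Open, past its SLA window, and not covered by a current acceptance."""
    return (is_open(f) and not is_accepted(f, today)
            and patch_age_days(f, today) > SLA_DAYS[f.severity])


def compound_risk(f: Finding, today: date) -> int:
    """Severity x exposure x whole years the fix has been available (minimum 1)."""
    years = max(1, patch_age_days(f, today) // 365)
    return SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure] * years


def posture_report(inventory, today):
    """Per-exposure metrics suitable for a quarter-on-quarter board report."""
    report = {}
    for exposure in EXPOSURE_WEIGHT:
        open_findings = [f for f in inventory if f.exposure == exposure and is_open(f)]
        report[exposure] = {
            "open": len(open_findings),
            "overdue": sum(is_overdue(f, today) for f in open_findings),
            "accepted": sum(is_accepted(f, today) for f in open_findings),
            "oldest_open_days": max((patch_age_days(f, today) for f in open_findings), default=0),
            "top_score": max((compound_risk(f, today) for f in open_findings), default=0),
        }
    return report


def board_escalations(inventory, today, min_age_days=365):
    """Open, unaccepted findings whose fix has existed longer than min_age_days,
    highest compound risk first, then oldest fix first."""
    rows = [(f.host, f.exposure, f.severity, patch_age_days(f, today), compound_risk(f, today))
            for f in inventory
            if is_open(f) and not is_accepted(f, today)
            and patch_age_days(f, today) > min_age_days]
    return sorted(rows, key=lambda r: (r[4], r[3]), reverse=True)


if __name__ == "__main__":
    for exposure, metrics in posture_report(INVENTORY, TODAY).items():
        print(exposure, metrics)
    for host, exposure, severity, age, score in board_escalations(INVENTORY, TODAY):
        print(f"{host:10} {exposure:8} {severity:8} fix available {age:5d} days  score {score}")
```

Run as written, the report shows two open, overdue internet-facing findings with the oldest fix 1778 days old, and the escalation list leads with the internet-facing critical whose patch has existed for nearly five years. The accepted low-severity finding is still counted as open, so it stays visible to the board, but it only drops off the overdue and escalation lists until its acceptance expires; extending the weights or SLA table to an organisation's own policy is the only change needed to apply it to a real inventory.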

If a board starts from the premise that the organisation will be breached, and works on understanding the actions it needs to take when it is breached, then the discussion across the business and technology leadership teams becomes one about effective mitigation. This is a much better place to be than “…there was a breach and we do not understand the full extent of the compromise”.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
