In the second part of a three part series, Paul Ferrillo and Christophe Veltsos explain how cyber risk assessments can provide value. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. The first article in their series can be found here. In a forthcoming third article, the authors will address the technical tools side of cyber assessment, as opposed to people/processes/governance. I would like to thank Paul and Chris for their willingness to allow me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Paul and Chris’s article is set out below.
In part one of our series, we established the parallels between cyber health and physical health, and highlighted the value of cyber risk assessments. Many health conditions are measurable, even before symptoms start showing up. The same is true of cyber risk. Cyber risk can be evaluated, not with funky math, but with down to earth assessments that can provide real answers about just how vulnerable an organization is to attacks, be they by outside forces or malicious insiders. Physical health can be improved via both medicine and exercise (aka lifestyle changes), and the improvement shows up in the health measures. Similarly, cyber risk conditions found in an assessment can be remediated (“fixed,” as some would say), thus allowing cyber risk to be managed, and sometimes transferred to a cybersecurity insurer for a reasonable premium.
In this article we will explore the case of Big Bulls-Eye National Bank, a fictitious organization that will help us explain how cyber risk assessments provide value, and the kinds of issues that can be uncovered now instead of waiting until after the breach — and after high-profile firings and lawsuits.
Can your organization really afford to wait before its next “health check-up” given the changing regulatory landscape? We noted in our previous article that 2018 was the year of cyber regulation, the year in which both federal and state regulation of cybersecurity leapt to the forefront of the business community. In 2018, New York, California, and the European Union collided together in the supercollider of corporate life, and caused many companies to assess, and reassess, cyber risk to generally improve their cyber health. In 2019, we expect the “Big Bang” to hit hard any business that can be shown not to have cared much about its cyber health.
The Saga of Big Bulls-Eye National Bank
The fictional Big Bulls-Eye National Bank is a federally regulated national bank. It is publicly traded on the NYSE and has a market capitalization of $6 billion. Big B.E.N. is incorporated in the state of California. It does both individual and corporate business in California and all of the Western States of the United States. Business grew quickly in the early 2000s, yet the organization managed to avoid having lots of bad mortgages on its books. So, perceptions are that Big Ben survived the financial crisis rather well due to its risk-averse approach, but appearances can be deceiving, as we’ll find out next. Here’s some additional background info about Big Ben.
- Security Budget & Investments — A point of pride for the CIO has been the way the organization has managed to hold both the IT and security budgets to a minimum. The budget, especially that of the security function, has been a contentious topic between the CIO and the CISO, but since the latter reports to the former, the security budget has stayed very conservative, at just 4% of the total IT budget. But remarkably, the security function has benefited from end-of-year spending sprees — due to leftover money initially earmarked for IT projects — to acquire additional security “tools.” We call them “shiny black boxes.”
- Security Personnel — From a security personnel perspective, the security department runs lean and mean. It has a staff of 10 in a security fusion center located in Los Angeles. There is some churn, but the HR director chalks it up to the aggressive tactics used by competitors to lure talent away.
- Security Hygiene & Culture — Big Ben provides spearphishing training for employees during its “annual security awareness month” program. The CIO is often heard proudly stating how they have over 99% participation across all employees, and over 95% of the executives also ‘complete’ the program. As a response to added scrutiny by the CEO and CFO, the CIO has requested that cybersecurity be a regular topic at the monthly executive meeting, which gives the CIO a chance to brief the rest of the C-suite about both IT and cybersecurity issues regularly. With such good results on this one aspect of cybersecurity training, top leadership — at the direction of the CIO — has decided that Big Ben had a “solid security culture.”
Big Ben Suffers a (Cyber) Stroke!
The rosy picture of Big Ben’s cybersecurity was shattered when one of its lending offices was hit by a particularly nasty piece of ransomware. The resulting disruption was further amplified by the timing of the infection, happening just before a bank holiday weekend. One long-time customer — who nearly missed out on closing a commercial deal — took to social media to complain about the bank’s archaic systems and processes and the bank’s poor public-relations response. As top leadership pressed the CIO and CISO for information about the incident and the lack of preparedness, they grew increasingly uneasy with the level of finger-pointing, especially once they learned that the same ransomware had impacted other peer institutions a year earlier.
Big Ben Gets a Check-Up
With the loud complaints from both shareholders and customers, top leadership decides to ask for a cyber health check-up and reaches out to you, an independent cyber practitioner, to perform a risk assessment. Top leadership is now seriously worried about the state of its cybersecurity as it becomes increasingly clear that the bank’s future — and with it the large bonuses of management — could be in jeopardy. Add to that the recent enactment of new security and privacy laws in California, and the bank may be headed for some rough seas.
After a series of interviews with top leadership, including individual and joint meetings with both the CIO and the CISO, you use the Cyber Risk Health Factors to evaluate the non-technical aspects of its cybersecurity health. Out of a potential maximum score of 55, Big Ben’s cyber health score — 18 — is rather humbling:
| Score | Question (and what earns full credit) |
|---|---|
| | **Security Awareness, Social Engineering, Phishing** |
| 2 | How much do you train your employees on Security Awareness, Social Engineering, Phishing? Full: 8+ hrs per year; Partial: 4-8 hrs per year |
| 0 | Do you conduct regular phishing tests of your staff? Full: yearly, and it includes executives |
| 2 | Do you have an incident response and crisis communications plan? Full: yes, and it is reviewed after major incidents |
| 0 | Do you practice your incident response and crisis plan with top leadership and the board? Full: yes, yearly or more frequently |
| | **Policies, Security Management and Oversight** |
| 2 | Do you have tested backup policies and procedures? Full: tested yearly or more frequently |
| 2 | Do you have a policy for passwords — for staff, IoT devices, and other devices? Full: default passwords are changed quickly and bad passwords are rejected |
| 2 | Do you have a third-party vendor due diligence program for those with access to your network? Full: yes, and it is audited yearly |
| 2 | Is there someone assigned oversight responsibility for cybersecurity? Full: the person is provided proper support (visibility, authority) and budget |
| 2 | Do you practice your incident response and crisis plan with top leadership and the board? Full: yes, yearly or more frequently |
| 2 | Are cyber risks reviewed by top leadership and the board? Full: yes, yearly or more frequently |
| 2 | Do you review your cyber risk insurance policy regularly to ensure adequate coverage? Full: reviewed yearly or more frequently, such as after an incident |
The Reality Check
Seeing the CEO’s grim reaction at the sight of the cyber health score, you share the following details stemming from your interviews with all of the bank’s major players:
While the bank has been able to “get by” with a rather small cybersecurity budget of 4% of the total IT budget, this is well below the mean cyber budget recently reported by financial institutions. And while the CIO regularly pointed out that some smaller competitors run with security budgets around 3%, the approach has left the organization with a severely underfunded cybersecurity function. The impact of this lack of budget can be seen and felt in the hodge-podge of legacy systems and in the prioritization of investments in the “protect” category — with hardly any capabilities in the detect, respond, and recover areas.
The Shiny Black Boxes
As noted above, the security function has been able to take advantage of year-end “shopping sprees” to acquire additional security tools. The downside is that those monies, having to be spent in somewhat of a rush, often go to yet another new security tool for the toolbelt, a concept that the CIO is very fond of. However, as you share with the CEO, the bank now has 32 disparate, yet sometimes overlapping, cybersecurity tools — but not enough personnel and training to properly configure and operate them to their full potential.
The CISO has repeatedly — yet unsuccessfully — argued that the fusion center is understaffed, which puts the organization at risk of failing to identify the next serious security incident. The fusion center has a high churn rate, high compared to the rest of the organization and even compared to the rest of the IT function. But HR refuses to consider more creative options — for example internships or hiring recent grads — choosing instead to source security personnel via pricey placement firms. The CEO is not happy to hear that the cybersecurity function is chronically understaffed, with some positions having remained unfilled for over a year.
Though it provides security awareness training for its employees, the bank chose to approach it as a once-a-year effort via a web-based program. While the CIO is delighted with the participation rates (99% of employees and over 95% of the executives), these numbers provide no meaningful measure of how much information employees retain, nor of the long-term impact on their susceptibility. Top leadership’s reluctance to phish its own employees and executives has created a culture of complacency. And while on average the organization suffers a phishing incident only about 12 times a year, the resulting stern talking-to from HR and the CIO has pushed many employees to avoid reporting strange emails or attachments.
More To Come
Much like Big Ben’s CEO, sooner or later, we find ourselves having to confront the harsh reality of our own cyber health situation. And sometimes taking “your medicine” is unpleasant yet necessary. Our initial prescription (with a spoon full of sugar) is as follows:
- Long term, the IT department of Big Ben is going to need a two week “spa vacation” to rejuvenate itself. Conditions are worsening in the cyber ecosystem. Conditions have worsened in the regulatory space. Monies will need to be spent, especially to properly staff the fusion center. Relying on a “staffing shortage” excuse after a breach will not go over well with regulators.
- Shiny black boxes supplying intrusion detection solutions are great IF they are configured well to detect user or network anomalies well before materials are exfiltrated. The bank does not need 32 “toys.” More in the next article on this point.
- Finally, the backbone of cybersecurity is “people.” People are the primary resource, and people are the primary incident response detectors, whose primary responsibility is to not “click on the unknown link or attachment.” Spearphishing training can and should be automated. It should be done at least once a quarter. Social media training should be done once a quarter as well. It should vary from department to department to be realistic and catch the latest potential “threats.” The security culture of Big Ben is not “solid.” Presently, it’s a “light-weight” at best.
In this article, we took a look at the non-technical side of things — away from technical controls — focusing instead on security culture, hygiene, awareness, and the management/oversight of security activities. Our third and last article in the series will go over the technical controls and their weaknesses, and provide a follow-up cyber health prescription of sorts to put the organization on a path to “recovery.”