Government leaders spend a great deal of their time pondering this question: How can we prevent the thousands of data breaches that happen every year from happening to me?
But what they should ask themselves is this: Can we develop a cyber risk strategy that will defend us against present and future threats – while supporting our agency/operational needs?
Why should they take this route? Because if the modern age has taught us anything, it’s that cybersecurity alone can no longer safeguard organizations. Cybersecurity is focused principally on the use of protection mechanisms to shield systems from threats or damage. It is about acquiring anti-virus, firewalls, intrusion prevention and other solutions designed to stop attacks known at the moment. Unfortunately, the threat landscape is constantly and unpredictably shifting, rendering traditional defensive products/tactics as insufficient, pretty much by the time they’re out of the box.
A cyber risk strategy, however, takes organizations to a far more mature, holistic level. It recognizes that data protection extends to every single facet of an agency – public affairs, finance, HR, legal, engineering, recruiting and, ultimately, its culture. It assesses a comprehensive breakdown of everything your agency does – how it operates, who “touches” sensitive data, what third-party vendors are “allowed in,” etc. – to gain a full view of your risk posture throughout all operational functions.
In other words, a cyber risk strategy drives toward a single, invaluable quality: trust
With this in mind, here is how an agency-wide cyber risk strategy can help you address four key components of today’s threat environment:
The invisible threat
As indicated, cybersecurity-based methods can only counter what’s “known.” But the 21st Century digital enemy thrives upon the polymorphic nature of his schemes, making himself “invisible” through a wide range of evolving ploys and disguises. This is why, in the legal world, something as time-honored as attorney–client privilege does not apply here. If the protected communications between an attorney and client is violated, then the attorney sues the violator, right? But, in the aftermath of a network incident in which proprietary information is breached, you can’t prosecute an adversary you can’t see.
Given the invisibility cloak, you have to examine your current blacklisting and whitelisting policies and processes, and transition to a model that permits access on a “default deny” basis. Why? Because the invisible adversary is growing increasingly skilled at searching for – and operating in – spaces that are available to them, coming up with methods that organizations aren’t aware of yet. When “deny” rules the day, you make it that much more difficult for adversaries to slip through the cracks.
The third-party risk factor
The Target and Home Depot incidents famously shined the spotlight on third-party risk in the corporate world. But the lesson applies to government as well. After all, you are only as strong as the weakest link among your suppliers, service providers and partners. But, again, cybersecurity methodologies consider the protections which come into play within these relationships. (Such as vendors’ encryption practices, or if they’ve plugged an infected USB drive into one of your computers.)
A cyber risk strategy scrutinizes these areas. But it also looks at the entire trust profile of third parties, going well beyond cybersecurity efforts. It asks “Does the vendor conduct effective background checks on employees?” and “Does our contractor provide strong awareness training to employees about recommended network/device usage?” These are the kinds of questions that will enable you to effectively evaluate third-party trust.
The human element
Cybersecurity tools are not designed to account for the “people factor.” But this can’t be ignored, not when human error has emerged as the top cause of data incidents. Meanwhile, nine of ten organizations are vulnerable to an insider attack. Whether we’re talking about malicious employees or simply undertrained and/or gullible staffers, a cyber risk strategy determines trust levels within the agency to assess how gaps could lead to exposure. The social dynamics of establishing trust with people means government leaders are asking themselves, “will my employees, vendors and partners do the right thing even when no one is looking?”
The crown jewels
Clearly, this is what every “bad guy” seeks – the “keys” to the crown jewels, i.e., your confidential, proprietary and sensitive data, whether it’s Social Security numbers, classified materials, agency credit cards, tax returns, etc. Again, cybersecurity merely covers the protection mechanisms, like encryption and authentication. What is often lacking when implementing data protection controls is a business understanding of valuable data access, movement and change. A cyber risk strategy evaluates where every valuable data asset is traversing – where has it been and where is it heading? Who “touches” it, and what do they do with it? How trustworthy are they?
We know there are risks, for instance, associated with the migration of data to a cloud provider. Yet, competitive realities dictate that we can’t “lock it all down.” Some assets have to exist in the Internet. So you must measure the how much you trust your cloud service providers versus the agency need?
For decades, cybersecurity defenses performed a noble purpose by attempting to protect largely non-technical users from technical threats, and avoid making mistakes in handling data. While falling short of “catching everything,” they did stop a lot of “bad things” from happening. But today’s invisible digital adversaries are proficient in exposing and exploiting the non-tech savvy audience that aren’t aware that an unencrypted stolen laptop can burn you worse than a spilt cup of coffee … until after it’s happened.
This is why a cyber risk strategy remains a vital part of a healthy agency diet. You’re not just buying another firewall. You’re building a culture of awareness which impacts the whole organization. With awareness, of course, comes trust. And that will do far more to thwart the intentions of attackers than any haphazard assemblage of security products.
Yong-Gon Chon has more than 20 years of experience building and leading global security teams. As Cyber Risk Management’s (CRM) CEO, he is responsible for all aspects of business rhythm at Focal Point.
A version of this article was also published in The Federal Times.