James L Golden, associate partner, GBS IBM, cybersecurity and privacy, was lead author of this peer-reviewed article. Members of the (ISC)2 U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry.
2015 has proven to be one of the most challenging years on record in terms of the scope and severity of security breaches.
The biggest and most notable known breaches this year affected over 150 million people, put billions of dollars at risk and cost businesses millions of dollars. As reported in October by Nextgov’s Caitlin Fairchild in “The Biggest Cyber Breaches of 2015,” those breaches include:
- Premera Blue Cross Blue Shield – Over 11 million subscribers’ information was stolen.
- Anthem – 80 million patients’ and employees’ information was stolen.
- Bank heist – The Carbanak cyber-crime ring infiltrated over 100 banks worldwide, stealing access credentials and hijacking ATMs to take more than $1 billion.
- Office of Personnel Management 1 & 2 – Over 4 million personnel files were stolen; a second breach affected over 21 million current, former and prospective federal employees and contractors. The stolen background-investigation and security clearance data included not just SSNs, but fingerprints and personal details that could leave federal personnel vulnerable to blackmail.
- Internal Revenue Service – Attackers used previously stolen identity information to pass the authentication on the IRS online “Get Transcript” service and retrieve the tax transcripts of over 100,000 taxpayers. The fraudulent refunds filed with that personal information cost taxpayers roughly $50 million.
- Ashley Madison (notorious “cheating” website) – 37 million customers’ records were stolen, most likely to shame and blackmail the users rather than to harvest credit card numbers.
- Central Intelligence Agency Director John Brennan – Security clearance files from Brennan’s hacked personal AOL account were posted on WikiLeaks.
These breaches demonstrate the breadth and depth of the security challenges, and of their impact, across both the public and private sectors. The OPM breaches in particular have taken a significant toll on the level of trust between the federal government and the public. In short, the exposure is real, the impact is significant, and reputations are severely damaged.
What Went Wrong?
A review of the 2015 breach cases reveals several major findings:
- Insufficient cybersecurity/information security and risk management – The affected enterprises did not implement the security controls and risk management practices that would have prevented, or at least limited, these breaches.
- Disregarded cybersecurity/information security guidelines and standards – Despite being readily available, private sector best practices and government standards and guidelines were not implemented or followed consistently.
- Ignored the cybersecurity/information security professionals – Corporate information security officers and hundreds of thousands of certified and non-certified security professionals are available to help implement adequate security controls and risk management processes, yet they are not being properly empowered and utilized to secure the enterprise.
- Insufficient escalation of known risks – In many cases, the weaknesses and vulnerabilities were already known within the organization, yet remediation was inadequate.
- Ineffective governance and management structure – Each enterprise has its own character, culture, principles and way of conducting its business or fulfilling its mission. All have some form of governance and management, some more effective than others. In every one of these cases, both governance and management failed to provide sufficient cybersecurity/information security and risk management. Governance failed by not providing proper direction and oversight; management failed by not implementing and monitoring sufficient security and risk controls, despite the guidance and the security professionals available to prevent the majority of the breaches.
No 'Silver Bullet' Solutions
There is no “silver bullet” that can resolve such challenges, but there are a few basic steps that can be taken to significantly strengthen cybersecurity/information security and risk management across the enterprise:
- Governance bodies need to get and stay more engaged in setting cybersecurity/information security and risk management objectives and priorities. Governance must ensure that progress toward these objectives is monitored and reported, that significant vulnerabilities and risks are identified and escalated, and that a risk management decision is made, accepted and recorded for each.
- Management needs to ensure that enterprise security objectives are defined and accomplished, following best practices and security risk management guidelines. Management must provide the resources and prioritization needed to implement the agreed objectives, establish clear lines of authority and responsibility, and hold all levels of the organization accountable. When a significant risk is identified, it must be escalated, monitored consistently and reported promptly.
- Enterprises must make cybersecurity/information security and risk management a top priority and a critical part of the organizational culture. Awareness training must be delivered at all levels of the organization, and compliance with security policies must be demonstrated.
Organizations across both the public and private sectors have suffered significantly in terms of cost, exposure and reputation. In many cases the weaknesses and vulnerabilities had been identified and the risks were known within the organization, yet they were not remediated. Security guidelines and best practices are available and security professionals are accessible, but the focus, commitment, direction and oversight at the governance and management levels remain lacking.
Cybersecurity/information security governance must be strengthened significantly to provide the direction and oversight needed to keep enterprise information assets and data secure. Management must take advantage of all of the resources available and take ownership of, and responsibility for, enterprise cybersecurity.
By implementing the recommendations in this article, enterprises can significantly improve their cybersecurity/information security posture and reduce their risk exposure. Increased enterprise focus, due diligence and oversight should mean fewer and less significant breaches. Breaches will still occur, but enterprises will be more aware of the risks and potential impact and better prepared to respond.