Cybersecurity StrategyWhen whales like Target, JP Morgan, and Anthem turn up losing hands in the cybersecurity strategy game, what chance do lightweights have?

To owners and executives in small and mid-sized organizations, cybersecurity can feel like a game of chance—one where cyber thieves are holding all of the cards. On the other hand, some might mistakenly believe that their organization is too small to attract attention, or that it doesn’t possess the kind of information for which cyber criminals are looking (such as credit card numbers).

As in most things, the truth is somewhere in the middle. Many organizations are closer to being a target than they think. As larger businesses become more secure, cyber thieves are turning their attention to smaller businesses, nonprofits, and even local governments. While it might seem like the odds are stacked against them, these organizations can regain control of the game and shift the odds in their favor by understanding the organization’s true cybersecurity risks and implementing appropriate controls.

Gaining an Edge in the Cybersecurity Strategy Game

Information security professionals are aware of the stiff odds. In a 2015 survey by the information security trade group Information Systems Audit and Control Association, Inc. (ISACA), 88% of U.S. respondents said that cyber attacks are among the top three threats facing their organizations today, and 54% expected a cyber attack on their organizations in 2015. Yet, only 44% of respondents felt prepared for a sophisticated cyber attack.

That doesn’t mean they should fold and walk away from the table—but they do need a solid game plan that includes three steps.

  1. First, they need to understand what is at stake.
  2. Next, they should scan their environment to assess risks.
  3. Finally, they should use that knowledge to design reasonable controls that strike an appropriate balance between security and convenience.

Step 1: Evaluating the Stakes of the Cybersecurity Game

In most organizations, digital assets—information maintained in an electronic format—have quickly risen in value. Examples include:

  • client lists,
  • donor lists,
  • login information,
  • project plans,
  • financial and payroll records, and
  • employees’ health information.

Many of these assets contain personally identifiable information—such as names with social security numbers or bank account numbers, medical information, or even electronic signatures—from which cyber thieves can turn a profit on the black market.

Cybersecurity is about the protection of these digital assets through controls around their use, transmission, and storage—and it begins with an environmental scan to understand the risks that are unique to that business or agency.

Step 2: Scanning the Room

Every time an organization connects its information systems to the outside world (whether to the Internet or an external network), it is rolling the dice on the security of that information. However, by beginning with understanding the unique risks, they effectively load those dice in their favor.

Organizations that don’t adequately assess their risks are essentially walking into the game blind, and they might be putting their cybersecurity resources in the wrong places. For example, many organizations rely only on a firewall for the protection of their networks. This lack of strategy is like playing a losing hand and just hoping you draw something to keep you in the game.

Instead, organizations should assess their actual risks and the effectiveness of their existing cybersecurity controls. Ideally, an independent specialist with verifiable credentials—such as a Certified Information Systems Security Professional (CISSP) —should conduct this cybersecurity risk assessment. The professional should evaluate not only firewalls but also security awareness training and workstation controls (such as security patches and anti-virus updates). Smaller companies often let these controls go by the wayside thinking they are just a pair of deuces when, in fact, they may be enough to win the hand.

The assessment begins by identifying the organization’s digital assets and the “touch points” where data is in use, in transit, at rest, or in storage. These data touch points can include local workstations, portable devices, local networks, cloud services, email servers—and the list continues.

Any of these touch points could potentially represent a cybersecurity vulnerability. For example, an unencrypted email message could be intercepted at any point in the following life cycle:

Sender’s computer ⇒ sender’s email server ⇒ Internet Service Provider ⇒ Internet ⇒ recipient’s email server ⇒ recipient’s computer

But the only way to identify an organization’s actual risks and the most appropriate controls is to conduct a thorough risk assessment that answers questions such as:

  • Where and how is data received by the information system(s)?
  • How is data protected during the transmission process?
  • Where does data rest—with the business itself or with a third-party data center?
  • What are potential internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of the digital assets?
  • At what points and to whom is the data available as an unencrypted file?

Because IT risks change constantly, and new exploits are discovered daily, a risk assessment is not something that is done once and put on the shelf. It should be a dynamic process that involves at least quarterly meetings to evaluate new vulnerabilities and assess whether existing controls are still appropriate.

Step 3: Betting on Internal Controls

Based on the cybersecurity risk assessment, businesses must put in place appropriate controls that protect digital assets and detect breaches when they do occur.

Many business owners and executives believe that they can’t afford sophisticated technical tools—such as encryption and high-end intrusion prevention and detection systems (IDS/IPS). As a result, they often resign themselves to being in a losing position in the cybersecurity game.

But organizations do not have to go “all in” on the most expensive tools. Even mid-level IDS/IPS tools equipped with automatic alerting could provide the level of protection warranted by the level of risk. However, tools are only as effective as the setting up and monitoring of the tool. (After all, even the best intrusion detection system in the world is a waste of money if no one sees the alerts.)

And of course, the human factor is the most significant vulnerability in any system. Even the best technological controls are void if the person responsible for that control makes a misstep—such as clicking a phishing link or emailing sensitive information in an unencrypted file.

Therefore, training is essential to reduce the human weakness in the IT system. Users of IT systems will always look for ways to get their jobs done as quickly and efficiently as possible, and often that means sidestepping controls that they see as needlessly cumbersome.

Cybersecurity training is available from a variety of sources, such as industry groups, software user groups, and online learning modules. Some of the issues that employees and other IT users need to understand include:

  • What is the organization’s policy on appropriate Internet usage?
  • How should they use portable storage devices?
  • What should they do if an email looks legitimate and asks the reader to take some action, such as click a link, visit another website, or open a document?
  • What should they do if they think their workstation has been compromised?

Playing Smart at Cybersecurity Strategy

Gamblers are known as risk-takers. But the best ones head into the game knowing exactly how much risk they are willing to take, and they bet accordingly.

When it comes to the game of cybersecurity, players must consider the level of security warranted by their digital assets and balance that with the level of access, usability, and convenience they need to play the bigger game at hand—whether that game is operating a profitable business or delivering needed services to constituents.

By focusing controls on areas of true risk, organizations can achieve the most appropriate balance between security, convenience, and usability.

Strengthen Your Cybersecurity Strategy Game

Just like in gambling, playing in the digital arena involves inherent risk. Contact our cybersecurity specialists to discuss how your organization can uncover its true risks through a cybersecurity risk assessment.