Cyber security starts with a risk assessment

October is National Cyber Security Awareness Month, and the timing couldn’t be better.

This summer saw a series of high profile attacks impacting the public and private sectors alike. Events like the Democratic National Committee (DNC) server hack – which exposed embarrassing private e-mails, opposition research and campaign correspondence – led to leadership changes at the highest levels of the DNC.

Likewise, many election officials were sent scrambling when, on August 18, the FBI issued a warning about malicious activity targeting state election board systems after voter databases were breached at the Illinois State Board of Elections and the Arizona Secretary of State Elections Division.

Unfortunately, no one is immune to the risk of an information security incident. Whether it’s hackers looking to make a fast profit by stealing sensitive data, or a ransomware infection that interrupts operations and destroys files, a security breach can happen to anyone.

In fact, there have been more than 1,500 data loss events at U.S. governmental entities since 2005, compromising more than 300 million records.

But it’s not just hackers that are causing trouble. Municipalities, cities and towns lose data in a variety of other “low tech” ways as well.

Indeed, for local governments, the number of data breach incidents attributable to stolen laptops, accidentally e-mailing or publishing data, and fraud and document mishandling outweighs hacking by nearly 2.5 to 1. Given the many different ways sensitive data can end up compromised, it’s not surprising to see so many breaches reported year after year.

The proliferation of security events has many asking: how do we know if we are taking the right steps to prevent a security incident?

There is no shortage of vendors offering the latest applications or selling new security appliances. Moreover, there is an assortment of federal, state and industry-related security requirements aimed at controlling cyber risk, with long lists of prescribed practices that can be costly to implement.

Sorting through all this “cyber noise” can be a daunting task.

That is why a cyber risk assessment is widely considered one of the most important actions any organization can take for effective data security risk mitigation. Laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA), as well as industry standards like the Payment Card Industry Data Security Standard (PCI-DSS) require routine risk assessments.

The Commonwealth of Virginia requires a risk assessment be performed by state agencies as well. In fact, the Commonwealth’s Information Security Policy states risk management, including risk assessments, “is a central component of an agency information security program…”

Cyber risk assessments are much like any other formal risk analysis process, focusing on the likelihood and impact of adverse events affecting the confidentiality, integrity or availability of important information assets. The goal of a risk assessment is to identify relevant threats to data security and, in turn, to evaluate the degree of vulnerability to those threats.

It can be helpful to consider cyber risk assessment in a more familiar context. For example, flooding is a prevalent threat to communities around the world. Millions of dollars are spent every year on flood mitigation aimed at protecting valuable property. For obvious reasons, the same attention is not given to buildings located well outside of flood zones.

Cyber risk is similar to physical hazards. Many potential threats exist, but not all organizations are equally exposed to those threats. When it comes to systems and data, risk is very much a function of the types of data handled and the specific networks, applications and service providers the organization uses. This means the local government that relies heavily on business partners for hosted applications, or that outsources IT operations, will have a different cyber risk profile than its nearest neighbor that keeps most IT functions in-house.

This is what makes the cyber risk assessment process so valuable. By systematically identifying and evaluating relevant threats and the exposure to those threats, each organization is able to direct time and attention to controlling the cyber perils that are most likely to cause harm.

  • Will it make sense to invest in a next generation firewall?
  • Do we need to expand our server capacity?
  • What type of employee awareness training would it make sense to offer?

The risk assessment can answer these questions and, in the process, sort through much of the “cyber noise” and focus on real security needs.

VMLIP offers two tools to help get started with a risk assessment: YourCISO and the information security best practices guide.

The guide walks through the assessment process and provides pointers for gathering the information necessary for performing a thorough assessment.

YourCISO, the new information security risk management portal available to eligible members, complements the assessment with the Security Health Check. The Health Check benchmarks current security practices against industry-recognized best practices and can help shine a light on the practices that address the most pressing risks identified in the assessment.