It may be a tired mantra for those dealing with the prospect of data breaches – “It’s not if, it’s when” – but it’s no less true today. Breaches come fast and furiously, often without warning. But, sometimes, it’s because organizations are tempting fate by failing to protect themselves before a breach hits…and then the aftermath.
“Every industry is impacted by breaches, without exception,” says Ed Moyle (left), director of emerging business and technology at ISACA, a nonprofit, independent information security trade group. Security flaws, he says, are inevitable as a part of the push for ever-increased networking.
It takes a few generations of a technology to really ‘iron out the kinks’ from a security point of view, he says. “Eventually, these issues became less problematic – at the end of the process is a fairly robust, resilient and mature technology. But the road there is a long one for any given technology.”
Rick Betterley, president of Betterley Risk Consultants, a Sterling, Mass.-based insurance risk management consulting firm, and author of industry newsletter The Betterley Report, says that his moment of recognition occurred when he heard that Lockheed-Martin had been successfully breached.
“That was my moment of epiphany,” says Betterley. “Now I know there’s nobody out there who can’t be breached. I used to sort of accept clients telling me that they were pretty well secured. I didn’t have the ability to evaluate that. But after I saw Lockheed-Martin get breached, I couldn’t believe that anymore.”
But, if every breach is a colossal headache for the organizations that suffer them, they are also experiences fraught with lessons, most notably: Protect yourself upfront and have a way – including tools, processes and resources – to endure the aftermath.
Risk analysis has been a part of the cybersecurity universe for some time. However, previous risk-analysis approaches endeavoured to protect absolutely everything – rather than identifying and protecting what mattered most to organizations, says Eddie Schwartz (left), international vice president of ISACA and president and chief operating officer of WhiteOps, a New York-based fraud prevention firm.
Today, he says, we’re seeing the rise of targeted risk analysis where one essentially interviews people at the levels of the business and ask: What matters most to you? What would cause the most pain to the business if we lost it, or if there was a problem with data integrity, or it was unavailable to you for some period? “That change in focus is different from the idea of building a wall,” he says.
Perimeter defenses to keep all attackers out are no longer feasible, many say, so the new face of risk analysis is in the specifics: Determining which distinct parts of a business need the most protection and investing total security potential in locking those aspects down strongly, rather than spreading security across the whole organization – weakly.
“It’s unrealistic to try to build the gigantic walls of perimeter defense that we had in the past, versus developing approaches focused on the information assets that the business cares about and looking at how that information is delivered, and moves through the network,” Schwartz says. “It’s a different paradigm from the way we built security 10 or 15 years ago.”
The growth of cyberinsurance has been explosive in the last few years, and everyone working in the cybersecurity sector has noticed.
“It used to be there was no such thing as cyberinsurance,” says Betterley (left). “While cybersurance was invented in the 1990s, it’s only something that became important in the last seven or so years.”
What’s changing now, he points out, is that there’s an absolutely tremendous growth in cyberinsurance in the United States – both the premiums and number of people becoming insured have been increasing dramatically. This isn’t simply an American trend, he notes. Though the numbers are a little smaller, the growth is similar outside the US.
Schwartz adds that organizations are coming to accept that breaches are inevitable and, as a result, so are certain types of financial losses. For that reason, they’re beginning to hedge their bets by moving portions of their risk into insurance products.
“It’s much the way errors of omission and other types of liability insurance cover things you don’t expect to happen,” Schwartz says. “We’re going to see continued growth of that industry.”
Enduring the aftermath
Associated with cyberinsurance are cybersecurity companies that partner with insurance companies in order to better secure insured parties, Betterley notes. As well, he says that other products to help deal with data breaches – such as breach-notification services, legal support and forensic investigations – are frequently offered by insurance companies or by companies partnered with insurers.
These are necessarily the two sides of the same coin, says Gary Kibel, a partner with New York-based law firm Davis & Gilbert. “There is now a flourishing forensics and breach response industry,” he says. “Companies have a need for products and services that are both preventative and those that are reactive.”
Kimberly (Kim) Kiefer Peretti (left), a partner in Alston & Bird, a Washington, D.C.-based law firm, and co-chair of its Cybersecurity Preparedness & Response Team, notes that forensic investigation companies have been thriving in the current environment – and that they are a necessity in investigating data breaches, since most companies cannot perform forensics themselves. However, she says, the best among them are those which learned their skillset over years in the forensic trenches.
“Investigating cyber incidents is both an art and a science,” she explains. “The science part – e.g., imaging systems, using scanning tools to identify indicators of compromise – may be learned quickly. But the art part – e.g., analysis, understanding where to look and what to look for – can require years of training and is entirely dependent on the investigators’ knowledge and experience.”
Likewise, there’s a difference between the immediate firefighting mode of response and the long-term work of recovery, ISACA’s Schwartz says. He breaks this down into recovery planning, which can be mediated by third-party consultants who help companies plan to get their systems back online and restore operations, and those who help coach companies through improvements based on what they learn from the breach experience.