
Under Attack: Shifting Audit and Compliance Perspectives on Cyber-Security

Jose Tabuena | September 23, 2014

If it seems like every company is under attack from hackers and cyber-thieves these days, it’s because most of them are.

Cyber-security is a hot topic because of the rash of data breaches that have hit big retailers such as Home Depot and Target, affecting millions of their customers. But those are just the latest in a long string of companies that have been hacked. It has become apparent that boards of directors and executives need to reexamine how they protect their most critical intellectual property and sensitive customer information, and how they respond when that protection fails.

Adversaries continue to grow more sophisticated and can precisely target specific systems and individual users while concealing their activities from detection. In many breaches the organization did not realize it had been compromised for weeks or longer, and usually found out only when an external third party alerted it. Such delays hamper the forensic analysis needed to determine what data was stolen, how the intrusion occurred, and whether the incident is really over: vital questions that the IT auditors and privacy officers obligated to respond must be able to answer.

In this new age, traditional security controls are not enough to protect an organization against emerging cyber-threats, whether external, internal, or even from business partners. IT experts increasingly believe that basic strategies are disproportionately technical in nature and do not adequately address the evolving and dynamic threat environment.

In response to these developments, the National Institute of Standards and Technology released its Framework for Improving Critical Infrastructure Cyber-Security this year. The framework is intended to provide a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cyber-security programs. All signs out of Washington, D.C. point toward increasing federal regulation and oversight of cyber-security.

They’re Already Inside

To put it bluntly, most organizations will experience a breach at some point and should plan for this inevitability. Many companies focus on perimeter control, much like a drawbridge or moat around the castle, which is necessary but not sufficient. As Cris Ewell, chief information security officer at Seattle Children’s Hospital, told Healthcare IT News: “You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep people out,” which is the approach if you’re just focused on the perimeter.


So Ewell and other security experts say companies must shift their philosophy and assume that the perpetrators are already inside. In that case, what do you do to protect the information? This shift in perspective of assuming that a breach will happen can lead organizations to develop new practices that are nimble enough to stay ahead of rapidly emerging threats.

At its core what Ewell and others are advocating is the implementation of a risk-management process. Experienced security practitioners understand that there is no way to engineer 100 percent of risk out of a system. So you need to continuously identify the greatest threats and take steps to prevent breaches in those areas. If your controls are purely based on compliance criteria, you will usually be a step behind and can also run the additional risk of overspending and putting too much security in the wrong area.

Don’t Just Check the Box

Such an approach is not really earth-shattering: risk management is already a traditional safeguard built into well-known security frameworks such as existing NIST standards (which predate the cyber-security framework), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Security experts acknowledge that these frameworks provide good guidelines but readily caution that you are not doing enough if your controls are based solely on compliance.

It is believed, for example, that one of the problems in the retail sector is that too many organizations treat PCI DSS as a tick-the-box exercise. Security professionals have commented that the standard does little more than help retailers establish a security baseline, and that merely achieving compliance is no guarantee of security. Retailers could and should go well beyond the requirements of PCI DSS to reduce the risk of exposing payment card data.

PCI DSS has come under criticism because major companies (such as the retailer Target and the payment processor Heartland) experienced breaches while being nominally PCI DSS compliant. Defenders of the standard argue that since much of the information gathered in PCI DSS control assessments is interview-based, retailers that do not answer assessment questions truthfully and do not follow the assessor’s advice derived from the guidelines will of course not be secure.

Implementing a Risk-Management Process

Recent enforcement actions by the government, especially in healthcare, have emphasized the importance of addressing security threats starting with a comprehensive risk analysis, which is a requirement under regulations that protect sensitive information, such as HIPAA. Organizations need to develop tailored, detailed risk analyses rather than work through a checklist of controls. They must examine their organization holistically and determine the biggest risks, including those that are unique to the company.

When determining information security risks, knowledgeable security professionals working with business owners should be engaged to evaluate security risk using a practical and understandable process. This is easier said than done. Internal auditors and compliance professionals can provide expertise in assessing an organization’s security risk-management process and in evaluating how a risk analysis was performed. Good risk-management practice is inherent in the methodologies of internal auditors and compliance professionals, who routinely conduct risk assessments as part of audit and compliance activities to determine how best to allocate resources.

One way to evaluate a high-impact but low-probability cyber-security incident is through scenario planning, which can augment analysis of past events and help companies anticipate new threats. The discipline of scenario analysis is valuable to effective risk assessment because it forces managers to ask, “What could go wrong in the future?” Scenario analysis examines a number of possible future events and focuses attention on the outcomes of each event and their consequences. Done properly, it improves decision making by allowing management to consider more completely the various outcomes and their implications for the organization.

Be Aware of Technology Trends

Unfortunately, data thieves prey on the very conveniences that draw us to technology. The easier technology is to use, the more vulnerable we become. New technologies, including mobile devices, social media, and various apps are driving business to new heights, but also exposing new risks. Meanwhile, attackers are more sophisticated and harder to detect, and IT security response is being stretched beyond current capabilities.

Here are some technology trends for audit and compliance professionals to watch as they can aid in identifying new and more advanced threats:

  • Big Data – Aggregating more and more data from across the enterprise concentrates sensitive data in a single repository, which makes it both potentially vulnerable and a high-value target. Much of this data (personally identifiable, financial, health, intellectual property, etc.) is subject to compliance regulations including PCI DSS, HIPAA, and the Sarbanes-Oxley Act. As a general rule, sensitive data is a target for hackers.
  • Computer Science Algorithms – New and surprising discoveries are constantly being made about ways of combining data sets to reveal information that neither contained on its own. Computer scientists keep devising inventive linkage techniques, so true de-identification of data (which is presumed to be less sensitive) is becoming harder to achieve. An important factor that facilitates re-identification is the proliferation of personal information online and in offline record systems. Internal audit and compliance, through their assurance activities, can help an organization strike the balance between useful targeting and the privacy concerns or other inappropriate uses that Big Data can motivate.
  • Operational Capacity – Techniques that bring together and analyze multiple data sources may reveal behavioral patterns and trends that allow an attack to be detected more quickly and efficiently. But most security teams currently lack the time and staff to sort and contextually analyze large quantities of security data.
  • Consumers and Privacy – Problematic for privacy officials are studies indicating that consumers dislike the collection and sharing of data about their behavior and are willing to pay to avoid sharing their information with third parties. Moreover, research shows that millennials are willing to give up some privacy for the right incentives. Will this result in expectations of more processes and controls over sensitive information?
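The re-identification point in the list above is easiest to grasp with a concrete linkage attack. The Python below is an added example written for this page, not code from the article or from any organization it names. The health release, the voter roll, and every name, ZIP code and date in it are constructed; the quasi-identifier set (ZIP code, date of birth, sex) is the classic one Latanya Sweeney used to show that most of the U.S. population is unique on those three fields. The example links a “de-identified” release back to named people, measures the release’s k-anonymity, and shows the suppression step that would have blocked the linkage.

```python
"""Added example, not from the original article: a linkage attack that
re-identifies a "de-identified" health release by joining it with a public
record set on quasi-identifiers (ZIP code, date of birth, sex), followed by
the k-anonymity check a reviewer would run before release. All records are
constructed for this example; the names, ZIPs and dates are fictitious."""
from collections import defaultdict

# Constructed "de-identified" release: names removed, quasi-identifiers kept
# because each looked harmless on its own.
HEALTH_RELEASE = [
    {"zip": "02138", "dob": "1964-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1964-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1980-01-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1980-01-02", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02140", "dob": "1975-11-11", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public record set (think voter roll) carrying the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "Alice Example", "zip": "02138", "dob": "1964-07-31", "sex": "F"},
    {"name": "Bob Example", "zip": "02138", "dob": "1964-07-31", "sex": "M"},
    {"name": "Carl Example", "zip": "02139", "dob": "1980-01-02", "sex": "M"},
    {"name": "Dan Example", "zip": "02139", "dob": "1980-01-02", "sex": "M"},
    {"name": "Eve Example", "zip": "02140", "dob": "1975-11-11", "sex": "F"},
]

QUASI_IDS = ("zip", "dob", "sex")


def qid_key(record, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values that both datasets share."""
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(release, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class on the quasi-identifiers
    (0 for an empty release). k == 1 means some row is unique and linkable."""
    counts = defaultdict(int)
    for row in release:
        counts[qid_key(row, quasi_ids)] += 1
    return min(counts.values()) if counts else 0


def link_records(release, external, quasi_ids=QUASI_IDS):
    """Join the release to the external set on quasi-identifiers.
    Returns (identified, ambiguous): identified maps a name to a diagnosis when
    exactly one release row meets exactly one external record; ambiguous lists
    classes where several people or several rows collide."""
    names_by_key = defaultdict(list)
    for person in external:
        names_by_key[qid_key(person, quasi_ids)].append(person["name"])
    diagnoses_by_key = defaultdict(list)
    for row in release:
        diagnoses_by_key[qid_key(row, quasi_ids)].append(row["diagnosis"])

    identified, ambiguous = {}, {}
    for key, diagnoses in diagnoses_by_key.items():
        names = names_by_key.get(key, [])
        if len(names) == 1 and len(diagnoses) == 1:
            identified[names[0]] = diagnoses[0]
        elif names:
            ambiguous[key] = (names, diagnoses)
    return identified, ambiguous


def enforce_k(release, k, quasi_ids=QUASI_IDS):
    """Suppress every row whose equivalence class is smaller than k, so the
    remaining release is k-anonymous on the quasi-identifiers."""
    counts = defaultdict(int)
    for row in release:
        counts[qid_key(row, quasi_ids)] += 1
    return [row for row in release if counts[qid_key(row, quasi_ids)] >= k]


if __name__ == "__main__":
    print("k-anonymity of release as published:", k_anonymity(HEALTH_RELEASE))
    identified, ambiguous = link_records(HEALTH_RELEASE, VOTER_ROLL)
    for name, diagnosis in identified.items():
        print(f"re-identified: {name} -> {diagnosis}")
    for key, (names, diagnoses) in ambiguous.items():
        print(f"ambiguous class {key}: {names} share {diagnoses}")
    safe = enforce_k(HEALTH_RELEASE, 2)
    print("rows surviving k=2 suppression:", len(safe), "k =", k_anonymity(safe))
    print("re-identified after suppression:", link_records(safe, VOTER_ROLL)[0])
```

On the constructed data three of the five patients are re-identified by name, because their ZIP, birth date and sex combination is unique in both sets; the two patients in ZIP 02139 survive only because two people share that combination. The `k_anonymity` check is the control an auditor can ask for before a release: k = 1 means a linkage attack is possible in principle. Note the caveat that suppression to k = 2 discards most of a tiny table, and that k-anonymity alone does not prevent attribute disclosure: had Carl and Dan both been listed with the same diagnosis, linking either of them to the class would still reveal it, which is why reviewers also look at the diversity of sensitive values within each class.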

It is clear that cyber-security is not just an information technology issue. Rather, it is a challenge with broader business, operational, regulatory, and risk implications. Traditional methods of addressing cyber-risk have focused predominantly on preventing incidents through defensive security strategies viewed through a compliance-oriented lens. While breach prevention remains paramount, companies should now emphasize understanding the landscape of existing and emerging threats and building the agility to detect and respond to attacks. In the right context, big data security analytics can bring together the disparate elements of an event to determine impact, scope, regulatory response, and remediation; in short, it can support a strong response plan.