Strategy

Under Cyberattack, Financial Executives Fight Back


Response planning, monitoring external threats and promoting collaboration are among the keys to help mitigate the risk associated with increasingly sophisticated cybersecurity challenges.

According to speakers on a KPMG webcast, the fact that the cybersecurity threat can’t be eliminated means organizations must instead focus their risk management efforts on understanding which information is the most critical and developing processes to secure it – and to prepare for the inevitability of cyber attacks.

“Technology alone can’t win this battle,” said Tony Buffomante, principal in KPMG LLP’s Information Protection and Business Resilience practice.

For example, in the high-profile security breaches that affected the retail sector during the 2013 holiday season, Buffomante said many companies had installed leading IT security tools, but didn't have processes or people able to react to warnings from those tools.

Installing tools such as threat and vulnerability management software can provide important information about emerging threats, but unless those tools are configured properly and tested against known-bad activity, they're unlikely to perform as expected when they're needed most.

Even worse, failing to act on security alerts, network logs or other indications of a potential breach can increase the organization's liability or compliance exposure once a breach is discovered.

“Data cuts both ways,” said Ron Plesco, managing director, cyberinvestigations, in KPMG’s Forensic practice. “If you have it and aren’t using it, that can be looked at negatively from outside the organization.”
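The point about tools that are installed but never configured or tested is easiest to see in code. The following is an added example, not code from the KPMG webcast or any product it mentions: a minimal detection rule (a successful SSH login from an address that has just produced a burst of failed logins) run over constructed, sshd-style log lines, together with a self-test that checks the rule against a known-positive and a known-negative sample. The log lines, hostnames, IP addresses and the threshold of five failures in five minutes are assumptions chosen for the example; the self-test is the part that catches a "deployed but silent" rule, such as one whose threshold was set so high that it never fires.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption for this example; not from any real host).
# First block: a password-guessing burst from 203.0.113.7 ending in a success.
# Second block: a user who mistypes once and then logs in normally.
SAMPLE_LOG = """\
2013-12-02T03:10:01 host1 sshd[1001]: Failed password for admin from 203.0.113.7 port 50211 ssh2
2013-12-02T03:10:04 host1 sshd[1002]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2013-12-02T03:10:07 host1 sshd[1003]: Failed password for root from 203.0.113.7 port 50213 ssh2
2013-12-02T03:10:09 host1 sshd[1004]: Failed password for admin from 203.0.113.7 port 50214 ssh2
2013-12-02T03:10:12 host1 sshd[1005]: Failed password for admin from 203.0.113.7 port 50215 ssh2
2013-12-02T03:10:15 host1 sshd[1006]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
2013-12-02T08:00:00 host1 sshd[1100]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2013-12-02T08:00:30 host1 sshd[1101]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the two sshd message shapes used above; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on a successful login from an IP that produced >= threshold
    failures within `window` before the success."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "failures": len(recent),
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def self_test(threshold=5):
    """The 'tested' part: the rule must fire on the known-bad sample and stay
    quiet on the benign one. Returns False if the configured threshold makes
    the rule silent, which is exactly the failure mode a monitoring team
    would otherwise not notice until after a breach."""
    alerts = detect_bruteforce_success(parse(SAMPLE_LOG), threshold=threshold)
    return [a["ip"] for a in alerts] == ["203.0.113.7"]


if __name__ == "__main__":
    print("rule OK with threshold=5:", self_test())
    print("rule OK with threshold=50:", self_test(threshold=50))
    for alert in detect_bruteforce_success(parse(SAMPLE_LOG)):
        print("ALERT", alert)
```

Running the block reports that the rule passes its self-test at the intended threshold and fails it at a threshold of 50, where the same attack produces no alert at all. The same pattern, a known-positive sample wired into a check that runs whenever the rule or its configuration changes, is what turns an installed tool into one that will actually produce a warning someone can act on.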

Understanding the Threats

Part of the challenge organizations face is the increasingly sophisticated nature of cyberattacks, which are being launched by well-funded criminals looking to maximize their return on investment as well as nations interested in harvesting commercial intellectual property.

These threats are compounded by changes in technological and business models that are spreading data onto a broader array of cloud platforms and mobile devices. In a growing number of organizations, for example, cloud software may be used without the IT department’s support or knowledge. This wider dispersion of organizational data can undermine traditional approaches to network security that depended largely on controlling access to information.

Planning to Respond

Beyond technology tools, developing and testing effective responses to potential security breaches is an area where too many companies fall short.

Plesco said many large organizations have created incident response teams to react to potential breaches. But those teams often lack senior-level authority or visibility, and often fail to conduct scenario tests that can identify potential communications shortcomings before a breach is discovered.

For example, a team combining people from IT, communications, compliance and the general counsel’s office may disagree about who should be notified or what steps should be taken first. Instead, companies should identify the roles various team members would play after a breach is suspected, and should balance technical skills with compliance and management oversight.

“If these issues aren’t addressed in planning before there’s an incident, there’s going to be a lag time in your response,” Plesco said.

An organization’s business continuity plans can provide an effective starting point for a security breach response program, said Dennis Van Ham, a director in KPMG’s Information Protection and Business Resilience practice. Many organizations have already identified their most critical data and developed plans to restore information and IT functions quickly. Those plans can be examined to identify potential synergies with incident response planning.

The role of third-party vendors and suppliers in maintaining information security is another important consideration. For example, companies need to understand and verify the security procedures used by vendors who access or store customer information.

Similarly, if a breach is suspected, organizations should be able to collaborate with Internet service and software providers to understand any traffic or performance anomalies and the potential implications.