Simply Cyber (vol 7) – Crowdsource Your Security Program: Wild West Wisdom

Are you still looking for that silver bullet, that one-stop solution to risk management and compliance with the seeming Hydra of security regulations: DFARS, FARS, ITAR, HIPAA, state-level privacy laws, and so on? Will the mysterious masked answer ride in on “A fiery horse with the speed of light, a cloud of dust and a hearty “Hi-Ho Silver”? No way, pardner.

The bad news is that there is no Lone Ranger to guarantee your data protection; the good news is that you can enlist both paid and unpaid resources to help you manage organizational risk. Your crowd of resources consists of people inside and outside your organization who have a vested interest in protecting your data and its infrastructure. On the inside, there is your staff; on the outside, there are clients, supply chain partners, service providers, government agencies, and para-governmental institutions.

Risk management is a team sport. Responsibility cannot be assigned to one or a few people within your organization, nor can it be transferred in toto to a managed services company. (HINT: Read the small print in that service provider contract.) Liability if something goes amiss and your protected data are exposed is not assumed by the provider—who is your ally but not the safety for your corporation’s officers and board of directors. The buck stops with you regardless of where the warranties from the service providers stop; nonetheless, you’re not alone. Work your crowd(s)!

Internal Crowd. Staff members can inadvertently or advertently enable an exploit, even those who are among the designated security team. Recent reports indicate that a majority of companies feel vulnerable to insider attacks, have confirmed insider attacks in the past year, and required an average of 206 days to detect a data breach. (Not surprisingly, the longer an attacker can remain undetected and uncontained inside your information environment, the greater the damage done, the cost to recover, and difficulty of proving “reasonable care” in a court of law.) Given those conditions, investing in your internal staff’s training on cybersecurity practices delivers a return in at least two ways:

Vulnerability mitigation: by reducing the number of potential attack surfaces
Earlier containment: by increasing the number of potential detection points

External Crowd. As with inside staff, external partners can inhibit or enable your security program objectives. Make sure your supply chain partners practice the security you preach! A third-party HVAC vendor figured prominently in the Target data breach (cost for the 23-month discovery process alone was $163M!), and through early June 2018, third-party vendors were responsible for data hacks at My Fitness Pal (Under Armour: 150M user accounts), MyHeritage genealogy site (92M records), and others. As small and midsized businesses (SMBs) face costs for data breaches that are 36% higher in 2018 (average: $120K) than in 2017 (average: $88K), a variety of governmental, para-governmental, and corporate groups have assembled toolkits and resources. The US Telecom Cybersecurity Toolkit contains hundreds of resources in an easily navigated, well-indexed document with hyperlinks to source documents—it’s a truly remarkable resource. The National Institute of Standards and Technology (NIST, under the US Department of Commerce) is the US lead in defining guidelines for protecting information infrastructure; NIST SP 800-171A and the companion Handbook 162 contain specific recommendations for achieving and maintaining compliance with DFARS.

Be on the lookout.
The familiar principles of total quality management (TQM) can be applied to organizational risk management. Empower your staff by training them in how to detect social engineering, business email compromise (BEC), and other signs of mischief—and designate a point of contact for reporting and tracking them. Encourage your staff to look for information system performance anomalies. Promote an ethos of group and individual accountability so that staff recognize and report when they themselves may have made a mistake, for example, by opening a tempting email.

Form your posse.
Identify your technical and nontechnical security team members. Encourage your technical team to explore learning opportunities through membership in organizations like ISSA or InfraGard, and become familiar with initiatives like the Colorado Threat Information-Sharing (CTIS) initiative. Remember that company officers and members of the board of directors have a fiduciary responsibility to participate actively in security programs: They are the ones who will face questioning if a data breach occurs. Help them understand what constitutes “reasonable care.”

Pony up!
Invest the time needed to develop and implement a robust training program, security gap analysis, and incident response plan. Assistance is available through initiatives like the NIST Manufacturing Extension Partnership program (Manufacturer’s Edge in Colorado), the Small Business Administration (Pikes Peak SBDC in Colorado), and state-level training grant and funding programs. Establish relationships with appropriate law enforcement and forensics experts as part of your incident response plan.

Head ‘em up, move ‘em out.
Approach development of a crowdsourcing strategy for your security program with a clear understanding of roles and responsibilities. What do you expect from your internal and external resources? What do they expect from you? Clear communication is essential, beginning with simple statements that describe the current security condition of the organization, which includes an initial information flow map, and the future target(s)—your system security plan. Next identify security gaps, determine their business impact and priority, and decide how to address them (e.g., avoid, mitigate, transfer, accept; deny or ignore should not options). This becomes your plan of actions and milestones (POAM), your to-do list for risk management. And because execution of even the best-laid plans may be interrupted by a security event or incident, outline your incident response plan. Specify, for example, how an event is differentiated from an incident, where protected information is located, who is on the incident response team, what the containment/recovery objectives are for different categories of incidents, and who has responsibility for notifications.

There’s a lot to do, so get started and crowdsource the tasks. There is no need to be the Lone Ranger. Rather, the answer to the question “Who was that masked man?” should be “We are.”

Footnotes
Research shows the following:

90% of those surveyed feel vulnerable to insider attacks, and 53% of those confirmed insider attacks within the past year, with slightly more concern expressed about the risk of accidental/unintentional attacks (51%) than about malicious/deliberate attacks. CA Technologies, 2018 Insider Threat Report. Read more here
49% of non-POS malicious software was installed via malicious email. Verizon. 2018 DBIR Report. Read more here
Time to detect a data breach averages 206 days. Ponemon Institute, 2017 Cost of Data Breach Study: United States. Read more here

CyberGRX. Top Third-Party Breaches of 2018 (So Far). Read more here

Here are just a few US-based governmental and para-governmental resources:

If needed, refer organizational leaders to the congressional hearing with former OPM director Katherine Archuleta for an example of how difficult such questions can be. Reporter M. Jones.
Transcript of hearings before the House Committee on Oversight and Government Reform (16 June 2015).