Last week, BusinessInsurance.com reported that Target Corp., which last month had a massive data breach that exposed the credit and debit card information of some 70 million customers, has at least $100 million of cyber insurance, including self-insured retentions, and $65 million of directors and officers liability coverage, according to insurance industry sources.
Many armchair analysts are wagering that the insurer will not pay out, because the policy is conditional on Target properly executing its security compliance obligations.
Hence the title of this article: Target is likely to be left holding the bag for the entire cost of the breach, which most analysts put at well over the $100 million mark. The latest stock market chatter is rumoring the possibility of a $1 billion penalty.
So how does this affect your business? Setting aside the lessons from the nitty-gritty of Target's attack and an analysis of the attackers' entry vectors, let's look at how Target could have protected itself from an almost bottomless pit of risk. Everyone knows that handling payment cards under PCI comes with a certain amount of risk, but are you correctly assessing that risk's impact on your business? Organizations mitigate their risk with insurance and evaluate the possible penalties for non-compliance. However, as Target's insurance woes demonstrate, coverage is conditional on your adherence to compliance requirements, and penalties can far exceed your expectations when payment cards are involved.
My technical background previously made me a cynic about compliance; I relegated it to a bureaucratic paperwork exercise. In the last couple of years my opinion has matured, perhaps because my work has shifted from small companies to large corporations. In a small company, key staff can assess the whole network and the business impact of its security issues themselves. A large corporation's network is so immense and complex that management techniques are required to keep on top of security issues.
So in larger corporations, what management techniques are available to keep security on track? There are so many issues, areas of concern, projects and demands that spreadsheets and custom databases are often built to evaluate security. I'm sure we have all had to create volumes of seemingly meaningless charts, always colored in management's favorite red, yellow and green to represent system status. Management clings to these reports to try to get a grasp on the issues that might all too soon come back to impact them.
The shortcoming of any such chart, and of the compliance picture it claims to represent, is the data used to generate it; hence the old adage "garbage in, garbage out". Even if the spreadsheet is updated daily, the information is at best outdated and more likely confusing and misleading. Graphical analysis of a problem is only as good as the data that feeds it. GRC (Governance, Risk and Compliance) tools were made for this problem: they exist so that accuracy in reports comes from details collected and compiled automatically rather than typed in by hand. Information collection is logged, and processes are documented and repeatable.
Target is a multinational chain, so I'm sure it has a GRC tool. Given the assumption that Target's insurers will not pay out on the policy, do you think Target's executives are re-evaluating how their GRC system is applied? Taking hindsight as our friend, what could Target's management have done differently to change the outcome of this attack, aside from the technical aspects of security?
Let's look at what Target was risking through lack of compliance: $100 million. I'm sure lawyers somewhere inside Target knew that a lapse in compliance would render the cyber insurance null and void. What was missing was the bringing together of both the implied and the immediate risk created by not meeting compliance standards. Risk analysis performed by an individual business unit in isolation has to make assumptions about other units' actions. The goal of risk analysis is to process information from multiple and diverse sources to quantitatively analyze a complex problem with repeatable results. Repeatability is required so that scenario modelling can be used to determine the best course of action in seemingly no-win situations.
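To make the "repeatable, quantitative, scenario-driven" point concrete, here is an added worked example (not from the original article, and not any GRC vendor's code). It models one policy year for two scenarios that differ only in whether compliance is evidenced, with the insurer paying up to the limit only in the compliant case (an assumption that mirrors the analysts' wager above). The $100 million limit and the $100 million to $1 billion breach-cost range are the figures quoted in the article; the 10% annual breach probability and the triangular cost distribution are constructed assumptions for the demonstration. The fixed seed is what makes the answer repeatable, so two business units running the same "what if" get the same number.

```python
"""Repeatable scenario model: retained breach cost vs. cyber-insurance recovery.

Added illustration only; figures marked 'assumed' are constructed for the demo.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    compliant: bool            # are the required controls executed and evidenced?
    breach_probability: float  # assumed annual probability of a card-data breach
    insurance_limit: float     # policy limit; $100M is the figure quoted in the article
    cost_low: float            # assumed triangular distribution of total breach cost
    cost_mode: float
    cost_high: float


def recovery(loss: float, scenario: Scenario) -> float:
    """Insurer pays up to the limit, but only if the insured was compliant.

    This is the modelling assumption taken from the analysts' wager quoted in
    the article: non-compliance voids the policy, so recovery is zero.
    """
    if not scenario.compliant:
        return 0.0
    return min(loss, scenario.insurance_limit)


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over one policy year; the fixed seed makes the run repeatable."""
    rng = random.Random(seed)
    retained = []
    for _ in range(trials):
        if rng.random() >= scenario.breach_probability:
            retained.append(0.0)          # no breach this year
            continue
        loss = rng.triangular(scenario.cost_low, scenario.cost_high, scenario.cost_mode)
        retained.append(loss - recovery(loss, scenario))
    retained.sort()
    return {
        "scenario": scenario.name,
        "expected_retained": statistics.fmean(retained),
        "p95_retained": retained[int(0.95 * trials) - 1],
        "worst_case": retained[-1],
    }


# Constructed scenarios: identical except for the compliance flag.
COMPLIANT = Scenario("controls evidenced", True, 0.10, 100e6, 100e6, 200e6, 1000e6)
NON_COMPLIANT = Scenario("controls not evidenced", False, 0.10, 100e6, 100e6, 200e6, 1000e6)


def compare(scenarios=(COMPLIANT, NON_COMPLIANT), **kwargs) -> list:
    """Run every scenario with the same seed so the results are comparable."""
    return [simulate(s, **kwargs) for s in scenarios]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['scenario']:<24} expected ${row['expected_retained']/1e6:7.1f}M  "
              f"p95 ${row['p95_retained']/1e6:7.1f}M  worst ${row['worst_case']/1e6:7.1f}M")
```

The useful output is the gap between the two rows: the only input that changed is a compliance flag, yet the retained exposure moves by the whole policy limit in every breach trial. That is the kind of number a GRC tool should be able to put in front of the lawyers and the business units, rather than a green cell in a spreadsheet.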
Is risk analysis the focus of your GRC tool? While spreadsheets do a poor job as a compliance tool, it is possible to manage compliance with that antiquated system. Risk analysis calculations are far more complex and require information from such disparate sources that even most GRC tools are left wanting in this area.
Issues arise with GRC tools when the glitz and glamour of the sales engineer's "model system" demonstrated to you wears off. The reality of a generic tool that cannot be customized to your business needs leaves your security and compliance largely unassessed. Worse is a tool so cumbersome and complex that its implementation consumes everyone's time; then your expensive GRC tool has just weakened security, because no one has any time left to act on the information it produces, or the tool never gets fully implemented at all. Risk analysis is a difficult subject to assess and most tools don't have a good system for it. Risk analysis needs an array of customization features and options that allow scenario modelling, or it can give no meaningful answers to "what if" questions.
So how do you avoid burning cycles on spreadsheet compliance and get a GRC system simple enough to work for your business?
1) Look for products that are customer-focused and communicative during the sales process; if the sales staff don't pay you any attention, their tech support and through-life product support are going to be worse.
2) Find a tool that automates and streamlines your processes and does more than act as a giant spreadsheet: one that actually ties together technical and managerial security information to present risk, governance and compliance.
3) Find a tool that gives meaningful graphics, allowing management to quickly assess the status of security and the areas that require their attention. Simple red, yellow or green coloring does not really answer the question of where compliance or risk is a problem. Status indications are great, but simple color charts also need the ability to drill down into the underlying data quickly so that management can get a deep understanding of the problems impacting the business.
4) Make the sales engineer work for you by showing implementations that map to your business use cases. Sales engineers get paid to convince you that their product can meet your needs; make them jump through whatever hoops you feel are necessary to prove its suitability to your business.
Finally, remember that compliance is not there to make you implement secure business practices. Compliance is there to make sure you have not missed an important piece, and so that other businesses know you have properly secured your network and can do business with you. Risk analysis is more than a simple formula applied to project progress percentages; it is a series of analyses providing guidance for your overall decisions about security implementation in your business. Together, these two business functions can guide your choices to maximize your impact on your company's security.