Cybersecurity and Third-Party Risk. Gregory C. Rasner

Read the book Cybersecurity and Third-Party Risk by Gregory C. Rasner online, page 11

that may cause financial or bodily harm. The most highly regulated industries, such as energy, biotechnology, finance, telecommunications, aerospace, and many others, have robust Third‐Party Risk Management and cybersecurity teams. However, if these industries limit themselves to doing what the regulators require of them, they will not be performing best practices.

      Relying on the government to set the standard for what to do and how to do it is a recipe for disaster. This is not to say that regulations are without merit when enforced correctly. The argument here is not about whether there should be regulations, but about whether organizations should treat those regulations as the bare minimum to perform. In the case of cybersecurity and third‐party risk, regulations provide some excellent guidance on what is important for organizations. However, if a cybersecurity or third‐party risk team relies only on regulators for the best practical procedures to follow, there is a high likelihood its company will be hacked. In fact, it will likely be hacked quite a bit faster than companies that view regulatory requirements as their starting point.

      To illustrate the point, we can look at the Payment Card Industry Data Security Standard (PCI‐DSS), the standard for payment cards (credit and debit cards) intended to guarantee the protection of consumer financial data. PCI‐DSS has very specific recommendations, which are regularly updated, for how to secure networks, protect user data, require strong access controls, perform network security tests, and regularly review information security policies. PCI‐DSS is tested regularly, and its standards are considered rigorous. It is not regulated by the government; instead, it was created by a group of companies that standardized their practices. In other words, private companies collaborated to create what is nationally viewed as a success in security.

      The goal is to reduce risk to a level commensurate with your company's effort to reduce it, based upon its risk appetite. Reducing the risk posed by a third party requires a change in a company's cybersecurity approach and attitude. As we dive into the numbers, it will become apparent that not enough companies perform the required due diligence. Of those that do, some do not perform it at the level necessary to reduce the risk. Often, risk reduction is performed as a compliance effort and viewed merely as a checkbox to complete in order to keep regulators and auditors at bay. This attitude of “ignoring the risk” or “doing it as ‘checkbox’ security” has caused cybersecurity Third‐Party Risk Management (TPRM) to lack adequate attention and activity.

      Security is an ongoing activity—a continuously occurring activity and not one that occurs at a point in time. Compliance activities are performed as a checklist by internal or external auditors to verify that a company's team is following regulations. This is an important activity that helps prevent bad acts. Employees and companies see these checks being performed and are then discouraged from doing bad things, such as pursuing ill‐gotten gains via insider trading or killing fish by dumping chemicals. Security has the dubious distinction of having to ensure that data is not lost. Once data is lost, it cannot be retrieved—it is gone forever into the Dark Web or other places. The deterrent must come from the company's cybersecurity efforts, not from government regulators.

      A company can be 100‐percent compliant and also be 100‐percent owned by hackers. For example, you can drive a car with seatbelts, an automatic brake system (ABS), collision detection and avoidance, blind spot detection, and more, all turned on. Say your car meets current safety regulations, and you, the driver, are buckled up and sober. There should be no accidents or injuries. Yet another driver, who doesn't always pay attention to the safety warnings, fails to follow best practices while driving, resulting in a collision with injuries. You, the driver, were 100‐percent compliant, yet the other driver was not.

      Another difference between compliance and security is the timing of each action. Compliance activities are done at a certain point in time, covering the controls and checks that are present at that moment. Another third party (i.e., auditors, regulators) or an internal team ensures that the company they're working with satisfies a set of requirements that allows it to continue to perform business. When all conditions have been satisfied, the compliance activity is finished. Security, however, is never finished. It is continually monitored, reviewed, and improved.

      Following are a few examples of major third‐party breaches, showing how easily they cross any boundary (i.e., geography, sector, size):

       Target (2013): The data of 70 million customers and 40 million credit/debit card information records was leaked by HVAC company Fazio Mechanical Services.

       Lowe's (2014): Millions of drivers' records were exposed by SafetyFirst, a vendor that stored the exposed data in an online database.

       JP Morgan Chase & Co (2014): Contact information for 76 million consumers and 7 million small businesses was exposed by a third‐party website used to sponsor a foot race.

       Sam's Club, Costco, CVS, RiteAid, Walmart Canada, Tesco (2015): Millions of customer data records were hacked at PNI Digital Media, which is used for online photo ordering and printing.

       T‐Mobile (2015): A total of 15 million personally identifiable information (PII) records were leaked by Experian, a customer credit assessment company.

       Forever