Title: Cybersecurity and Third-Party Risk
Author: Gregory C. Rasner
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
ISBN: 9781119809562
The most successful companies at preventing their systems from being compromised go beyond what a regulator or regulation mandates them to do for compliance. The regulations and their enforcers get involved after something bad has already occurred. Sarbanes‐Oxley (SOX) was a financial regulation designed to lower the risk of financial fraud by publicly traded companies after the damage done by the tech bubble crash in the early 2000s. The Dodd‐Frank Wall Street Reform and Consumer Protection Act was passed in 2010 after the financial meltdown that led to the Great Recession. These widespread changes in regulation occurred as a reaction to the excesses and missteps that lawmakers felt led to the meltdown. Nearly every regulation passed is due to a previous misstep, not in anticipation of the next misstep or mistake.
Being reliant on the government to set the standard for what to do and how to do it is a recipe for disaster. This is not to say, however, that regulations are without their merit when enforced correctly. The argument here is not about whether there should be regulations, but more about if organizations should be advised to view those regulations as the bare minimum to perform. In the case of cybersecurity and third‐party risk, regulations provide some excellent guidance on what is important for organizations. However, if a cybersecurity or third‐party risk team only relies on regulators for the best practical procedures to follow, there's a high likelihood their companies will be hacked. In fact, the likelihood is that they will be hacked quite a bit faster than those companies that view regulatory requirements as their starting point.
To illustrate the point, we can look at the Payment Card Industry Data Security Standard (PCI‐DSS), the standard for payment cards (credit and debit cards) that exists to guarantee the protection of consumer financial data. PCI‐DSS has very specific recommendations, regularly updated, for how to secure networks, protect user data, require strong access controls, perform network security tests, and regularly review information security policies. PCI‐DSS is tested regularly, and its standards are considered rigorous. It is not regulated by the government; instead, it was created by a group of companies that standardized their practices. In other words, private companies collaborated to create what is nationally viewed as a success in security.
Third‐party risk, or what another company is doing to lower risk to your company, might seem like it places a CISO and the cybersecurity organization at a disadvantage because they cannot control what goes on at another entity. However, that is a myth. While a third party cannot be directly controlled, there are ways to direct and monitor their behavior and choices to greatly reduce your risk. Anyone who has ever been taught risk or worked as a risk professional knows the mantra: Risk can never be zero. In fact, anything is possible. Regardless of whether your company is using all the fancy technology and expensive software, or employing hundreds of cybersecurity professionals hunting for vulnerabilities, there still is a chance, or risk, of a breach.
The goal is to reduce risk to a level that is commensurate with your company's effort to reduce it, based upon its risk appetite. Reducing the risk posed by a third party requires a change in a company's cybersecurity approach and attitude. As we dive into the numbers, it will become apparent that not enough companies perform the required due diligence. Of those that do, some do not perform it at the level necessary to reduce the risk. Often, risk reduction is performed as a compliance effort and merely viewed as a checkbox to complete in order to keep regulators and auditors at bay. This attitude of “ignoring the risk” or “doing it as ‘checkbox’ security” has left cybersecurity Third‐Party Risk Management (TPRM) without adequate attention and activity.
Compliance Does Not Equal Security
Compliance is not security, yet security is an important piece of compliance. By definition, being compliant means that your organization meets the minimum requirements for specific regulations at a specific moment in time. If we look at many of the companies on the recently breached list, it's likely all were meeting their regulatory obligations for compliance in their respective industries. In the case of Target, when its payment system was hacked, it had just completed its PCI‐DSS certification. Most regulations are simply a form of deterrence (of things like insider trading or dumping chemicals into a river). Regulations discourage bad behavior by people or companies.
Security is an ongoing activity—a continuously occurring activity and not one that occurs at a point in time. Compliance activities are performed as a checklist by internal or external auditors to verify that a company's team is following regulations. It is an important activity that helps prevent bad acts. Employees and companies see these checks being performed and are then discouraged from doing bad things, such as making ill‐gotten gains via insider trading or killing fish by dumping chemicals. Security, by contrast, carries the burden of making sure data is not lost. Once data is lost, it cannot be retrieved—it is gone forever into the Dark Web or other places. The deterrent must come from the company's cybersecurity efforts, not from the government regulators.
A company can be 100‐percent compliant and also be 100‐percent owned by hackers. For example, you can drive a car with seatbelts, an anti‐lock braking system (ABS), collision detection and avoidance, blind spot detection, and more, all turned on. Say your car meets current safety regulations, and you, the driver, are buckled up and sober. There should be no accidents or injuries. Yet another driver who doesn't always pay attention to the safety warnings fails to follow best practices while driving, resulting in a collision with injuries. You, the driver, were 100‐percent compliant, yet the other driver was not.
Another difference between compliance and security is the timing of each action. Compliance activities are done at a certain point in time, covering the controls and checks present at that moment. Another third party (i.e., auditors, regulators) or an internal team ensures that the company they're working with satisfies a set of requirements that allows it to continue to do business. When all conditions have been satisfied, the compliance activity is finished. Security, however, is never finished. It is continually monitored, reviewed, and improved.
Third‐Party Breach Examples
Throughout many chapters in this book, you will find case study sections where we dive into some of these breaches. However, it is important to understand the scope and history of how often third‐party incidents occur. Many public breaches attributed to a particular company are, in fact, the result of a third party. One of the most well‐known examples is the Target breach. In fact, it was Target's Heating, Ventilation, and Air Conditioning (HVAC) provider that was breached to get access to Target's data.
Following are a few examples of the major third‐party breaches to show how easily they cross over any boundary (i.e., geographic, sectors, sizes):
Target (2013): The data of 70 million customers and 40 million credit/debit card information records was leaked by HVAC company Fazio Mechanical Services.
Lowe's (2014): Millions of drivers' records were exposed by SafetyFirst, a vendor that stored the exposed data in an online database.
JP Morgan Chase & Co (2014): Contact information for 76 million consumers and 7 million small businesses was exposed by a third‐party website used to sponsor a foot race.
Sam's Club, Costco, CVS, RiteAid, Walmart Canada, Tesco (2015): Millions of customer data records were hacked at PNI Digital Media, which is used for online photo ordering and printing.
T‐Mobile (2015): A total of 15 million personally identifiable information (PII) records were leaked by Experian, a customer credit assessment company.
Forever