October is Cybersecurity Awareness Month. In that spirit, I thought I’d take the time to provide you with a practical approach to Information Security. After all, as Internal Auditors, we should be looking for practical solutions to the risks our company faces.

  The Risk

• The Information Security Threat
  • There used to be a time when a hacker was a teenaged kid, bent on playing pranks. But things have changed…
  • Now, a hacker is organized.   Either part of a criminal enterprise or a government.
  • They exploit systems with focused determination. An advanced persistent threat.

• Resistance is Futile
  • If the intelligence reports are correct, there are entire armies of hackers, well trained, well equipped, working shifts, focused on single targets.
  • It isn’t if you’re going to hacked, its when. Even the most sophisticated companies in the world have been victims (JP Morgan, Google, and even the Department of Defense).

• The Supreme Art of War is to subdue the enemy without fighting. ~ Sun Tzu
  • It should be obvious that this is not a war where we can go on an offensive, so we’re limited to taking a defensive posture.
  • But even if you were to hire an army, to implement the best technology, to follow every technical protocol properly, you would never be fully defended.
  • So, I’d like to provide a practical approach that gives you the best opportunity to protect your data.

The 7 Steps to an Effective Information Security Program

• Step One – Data Inventory
  • In order to know what’s at risk, we have to know what we have. This does two things; 1) It helps set priorities for investment, and 2) It helps users know how to handle data. I’ll cover both of these later, but for now,
  • We have to know what we have and what it means to our business.
  • I like to think of the data in four separate buckets:
    • People Data (protection required by law)
    • Competitively Significant Data (our crown jewels)
    • Functional Data (data generally needed to run our business), and
    • Insignificant Data
  • It should be noted that this data inventory can also be used as a part of your business continuity program.

• Step Two – Awareness – Weakest Link
  • The employees are the custodians of the data, and as a result, they are the easiest exploit.
  • They should be educated on the types of data they’re trusted with
  • They should also be trained on the approaches the hackers take (phishing, social engineering, corporate espionage).
  • And they should be provided the tools to protect the data.

• Step Three – Passwords and Encryption
  • Passwords and encryption are basic tools users have to protect data. The way these tools are implemented should be appropriate to the type of data.
  • Users should be trained on the proper use of these tools (strong passwords).

• Step Four – Back up and Recovery
  • Not all threats want to steal data. Some seek to damage infrastructure, to cripple systems and destroy data (so called zero-day attacks)
  • A well established back and recovery process will provide the basic protections your company needs in the event of an attack.

• Step Five – Monitoring
  • When a hack is successful, the perpetrators begin surveillance of your system.   Their goal is to remain undetected as long as possible, which nets them the best opportunity to obtain data and/or do damage.
  • A good monitoring program includes three things:
    • Tools to monitor traffic
    • A team to monitor, and
    • A team to assess breaches and vulnerabilities and manage incident response.

• Step Six – Erecting Walls
  • At points in time, when the Great Wall of China was being constructed, upwards of 20% of the population was involved. Most companies cannot afford such an investment.
  • Instead, it makes more sense to build castles around the data that matters most.
  • In a model used by software development companies, we can construct closed, managed systems. Does all of your data have to be accessible outside the company walls (i.e., Internet).

• Step Seven – Counter Intelligence and Resources (Collaboration)
  • Once you’ve built the proper fortifications and have a solid monitoring program, you can establish more aggressive strategies.
  • The FBI provides resources to aid companies in managing cybersecurity risk. While many companies are hesitant to work with the FBI, my experience is that they are excellent to work with.
  • You can also look to build out false data and use the activities of the hackers to understand what they are after and offer counter intelligence to the FBI.

None of these steps is independent of the other. All of them add value at one level or another.   And rather than thinking of this as a set it and forget it model, each bit should be re-evaluated and revised as needed.