Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy

On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The report, prepared for Congress, sums up the state of healthcare cybersecurity as being in “critical condition.” That may shock outsiders, but it should come as no surprise to those in the industry, who are well aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a healthcare-specific framework built on the minimum level of security defined by the NIST Cybersecurity Framework (CSF) and the HIPAA Security Rule. Healthcare organizations should begin now to map their existing controls to the NIST CSF.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate that security is built into every stage of the product lifecycle, from the requirements for a new product model through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To limit the exposure, manufacturers should work with healthcare providers to reduce the number of vulnerable legacy devices still in use, through customer education and incentives to upgrade or replace them.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance

The WannaCry malware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running again after the attack was expected to run into the billions of dollars. Additionally, some organizations could face lawsuits over their failure to patch the previously disclosed Windows vulnerability the criminals exploited, for which a fix had been available for nearly two months before the attack.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle state and financial institution claims stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve clarity on their policies and enhance the ability for customers to compare different proposals. And, it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try and recoup their losses using kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need first-party coverage for its own losses, such as the cost of restoring data and systems critical to the operation, or does the company hold consumer information that calls for third-party coverage against lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

Digital Transformation Success Requires Looking Inward First and Never Wearing Blinders

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

To stay relevant in the digital economy, technology, media and communications companies must evolve on two fronts: externally and internally. The trick is that they must do both in tandem — and many find this difficult.

External evolution relates to the role the company is playing to help propel the digital wave forward. Namely, what new and game-changing digital products, services and business models is the company innovating and bringing to market successfully? This type of evolution is also about how the business positions itself among its competitors in the digital market and responds to new market demands and rapidly changing consumer expectations. Are those approaches effective? How does the company know?

Internal evolution, meanwhile, is about the ability of the organization to strategically transform its business processes, technology infrastructure, workforce culture and more to compete effectively in an increasingly digital age. Evolving internally is vital to supporting the company’s external evolution. Yet business leaders don’t always make that association.

At some companies, external dynamics — shareholders’ views, consumers’ sentiments, market perceptions about the company’s brand or reputation — are the impetus for external evolution. To respond, these businesses are constantly channeling resources into developing new products, services or campaigns, often at the expense of addressing internal issues that could cause the business to falter, or even fail, over time. Siloed business processes and weak cybersecurity practices are examples of such issues.

In other organizations, too much change is undertaken too quickly, both internally and externally. These businesses launch sweeping digital initiatives that aren’t backed by well-thought-out strategies. They also fail to evaluate the competitive landscape thoroughly. They focus on trying to outpace known and well-established rivals, and overlook or underestimate emerging players that have the potential to disrupt the marketplace and erode their market share.

In both examples, these businesses are making digital journeys with blinders on. One group is focused on short-term wins that don’t spark meaningful or lasting change. The other group is barreling toward a finish line in a race without an end, paying little or no attention to emerging threats and changing conditions in the field around them. In either case, the decisions these companies make are unlikely to position them for long-term digital success. I suggest a better approach below.

Look inward first

Using technology to improve operations internally is one way for companies to further their digital transformation and bring it to a broader scale. Evolving internally builds a safe foundation that can support their external evolution. For example, a business that has the right digital processes in place and is not burdened by legacy IT systems undermining its agility can score a number of operational successes — from simplifying or automating repetitive or labor-intensive business processes to implementing new tools to enhance workforce communication and collaboration. These successes can then be translated externally into the ability to innovate quickly, deliver better service to customers and meet the expectations of stakeholders.

I recommend reading Protiviti’s white paper, Catching the Digital Wave of Change, which explains how the way a business embraces technology can, in turn, help to change the way employees and customers perceive the organization. Change from the inside shines to the outside.

Tear off the blinders

When setting the strategy for a digital initiative, businesses must analyze the markets in which they are operating, as well as the competitor landscape. In their quest to achieve digital transformation, they must be careful not to miss what’s happening in the “ecosystem” around them.

Ron Adner, a professor of strategy and entrepreneurship at Dartmouth College’s Tuck School of Business, explained in a 2016 Harvard Business Review article that the “nature of disruption is changing … [and now] occurring at the level of ecosystems,” rather than at the product or service level. He posited that businesses need to “approach their competitive strategy with a wide lens that captures ecosystem dynamics” if they want to succeed in an Internet of Things world.

Adner pointed specifically to the example of a well-known company that produces imaging products, with its historic basis in photography, citing that company’s long and painful journey to becoming a digital company as an example of what can happen when leadership “does not appreciate the dynamics of the broader ecosystem around it.” The company did not respond fast enough or appropriately to changes in the digital imaging ecosystem, and it cost the company dearly. Adner wrote that the “lesson for today’s leading firms is that risk lies not only in a lack of attentiveness to disruptive change but also in embracing the wrong part of the change.”

I don’t have much more to add to Adner’s insight other than to say that wearing blinders — not looking at the whole picture — in the digital era is likely to cause a company to lose or never find its way. Businesses may miss the right moment to pursue transformation or make the wrong decision about how and what to change. And no matter how innovative the business may be today, if it’s focused only on achieving one type of change or pursuing only one goal blindly, it’s bound to be overtaken or pushed off the track by competitors in the future.

Retailers, Tech Firms and Financial Services Providers: It’s Time to Shape the Future of Mobile Payments — Are You Ready?

By Gordon Tucker, Managing Director, Technology, Media and Communications Industry Leader; Rick Childs, Managing Director, Consumer Products and Services Industry Leader; and Jason Goldberg, Director, Financial Services Business Performance Improvement

The global mobile payments market is projected to reach US$780 billion by the end of 2017, according to research firm TrendForce. That figure seems impressive until you consider that the ability to pay for goods and services with a mobile device has been a reality for years. It’s been nearly a decade since Starbucks, one of the biggest mobile payments success stories to date, launched its app and rewards program. And recent research by the Mobile Ecosystem Forum found that one-fifth of global consumers have made a mobile payment in-store. Given the exponential growth in smart device innovation and adoption over the past decade and consumers’ inherent desire for convenience and speed when making a purchase, it is logical to think that the mobile channel would dominate as the avenue for payments by now. It’s where we’re headed, to be sure. But some formidable obstacles have been impeding the growth of the industry, such as:

  • Persistent concerns about fraud, privacy and security: Even though most consumers are aware of “digital wallets” — apps on smartphones that store credit card information and facilitate mobile payments — many remain wary of the risks. Fraud has been a problem, with weak authentication practices and identity theft at the root of many incidents — including those involving well-known brands like Apple Pay and Samsung Pay.

Consumers also worry about how companies are collecting and using data, including purchasing history and even geolocation. Whether, and how well, that sensitive information is protected from hackers is yet another concern. Tokenization reduces the value of what a merchant stores by replacing the card number with a surrogate that can only be redeemed through the token service, but other data held in digital wallets or merchants’ payment systems may still be exposed. Also, new entrants to the market may lack the security sophistication needed to protect sensitive data from compromise.

  • Bad timing: When solutions like Apple Pay, Google Wallet and Android Pay were being rolled out by mobile manufacturers and tech providers a few years ago, EMV chip card technology was also hitting the market. Retailers were initially confused, and frustrated, about whether to adopt mobile payments or EMV chip card technology. Most prioritized the latter. Now, adoption of that technology is near-universal in retail, even though EMV chip card transactions are slower than mobile payments or even traditional credit card payments.
  • Lack of a consistent experience: Merchants of all types have been racing to launch their own digital wallets. But it is unlikely that many will achieve long-term success with their ventures because consumers are already overwhelmed by choice in the market. Plus, these offerings are diverse, which means the mobile payments experience for consumers also varies. That works against efforts by retailers and the mobile payments industry to engage consumers and convince them to pay with their smart devices at every opportunity. And there’s another ingredient for mobile payments success that not all retailers can capture: A key reason that apps from brands like Starbucks, Taco Bell and Domino’s are so popular is that consumers do business with these retailers frequently, sometimes daily.
  • The fact that old habits die hard: One more dynamic that’s working against mobile payment adoption is the simple fact that it’s still easier and faster, in most cases, for consumers to pay for goods and services with cash, debit card or credit card. They’re comfortable with these methods, so they’re in no hurry to change. And many businesses that offer mobile payment options fail to do enough to incentivize consumers to make the switch — for example, they don’t provide compelling rewards to customers who use their app frequently.
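The tokenization point raised under the fraud, privacy and security obstacle above is easier to see in code. What follows is an added example, not code from the page or from any wallet provider: a toy token service that hands the merchant a format-preserving surrogate and keeps the real card number (PAN) to itself, with each token bound to the merchant it was issued to, in the spirit of the domain-restriction controls that network tokenization schemes apply. The `TokenVault` class, the merchant identifiers and the test card number are assumptions for illustration; a real token service sits behind an HSM and authenticated APIs rather than an in-memory dictionary.

```python
"""Toy payment tokenization: the merchant stores a token, the token service
keeps the mapping back to the PAN.  Added illustration, not production code;
the vault, merchant IDs and card number below are constructed examples."""
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as applied to real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a token service provider (assumed name, in-memory only)."""

    def __init__(self):
        self._pan_by_token = {}
        self._merchant_by_token = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Return a format-preserving token bound to one merchant.

        The token keeps the real last four digits (receipts and customer
        service still work) and is Luhn-valid (legacy systems that validate
        card numbers accept it); the remaining digits are random, so the
        token reveals nothing about the PAN.
        """
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible card number")
        last4 = digits[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + last4
            if token != digits and luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._merchant_by_token[token] = merchant_id
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Recover the PAN; only the merchant the token was issued to may do so."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        if not hmac.compare_digest(self._merchant_by_token[token], merchant_id):
            raise PermissionError("token was not issued to this merchant")
        return pan

    def is_real_pan(self, value: str) -> bool:
        """True if a value found in a leaked record is an actual card number."""
        return value.replace(" ", "") in self._pan_by_token.values()


def checkout(vault: TokenVault, merchant_id: str, pan: str, amount: float) -> dict:
    """What the merchant actually persists after tokenizing at checkout."""
    token = vault.tokenize(pan, merchant_id)
    return {"merchant": merchant_id, "card_ref": token,
            "last4": token[-4:], "amount": amount}


def demo() -> dict:
    """Walk through the breach scenario from the text with constructed data."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"           # well-known test card number
    record = checkout(vault, "merchant-A", pan, 4.95)
    # A leaked merchant database yields tokens, not card numbers ...
    leaked_is_pan = vault.is_real_pan(record["card_ref"])
    # ... and a token stolen from merchant A cannot be redeemed by merchant B.
    try:
        vault.detokenize(record["card_ref"], "merchant-B")
        cross_merchant_ok = True
    except PermissionError:
        cross_merchant_ok = False
    roundtrip = vault.detokenize(record["card_ref"], "merchant-A") == pan.replace(" ", "")
    return {"record": record, "leaked_is_pan": leaked_is_pan,
            "cross_merchant_ok": cross_merchant_ok, "roundtrip": roundtrip}


if __name__ == "__main__":
    print(demo())
```

The design choice to notice is that the vault, not the merchant, is the only place where the token can be turned back into a PAN, so a merchant breach exposes tokens that are worthless elsewhere. That is exactly why the residual risk the text mentions lies in the other data merchants and wallets keep (purchase history, geolocation, account credentials), which tokenization does not touch.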

A Growing Swell of Expectations From Consumers

The picture is not all bleak. There are other strong trends in motion that will help to drive mobile payments innovation as well as consumer adoption and use of these solutions. Here are some of the dynamics to watch:

  • New shopping trends will help mobile payments grow — a lot. Showrooming — where consumers examine merchandise in a traditional brick-and-mortar retail store or another offline setting and then buy it online, sometimes at a lower price — is just one example. It’s a retail experience that’s made for mobile — and it’s expanding as large e-commerce players like Amazon and Microsoft get in the game. Retailers can use mobile payment apps to incentivize shoppers to buy items in the store by offering discounts, special rewards or free delivery.
  • Mobile shopping apps are becoming more experiential for consumers. The core purpose of a mobile payment service is to facilitate transactions, of course, but that’s not enough to engage a consumer. Mobile shopping apps are evolving to help customers discover and research products before they are at the store and then help them locate those products while they’re in the store. These apps can also store shoppers’ receipts, gift cards and shopping lists; present discounts and coupons; enable comparison shopping; make the checkout process simple and fast, and more. Look for customer loyalty programs to evolve, as well; for instance, using data insights, a retailer could offer individualized incentives to mobile shoppers and reward them for specific behaviors.
  • A friction-free experience is becoming an expectation, fast. Mobile payments success hinges on creating a simple, seamless, value-adding and branded customer experience. Leading players in the person-to-person (P2P) payments space are setting the standard for the frictionless consumer experience — and winning over mobile-minded millennials. Recent research from Bank of America found that 62 percent of millennials use a P2P service.

Entrants in the P2P space are also focusing on the back end, trying to simplify operations and bake in security wherever possible without undermining the consumer experience. Good infrastructure that supports a secure and seamless customer experience is essential to the future of mobile payments. In the coming months on the blog, we’ll be exploring topics that retailers, technology companies and financial services providers, specifically, should consider when developing their mobile payments strategy. These topics include operational effectiveness, risk and compliance issues, technology strategy, and security and data privacy. Each of the industries mentioned above has an important role to play in helping to shape the evolution of the mobile payments industry. It will be through their collaboration, cooperation and innovation that the mobile payments experience can become what businesses and consumers alike envision it can — and should — be.

Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in companies’ cybersecurity repertoire, emphasizing a business outcome-driven approach to cybersecurity rather than one focused narrowly on sensitive data. Last Friday’s global ransomware attack brought this message home with a bang.

The wide-spread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique but it is the biggest of its kind so far, and reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy; they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems until now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one.

The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice

I recently had the honor of attending ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of IoT is supported by several converging supporting technologies including:

  • Adoption of IPv6 – A practically unlimited supply of unique addresses on the Internet. To put this in perspective, IPv6’s 128-bit address space holds about 3.4 × 10^38 addresses, enough to assign hundreds of quadrillions of them to every square millimetre of the Earth’s surface.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide-area communications – The ability to transmit data from a wide range of sensors across a simplified communication infrastructure, running on batteries or other low-power sources sized for the expected useful life of the sensor. The security of these links varies by protocol and should be assessed rather than assumed.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a recent McKinsey article, the authors estimate that the IoT will have a $4 to $11 trillion economic impact over the next eight years.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to serve business information needs. That does not mean IoT projects necessarily originate in the IT organization; many current IoT projects take place outside IT’s traditional walls. As such, the IoT represents less a change in the purpose of the IT landscape, or in the types of issues auditors typically address, than a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization’s strategy is driving the IoT vision and the related IT risks that need to be addressed to fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop of your organization’s IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board about this rapidly evolving area. Unlike many areas on our traditional risk plan, IoT does not have an embedded platform of existing policies and procedures to leverage.  If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we’ll find ourselves  on the outside looking in.

IoT does not inherently require a new IT audit skill set as much as it demands a new approach to identifying the linkage of strategy to IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses maximize their IoT experience:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
  • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts and company managements and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor’s side of the ledger is failing to help his or her organization utilize IoT to make the most of its growth potential.

Undetected Breaches and Ransomware Change How We Think About Cybersecurity

By Adam Brand, Director
IT Security and Privacy

As new possibilities in information technology continue to transform organizations, they may outpace any cybersecurity protections already in place. Controls that seemed adequate yesterday might not be equal to the challenges presented by new technology and ever-evolving threats today. Our recently-published issue of Board Perspectives: Risk Oversight (Issue 90) discusses eight of today’s business realities directors should consider as they oversee cybersecurity risk, and it is worth a read. We’d like to comment further on two of these realities here.

  • The first reality represents a change in thinking: Whereas the adage of yesterday was “It’s not a matter of if a cyber risk event will occur, but a matter of when,” we now know that it’s better to acknowledge that cyber risk events are already occurring, whether we’re aware of them or not.
  • The second reality revises the familiar advice to identify and protect the critical data assets and information systems, aka “crown jewels,” extending that advice to include being aware of the adverse business outcomes that result from the unavailability or compromise of business-critical but non-sensitive data.

Both of these realities have one thing in common: Boards must remain open to new ways of thinking about cybersecurity, because organizations’ information technology assets — and the ways criminals exploit them — keep evolving. Or to paraphrase the Greek philosopher Heraclitus, the only constant in cyber threats is change.

Hunting for Hackers

Thinking “cyber risk events are not a matter of if, but a matter of when” is no longer sufficient — unless you think of “when” as having happened already. Breach statistics show that the vast majority of breaches are not self-detected. In one example from our own incident response practice, a firm that had several threat detection measures in place was blissfully unaware of a credit card breach until it was informed of it by the Secret Service. The attacker had been in the environment for over a year! This example is not uncommon, as breach statistics also show that the average time between an attack and its detection is over six months.

In hindsight, the proper response to this kind of threat would have been a proactive one — a technique known as “breach assessment” or “threat hunting.” Rather than relying on in-place technologies and processes as a check on prospective cyber risk events, threat hunting searches proactively for attacks already in progress by asking, “Are we already breached, but unaware of it?” More organizations are now augmenting their cyber defenses by creating internal “threat hunting” teams or engaging third parties for periodic breach assessments. Supporting ongoing threat hunting and commissioning regular third-party breach assessments are two ways for boards to ward off the possibility of a long-term, undetected breach.

More Than Crown Jewels

Just a short time ago, “identifying and protecting critical data and systems” — aka crown jewels — was the standard measure of adequate cyber risk management. However, a narrow focus on sensitive data, rather than an outcome-driven approach to cyber risk management, could cause an organization to overlook real threats elsewhere — like those presented by ransomware, for example. In the past few years, ransomware has changed the risk equation for companies by targeting operational rather than sensitive data. Encrypting non-sensitive information for ransom may not be the exact high-risk data loss we’ve all been warned about, but it will nevertheless cripple business operations until the ransom is paid.

Until recently, firms that possessed only non-sensitive data could rest easy knowing they had no “crown jewels” to protect. They should rest no longer, as all firms are vulnerable to ransomware. Boards should be vigilant about this risk and ensure that safeguards are in place — as well as continuity plans. Shifting focus from warding off a specific data breach — like the loss of sensitive data via a specific application — to considering all adverse business outcomes leads to more comprehensive cybersecurity solutions.

While all eight new business realities discussed in our latest Board Perspectives warrant attention, these two in particular highlight the need for evolving an organization’s approach to cyber risk oversight, now and in the future. You can read our latest Board Perspectives issue here, and we’d love to hear from you in the comment section below.