A successful network attack isn't a matter of if -- it's a matter of when. This is the approach enterprises should take in their information security planning, according to top experts.
"The more connected you are, the more risk you have. There's no way around it," Sean Mahoney, a partner at K&L Gates, told a roomful of compliance and privacy executives at the recent NRS Technology and Compliance Communication Forum in Boston.
"You're constantly looking at risk, and you're constantly accepting residual risk," Christopher Perretta, executive vice president and CIO of State Street Corp., said at the annual Advanced Cyber Security Center conference in Boston this month. Companies need to understand what happens if that residual risk comes to fruition.
This idea of risk acceptance and, therefore, risk management is important because of the sheer number of attacks enterprises face and the devastating consequences of successful attacks.
According to a 2014 Ponemon Institute study on the cost of data breaches, an organization has a 22% chance of experiencing a data breach impacting at least 10,000 customer records in the next two years. The chance of experiencing a breach impacting at least twice that many records in the next two years -- nearly 17% -- is greater than the chance of rolling a given number on a six-sided die.
Experts said enterprises need to be prepared when their number comes up, for these breaches are not limited to the lazy and the negligent.
Former US Homeland Security Secretary Michael Chertoff, now working as a security consultant, said in a keynote at the ACSC conference that some enterprises with the most advanced security are breached repeatedly. "How do you deal with the fact that you are going to be breached?"
Chertoff recounted a particular security assessment he was asked to do shortly after starting his security firm, the Chertoff Group. The client spent time boasting of the organization's physical prevention measures during the assessment. "They were in the process of building a big wall, and they had cameras and sensors." He asked the client what the organization would do if someone came over the wall. The client's response? "We hadn't thought about that."
He proceeded to ask the client imperative questions relevant to a security breach, such as where dangerous materials within the facility were located (to assess how they would be protected). "What I think they learned through this process was that all of the sensors only made sense [with] training and exercise of [a] consequence management plan."
Mahoney said an incident response plan recognizes that "even if you do everything right, there's still a pretty good chance that you're gonna get hit." Also, "whatever you drill for won't happen… but you'll learn a whole lot in the process -- how people work together, how different people interact -- and that can be useful in itself."
Experts said redundancy -- particularly in terms of data backups and machine imaging, as well as backup power generators and redundant IT infrastructure -- is central to a good incident response plan. These redundancies and backups are important not only in terms of disaster recovery, but also in terms of compliance and public relations.
If a device goes missing or a data breach occurs, and it's not clear what specific data was compromised, various laws -- depending on the industry and jurisdiction -- compel disclosure of the breach in a major newspaper of general circulation.
Mahoney put the problem more simply: "You can't answer any [questions] unless you know what data's affected."
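The point Mahoney and the redundancy discussion above share is that an incident response team can only scope a breach if it already knows which data sets lived on the affected system and has a backup or image to confirm their contents. The following is an added illustration, not code from the article or from any of the speakers' organizations: a minimal data-asset inventory with a lookup that reports what a compromised or missing device held and whether the scope can actually be established. All system names, data sets, record counts and image dates are constructed sample values.

```python
"""Added example: a minimal data-asset inventory queried during incident
response to answer "what data was affected?".  Every system, data set and
count below is a constructed sample value, not real inventory data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DataSet:
    name: str
    classification: str          # e.g. "customer-pii", "internal"
    record_count: Optional[int]  # None: record count was never tracked
    last_image: Optional[str]    # date of the last disk image/backup, None if never taken


@dataclass
class System:
    system_id: str
    owner: str
    datasets: List[DataSet] = field(default_factory=list)


# Constructed sample inventory (hypothetical systems and data sets).
INVENTORY: Dict[str, System] = {
    "laptop-0142": System("laptop-0142", "sales", [
        DataSet("crm-export", "customer-pii", 12500, "2014-11-03"),
        DataSet("price-list", "internal", 300, "2014-11-03"),
    ]),
    "db-prod-01": System("db-prod-01", "it", [
        DataSet("customer-accounts", "customer-pii", 480000, "2014-11-09"),
    ]),
    "share-legacy": System("share-legacy", "finance", [
        # A file share nobody ever inventoried or imaged: scope cannot be determined.
        DataSet("old-invoices", "customer-pii", None, None),
    ]),
}


def affected_data(inventory: Dict[str, System], compromised_ids: List[str]) -> dict:
    """Build a scoping report for the systems reported compromised or missing.

    scope_known becomes False as soon as any affected system is absent from the
    inventory or any of its data sets lacks a record count or a backup image,
    because the team then cannot say which records were exposed.
    """
    report = {
        "datasets": [],          # "system/dataset" names touched by the incident
        "records_by_class": {},  # record totals per data classification
        "scope_known": True,
        "gaps": [],              # reasons the scope could not be established
    }
    for sid in compromised_ids:
        system = inventory.get(sid)
        if system is None:
            report["scope_known"] = False
            report["gaps"].append(f"{sid}: not in inventory")
            continue
        for ds in system.datasets:
            report["datasets"].append(f"{sid}/{ds.name}")
            if ds.record_count is None or ds.last_image is None:
                report["scope_known"] = False
                report["gaps"].append(f"{sid}/{ds.name}: no record count or backup image")
                continue
            counts = report["records_by_class"]
            counts[ds.classification] = counts.get(ds.classification, 0) + ds.record_count
    return report


if __name__ == "__main__":
    # A lost sales laptop: fully inventoried and imaged, so the scope is known.
    print(affected_data(INVENTORY, ["laptop-0142"]))
    # A never-inventoried share plus an unknown USB device: scope is unknown.
    print(affected_data(INVENTORY, ["share-legacy", "usb-unknown"]))
```

The `gaps` list is the useful output for a tabletop exercise: each entry is a system or data set the organization could not have scoped today, which is exactly the situation in which the disclosure laws described above apply at their broadest.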