Digital Risk Management: Why Cyber Security Measures Aren’t Enough

Featured article by Michael McQuinn, co-founder and CTO of Criterion Advisory

Most companies of scale have cyber security measures in place – software solutions, policies and protocols, and regular assessments conducted by IT staff members around compliance and efficacy. With these measures in place, the executive management team might feel confident that their digital data is secure – until they’re blind-sided by crisis-inducing error or a data leakage event.

Equating cyber security to digital risk management is a catastrophic mistake. Cyber security is only one element of the comprehensive strategy required to effectively manage digital risk across an enterprise.

Digital risk management is a complex endeavor requiring real-time monitoring, strategic information architecture and advanced expertise in many areas related to technology, development, operations, data integrations and information systems. And, while cyber security is an important component, it is but one of the five critical pillars of digital risk management which include:

1)    Cyber Security protocols around systems breaches, incident management, and known exploit prevention

2)    Data Loss Prevention measures that protect against system failure, corruption and accidental overwriting and deletion

3)    Data Leakage Prevention protocols that ensure that users do not send confidential information outside of the organizational network

4)    Availability protections that ensure that critical business processes aren’t disrupted due to application downtime

5)    Governance policies with respect to obligation, regulation, compliance, client contractual requirements and data custodianship

Traditional IT departments lack the cross-functional expertise required to adequately manage digital risk across these five areas. In fact, Gartner recently published the results of an executive survey which revealed that an estimated 60% of large-scale enterprises will experience a significant digital breach attributable to the IT security team’s inability to manage digital risk with respect to new technologies, the proliferation of connected devices, and interdependencies.[1]

Gartner’s survey also showed that one-third of large scale enterprises reliant on digital models and activities will have hired a digital risk officer by 2017. In a related report titled “Top 10 Strategic Predictions for Businesses to Watch Out For,” Gartner estimates that digital businesses will require 50% less IT business process workers and 500% more digital jobs by 2018.[2]

This vast and radical shift in IT staffing across industries means that organizations will be scrambling to find candidates to fill digital risk positions. In the interim, IT department staff will lack the requisite skill set to effectively assess and manage digital risk at both a strategic and tactical level.

What can large scale organizations do to avoid falling into the 60% that will experience breach?

Recognize that Digital Risk Management Extends Beyond Cyber Security

The key point here is that the failure to integrate all aspects of digital risk management directly lead to digital crises.

For instance, with respect to Anthem’s recent breach that will likely expose the company to liability in the billions, it’s widely believed that hackers infiltrated the health care provider’s networks by using a sophisticated malicious software program that allowed them access to the login credentials of an Anthem employee.[3] Preventing this event would have involved better data management with sound encryption policies, which fall under the pillar of data leakage prevention.

And the infamous Target breach? It’s believed that the architecture of this attack was sequential, starting with infiltration through a third-party vendor. From there, hackers leveraged Target’s vendor portal access to gain control of the retailer’s servers and from there hijacked the point-of-sale systems. Experts widely believe that if Target had detected and countered any of these stepping stones in progress, the attack would likely have fallen apart. [4] Better governance policies would have enabled Target to understand their vendor’s digital risk, and any potential consequences that risk would bear on Target’s brand and balance sheet.

Conduct Independent Cross-Functional Reviews to Create Checks and Balances

According to a report issued by Online Trust Alliance in January 2015, over 90% of the data breaches that occurred during the first half of 2014 occurred as a result of the combination of human error and poorly designed workflows. The report states these breaches could have been prevented if organizations had appropriate digital risk management strategies and policies in place.[5]

In traditional enterprise structure, digital risk evaluation is conducted by non-engineers who require the participation of the people they are assessing, basically turning evaluations into self-assessments. There are no checks and balances to confirm that best practices are being followed and digital risk is being properly managed for the organization. The need for independent assessment becomes crystal clear. Independent review provides digital risk transparency by providing accurate and timely reporting around potential risk factors.

Integrate Subject Matter Experts that Have the Skills Required to Properly Manage Digital Risk

The staggering instances of human error and poorly designed workflows also brings to light that a significant skills gaps exist within IT departments. This is understandable given that comprehensive digital risk management requires highly specialized knowledge of data management and protection practices, advanced systems engineering and architecture, and defensive architecture for public-facing applications to ensure that the organization has clear and continuous oversight to achieve optimal digital risk protection and avoid breach. Internally hiring engineers of this caliber would be cost-prohibitive for any organization, yet it is critical to give IT teams the help they need to succeed in protecting digital assets in an increasingly complex technological landscape.

[1] http://www.gartner.com/newsroom/id/2794417

[2] http://www.networkworld.com/article/2692878/careers/gartner-top-10-technology-trends-for-2015-it-can-t-ignore.html

[3] http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html?_r=0

[4] http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

[5] https://otalliance.org/news-events/press-releases/ota-determines-over-90-data-breaches-2014-could-have-been-prevented