Last year Goldcorp, a Canadian mining company with approximately 15,000 employees, became suddenly aware that its internal network had been compromised. The perpetrators had successfully obtained 15 gigabytes of corporate data including tax returns, personal information, financial and operational data, and even copies of expired passports belonging to some of the directors. Part of this data had been publicly leaked online in an apparent attempt at extortion. The RCMP were contacted and are investigating. Goldcorp reacted quickly with its own security team; however, by then much of its corporate laundry had already been hung out for all to see.
Less than a year earlier, Detour Gold Corp. had the displeasure of a similar experience. Accessing and exposing business data is a profitable endeavour and, according to the Global Risk Institute, it’s one that has grown 38% since 2014, impacting $1 trillion. Given the heightened risks and sensational consequences, due in part to these actions being committed by international criminals and state-sponsored agents, businesses often overlook the risk that exists within their own backyard. Understanding security and risk involves looking at the entire organization.
When good employees go bad
Consider that the many technologies designed to keep external intruders out also permit authorized users to operate daily on trust alone to do the right things. This intersection of individual staff access, working business data and business technology can become a risk every bit as potent as any shadowy hacker from far away. It’s important to identify these risks as well and take precautions that anticipate the actions that may occur when good employees go bad. Business technology can be used to increase productivity, but it can also be used to wipe tracks clean. Internal process and technical controls can also serve to rapidly identify when data exfiltration is occurring.
Mitigate your business’ security risks
Maintaining an organizational security posture that includes people, processes and technology is key to making sure your organization is at reduced risk of having a really bad day. Every organization should seriously consider preparing an enterprise-wide security plan that establishes structure, policy, training, incident response and regular reviews. Knowing just where to start can seem daunting, but, like any other IT-related process, security can follow a lifecycle model.
The Security Lifecycle is an ongoing process of defining, refining, verifying and prioritizing security policy. The lifecycle defines practices, controls and tasks that aim to secure business data and ensure business continuity. The process starts with the definition of security policies, which should generally include both high-level and detailed information, depending on the size and complexity of the organization. The method of policy development can vary, but the first pass through the lifecycle should identify some important known risks and the key information assets to protect. For each risk or security priority, there should be a defined set of security controls mapped to it.
There are four categories of controls, each with areas to be defined according to the risk/security priority:
1. Management controls
• Definition of asset, risk/priority
• Lifecycle (review interval)
• Compliance-related requirements
• Ownership (of data, process)
2. Operational controls
• Personnel and roles
• Physical security
• Working data controls (input, output and transfer)
• Hardware configuration and maintenance
• Data integrity, backup
• Security-related training
• Incident response and issue escalation process
• Catastrophic recovery testing
3. Technical controls
• Authentication and access
• Logical access controls
• Physical access controls
• Auditing, logging and version tracking
4. Vulnerability assessment mapping
• Consequences of risk
• Technical description (if applicable) including documentation
• Personnel security
• User identity and authentication
• Physical environment
• Media sanitization/disposal
• Backups and maintenance
• Incident-handling technical processes
• Session and account access controls
• Log audit process
• External connections if applicable
• Transport layer security
• Technical vulnerability training
Once the categories have been defined, the organization should conduct a vulnerability assessment to establish a snapshot of the current state of the security controls within the organization and map them against the newly defined controls. At this stage, gaps and adjustments can be made to bring people, processes and technology in closer alignment to the defined security controls. Subsequent reviews will continue to further refine the process of both defining and implementing security controls.
Final thoughts on security
Serious security breaches are often due to multiple controls, whether process-based or technology-based, being circumvented or ignored for too long. The key to protecting your organization’s critical data is to have a clear security posture that defines the required controls and enforces them, so that when a control’s parameters fall out of range, appropriate responses are triggered in a predictable and timely manner.
Why is all of this so important? Looking back at Goldcorp, reliance on perimeter defence systems is not sufficient to prevent data breaches. A prevailing mentality among many businesses is that they don’t have anything worth stealing, which then becomes a justification to postpone or ignore improving security. There is an old IT security rule that states that 80% of security risk is effectively managed by implementing the most important 20% of available technical security controls. With this in mind, try starting small by defining your top five key security issues; doing so would likely provide significant results and keep your company out of the funny papers.
By: Wolrige Mahon LLP (article featured in Business in Vancouver)