This issue of the series is focused on the first two of the four key management questions: How do we track what digital information is leaving our organization and where is that information is going? How do we know who’s really logging into our network, and from where? How do we control what software is running on our devices? How do we limit the information we voluntarily make available to a cyber-adversary?
It may be fair to wonder, especially if the board member doesn’t have a professional IT background, if asking executives about specific information security measures might invite jargon-ridden replies that leave him or her no better off than before.
However, a basic awareness of key elements to look for can help in understanding the risk management implications of an answer even if you’re unfamiliar with some of the technical terminology. To do this, we suggest viewing the company’s information security practices through the lens of risk management maturity: that is, the extent to which it has progressed toward risk intelligence in its approach to each of the four areas mentioned above.
It’s not just who gets in, it’s what gets out
At many companies, cybersecurity practices are heavily weighted toward measures such as firewalls and passwords aimed at limiting access to the company’s network. But even though these precautions are essential, they’re not enough. Cyber criminals are becoming increasingly adept at infiltrating corporate networks without triggering an intruder alert. Once they’re inside, they can easily siphon information off your network unnoticed unless you are actively looking for signs of suspicious activity.
To help defeat cybercriminals who make it past the access controls, a mature cyber threat risk management capability will include safeguards against unauthorized information distribution, as well as against unauthorized information access. Effective performance in this respect makes use of technologies and processes that monitor outbound information traffic for both content – is the information appropriate to share? – and destination – where is it being sent?
Destination, in particular, can be a red flag; if information is being sent to a country where your company has no operational presence, it’s probably wise to look into who’s sending it there and why. A mature capability will also be able to restrict the transmission of suspicious communications until their legitimacy is verified – for example, with technologies that electronically “quarantine” the communication while appropriate checks take place.
When James from West Bay logs in from Uzbekistan, worry
Because cyber criminals are getting better at impersonating bona-fide corporate personnel, a company shouldn’t assume that everyone who logs in with legitimate credentials is actually a legitimate user. A mature cyber threat risk management capability will use at least two methods – possibly more, depending on the value of the assets being protected – to verify a person’s real-life identity before accepting him or her as authentic.
Available techniques include biometrics (e.g., laptop fingerprint readers), code token devices (thumbnail-sized devices, physically carried by legitimate users, that generate a different random authentication code at every login), and “machine fingerprinting” programs that track post-login behavior against historical patterns to determine the likelihood that a user is genuine. Other, more esoteric approaches also exist, which your IT security team should be able to describe.
Here, too, information about location – in this case, the countries from where supposed users are accessing your network – can be central to identifying potential threats. Logins from countries in which your company lacks operations should be flagged and investigated to determine whether the users in question are genuine or fraudulent. Yes, it’s possible that James from West Bay really is legitimately logging in from Uzbekistan while on vacation – but it doesn’t hurt to check.
Information in this series is based on the Deloitte whitepaper “Risk intelligent governance in the age of cyber threats.” You can access Deloitte Risk Intelligence whitepapers series free at www.deloitte.com/us/RiskIntelligence.