Research Technology Consulting
The Information Security Risk Landscape
How to Discuss Cybersecurity with Your Board
International
Global eHealth Executive Council
Road Map
1. Why is the Board More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives
4. Crafting and Delivering the Message
©2016 The Advisory Board Company • advisory.com
Breaches Happen to Everyone
Even the Best-Defended Organisations Have Been Breached
Why is the Board More Interested in Information Security Now?

80% of European companies have experienced at least one cybersecurity incident over the last year.1
41% of all reported UK data breaches were from the health sector.2

Non-Health Care Examples
• Yahoo
• British Airways
• NASDAQ
• Sony
• Lockheed
• Apple
• JP Morgan Chase
• European Central Bank

Notable Health Care Cyber Incidents in 2013–2016
• Blackpool Teaching Hospitals NHS Foundation Trust (UK, 2016)
• Banner Health (US, 2016)
• Chelsea and Westminster Hospital NHS Foundation Trust (UK, 2016)
• Royal Melbourne Hospital (AUS, 2016)
• Hollywood Presbyterian (US, 2016)
• British Association for Counselling and Psychotherapy (UK, 2016)
• Anthem & Premera (US, 2015)
• Healthcare.gov (US, 2014)
• LifeLabs (Canada, 2013)

“The Wall of Shame”: health care breaches reported involving 500 or more patients:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

• Organisations in Brazil and South Africa are most likely to have a material data breach involving 10,000 or more records.3
• Organisations in Germany and Australia are least likely to experience a material data breach.3

Source: Advisory Board research and analysis.
1) PwC’s The Global State of Information Security Survey 2016.
2) National Data Guardian for Health and Care: Review of Data Security, Consent, and Opt-outs, June 2016.
3) Ponemon Institute Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2016.
Cyber Incident Events Are Expensive

4% increase in estimated financial losses as a result of all security incidents compared to the year prior.3
8% increase in information security budgets due to the rising security risks.3
The costs don’t stop after the incident.5
Government agencies are levying penalties.4

The US Example
Economic Impacts on an Organisation in Health Care and Across All Industries

Detection and escalation
  Health care organisation1: $30,000 to $1.6M
  Across all industries2: $1,250 to $4.9M
Notification
  Health care organisation1: $4,000 to $1.7M
  Across all industries2: $14M to $15M
Follow-up response (legal, public relations, credit monitoring)
  Health care organisation1: $60,000 to $5.8M
  Across all industries2: $5,000 to $3M

Globally
€180K–€8M estimated costs to deal with a cyber incident.6
€1.9M average total economic impact from a cyber incident.6

Source: Advisory Board research and analysis.
1) Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.
2) NetDiligence, 2015 Cyber Claims Study.
3) PwC’s The Global State of Information Security Survey 2016.
4) ICO Data Security Incident Trends.
5) Abel R, “Affinity Gaming sues Trustwave over data breach,” SG Magazine, January 20, 2016.
6) http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432
Preparation Efforts Not Keeping Pace

Attacks Are Expected…
52% of health care organisations expect to be compromised by a successful cyber attack in 2015.1

…But Prevention and Funding Efforts Lag
33% agree they have sufficient resources to prevent or quickly detect a data breach.2
10% or less of the IT budget goes to security.3

Michael Ebert, Partner, KPMG Cyber Security:
“Health care has champagne tastes, but a beer budget.”

Clement Chen, Chief Strategy Officer, Leidos Health:
“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”

Biggest Barriers in Preparation2
• Lack of Appropriate Personnel: 64%
• Lack of Funding: 60%
• Too Many New Threats: 42%
• Too Many Endpoints: 32%
• Lack of Threat Intel: 28%
• Too Many Applications: 25%

Preparedness Against Threats2
• Brute Force Attack: 35%
• Phishing: 33%
• Denial of Service (DoS): 31%
• Software Vulnerabilities: 30%
• Advanced Persistent Threats (APTs): 22%
• Malicious Insider: 20%

Source: Health Care IT Advisor interviews and analysis.
1) “2015 CyberThreat Defense Report: North America and Europe,” CyberEdge Group.
2) 2015 HIMSS Cybersecurity Survey.
3) “New Trustwave Report Reveals Health Care Security Gaps,” Market Wired, October 3, 2015.
Increasingly Serious Threat Actors
Deep Pockets and Powerful Motivations

• Criminal Hackers. Goal: money
• Nation States. Goal: information, money, disruption
• Insiders. Goal: disruption, money, fame, transparency
• Terrorists. Goal: disruption, money, fame
• Hacktivists. Goal: disruption, money, fame, transparency

Stu Sjouwerman, CEO & Founder, KnowBe4:
“Cyber crime has gone pro. You’re dealing with highly organised, very well-funded, and extremely smart people that make 10 times more money than they ever could in any other business where they live. Most people do not know that in a country like the Ukraine it is legal to hack in foreign countries. So you’re dealing with office buildings full of people that arrive at 9, leave at 6, take breaks and have health insurance, and it's a 100% criminal enterprise.”

Sources: Hunton & Williams; Advisory Board interviews and analysis.
Major Information Security Risks
Address These First

• Poor Incident Response Preparedness
• Weak Technical Disaster Recovery and Corporate Business Continuity
• Fragmented Identity Management and Access Control
• Lack of Data Encryption
• Growth in the Internet of Things and the Consumerisation of IT

Source: Advisory Board research and analysis.
Reduce the Likelihood of a Breach

• Systematically identify and catalogue sensitive data
• Maintain an up-to-date cybersecurity incident response plan
• Develop written information security policies and procedures relating to administrative, technical and physical safeguards for sensitive data
• Develop a plan for managing risks associated with employee relationships
• Develop a plan for controlling service provider relationships
• Work with information technology vendors to deploy hardware and software tools that strengthen information security
• Develop a training programme for cybersecurity and data loss

Source: Advisory Board research and analysis.
Road Map (2 of 4): Preparation: Scouting the Risk Landscape
Preparation: Scouting the Risk Landscape
Assessing Risk

Risk Assessment is *the* most important method for understanding the information security risks within your environment.

Assessment Targets
• Physical Office Assessment (shredding, clean desk, access)
• Security Governance Assessment
• Data Centre Assessments (SSAE16 SOC II Type 2)
• Vendor/Partner Assessments
• Infrastructure Assessment (vulnerability detection/management)
• Product Risk Assessments

Source: Advisory Board research and analysis.
Preparation: Scouting the Risk Landscape
Other Key Channels for Risk Discovery

• Employees: provide valuable information during product team meetings, during architecture reviews, and in the corridor.
• Industry: vendor notifications, group memberships, and social media surface risks.
• Your Patients: patients’ assessments of products or services can surface problem areas previously unknown or not yet addressed.
• Technology: intrusion prevention alerts, perimeter security, log review, and scanners help to surface risks.
• Threat Modelling: helps predict types of risks or attacks based on your specific organisation profile.

Source: Advisory Board research and analysis.
Preparation: Scouting the Risk Landscape
What Types of Risk Are You Looking For?

Physical/Office Risks
• Multiple office locations
• Theft
• Location access
• Employee mistakes

Data/Privacy Risks
• HPI, NHI, PII, student records, IP
• Big Data
• Data sharing
• EU/national/local regulations

Process Risks
• Decentralised data access control
• Backup and recovery
• Duplicated teams/efforts

External Risks
• Hackers
• Natural disasters
• Terrorism
• Partner/vendor mistakes and threats

Technology Risks
• Cloud storage
• Multiple data centres
• Multiple technology platforms
• (Lack of) encryption
• Endpoints/BYOD
• The Internet of Things

HPI: Health Patient Identifier (UK); NHI: National Health Index (NZ); PII: Personally identifiable information; BYOD: Bring Your Own Device
Source: Advisory Board research and analysis.
Road Map (3 of 4): Understanding the Different Perspectives
Explore On An Individual Basis: Knowledge and Interest of Key Leaders Vary
Create a Foundation for Future Discussion Through Private Meetings

Understand the different perspectives of your leadership before you present to the Board. One-on-one, closed-door meetings with key executives will provide a critical understanding of how each views information security and risks to the organisation.

Key Leaders
• Board
• Chief Executive Officer
• Chief Financial Officer
• Chief Medical Officer/Chief Nursing Officer
• Legal Advice
• Chief Information Officer

For each leader, explore:
• General attitude about risk and security
• Level of knowledge
• Concerns around risk and security

Source: Advisory Board research and analysis.
The View From the Boardroom
Common Board Members’ Perspectives on Security and Risk

Potential Perspectives of the Board
Board members mostly experience security through the audit committee.
• Uninformed or misinformed about cybersecurity threats, vulnerabilities, and consequences
• Uninformed or misinformed about cybersecurity preparedness
• Focused on compliance instead of security
• Fearful of liability, focused on unproductive questions, and uncertain about their proper role

But the norm is shifting and concerns are growing.
Board awareness of cybersecurity risk and exposure is rapidly increasing. As a result, Boards are more receptive to increasing their focus on cybersecurity.

Source: Advisory Board research and analysis.
The View From the CEO’s Chair
Common CEO Perspectives of Security and Risk

Potential Perspectives of the Chief Executive Officer
Often organisationally distant from cybersecurity and focused on other priorities, but wants it handled without his/her involvement.
• Uninformed or misinformed about the organisation’s state of cybersecurity risk and preparedness
• Insufficiently focused on ensuring or investing in appropriate organisational reforms on cybersecurity
• Unaware of the importance of their leadership role in effecting changes and monitoring progress in cybersecurity
• Insufficiently engaged with the Board to manage risk and cybersecurity

But the rapidly growing number of cyber events has CEOs concerned about security.
CEOs can become a vital ally in driving cultural change and ensuring leadership engagement.

Source: Advisory Board research and analysis.
The View From Clinicians
Common CMO/CNO Perspectives of Security and Risk

Potential Perspectives of the Chief Medical Officer/Chief Nursing Officer
Often perceive security measures simply as a source of complaints from clinicians.
• Unaware or confused about cybersecurity risk
• More concerned with improving efficiency and protecting relationships with clinicians than with strengthening security

But growing awareness of clinician liability has started to change attitudes toward security measures.
CMOs, CNOs, CMIOs, and CNIOs can serve as valuable intermediaries in explaining the need for security measures to clinicians.

CMIO: Chief Medical Informatics Officer; CNIO: Chief Nursing Informatics Officer
Source: Advisory Board research and analysis.
The View From Information Technology
Common CIO Perspectives of Security and Risk

Potential Perspectives of the Chief Information Officer
Can see security measures as a barrier and a burden, slowing or even preventing progress, and as a potential source of trouble.
• Aware of the risk, but often more supportive of security in theory than in practice
• Often more focused on installing updated technology and reducing cost than on improving security

But changing awareness among senior executives is leading to a heightened level of attention to security by CIOs.
The CIO is a key partner for defining and implementing cybersecurity measures.

Source: Advisory Board research and analysis.
The View From Finance
Common CFO Perspectives of Security and Risk

Potential Perspectives of the Chief Financial Officer
May see security as an expense to be minimised as long as the financial auditors are satisfied.
• Uninformed or misinformed about cybersecurity investments
• Insufficiently focused on cybersecurity resource needs
• Focused on compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Misinformed about the extent of insurance coverage for cyber events

But recent publicity about the cost of cyber events has led to increasing interest among CFOs.
The CFO is well positioned to provide the resources a security programme needs.

Source: Advisory Board research and analysis.
The View From Legal
Common Legal Advisors’ Perspectives of Security and Risk

Potential Perspectives of Legal Advisors
May expect the information security team to eliminate all risk.
• Uninformed or misinformed about cybersecurity risk
• Focused on regulatory or contractual compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Sometimes not included in cybersecurity initiatives

But regulatory changes and new case law are increasing awareness about cyber risk and responsibilities.
Legal advisors are important for establishing the right security governance structure and policies, and for providing legal support on regulatory, contractual, and incident response matters.

Source: Advisory Board research and analysis.
Marshal Your Executive Allies
Build a Foundation with Private Meetings Before Presenting

Understand the different perspectives of your leadership before presenting to the Board. One-on-one, closed-door meetings with key executives will provide a critical understanding of how each views information security and risks to the organisation.

Key executives: Board, CEO, CFO, CMO/CNO, Legal Advice, CIO

Leadership is Often Poorly Informed
• Board member attitudes vary, but they are often uninformed or misinformed about cybersecurity risk and preparedness
• Frequently unclear about what their role is or should be in managing the cyber risk of the organisation

Awareness is Changing
• Board member awareness of cyber risk is growing
• Can be incredibly valuable allies to your efforts if approached thoughtfully

Source: Advisory Board research and analysis.
Road Map (4 of 4): Crafting and Delivering the Message
A Framework for a Successful Discussion
Four Keys to Holding an Effective Discussion on Security
Crafting and Delivering the Message

Prepare in Advance
• Make sure you understand the organisation’s current state
• Hold private meetings with key leaders to understand their concerns and perspectives

Keep it Simple
• Talk in business terms and leverage scenarios to illustrate the organisation’s risk profile from various threats
• Discuss improvements made to lower risk

Be Clear About Alternatives
• Provide alternatives for changing the organisation's risk posture
• Acknowledge trade-offs for each alternative

Discuss Roles
• Provide examples of various roles they can play in managing cyber risk
• Ask for their guidance and assistance

Be Ready to Listen

Source: Advisory Board research and analysis.
Be Prepared: Make Sure You Are Well Informed
Gather All the Information You Can About the Current State in Advance
Prepare in Advance

• Evaluate standard security frameworks like ISO27001.
• Leverage what makes the most sense for your organisation.

Controls
Administrative Controls
• Acceptable Use and Application Security policies
• Training and awareness
• Endpoint security guidelines
Physical Controls
• Heavily-secured data centres
• Proximity cards
• Hard drive and paper shredding
Technical Controls
• Intrusion Prevention Systems
• Consolidated logging
• Phishing email detection
• Mobile device management
• Full environment scanning

Services
• Policy and Procedure Development and Management
• Privacy and Information Security Awareness and Training
• Comprehensive Risk Assessment and Evaluation
• Application Security Evaluation
• Acquisition and Partnership Assessment
• Vendor Assessment
• Data Classification and Destruction
• Compliance Management (national/regional regulatory bodies and internal policies and procedures)
• Intrusion Detection and Prevention
• Network/Application Penetration Testing
• Vulnerability Assessment and Remediation
• Digital Forensic Investigation
• Incident Triage, Evaluation and Management
• Physical Security Consulting and Design
• Industry Collaboration and Partnerships

Source: Advisory Board research and analysis.
Example Scenarios
Leverage Threat Scenarios To Illustrate Risk
Talk in Business Terms
Keep It Simple

Example scenarios:
• Stolen device
• Insider abuse
• Phishing
• Ransomware

For Each Scenario Discuss
• Situation: How might it happen?
• Vulnerability: What weakness is exploited?
• Awareness: How would the organisation become aware of the situation?
• Response: What would the incident response look like?
• Implications: What is the potential impact on strategic plans and operations?
• Mitigations: What mitigations could be used to reduce the risk? What are the financial and operational impacts of those mitigations?
• Improvements: What recent improvements have already been made that may lower the risk?

Source: Advisory Board research and analysis.
Provide Choices
Let Them Lead by Outlining Alternatives Rather Than Mandates
Be Clear About Alternatives

Example Alternatives
• Alternative A: Maintain current risk level
• Alternative B: Moderate reduction in cyber risk by addressing only major weaknesses or largest threats
• Alternative C: Focus on a specific area of improvement such as education or incident response

Risk Reduction vs. Cost and Frustration
For each alternative provide estimates of:
• Risk reduction
• Cost
• Operational impact

Source: Advisory Board research and analysis.
Ask For Support and Guidance
Discuss Possible Roles for the Board
Discuss Roles

Possible roles
• Board: Define acceptable levels of risk, establish urgency
• CEO: Lead organisational reforms and cultural changes, oversee strategy development
• CFO: Ensure appropriate funding
• CMO/CNO: Act as liaison to medical staff and arbiter of trade-offs between risk reduction and operational impact
• Legal Advice: Ensure appropriate governance and compliance with laws and regulation
• CIO: Enable technical countermeasures and enforce policies

Metrics
What information and metrics would the Board and senior executives like to see on a recurring basis?

Source: Advisory Board research and analysis.
Action Items
Modern Cyber Risk Requires Engaged Leadership

Imperatives for an Effective Board Discussion About Security
Preparation is key to effective discussions.
1. Start by understanding the current level of the organisation’s cyber risk.
2. Hold private meetings with key leaders to explore their general attitude, level of understanding and interest in cybersecurity.
3. Leverage scenarios to explain potential risks and consequences using business terms instead of technical jargon.
4. Provide alternatives rather than mandates.
5. Ask for guidance on such issues as risk mitigation, roles and responsibilities and metrics.
6. Recognise that attitudes among board members are changing and create an opportunity for new discussions on cyber risk.

Source: Advisory Board research and analysis.
Resources

• A Four-Step Plan to Prevent Ransomware
Ransomware attacks encrypt your files and demand a ransom for the decryption key. In some cases, hospitals have paid large amounts of money to regain access to their data. This infographic depicts our recommendations for four common-sense steps to protect your data.

• Health Care Mobile Device Usage Policies: Not Too Onerous, Not Too Porous
This report discusses the necessity of health care mobility policies, includes recommendations on what should be included in those policies, provides best/appropriate practices, and offers advice for dealing with the numerous challenges providers encounter, such as bring your own device (BYOD) policies.

• How to Build a Breach Plan
The speed and honesty with which an organisation responds can have a great impact on limiting the damage. In this on-demand presentation, we focus on the most important things to have in place before a breach occurs. This is a US-based resource, yet the advice presented has universal application.

• Breach Response Toolkit
The Breach Response Toolkit assembles, in advance of a breach, the resources necessary for managing timely notification and placating patient concerns arising from it.
We Can Help

Publications and Analytics
• Best Practice Studies: best practice case studies and briefings based on a member-driven programme agenda
• Reports and Expert Perspectives: briefings and insights for executives centred around the most pressing issues facing health care leaders today
• Toolkits and Templates: web-accessible toolkits and templates, including calculators, enabling members to quickly achieve best practices

Presentations and Interactions
• National Meetings and Workshops: educational intensives on the most urgent health care topics
• Live and On-Demand Webconferences: unlimited access to all live and online archived programme webconferences
• Private Label Webcasts: web-enabled sessions to present research to individual members, paired with discussion

Web-Based Services
• Advisory.com/international: secured member website providing online access to research, services and announcements
• Programme Insights: regular programme updates, alerts, and expert perspectives on events affecting health care IT

Expert Support
• Dedicated Advisor: dedicated team to triage member requests and questions to ensure A+ member satisfaction
• Facilitated Networking: experts connect peers across the membership for high-value interactions upon request
• Hands-On Strategic Support: expert review of strategic documents to identify strengths and weaknesses, and areas for further development

International
Global eHealth Executive Council