
research technology consulting

The Information Security Risk Landscape
How to Discuss Cybersecurity with Your Board

International
Global eHealth Executive Council

Road Map

1 Why is the Board More Interested in Information Security Now?
2 Preparation: Scouting the Risk Landscape
3 Understanding the Different Perspectives
4 Crafting and Delivering the Message

©2016 The Advisory Board Company • advisory.com

Breaches Happen to Everyone
Even the Best-Defended Organisations Have Been Breached

Why is the Board More Interested in Information Security Now?

80%  Of European companies have experienced at least one cybersecurity incident over the last year.1

41%  Of all reported UK data breaches were from the health sector.2

• Organisations in Brazil and South Africa most likely to have material data breach involving 10,000 or more records.3
• Organisations in Germany and Australia least likely to experience material data breach.3

Non-Health Care Examples
• Yahoo
• British Airways
• NASDAQ
• Google
• Sony
• Lockheed
• Apple
• JP Morgan Chase
• European Central Bank

Notable Health Care Cyber Incidents in 2013‒2016
• Blackpool Teaching Hospitals NHS Foundation Trust (UK, 2016)
• Banner Health (US, 2016)
• Chelsea and Westminster Hospital NHS Foundation Trust (UK, 2016)
• Royal Melbourne Hospital (AUS, 2016)
• Hollywood Presbyterian (US, 2016)
• British Association for Counselling and Psychotherapy (UK, 2016)
• Anthem & Premera (US, 2015)
• Healthcare.gov (US, 2014)
• LifeLabs (Canada, 2013)

“The Wall of Shame” health care breaches reported involving 500 or more patients: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Source: Advisory Board research and analysis.
1) PwC’s The Global State of Information Security Survey 2016
2) National Data Guardian for Health and Care: Review of Data Security, Consent, and Opt-outs, June 2016
3) Ponemon Institute Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2016.

Cyber Incident Events Are Expensive
Economic Impacts on an Organisation in Health Care and Across All Industries

The US Example

                                          Health Care Organisation1    Across All Industries2
Detection and Escalation                  $30,000 to $1.6M             $1,250 to $4.9M
Notification                              $4,000 to $1.7M              $14M to $15M
Follow-up response (legal, public
relations, credit monitoring)             $60,000 to $5.8M             $5,000 to $3M

Globally

4%         Increase in estimated financial losses as a result of all security incidents compared to year prior3
8%         Increase in information security budgets due to the rising security risks3
€180K—€8M  Estimated costs to deal with a cyber incident6
€1.9M      Average total economic impact from a cyber incident6

The costs don’t stop after the incident5
Government agencies are levying penalties4

Source: Advisory Board research and analysis.
1) Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.
2) NetDiligence, 2015 Cyber Claims Study.
3) PwC’s The Global State of Information Security Survey 2016
4) ICO Data Security Incident Trends.
5) Abel R, “Affinity Gaming sues Trustwave over data breach,” SG Magazine, January 20, 2016.
6) http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432

Preparation Efforts Not Keeping Pace

Attacks Are Expected…
52%  Of health care organizations expect to be compromised by a successful cyber attack in 20151

…But Prevention and Funding Efforts Lag
33%  Agree they have sufficient resources to prevent or quickly detect a data breach2

10% or Less of IT Budget Goes to Security3

Biggest Barriers in Preparation2
25%  Too Many Applications
28%  Lack of Threat Intel
32%  Too Many Endpoints
42%  Too Many New Threats
60%  Lack of Funding
64%  Lack of Appropriate Personnel

Preparedness Against Threats2
20%  Malicious Insider
22%  Advanced Persistent Threats (APTs)
30%  Software Vulnerabilities
31%  Denial of Service (DoS)
33%  Phishing
35%  Brute Force Attack

Michael Ebert, Partner, KPMG Cyber Security:
“Health care has champagne tastes, but a beer budget.”

Clement Chen, Chief Strategy Officer, Leidos Health:
“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”

Source: Health Care IT Advisor interviews and analysis.
1) “2015 CyberThreat Defense Report: North American and Europe,” Cyber Edge Group.
2) 2015 HIMSS Cybersecurity Survey.
3) “New Trustwave Report Reveals Health Care Security Gaps,” Market Wired, October 3, 2015.

Increasingly Serious Threat Actors
Deep Pockets and Powerful Motivations

Criminal Hackers
Goal: money

Nation States
Goal: information, money, disruption

Insiders
Goal: disruption, money, fame, transparency

Terrorists
Goal: disruption, money, fame

Hacktivists
Goal: disruption, money, fame, transparency

Stu Sjouwerman, CEO & Founder, KnowBe4:
“Cyber crime has gone pro. You’re dealing with highly organised, very well-funded, and extremely smart people that make 10 times more money than they ever could in any other business where they live. Most people do not know that in a country like the Ukraine it is legal to hack in foreign countries. So you’re dealing with office buildings full of people that arrive at 9, leave at 6, take breaks and have health insurance, and it’s a 100% criminal enterprise.”

Sources: Hunton & Williams; Advisory Board interviews and analysis.

Major Information Security Risks
Address These First

• Poor Incident Response Preparedness
• Weak Technical Disaster Recovery and Corporate Business Continuity
• Fragmented Identity Management and Access Control
• Lack of Data Encryption
• Growth in the Internet of Things and the Consumerisation of IT

Source: Advisory Board research and analysis.

Reduce the Likelihood of a Breach

• Systematically identify and catalogue sensitive data
• Maintain an up-to-date cybersecurity incident response plan
• Develop written information security policies and procedures relating to administrative, technical and physical safeguards for sensitive data
• Develop a plan for managing risks associated with employee relationships
• Develop a plan for controlling service provider relationships
• Work with information technology vendors to deploy hardware and software tools that strengthen information security
• Develop a training programme for cybersecurity and data loss

Source: Advisory Board research and analysis.

Road Map

1 Why is the Board More Interested in Information Security Now?
2 Preparation: Scouting the Risk Landscape
3 Understanding the Different Perspectives
4 Crafting and Delivering the Message

Preparation: Scouting the Risk Landscape
Assessing Risk

Risk Assessment is *the* most important method for understanding the information security risks within your environment.

Assessment Targets
• Physical Office Assessment (shredding, clean desk, access)
• Security Governance Assessment
• Data Centre Assessments (SSAE16 SOC II Type 2)
• Vendor/Partner Assessments
• Infrastructure Assessment (vulnerability detection/management)
• Product Risk Assessments

Source: Advisory Board research and analysis.

Preparation: Scouting the Risk Landscape
Other Key Channels for Risk Discovery

Employees: Provide valuable information during product team meetings, during architecture reviews, and in the corridor.

Industry: Vendor notifications, group memberships, and social media surface risks.

Your Patients: Patients’ assessments of products or services can surface problem areas previously unknown or not yet addressed.

Technology: Intrusion prevention alerts, perimeter security, log review, and scanners help to surface risks.

Threat Modelling: Helps predict types of risks or attacks based on your specific organisation profile.

Source: Advisory Board research and analysis.

Preparation: Scouting the Risk Landscape
What Types of Risk Are You Looking For?

Physical/Office Risks
• Multiple office locations
• Theft
• Location access
• Employee mistakes

Data/Privacy Risks
• HPI, NHI, PII, student records, IP
• Big Data
• Data sharing
• EU/national/local regulations

Process Risk
• Decentralised data access control
• Backup and recovery
• Duplicated teams/efforts

External Risks
• Hackers
• Natural disasters
• Terrorism
• Partner/Vendor mistakes and threats

Technology Risks
• Cloud storage
• Multiple data centers
• Multiple technology platforms
• (Lack of) encryption
• Endpoints/BYOD
• The Internet of Things

HPI: Health Patient Identifier (UK)
NHI: National Health Index (NZ)
PII: Personally identifiable information
BYOD: Bring Your Own Device

Source: Advisory Board research and analysis.

Road Map

1 Why is the Board More Interested in Information Security Now?
2 Preparation: Scouting the Risk Landscape
3 Understanding the Different Perspectives
4 Crafting and Delivering the Message

Explore On An Individual Basis: Knowledge and Interest of Key Leaders Vary
Create a Foundation for Future Discussion Through Private Meetings

Understand the Different Perspectives of Your Leadership Before You Present to the Board

One-on-one closed door meetings with key executives will provide a critical understanding of how each views Information Security and risks to the organisation.

Key Leaders                                    General attitude about    Level of     Concerns around
                                               risk and security         knowledge    risk and security
Board
Chief Executive Officer
Chief Financial Officer
Chief Medical Officer/Chief Nursing Officer
Legal Advice
Chief Information Officer

Source: Advisory Board research and analysis.

The View From the Boardroom
Common Board Members’ Perspectives on Security and Risk

Potential Perspectives of the Board
Board members mostly experience security through the audit committee.
• Uninformed or misinformed about cybersecurity threats, vulnerabilities, and consequences
• Uninformed or misinformed about cybersecurity preparedness
• Focused on compliance instead of security
• Fearful of liability, focused on unproductive questions, and uncertain about proper role

But the norm is shifting and concerns are growing.
Board awareness of cybersecurity risk and exposure is rapidly increasing. As a result, Boards are more receptive to increasing their focus on cybersecurity.

Source: Advisory Board research and analysis.

The View From the CEO’s Chair
Common CEO Perspectives of Security and Risk

Potential Perspectives of the Chief Executive Officer
Often organisationally distant from cybersecurity and focused on other priorities but wants it handled without his/her involvement.
• Uninformed or misinformed about the organisation’s state of cybersecurity risk and preparedness
• Insufficiently focused on ensuring or investing in appropriate organisational reforms on cybersecurity
• Unaware of the importance of their leadership role in effecting changes and monitoring progress in cybersecurity
• Insufficiently engaged with Board to manage risk and cybersecurity

But the rapidly growing number of cyber events has CEOs concerned about security.
CEOs can become a vital ally in driving cultural change and ensuring leadership engagement.

Source: Advisory Board research and analysis.

The View From Clinicians
Common CMO/CNO Perspectives of Security and Risk

Potential Perspectives of the Chief Medical Officer/Chief Nursing Officer
Often perceive security measures simply as a source of complaints from clinicians.
• Unaware or confused about cybersecurity risk
• More concerned with improving efficiency and protecting relationships with clinicians than strengthening security

But growing awareness of clinician liability has started to change attitudes toward security measures.
CMOs, CNOs, CMIOs, and CNIOs can serve as valuable intermediaries in explaining the need for security measures to clinicians.

CMIO: Chief Medical Informatics Officer
CNIO: Chief Nursing Informatics Officer

Source: Advisory Board research and analysis.

The View From Information Technology
Common CIO Perspectives of Security and Risk

Potential Perspectives of the Chief Information Officer
Can see security measures as a barrier and a burden, slowing or even preventing progress and a potential source of trouble.
• Aware of the risk, but often more supportive of security in theory than in practice
• Often more focused on installing updated technology and reducing cost than improving security

But changing awareness among senior executives is leading to a heightened level of attention to security by CIOs.
The CIO is a key partner for defining and implementing cybersecurity measures.

Source: Advisory Board research and analysis.

The View From Finance
Common CFO Perspectives of Security and Risk

Potential Perspectives of the Chief Financial Officer
May see security as an expense to be minimised as long as the financial auditors are satisfied.
• Uninformed or misinformed about cybersecurity investments
• Insufficiently focused on cybersecurity resource needs
• Focused on compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Misinformed about the extent of insurance coverage for cyber events

But recent publicity about the cost of cyber events has led to increasing interest levels among CFOs.
The CFO is well positioned to provide needed resources for a security programme.

Source: Advisory Board research and analysis.

The View From Legal
Common Legal Advisors’ Perspectives of Security and Risk

Potential Perspectives of Legal Advisors
May expect the information security team to eliminate all risk.
• Uninformed or misinformed about cybersecurity risk
• Focused on regulatory or contractual compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Sometimes not included in cybersecurity initiatives

But regulatory changes and new case law are increasing awareness about cyber risk and responsibilities.
The Legal Advisors are important for establishing the right security governance structure and policies, and providing legal support on regulatory, contractual, and incident response.

Source: Advisory Board research and analysis.

Marshal Your Executive Allies
Build a Foundation with Private Meetings Before Presenting

Understand the different perspectives of your leadership before presenting to the Board

One-on-one, closed door meetings with key executives will provide a critical understanding of how each views information security and risks to the organisation.

Key executives: Board, CFO, Legal Advice, CMO/CNO, CEO, CIO

Leadership is Often Poorly Informed
• Board member attitudes vary but they are often uninformed or misinformed about cybersecurity risk and preparedness
• Frequently unclear about what their role is or should be in managing the cyber risk of the organisation

Awareness is Changing
• Board member awareness of cyber risk is growing
• Can be incredibly valuable allies to your efforts if approached thoughtfully

Source: Advisory Board research and analysis.

Road Map

1 Why is the Board More Interested in Information Security Now?
2 Preparation: Scouting the Risk Landscape
3 Understanding the Different Perspectives
4 Crafting and Delivering the Message

A Framework for a Successful Discussion
Four Keys to Holding an Effective Discussion on Security

Crafting and Delivering the Message

Prepare in Advance
• Make sure you understand the organisation’s current state
• Hold private meetings with key leaders to understand their concerns and perspectives

Keep it Simple
• Talk in business terms and leverage scenarios to illustrate the organisation’s risk profile from various threats
• Discuss improvements made to lower risk

Be Clear About Alternatives
• Provide alternatives for changing the organisation's risk posture
• Acknowledge trade-offs for each alternative

Discuss Roles
• Provide examples of various roles they can play in managing cyber risk
• Ask for their guidance and assistance

Be Ready to Listen

Source: Advisory Board research and analysis.

Be Prepared: Make Sure You Are Well Informed
Gather All the Information You Can About the Current State in Advance

Prepare in Advance

• Evaluate standard security frameworks like ISO27001.
• Leverage what makes the most sense for your organisation.

Controls

Administrative Controls
• Acceptable Use and Application Security policies
• Training and awareness
• Endpoint security guidelines

Physical Controls
• Heavily-secured data centres
• Proximity cards
• Hard drive and paper shredding

Technical Controls
• Intrusion Prevention Systems
• Consolidated logging
• Phishing email detection
• Mobile device management
• Full environment scanning

Services
• Policy and Procedure Development and Management
• Privacy and Information Security Awareness and Training
• Comprehensive Risk Assessment and Evaluation
• Application Security Evaluation
• Acquisition and Partnership Assessment
• Vendor Assessment
• Data Classification and Destruction
• Compliance Management (National/regional regulatory bodies and internal policies and procedures)
• Intrusion Detection and Prevention
• Network/Application Penetration Testing
• Vulnerability Assessment and Remediation
• Digital Forensic Investigation
• Incident Triage, Evaluation and Management
• Physical Security Consulting and Design
• Industry Collaboration and Partnerships

Source: Advisory Board research and analysis.

Example Scenarios
Leverage Threat Scenarios To Illustrate Risk

Talk in Business Terms
Keep It Simple

Example scenarios:
• Stolen device
• Insider abuse
• Phishing
• Ransomware

For Each Scenario Discuss

Situation: How might it happen?
Vulnerability: What weakness is exploited?
Awareness: How would the organisation become aware of the situation?
Response: What would the incident response look like?
Implications: What is the potential impact on strategic plans and operations?
Mitigations: What mitigations could be used to reduce the risk? What are the financial and operational impacts of those mitigations?
Improvements: What recent improvements have already been made that may lower the risk?

Source: Advisory Board research and analysis.

Provide Choices
Let Them Lead by Outlining Alternatives Rather Than Mandates

Be Clear About Alternatives

Example Alternatives
Alternative A: Maintain current risk level
Alternative B: Moderate reduction in cyber risk by addressing only major weaknesses or largest threats
Alternative C: Focus on a specific area of improvement such as education or incident response

Risk Reduction vs. Cost and Frustration
For each alternative provide estimates of:
• Risk reduction
• Cost
• Operational impact

Source: Advisory Board research and analysis.

Ask For Support and Guidance
Discuss Possible Roles for the Board

Discuss Roles

Board: Define acceptable levels of risk, establish urgency
CEO: Lead organisational reforms and cultural changes, oversee strategy development
CFO: Ensure appropriate funding
CMO/CNO: Act as liaison to medical staff and arbiter of tradeoffs between risk reduction and operational impact
Legal Advice: Ensure appropriate governance and compliance with laws and regulation
CIO: Enable technical counter measures and enforce policies

Metrics
What information and metrics would the Board and senior executives like to see on a recurring basis?

Source: Advisory Board research and analysis.

Action Items
Modern Cyber Risk Requires Engaged Leadership

Imperatives for an Effective Board Discussion About Security

Preparation is key to effective discussions

1 Start by understanding the current level of the organisation’s cyber risk.
2 Hold private meetings with key leaders to explore their general attitude, level of understanding and interest in cybersecurity.
3 Leverage scenarios to explain potential risks and consequences using business terms instead of technical jargon.
4 Provide alternatives rather than mandates.
5 Ask for guidance on such issues as risk mitigation, roles and responsibilities and metrics.
6 Recognise that attitudes among board members are changing and create an opportunity for new discussions on cyber risk.

Source: Advisory Board research and analysis.

Resources

• A Four-Step Plan to Prevent Ransomware
Ransomware attacks encrypt your files and demand ransom for the decryption key. In some cases, hospitals have paid large amounts of money to regain access to their data. This infographic depicts our recommendations for four common-sense steps to protect your data.

• Health Care Mobile Device Usage Policies: Not Too Onerous, Not Too Porous
This report discusses the necessity of health care mobility policies, includes recommendations on what should be included in those policies, provides best/appropriate practices, and offers advice for dealing with numerous challenges providers encounter, such as bring your own device (BYOD) policies.

• How to Build a Breach Plan
The speed and honesty with which an organisation responds can have a great impact on limiting the damage. In this on-demand presentation, we focus on the most important things to have in place before a breach occurs. This is a US-based resource, yet the advice presented has universal application.

• Breach Response Toolkit
The Breach Response Toolkit assembles, in advance of a breach, the resources necessary for managing timely notification and placating patient concerns arising from it.

We Can Help

Publications and Analytics
• Best Practice Studies: Best practice case studies and briefings based on member-driven programme agenda
• Reports and Expert Perspectives: Briefings and Insights for executives centered around the most pressing issues facing health care leaders today
• Toolkits and Templates: Web-accessible toolkits and templates, including calculators, enabling members to quickly achieve best practices

Presentations and Interactions
• National Meetings and Workshops: Educational intensives on most urgent health care topics
• Live and On-Demand Webconferences: Unlimited access to all live and online archived programme webconferences
• Private Label Webcasts: Web-enabled sessions to present research to individual members paired with discussion

Web-Based Services
• Advisory.com/international: Secured member website providing online access to research, services, announcements
• Programme Insights: Regular programme updates, alerts, and expert perspectives on events affecting health care IT

Expert Support
• Dedicated Advisor: Dedicated team to triage member requests and questions to ensure A+ member satisfaction
• Facilitated Networking: Experts connect peers across the membership for high-value interactions upon request
• Hands-On Strategic Support: Expert review of strategic documents to identify strengths and weaknesses, and areas for further development

International
Global eHealth Executive Council

Third Floor, Melbourne House
46 Aldwych, London WC2B 4LL, UK
P +44 (0) 203 100 6800 │ advisory.com