Cyber & Social Risk Considerations

Implementing Social Risk Management in Defense of Information Assets.

Hacking is harder than it used to be. Twenty years ago, the discipline of Information Security was confined to arcane knowledge stored deep within IT. Not many organizations were security conscious, and those that were, may not have been monitoring for security threats outside of malware and whatever hits the firewall. As Operational IT Security defenses matured and became more sophisticated, Information Security matured from an IT discipline into the business discipline of Information Risk Management. When more and more IT organizations hardened their exterior, deployed network- and host-based agents to detect anomalies, and baked security into the systems and networks through which valuable information assets flow, the temptation might be strong to declare victory and assert that the organization is now ‘secure’.

As the baseline for Operational IT Security has steadily increased over time, classical hacking (that is, a determined attacker who manages to punch through external defenses to capture systems and assets) diminished in effectiveness. Less talented hackers (the most plentiful kind) would resign themselves to a game of patience and numbers, searching for systems where a system administrator made a configuration mistake that could be exploited. However, as systems became hardened, less talented hackers searched for new, easier targets. And they found them: an organization’s workforce. Modern cyber-attacks focus on the human element. It is much easier to get data out of unprepared employees than to break into well-defended and monitored systems.

Consider the IT challenge of unpatched and vulnerable computers. Before the era of centralized automated patch management, ensuring that all first- and third-party applications were up to the latest secure revision was a challenge. Today, IT can detect anomalous configurations and out-of-date applications, and manage the patch process from one central location. This is similar to the situation we find ourselves in with human risk to information assets. An organization that understands information risk management only through the lens of IT may miss the opportunity to properly patch their workforce. How exactly does one patch their workforce? In the same manner as software is patched: with a management-driven program to measure and reduce social risk to data.

In the early stages of maturity, an organizations’ Social Risk Management initiative may resemble once-a-year training covering topics mandated by an audit or compliance requirement. This may be aligned to an internal HR mandate to provide ongoing training to the workforce. However, such actions are insufficient in a risk environment where direct threats against the workforce evolve much more quickly than once-per-year training can hope to cover. Modern hackers understand this information asymmetry that they (for now) have regained the upper hand that they had lost as Operational IT Security improved, and that this vulnerability will continue to exist until the organization ‘patches their workforce’.

Figure 1: Modern breaches and data loss incidents are human initiated

Finding

Human Factor?

41% of breach events were due to human error or oversight

31% of incidents were the result of information asset loss

76% of breaches were the result of weak or stolen account credentials

49% of incidents were initiated via social engineering

* Data Sources: OTA analysis utilizing data provided by the Open Security Foundation, Risk Based Security, Symantec and the Privacy Rights Clearinghouse

This is where the discipline of Social Risk Management can have the greatest mitigating impact on human risk to information assets. Social Risk Management’s goal is the attainment and maintenance of the Secure Corporate Mind. This entails defining human risks to information assets, and establishing a programmatic approach to measure and reduce Social Risk to assets. The program defines three key participants and how they should think about their relationship to data and their responsibility in defending it.

Figure 2: The Secure Corporate Mind

As the impact of this type of attack is organization-wide, it is important to integrate a Social Risk Management program into your organizations’ larger Risk Management or Data Security initiatives.

The Risk Leader needs to establish what the current Social Risk posture is across eight risk areas:

  • Email Use Security
  • Visitor Management
  • Need-To-Know Enforcement
  • Telephone Use Security
  • Physical Asset Security
  • Secure Information Handling & Privacy
  • Acceptable Use Compliance

For each Social Risk area, an awareness campaign is deployed to all user endpoints using a focused, actionable, and multi-modal approach, gathering and publishing risk metrics every 45 days. At the end of a 90- day campaign, an assessment is conducted to measure risk and ensure that the new metric is aligned with strategic risk management goals.

Figure 3: Social Risk Management Strategic Execution

The remediation of Social Risk is a multi-disciplinary affair. Remember that Social Risk to data is not an IT problem. That is, one cannot simply implement a technology or install a service that will materially reduce Social Risk. A combination of focused training, content, adjustments to the risk culture, and enhancements to Human Resource and Management processes is required to effectively implement a Social Risk Management Program. It is important to fight the perception that this is a training program, even though user training is a significant portion of the work involved. As training is delivered, the real work of measuring and analyzing risk to data occurs out of sight. Once the baseline Social Risk metric for a given risk area is established, the three most likely attack vectors within that area are identified. Training is then focused on reducing risk in those three critical area. This is delivered across all social risk areas in 90-day blocks.

Figure 4: Sample Social Risk Management Implementation Schedule

A full cycle of the Social Risk Management program can take up to one year to complete, assuming a deployment structure similar to the one shown in Figure 4. New campaigns are launched every 45 days so that there are always two Social Risk areas in active mitigation at any one time. The content delivery model allows for a multi-modal approach to education and culture change such that it never feels like training to the end user. The content that is used to deliver the message must support the organization’s risk management efforts, not define it. One cannot reduce Social Risk against a syllabus alone. Security awareness content is a commodity, and any content solution should align with internally defined Social Risk areas.

To create a Secure Corporate Mind, one must attack the root cause of Social Risk: an organization’s culture. A successful Social Risk program builds around the culture, and not through it. It works within the possible, with a constant progressive nudge towards a more human-centered information defense model. Senior leadership must take an active role in promoting the program and ensure that all levels of the organization are participating in a manner that maintains momentum. Leadership positions the initiative as being driven by a strong commitment to defend Value through the management of human behavior. Pervasive multi-modal delivery for the duration of the campaign is key to success, as is the perception that the message is delivered in a fun way;
fear-based messaging reduces the long-term effectiveness of the program. Aside from direct training of users (which is vital in the introduction of Social Risk), the social risk manager may also use games, quizzes, newsletters, posters, contests, surveys, and other tools to remain continually engaged with the workforce.

Most importantly, defense-of-data responsibilities are integrated into ongoing organizational management methods. One example is to enhance all job descriptions with a clause outlining the workers’ responsibility to actively defend the organizations’ information assets, systems, and platforms. This is then aligned with department-level Social Risk metrics to identify which parts of the organization require closer Social Risk Management. Managers can be provided with worker-level Social Risk Management guidance, with tools to measure compliance to risk goals. The organization can even choose to include defense-of-data actions in annual employee review criteria (including test scores from Social Risk measurement actions).

As this new cultural value takes hold, subsequent Social Risk Management cycles can be shortened as the largest risk areas are mitigated and the Secure Corporate Mind is achieved.
 

Download the whitepaper version of this post
 


Sabino Marquez is Senior Director of Information Risk, Privacy & Cybersecurity at Accretive Solutions. Sabino is a highly accomplished business leader with proven success in building, enhancing, and managing enterprise risk, security and information governance programs aligned to strategic business objectives. Sabino helps organizations elevate the discipline of information risk management to a competitive differentiator and centerpiece of customer trust. Sabino’s current professional focus is the strategic convergence of information risk management, data security, information privacy, and social risk.