The U.S. Department of Defense revealed that “at the top of the U.S. intelligence community’s 2013 assessment of global threats is cyber, followed by terrorism and transnational organized crime.” The severity and impact of cyber threats have changed the landscape in which governments, corporations and individuals operate. Breaches of personal financial and health data are becoming more commonplace.
The threat is ongoing, and the government sector is a target given the massive amounts of citizen data it stores. At one point, this was considered largely an IT issue, but the increase in frequency and sophistication of cyberattacks requires institutions to make it a priority in their C-suites and boardrooms.
Cyber Risk Management
It is critical that government entities maintain a formal process for managing cyber risks. It is important to know what the risks are, how they are managed and mitigated, and who is accountable. The Federal Financial Institutions Examination Council (FFIEC) defines a process for managing cyber risk that applies to other industries, as well; the process emphasizes four areas:
- Governance: The governance process starts with a risk assessment that identifies new threats, followed by identifying and prioritizing gaps in policies, procedures and controls, and then updating and testing those policies, procedures and controls as necessary. It is important to know whether your staff is providing you with accurate and timely information about your risks and your ability to mitigate them, so you can prioritize resource allocations and keep boards and legislators informed.
- Threat Intelligence: Threat intelligence consists of both internal and external resources that provide management with the information needed to make informed decisions. Internal sources of information include internal audit reports and fraud detection tools. External sources could include the Department of Homeland Security, FBI InfraGard, Information Sharing and Analysis Organizations (ISAOs), the National Council of ISACs (Information Sharing and Analysis Centers), and the newly formed Cyber Threat Intelligence Integration Center. The key point to understand is how your entity is identifying and monitoring cyber threats and attacks, both against the entity and against the sector as a whole.
- Third-party/Vendor Management: Understanding third-party or vendor relationships and the impact they may have on your data is another area of critical importance. Too often, entities outsource a service and assume they have eliminated the risks related to the outsourced processes. Entities should strive to fully understand which systems and users have been given access to their data, and the controls at the third party or vendor that protect that data. They should also perform adequate due diligence prior to initiating a relationship, to ensure that third-party partners are fully aware of all relevant threats and are consistently auditing and monitoring their own security programs.
- Incident Response: In the unlikely event that a cyber incident occurs, organizations should have a plan to adequately respond to and recover from the event. Incident response plans and teams should be in place, along with internal and external escalation and notification processes. It is important to know how often your organization tests its plans for responding to a cyberattack and whether those plans include key internal and external stakeholders.
The key to a successful cyber risk management program is to first establish the security tone from the top and build a security culture. Once the culture is set, you can take the following steps:
- Identify, measure, mitigate and monitor risks.
- Develop risk management processes commensurate with your entity’s level of risk and complexity.
- Align IT strategy with overall strategy and account for how risks will be managed both now and in the future.
- Create a governance process to ensure ongoing awareness and accountability.
- Ensure reports are meaningful and timely, with metrics on vulnerability to cyber risks and their potential impact.
For more information on cybersecurity, please contact your Eide Bailly representative.