The Executive Order “Improving Critical Infrastructure Cybersecurity” affects all federal contractors, as the government uses mandates and Executive Orders to establish stronger baselines across the information supply chain. The current emphasis on cyber liability and on controlled unclassified information (CUI) compliance, seen in both Defense and Civilian agency regulations, suggests that the ability to respond to real and potential cyber breaches is a key measure of compliance and best practice. In 2017, it will likely also shape procurement practices.
This ability is also a critical indicator of the maturity of an organization’s information security program in today’s converged world of cloud plus IoT (Internet of Things).
Cyber liabilities, including breaches, are growing in both administrative overhead and penalty costs, as the Ponemon Institute 2016 study shows.
Government regulatory bodies such as the Federal Trade Commission (FTC) are issuing public guidance on incident response. The FTC Guidance for Responding to Data Breaches is one example, and it suggests that adherence to such best practices will be used as a marker of cyber liability in the future.
It is clear that your organization’s ability to manage cyber incidents is now a requirement of doing business. Putting this into perspective requires organizations to examine how they stack up against requirements such as CUI protection, which will affect revenue, profit and contracting partnerships.
Implementing effective responses
No organization can prevent 100 percent of cyber threats, which range from insider threats to external cyber attacks to third-party risks.
Incident response readiness includes preparation for, detection of, response to, and recovery from threats. Incident response, as a marker of the quality of your business, requires a comprehensive response framework that sets out priorities and escalation paths for each incident scenario, not just help desk or security operations center (SOC) responses. It also requires a communication plan and reporting processes that address the vendor supply chain, privacy implications, and corporate due diligence and protections.
The Ponemon 2016 Study
“Cost of the Data Breach”
Average total cost: approximately $4 million
Average cost per record: now $158
Organizations can start by creating a framework consistent with NIST SP 800-61 that addresses the key roles, procedures and action items needed to reduce the impact of real and potential events. CEOs should engage and retain experienced outside counsel in legal affairs, security auditing and forensics to strengthen the foundation of due diligence for their cyber protections. At EmeSec, we have also encouraged our clients to minimize the business impact of a breach by making public relations part of the incident response.
Specific components organizations need to consider include, but are not limited to:
Incident investigation — NIST offers resources that help define a taxonomy of cyber incidents. Its categories are broadly defined and include unauthorized access, malicious code, denial of service, and inappropriate or unauthorized usage.
Definition of response team roles — Your plan should specify team structures, individual roles and responsibilities, escalation processes, and war-room protocols, established by type of event, incident or breach.
Data-classification frameworks — Determine the types of data that have been accessed or exfiltrated; this defines your response strategy and activities. For example, a company might have one set of response processes for confidential customer data and an entirely different set for the loss of critical intellectual property or CUI.
Post-incident procedures — Identify the actions that are not technical in nature and must follow an incident. These may include reporting to DoD, to your contracting officer(s), and to teaming partners; additional actions may require a press release or a partner communication. Document your lessons learned, response actions, and areas for improvement.
Strong response plans help ensure that minor events do not escalate into the trust issues associated with major incidents. Incident responses should always consider and incorporate strategies to reduce lasting reputational and business effects. Although federal contractors and their subcontractors have until December 2017 to fully comply with the CUI mandate, the risk of contract loss or disqualification from future opportunities, together with the responsibilities of staying in business, requires a clear look at your best practices in 2017.
Maria C. Horton is the president and CEO of EmeSec, a cybersecurity professional services firm. Horton founded EmeSec in 2003 after retiring from her post as CIO of the U.S. Naval Medical Center.