Introduction
In February 2017, Memorial Healthcare System (MHS) in southern Florida was assessed a $5.5 million penalty by the US Office for Civil Rights for HIPAA (Health Insurance Portability and Accountability Act) violations. The penalty was for “failure to implement audit procedures to review, modify, and/or terminate users’ right of access” that allowed improper access to health records (Harris, 2017). This severe financial penalty was for failure to implement required procedures. There are many legislative requirements for cybersecurity controls across various corporate categories: the healthcare sector must comply with the HIPAA laws, GLBA applies to the financial services sector, and NIST guidance and FISMA cover US Federal agencies and contractors.
There are three main reasons for corporations to institute data security policies and controls.
- Business operational needs.
From a purely practical perspective, a business must keep its internal data confidential, available, and unchanged by outside forces, that is, preserve its integrity (the CIA triad). The wide world having unfettered access to internal corporate networks would cause severe disruptions as data is modified, destroyed, or stolen by malicious actors.
- Legal requirements.
Legislatures around the world have enacted a myriad of laws regarding cybersecurity and privacy for organizations holding sensitive or personally identifiable data. In the United States, 42 states have legislation mandating cybersecurity (NCSL, 2017), and there are three main federal cybersecurity laws. Failure to comply can result in heavy financial penalties, and even prison sentences for executives and board members.
- 1996 Health Insurance Portability and Accountability Act (HIPAA) requires organizations that hold personally identifiable health records to protect that data (HHS, 2003).
- 1999 Gramm-Leach-Bliley Act requires personal financial records to be protected (Janger & Schwartz, 2001).
- 2002 Federal Information Security Management Act (FISMA) requires federal information systems to be secure (Hulitt & Vaughn, 2010, p. 1).
- Corporate Social Responsibility
Businesses may hold private personal data from employees, customers, vendors, and even the government. Ethically, it’s the holder’s responsibility to take due care in safeguarding that data from unauthorized disclosure, data modification, or data loss. It’s the morally right thing to do. There’s also a practical aspect to behaving ethically: the public doesn’t like to do business with organizations that it feels are unethical or untrustworthy (Verizon RISK Team, 2017, p. 4). The next section will discuss this in more depth.
Ethics in Business and Cybersecurity
There’s an interesting experiment called the ‘Ultimatum Game’ that social scientists have developed to study Game Theory, which is essentially the study of how humans interact in strategic situations. In the experiment, two people will split $100, but they are in separate rooms and unable to communicate. The first player may divide the money in any way they choose. The second player can accept the division, or veto it, in which case neither party gets any money. There is no communication and no bargaining, and the game only gets played once (Camerer, 2011, p. 34).
Logically, the second player should accept a $99 to $1 split, because even one dollar is more than the amount received with a veto. However, the experiment shows that people will begin to reject the offer when it drops below a 60/40 split, and the rejection rate increases as the percentage offered falls. People will reject a personal benefit rather than allow another person to benefit unfairly (Levin, 2006, pp. 2-3). The experiment has been replicated thousands of times worldwide and, interestingly, similar results are seen across all cultures, races, genders, ages, and levels of financial status (Camerer, 2011, pp. 48-50). It seems that the human race has an instinctual will to punish members of the group who exhibit antisocial behavior. It’s nearly universal (Capraro & Rand, 2017, pp. 2-3).
Morality in business can be debated and viewed through competing religious or ethical codes, and probably has been for hundreds of years, but an instinct-level set of acceptable group behaviors gives a solid foundation for practical reasons for ethical conduct in business. In short, if your corporation behaves, or fails to behave, in a manner that the stakeholders believe is counter to the instinctual group behavior in humans, then stakeholders will punish the corporation. Trust is broken, and it’s very difficult to repair. Internal stakeholders, such as employees, will cease to trust management and may reduce work performance and independent problem solving, and may even sabotage operations. External stakeholders, such as customers or vendors, may cease purchasing or cancel contracts. It’s vital for the health of a business to maintain trust with society.
Cybersecurity is a fundamental business process that protects the private and confidential data of stakeholders, notably customers, vendors, and employees. Data theft or destruction will result in a loss of trust and in negative, punishing behavior by the surrounding society. It’s a loss of positive reputation and can kill a business, since no profit can be made if no one will buy from, or work for, the ‘evil’ company.
Cybersecurity Investment Recommendations
Employee Development
The foundation of a corporation’s data security program is competent and knowledgeable staff, but there’s a global shortage of cybersecurity professionals, with a shortfall of an estimated 1.5 million unfilled positions by 2020 (Van Zadelhoff, 2017). Current industry practice is to approach the problem from three angles to create an in-house talent pool with depth.
- Develop current employees’ cyber skills through training and experience. This is beneficial for the individual employee’s career advancement, which increases their job satisfaction level and longevity with the company. It also increases team cohesion and effectiveness due to a history of working together (Zaccaro, Fletcher, & DeChurch, 2017, p. 223). This improves defensive situational awareness (Rajivan & Cooke, 2017, pp. 203-204).
- Hire qualified talent from the outside labor pool. This can have a positive effect on the total group skill set by adding new people with more diverse experiences and perspectives. This can improve creative problem solving and innovation (Zaccaro et al., 2017, pp. 233-234).
- Create an apprenticeship or internship program to develop high school or young college students into future employees. This will increase the depth of your ‘bench’ with quality budding security professionals. An example of this is the “P-TECH educational model (Pathways in Technology Early College High School), which provides a training avenue for students to jumpstart their careers in cybersecurity” (Van Zadelhoff, 2017).
Cybersecurity Process
Current corporate data security controls are handled by separate IT groups, which creates inefficiencies in incident detection, response, and reporting. The current industry movement is toward a unified process such as a central Security Operations Center (SOC) (Torres, 2015). The SOC provides a single point for collecting all sensor data, metrics, and logs for analysis of security incidents (Proficio, 2017). The staff can triage the incidents and coordinate the correct response. The centralization and integration of information also allows for accurate and efficient report generation for legal compliance and remediation efforts (Rothke, 2012).
Technology
The creation and staffing of a central SOC facility allows a unified solution, referred to as a Security Information and Event Management (SIEM) system, to collect network data, analyze massive data sets for incidents, and then coordinate responses. It’s very efficient and is required by some security frameworks due to the need for centralized and automated analysis systems (Zimmerman, 2014). A commonly used framework is NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Kohnke, Sigler, & Shoemaker, 2017). This framework is developed by the US Federal National Institute of Standards and Technology and is extensively discussed in industry literature. A SIEM software suite will satisfy the following required security controls of NIST 800-171 (NIST, 2015):
- 1.12 Monitor and control remote access sessions.
- 1.18 Control connection of mobile devices.
- 1.20 Verify and control/limit connections to and use of external systems.
- 3.3 Review and update audited events.
- 3.4 Alert in the event of an audit process failure.
- 3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
- 3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
- 3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- 3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
- 3.9 Limit management of audit functionality to a subset of privileged users.
- 14.1 Identify, report, and correct system flaws in a timely manner.
- 14.3 Monitor system security alerts and advisories and take action in response.
- 14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
- 14.6 Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
- 14.7 Identify unauthorized use of organizational systems (NIST, 2015, pp. 10-15).
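As an added example (not part of the original paper), a minimal correlation pass of the kind a SIEM performs, showing how two of the controls above look in practice: 3.5 (correlating an HR termination feed with record-access logs, the review-and-terminate gap behind the MHS penalty in the introduction) and 3.4 (alerting when an expected audit source stops reporting). The HR feed, the log lines and the source names are constructed sample data.

```python
"""Minimal SIEM-style correlation over constructed audit records."""
from datetime import datetime, timedelta

# Constructed HR feed: account -> termination timestamp (None = still employed).
HR_TERMINATIONS = {
    "jsmith": None,
    "rlee": datetime(2017, 1, 10, 17, 0),
}

# Constructed access-log lines from an EHR system: one line per record view.
EHR_LOG = [
    "2017-01-12T08:15:00 ehr user=jsmith action=view record=P1001",
    "2017-01-12T09:02:00 ehr user=rlee action=view record=P2044",
    "2017-01-12T09:05:00 ehr user=rlee action=view record=P2045",
    "2017-01-12T09:20:00 ehr user=ghost action=view record=P3001",
]

def parse(line):
    """Turn '<iso-time> <source> k=v k=v ...' into a dict with a datetime."""
    ts, source, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["source"] = source
    return rec

def terminated_user_access(lines, terminations):
    """Control 3.5: flag record views by accounts HR reports as terminated.

    Returns (user, record, iso_time) for each view after the termination time.
    An account absent from the HR feed is unreviewed, so it is flagged as well.
    """
    alerts = []
    for rec in map(parse, lines):
        end = terminations.get(rec["user"], datetime.min)
        if end is not None and rec["ts"] > end:
            alerts.append((rec["user"], rec["record"], rec["ts"].isoformat()))
    return alerts

def silent_sources(lines, expected_sources, now_iso, max_gap=timedelta(hours=1)):
    """Control 3.4: name expected audit sources with no record within max_gap."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for rec in map(parse, lines):
        last_seen[rec["source"]] = max(last_seen.get(rec["source"], rec["ts"]), rec["ts"])
    return sorted(s for s in expected_sources
                  if s not in last_seen or now - last_seen[s] > max_gap)

if __name__ == "__main__":
    print(terminated_user_access(EHR_LOG, HR_TERMINATIONS))
    print(silent_sources(EHR_LOG, ["ehr", "vpn"], "2017-01-12T09:30:00"))
```

In a real deployment the termination feed would come from the HR system of record and the log lines from the SIEM’s collectors; the correlation logic is the same.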
Summary
A robust cybersecurity program will assure a strong corporate security posture, which will reduce data loss incidents and the accompanying civil and criminal liability. The reduction of security incidents will also reduce loss of reputation and trust with the community and stakeholders, thereby increasing the strength of the corporate brand. The cybersecurity program will be improved by training in-house staff and hiring qualified cybersecurity professionals to staff a central Security Operations Center (SOC) with a newly implemented Security Information and Event Management (SIEM) software suite. This should greatly increase the security posture. And finally, strong data security is ethically correct.
References
Camerer, C. F. (2011). Behavioral game theory: Experiments in strategic interaction. Princeton University Press.
Capraro, V., & Rand, D. G. (2017). Do the right thing: Preferences for moral behavior, rather than equity or efficiency per se, drive human prosociality.
Harris, H. (2017, March 13). A Breakdown of the Second Largest HIPAA Fine to Date – $5.5 Million. Retrieved March 17, 2018, from https://www.tripwire.com/state-of-security/featured/breakdown-second-largest-hipaa-fine-date-5-5-million/
HHS. (2003). Summary of the HIPAA Privacy Rule. Washington, DC: US Department of Health and Human Services.
Hulitt, E., & Vaughn, R. B. (2010). Information system security compliance to FISMA standard: A quantitative measure. Telecommunication Systems, 45(2-3), 139-152.
Janger, E. J., & Schwartz, P. M. (2001). The Gramm-Leach-Bliley Act, information privacy, and the limits of default rules. Minnesota Law Review, 86, 1219.
Kohnke, A., Sigler, K., & Shoemaker, D. (2017). Implementing Cybersecurity: A guide to the National Institute of Standards and Technology Risk Management Framework. Boca Raton, FL: Taylor & Francis Group.
Levin, J. (2006). Experimental Evidence.
NCSL. (2017, December 29). Cybersecurity Legislation 2017. Retrieved March 17, 2018, from http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx
NIST. (2015). NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (76 pp.).
Proficio. (2017). CIO Guide: Why Switch to a Hybrid SOC.
Rajivan, P., & Cooke, N. (2017). Impact of team collaboration on cybersecurity situational awareness. In Theory and Models for Cyber Situation Awareness (pp. 203-226). Springer.
Rothke, B. (2012). Building a Security Operations Center (SOC). Paper presented at the RSA Conference 2012. https://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf
Torres, A. (2015). Building a World-Class Security Operations Center: A Roadmap (p. 12). SANS Institute.
Van Zadelhoff, M. (2017, May). Cybersecurity has a serious talent shortage. Here’s how to fix it.
Verizon RISK Team. (2017). 2017 Data Breach Investigations Report (10th Edition).
Zaccaro, S. J., Fletcher, L. S., & DeChurch, L. A. (2017). Creativity and Innovation in Multiteam Systems. Team Creativity and Innovation, 225.
Zimmerman, C. (2014). Ten Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation.