New cybersecurity breaches happen all the time.
The trick is to identify the critical data and to prioritize the key methods to protect that data before your breach becomes a headline.
Wawa’s Public Problem
One of this month’s cybersecurity headline victims is the Wawa fuel and convenience store chain.
In late December 2019, Wawa Inc. admitted to a breach that exfiltrated credit card data. The breach had been in place for nearly nine months.
On Jan. 27, 2020, 100,000 of a reported 30 million credit card accounts appeared for sale on Joker’s Stash, a popular fraud bazaar known for selling credit card information. These card numbers were tracked to the Wawa breach, and were primarily obtained from locations in Florida and Pennsylvania.
Wawa may have been particularly vulnerable to credit card theft because of its fuel stations. Most fuel stations have not adopted chip-based card readers and still rely on magnetic stripe readers, which are more vulnerable to attack.
The Vulnerabilities We Know
As a business owner or CISO, knowing that others have been breached doesn’t offer any satisfaction; it only increases stress. According to a DarkReading Whitepaper, 44% of organizations surveyed expect to suffer a major breach in the coming year, despite 88% of organizations also believing that they have either maintained or decreased their vulnerability.
Where do the threats come from? Sixty-two percent of surveyed respondents see careless or rule-breaking end users as their greatest risk for a breach. That’s more than twice as high as the next cited sources.
Respondents also see their top three security threats as: cybercriminals (55%), authorized users (45%), and application vulnerabilities (43%).
So, why are authorized users so high? Probably because we know they make mistakes – whether by using bad passwords or clicking on phishing emails.
As our security infrastructure becomes more complex and widespread, it becomes harder to defend any environment. Survey respondents believe vulnerabilities increased due to: the improved sophistication of attacks (67%), the increasing number of ways to attack corporate networks (53%), and the sheer increase in the number of attacks (47%).
Fortunately, there are also signs of improvement. The number of respondents who cited patching as an issue dropped from 35% to 27%, and the failure to enforce security policies likewise dropped from 23% to 13%. Additionally, “lack of senior management attention or interest” dropped from 30% to a much more promising 13%.
However, budgets continue to be an issue for 27% of respondents (up from 25% last year).
This survey provides a snapshot of the IT world in which we exist. However, if you want your organization to avoid becoming the next headline, what do you do?
Prioritizing in Cybersecurity
In cybersecurity, we often become focused on the latest vulnerabilities, patches, and hacking methods. However, the attention on recent attacks allows us to only see where hackers have been, and not where they are going.
Likewise, the destinations and methods used by attackers vary from organization to organization, and from day to day. While many organizations share commonalities, no two organizations are exactly the same because of the differences in technology, personnel, and vital assets.
That’s why it’s essential to use a risk framework, which provides a fundamental method to identify and focus cybersecurity efforts on the priorities that are most appropriate for your specific organization.
Yet, to do so effectively, you must involve your entire organization. After all, what’s the point of creating an impenetrable cybersecurity system if it doesn’t contain your most valuable organizational assets?
Keep in mind that definitions of value will also change from person to person and department to department. If you survey your own organization, you will find that your financial team worries about the cash, IT worries about the infrastructure, and your sales reps worry about communication. Each team is correct in its own way, so a true risk evaluation requires someone to provide balance and perspective for the organization as a whole.
Identifying Risk
From both a general and an IT-centric perspective, the three key steps are to identify, assess and manage risk.
Last year, we considered disaster recovery as hurricanes hit the East Coast. We noted that, by evaluating how disaster might impact each system, you’ll be able to focus in on which assets require protection.
However, the value of data also needs to be considered from multiple points of view.
For example, to conduct ongoing business, it is more important for a fuel retail chain to process credit cards and far less important to access historical credit card data. Therefore, when it comes to disaster recovery, credit card processing takes precedence.
However, from a breach perspective, the priorities reverse because unauthorized access to personal information triggers fines and makes headlines. In this case, both types of data may ultimately become key assets to protect, but the same usually cannot be said for emails, invoices or shipping records for the fuel chain.
Assessing Risk
By identifying your key assets, you’re providing your IT department with a prioritized list to investigate.
This investigation should determine how those assets might be attacked from a technical point of view. The attacks should be evaluated for their probability.
Combined with the value of the attack, these scores create a ranked index of assets and their potential attack vectors.
To some degree, this IT risk assessment might be done in a disaster recovery evaluation. But, oftentimes, corporate disaster recovery documents are broad and somewhat generic. When you’re trying to create a working document used to determine operational priorities, risks require more detailed evaluations.
For example, the disaster recovery plan probably has an entry for server failure or server breach. But, does it differentiate between the data server and the Citrix ADC servers?
Each device is exposed to a unique environment, contains distinct information, and bears a different risk profile.
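The ranked index described above, as an added example (not part of the original article): each attack vector's probability is multiplied by the asset's value, scored separately for the disaster recovery and breach perspectives, so the reversal of priorities for the fuel chain becomes visible. All assets, vectors, and scores are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample register for a fuel retail chain; every score is illustrative.
# Impact: 1 (minor) to 5 (severe), scored separately for each perspective.
# Probability: estimated chance (0..1) that the vector succeeds within a year.

@dataclass(frozen=True)
class Vector:
    asset: str
    name: str
    probability: float

IMPACT = {
    "card processing":      {"disaster_recovery": 5, "breach": 4},
    "historical card data": {"disaster_recovery": 1, "breach": 5},
    "shipping records":     {"disaster_recovery": 2, "breach": 1},
}

VECTORS = [
    Vector("card processing", "magnetic stripe reader compromise", 0.30),
    Vector("card processing", "point-of-sale malware", 0.20),
    Vector("historical card data", "data server credential theft", 0.25),
    Vector("historical card data", "exposed Citrix ADC server", 0.15),
    Vector("shipping records", "phishing of an authorized user", 0.40),
]

def rank(perspective):
    """Return (score, asset, vector) tuples, highest risk first."""
    rows = []
    for v in VECTORS:
        score = round(v.probability * IMPACT[v.asset][perspective], 2)
        rows.append((score, v.asset, v.name))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def asset_priority(perspective):
    """Order assets by their single worst vector under this perspective."""
    worst = {}
    for score, asset, _ in rank(perspective):
        worst[asset] = max(worst.get(asset, 0.0), score)
    return sorted(worst, key=lambda a: (-worst[a], a))

if __name__ == "__main__":
    for p in ("disaster_recovery", "breach"):
        print(p)
        for score, asset, vector in rank(p):
            print(f"  {score:>4}  {asset:<22} {vector}")
```

Re-scoring the impact and probability values with the other managers, then re-running the ranking, keeps the index aligned with the organization's shared view of its critical assets.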
Managing Risk
After identifying and assessing the risk, your team will have a prioritized list of assets, and the most likely attack vectors.
Most mature IT organizations already have, at least, an informal priority list in their heads. And, their existing security should already address most of the critical risks.
Going through a risk evaluation formalizes the priority list, and ensures that your IT department’s understanding of the company’s critical assets matches the understanding of the other managers.
Additionally, obtaining the advanced buy-in of the other managers in assigning risk values will often help provide justification to fund the necessary IT projects.
Just remember that this is not a static list. Current events, such as the end of life for Windows Server 2008 or new ransomware attacks, will regularly trigger alterations to the risk profile.
Getting the Right Support
Although it’s important to keep your risk profile current, no team succeeds by hopping from one priority to another before it’s been completed.
Your team needs to make a realistic distinction between different tiers of assets to ensure that your most critical assets are protected first.
We all understand that emergency issues cannot be completely eliminated. However, by securing your most critical assets, you’ll reduce the urgency required to address other issues.
Naturally, resource constraints also cause issues. Budgets are limited, and it is increasingly difficult to find skilled IT workers. In fact, 20% of this year’s survey respondents cite a shortage of skilled workers as a top cause of breaches.
With new vulnerabilities being found every week, it can be challenging for IT departments to keep up and manage their priorities.
The teams at Ideal Integrations and Blue Bastion offer IT management services to pick up the slack and help your department stay ahead of attackers. We’ll help you create risk profiles and keep them up-to-date so you can be confident in your cybersecurity.
Whether you are interested in significant outsourcing or just simple assistance on a specific project, we’re here to help.
Contact us today to get started! Just complete the form below, or call 412-349-6680.