Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 4
Cybersecurity Policies and Procedures

The Institute for Risk Management (IRM) Elliot Bryan, IRM and Willis Towers Watson, UK Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK

Tom, the CEO, was surprised. He challenged his chief risk officer, Nathan, and chief information security officer, Maria: “Are you telling me there is not one but six types of policies I need to sign off for cyber risk?” The two answered in tandem: “Yes! Social media, ransomware, cloud computing/third-party vendors, Big Data analytics, the Internet of Things, and bring-your-own-device (BYOD)/mobile devices.”

Social Media Risk Policy

Social media is an Internet-based communication tool and platform that increases and enhances the sharing of information and media. It is often overlooked as an area of risk by organizations that underestimate its potential negative impact—particularly on reputation.

A McDonald’s social-media effort is one example of a known social media risk being realized. The fast-food leader set up the hashtag #McDstories on Twitter to encourage users to share and promote positive stories about the restaurant. It didn’t take long for people to use the hashtag to post mostly negative stories of their experiences, derailing the campaign and embarrassing McDonald’s.

Understand Your Social Media Risks

Currently, there are literally thousands of social media platforms with over 2 billion active users. These include forums, blogs, networking sites, and image/video-sharing sites.

From a risk perspective, there are two key areas that companies on social media are exposed to that need to be considered. These are:

Employee use of social media by mobile phone or computer exposing the organization to risk (e.g., intellectual property and data leakage, viruses, password loss).
Corporate use of social media such as having a Twitter account or Facebook profile exposing the organization to risk (e.g., negative posts about your organization, campaigns backfiring, inefficient use of social media).

Prepare for Your Social Media Policy

The best form of prevention is for your organization to be well prepared before it enters into the social media sphere. Six preparations are recommended:

Engage a multidisciplinary team. Since social media affects a wide range of functions, an effective strategy should bring together senior representatives from human resources (HR), legal, information technology (IT), risk, and any other affected functions.
Clarify the objective of using social media. For example, to improve reputation, attract talent, increase sales, or improve customer engagement.
Undertake a risk assessment.
Obtain senior management mandate and commitment.
Understand legal implications of the do’s and don’ts, monitoring of staff, and disciplinary action. This is where having the legal department on your team can be useful.
Train all staff in the basics of the social media because media policy is essentially useless without the right training.

Choose between Social Media Policy Options

There are a number of options and considerations when creating a social media policy. These include how many policies to have and how extensive they should be. Should it even be called a policy? Employees are hardly likely to feel enthusiastic about a policy, so perhaps social media guidelines or something along those lines may be more appropriate.

Choose between One versus Many Policies

Decide if your organization needs to write one complete social media policy that addresses all currently available social media, or write many policies as you need them. It may seem excessive to have a policy for each network, and indeed, a company may choose to include these into one policy; however, it is important to understand the different impacts each network may have on the company.

Something to keep in mind is that when a company has multiple social media policies, it can become difficult to keep updated. Social Media networks update their content, features, and terms and conditions on a regular basis, and having specific policies would require them to keep up to date with all these changes.

For many companies, having separate policies may be critical. Military, police, IT companies, health care, and political parties, for example, may want to be very specific with regard to what employees can’t do or share online. Loss of sensitive data, such as patient records, staff addresses, political views, and so on, could lead to major reputation loss, danger to staff, or breach of legal requirements.

For other companies, however, it could be more beneficial for a company to have a social media guidance policy that focuses more on behavior and refers to all social media.

Choose between Format Options

Social media policies range from being extensive documents to being short and to the point. There is no right or wrong approach to this, and it will all depend on an organization’s industry, organizational culture, their risks, and motivations for participating in social media. Words and phrases that are familiar from other policies or visions within the organization may be a great way for staff to remember and understand the policy, too.

Examples of Social Media Policies

Rather than going through one or two examples of policies, it is recommended that you look online. There are over 100 policies from various organizations available online from Social Media Governance, a web site created by technology advisor Chris Boudreaux (www.socialmediagovernance.com/policies/). Some examples include:

Employee Code of Conduct for Online Communications
Employee Code of Conduct for Organization Representation in Online Communications
Employee Blogging Disclosure Policy
Employee Personal Blog Policy
Employee Personal Social Network Policy
Employee LinkedIn Policy
Corporate Blogging Policy (including guidelines for comments)
Corporate Facebook Brand Page Usage Policy (including guidelines for public comments and messages)
Corporate Twitter Account Policy
Corporate YouTube Policy (including guidelines for public comments)
Organization Password Policy

Finding the right combination from these examples can help organizations cover all three major social media risk categories (i.e., personal, employee, and corporate use of social media).

It is considered a leading international practice to have at least two social media policies: one for employees using social media for their job and the other for employees using social media in their personal lives. Recommendations on content for both types of accounts are covered in the boxes “Personal Social Media Policy for Employees” and “Social Media Policy for Corporate Accounts.” This first is for employees’ individual use of social media. It focuses on employees’ personal use of social media and should give employees information about what they can and cannot say about your organization on their personal site.

Personal Social Media Policy for Employees

Introduction

Outline research and work done in preparation and organization objectives for the social media program.

Definitions

Be clear from the outset as to what the organization considers its intellectual property, critical data, confidential information, competitors, and other no-go areas to be.

Boundaries and Guidelines

Outline appropriate rules for internal approval processes and information to disclose about the organization and the range of opinions expressed if an employee tweets or blogs views or comments that are work related. Outline appropriate rules for the range of opinions they may express if an employee tweets or blogs personal views or comments (e.g., many organizations restrict political or other sensitive issues being discussed). Remind employees of organization’s policy on bullying and harassment.

Off-Limits Content

Address the content that should obviously be totally off limits on social media (e.g., confidential information, negative comments about competitors, anything illegal).

Safe Use

Remind employees to regularly update social networking passwords and check privacy settings in order to minimize hacking or virus incidents that could lead to identity theft or a virus on organization networks.

Personal Use

Clarify whether employees can use the organization’s Internet and company e-mail system for personal use. Provide staff with clear wording to be added to e-mails and Internet posts that state that the views in the e-mail or post are the views of the employee and not the organization.

Reporting

Provide employees with an e-mail address to report cases of organization-related content posted online that they feel should be responded to. This could be negative comments, fake pages, or inappropriate competitor posts.

Professionalism and Respect

Remind everyone about the importance of professionalism and respect for others. While there are no clear boundaries when discussing professionalism and respect for others, it can often remind people to think twice when posting something.

Data Protection and Monitoring

An employer needs to be up front with its employees if they plan on monitoring employees’ use of social media. Ideally, it can be communicated as a positive—as a way to protect both employer and employee. An alternative is to have an opt-in program that allows staff to access social media freely as long as they add the organization as a follower or friend in order to allow the employer to monitor in a less controlled manner.

Links to Other Policies

Cross-reference your social media policy with other policies already in place such as IT, bullying and harassment, code of organization ethics, and other relevant policies.

Consequences

Refer to current disciplinary procedures and be clear that these also apply to behavior online. Provide examples of serious infringements and what disciplinary actions could result.

Frequently Asked Questions

Having an FAQ will allow staff to quickly find answers to questions they may be looking for rather than rereading, or in most cases not bothering to reread, the full policy.

A second policy focuses on official professional and corporate social media activities. This should cover everything from defining the team to articulating roles and responsibilities, establishing branding guidelines, and becoming clear about what internal and external policies must be complied with.

Social Media Policy for Corporate Accounts

Responsibilities

Identify employees responsible for setting up and managing accounts, posting comments, and responding to comments. Also identify who is responsible for monitoring the use of brand and fake user names or pages.

Dealing with Customer Comments

Outline key do’s and don’ts for responding to positive or negative comments such as avoiding deleting comments or negative posts and avoiding aggressive comments. Link this to a communication plan that provides preapproved messages depending on the stakeholders and social media platform.

Dealing with Fake User Names, Pages, and Promotions/Competitions

Provide key steps to take should a social networking site refuse to take down a user name or page using the organization’s name. Highlight key information to gather, whom to contact within the legal department, and other such details.

Dealing with Promotions/Competitions

Outline key do’s and don’ts for promotions and competitions including who should review social networking’s site terms and conditions to ensure compliance. State how to deal with users who cheat by, for example, setting up multiple accounts.

Ransomware Risk Policies and Procedures

The year 2016 has often been described as the year of the ransomware attack. In just the first three months of 2016, attacks increased tenfold over the entire previous year, with reported victim costs at more than $200 million.¹ Ransomware is a type of malware that is used by an attacker to effectively kidnap an organization’s data and prevent it from using it by encrypting it. This renders your data and files useless until you gain access to the decryption key, for which the attacker will demand a ransom. Attackers know that organizations are becoming more dependent on data for their organization to function and the motivation for hackers to launch an attack increases as the financial value of data is increasing on the black market (also commonly referred to as the “dark web”).

Here are a few examples of known recent ransomware attacks:

Attacks on U.S. police departments—various U.S. police departments have been hit, losing data on open cases.²
Attack on the University of Calgary, Canada, and Brunel University in London—the University of Calgary was forced to pay approximately C$20,000. The attack encrypted all of the university’s e-mails and files.³
Hollywood Hospital in Los Angeles paid a ransom of $17,000 after having lost access to all of its data and faced an extortion demand of $3.4 million.⁴

Understand Your Ransomware Risks

Ransomware is often spread through opening infected e-mail attachments, programs, and compromised web sites. An attacker will often try and persuade an unsuspecting employee to inadvertently download ransomware, usually by displaying messages on a web site and directing them to take an action to resolve a fictitious virus. It is this very action that downloads the ransomware onto the computer and permeates your organization’s network.

An attacker will often send a spam e-mail out to tens of thousands of unsuspecting victims with no real intended target, until an employee accidentally downloads the ransomware. These e-mails can quite often bypass anti-spam filters. The user then receives a message that pops up on their PC stating that their files have been encrypted, or “this operating system has been locked for security reasons.” These e-mails will then usually place a demand (usually in online currency bitcoin) to settle the ransom over a short time period (usually with a ticking clock) in exchange for the decryption key.

It is at this point that your organization faces a choice to either pay the ransom or attempt to negotiate with the attacker. Both options are undesirable. If, for example, the attacker exploits a vulnerability in your organization’s computer network and your organization pays the ransom at the first time of asking—then there would be nothing to stop the attacker exploiting that vulnerability again and sustaining repeated attacks. There is also no guarantee that the attacker will pass on the decryption key, after having received a ransom payment. If the affected organization chooses to negotiate, they also lose access to critical data for that period of time, which could result in a paralysis of organization operations and loss of revenues.

How Cybercriminals Spread Ransomware

New methods to spread ransomware are constantly being innovated. Only prevention via a robust cyber risk management system—including employee education—can help your organization manage ransomware risk effectively. The methods commonly used by criminals include:

Spam e-mail campaigns.
Bypassing vulnerable software and password protection.
Internet traffic redirecting targets to malicious web sites, very commonly from legitimate web sites.
SMS messages (targeting mobile devices).
Legitimate web sites that have malicious code injected into their web pages.
Drive-by downloads, a user inadvertently visiting a web site that is running malicious code.⁵

Prepare for Your Ransomware Policy

Your policies and overriding message should make it clear from the outset that protection across ransomware threats is the responsibility of all employees and not just the IT security function.

Be Proactive

As ransomware attacks are becoming so frequent, these policies are framed on the presumption that it is more a case of when, and not if, your organization is targeted.⁶ The purpose of this key policy content is to enable the organization to be proactive in preventing avoidable threats to your organization from ransomware attacks. Ransomware attacks are often sophisticated enough to bypass defensive IT anti-virus software, so it is vital that capabilities are deployed across the entire network to identify and contain the malicious activity.

Education, Education, Education

Run regular—at a minimum every three to six months—phishing e-mail tests with all employees, and mandatory training for all new employees. A training module for a large organization could also include a set of e-mails with unsolicited web links, and the employee has to decide which ones to avoid. Help employees become part of the security process, perhaps by getting them developing posters to increase employee awareness of ransomware attacks.⁷

Have a Clear Internal Escalation Procedure

Ensure that employees know where to send a suspicious e-mail, including on how to mark the e-mail header to avoid them inadvertently passing the virus to someone else.

Choose between Ransomware Policy Options

While an organization might want to focus on having a single policy (including IT and employee best practices), it may be worth having separate ones to avoid diluting the importance of having buy-in your employees. While leading practice IT hygiene can underpin the success of the employee policy, it is important to realize that the IT and employee practices must work together, as a weakness in either policy will undo all of the good work that you have done in the other.

Employees are often cited as the weakest link in IT security management.

Ransomware Policy Key Content

Back Up Data Regularly

Perform and test regular data backups that are perhaps daily, weekly, or monthly to an online backup service to limit the impact of data or system loss and to speed up the recovery process in the event of an attack.

Segregate Your Data

Store your data in different locations, so that an attack on a single point does not hold all of your data to ransom.

Keep Antivirus Software Up to Date

These updates can often be automated, but if not, ensure that the update is always chosen and implemented instantly.

Embrace Best-in-Class “Anti-spam” Software

A lot of ransomware attacks come from phishing e-mails, so make your first layer of protection as robust as possible by preventing as many unwanted and inappropriate e-mails as possible.

Use Strong Passwords

Have minimum length of passwords, including upper- and lowercase letters and rules on the use of names and birthdays.⁸ Change passwords regularly.

Use Blacklisting Software⁹

Limit the potential for visits to harmful and malicious web sites by restricting access through blacklisting software. Enable specified programs to run on computers to block categories of web sites that may include (but are not limited to) content from the following categories:

Adult, sexually explicit
Criminal activity
Gambling
Intolerance and hate
Violence and weapons
Phishing, fraud, spam¹⁰

There may also be others, but by having a policy it avoids you documenting a list of categories that employees are unable to visit. This has the added benefit of enhancing employee productivity.

Limit Application Use

Use a standardized and restrictive set of applications that are essential only for work use, and limit these to a manageable number. Use a mainstream browser that supports safe browsing.¹¹

Apply the Principle of “Least Privilege”

Restrict employee access to only the critical folders and data that are required for their job role. Use an application procedure for access to a folder and process that requires permission for access.

Cloud Computing and Third-Party Vendors

Cloud computing can offer many operational efficiencies and can greatly enhance your organizations access to resources. Typically, a cloud provider hosts a network of remote servers that store, manage and process huge volumes of data on the Internet. This offers an alternative to an organization using the limited space and flexibility of a hard drive. Examples of cloud services include Google Drive, Apple iCloud, Dropbox, and Amazon Cloud Drive. Key benefits include:

Flexibility. Employees can access data from servers remotely that aren’t hard-wired in-house servers, thus creating a more flexible and mobile work lifestyle for your organization. Cloud resources are scalable for large corporations and affordable for small ones.¹²
Cost savings. Hard-wired IT infrastructure is costly to implement and may not offer the return on investment that had been anticipated. Cloud providers often operate on pay-per-use models that ensure that you are allocating your resources efficiently.¹³
Reliability. Cloud computing allows your organization to benefit from the cloud provider’s economies of scale. The cloud provider is possibly more likely to be able to provide 24/7 support in the event of an outage, and have the expertise in their staff to support the infrastructure.¹⁴
Enhanced security. While there are risks that come with trusting the cloud provider’s network security, their security and encryption capabilities often supersede most organizations’ internal security capabilities.¹⁵

Understand Your Cloud Computing Risks

The three primary risks that emerge related to cloud computing emerge from Internet dependency, concentration of data, and poorly executed contracts. Internet dependency is a risk that seems unavoidable in today’s digital business world. An Internet outage can prevent and delay important business functions, including transactions. While outages from Internet service providers can cause outages, cloud-computing sites can also go down. Even a temporary interruption of service can cause major problems for clients.

An organization that relies on cloud providers also relies on a third party to safeguard their centralized data. If the cloud provider’s network is compromised, this could result in the client’s loss of access to data, resulting in a damaged reputation. Using a cloud provider that does not adequately protect data can have tremendous negative consequences for organizations, employees, and customers.

Additional risk can emerge from weak service contracts with a cloud provider. Once an agreement is signed, it is very difficult to resolve any problems it causes or fails to address. Should anything go wrong, organizations will, at best, suffer from being stuck in a fractured service relationship. In a worst-case scenario, a client organization can face unexpected liabilities.

Prepare for Your Cloud Computing Policy

Clarify the purpose of your cloud computing policy as to how your organization may reap the benefits of using a cloud service while limiting the threats such as reputation loss and liabilities (should the service not perform as expected). It is vital that organizations both procure cloud provider services effectively and understand the contract language and negotiate key terms.

It is vital that you procure your cloud services and achieve a customer agreement and service level agreement that enables your organization to achieve its desired outcomes, prevent disputes and ensure that your organization does not assume all of the risk should the cloud fail. Getting the front-end processes right during the procurement stage is key in preventing problems further down the line and helps migrate your applications to the cloud successfully. More detail is provided below.¹⁶

Procure Cloud Provider Services Effectively

Some key processes that can help you procure cloud providers effectively are discussed in detail in this section.

Identify Your Desired Outcomes from a Cloud Provider

Issue an invitation to tender (ITT) that communicates your key desired outcomes to your chosen short list of providers. This could be for a migration of your application software to a state-of-the-art data center, enhanced cost savings, and access to better IT security and reliability of organization continuity, or a combination of all three. This will help your organization narrow your short list.¹⁷

Review

Request and review your shortlisted providers’ standard contracts. Rank these contracts with the assistance of a legal advisor in terms of favorability.¹⁸ Do thorough due diligence, and ensure that they retain security certification, and have positive audit results. Review your cloud providers’ security, privacy, and data storage policies.

Be Selective

Consider only providers that have agreed to meet your outcomes and make this a condition of your contract.¹⁹

Scope

Have a precontractual scope with your chosen provider. Agree on a transition plan for moving applications to the new virtual environment. Discuss scenarios precontract and understand who would be liable in the event of something going wrong. Identify key owners for the various tasks and operate on deadlines. Ensure that the project is only finished when applications are successfully transferred to the cloud and organization as usual is achieved. Obtain evidence that your provider can meet these objectives.²⁰

Draft

Start drafting the contract by using incentivized payment provisions that are linked to the predetermined outcomes. Use acceptance provisions to hold your cloud provider accountable. Remove “Agreements to Agree” from standard contracts, as these are not operative, potentially discharging the cloud provider’s liability.²¹ Check the architecture works. Only sign the contract as soon as organization as usual has been achieved and the migration is complete and works effectively.²²

Clarify

Understand the contract language and negotiate key terms. As is common with an industry in its infancy, there are frequently errors in cloud contracts. These contracts (especially with larger providers) tend to be heavily weighted in their favor. There are also the added complications of finite case law and the fact that the choice of law governing these contracts is often overseas meaning that the settlement of a dispute could potentially be very costly.²³ This applies in particular, if your organization is the controller for personal data such as:

Account numbers and balances of clients.
Personal information of your customers.
Personal information of employees.
Medical history of patients if you’re a health care provider.

It is vital that you contract with providers with best-in-class security and the contract does not totally exonerate them from liability in the event of a data breach. It is also better to have a bespoke contract rather than a standard contract, as quite often cloud providers can change their standard terms and post them on their web site without necessarily warning their customers.²⁴

Generally, the customer service agreements are usually split into four sections:

Customer agreement
Acceptable use policy (AUP)
Service-level agreement
Privacy policy²⁵

The box “Customer Agreement Key Content” highlights key content that you should pay close attention to when negotiating a contract with a cloud provider.

Customer Agreement Key Content

Limitations of Liability

This section stipulates the maximum amount the provider would be liable for in the event of deletion or damage to data or any monetary loss created by the inability of the customer to access the service. Ensure that the provider’s aggregate limit liability isn’t capped too low. Disclaimers often exclude cases where the provider is grossly negligent, so ensure that the clause works both ways and that the clause protects you as well as the provider. Negotiate broad time periods for indemnity claims.²⁶

Disaster Recovery

Ensure that your provider is aware of your recovery time objectives and can meet these. Store data in different locations to mitigate the impact of a cyber attack.

Terms and Termination

Advance notice should be in excess of 30 days. Ensure that the provider retains the data for a minimum period during transition to a new provider.²⁷

Suspension of Service

Ensure that there is a minimum period of notice given should the cloud provider decide to suspend the service, and aim for a minimum of 60 days.²⁸

Exclusions

Fully understand these exclusions and ask identify which scenarios would not fall on the provider should they occur. Ensure cloud providers retain liability for data safety, and for outages. Many provider standard contracts contain “agreements to agree,”²⁹ that are not operative contractually, meaning that they can’t be relied upon if the cloud provider fails to deliver on its services.³⁰ You must also ensure that there are no caveats and assumptions.

Acceptable Use Policy (AUP)

These can often change without warning, so it is vital you keep up to date with changes. Be sure that your organization and employees do not violate the AUP as there are often significant consequences of doing so. It may be prudent to update your IT policy guide accordingly for employees, if your organization decides to adopt the use of cloud. Request clarification on vague terms and clarify what actions the provider deems unacceptable.³¹

Service-Level Agreement

Review your provider’s service availability guarantees and credits and negotiate to get the most favorable terms. Automate a process for detecting and logging outages.³² Be mindful of your provider’s commitment exclusions.

Security and Privacy Policy

Negotiate with your provider where your data should be located, after understanding how sensitive the data is to the location, and select an appropriate cloud provider that ensures compliance and understanding of local data regulations.³³ Ensure provider commitment to physical security procedures. Since provider-led contracts tend to place the onus of obligations on the customer you should understand the provider’s data security posture and how your data would be replicated, backed up, encrypted, and deleted when it becomes redundant.³⁴ Enforce tight notification provisions. Make sure that provider notifies you in the event of any security breaches or suspicious activity.³⁵ Review whether your provider outsources administration and whether these administrators have strong levels of security.³⁶

Big Data Analytics

The benefits of Big Data analytics are being felt across many organizations. While these are numerous, the key benefit is the enhanced capability of being able to collect large volumes of data and apply analytical tools, to help assist organizations in identifying where to focus their marketing efforts and allocate resources efficiently.

Understand Your Big Data Risks

While the use of Big Data analytics unlocks huge possibilities for organizations (i.e., opportunities), it can also open organizations to new threats. Hackers are aware of this shift and are growing both more persistent and more savvy in how they unlawfully access networks. There are two main types of threats:

Increased risk of privacy breaches. Big data analytics relies on the aggregation of huge amounts of personal data. A personal data event could result in reputational damage, regulatory fines, and potential liabilities to those data subjects.
Regulatory compliance. Globally, there are trends toward more onerous requirements in safeguarding personal data. The new EU General Data Protection Regulations, due to be enforced in May 2018, will impose requirements on companies to have a compliance-first approach to the use of data. Failure or negligence in providing the relevant safeguards can lead to regulatory fines of up to 4 percent of global turnover. Compliance projects can also drain productivity in achieving organization tasks.

Prepare for Your Big Data Policy

Clarify that the purpose of your big data policy is to not only be regulatory compliant and avoid unwanted headlines but to maintain factual and secure data that will help drive organization growth.³⁷

Again, as this the case with ransomware attacks, organizations can opt to have individual IT and employee policies.

A significant number of data breaches occur through negligent employee practices, so it is vital that employees are full engaged and educated in good IT hygiene in securing confidential organization data and customer data.

While, there are numerous policies available, it is best practice to follow the “privacy by design” principle. Privacy by design requires an organization to minimize harm to a data customer by designing a set of rules and processes for acquiring and creating data, migrating that data into systems, and best practice storage and uses of that data.³⁸ This is a key requirement for organizations’ subject to the EU’s new General Data Protection Regulation requirements that are due to be enforced in May 2018 and enforced by heavy penalties.

Big Data “Privacy by Design” Key Content

Redundant Data

Delete redundant data, that is, data that is no longer relevant for analytical purposes.³⁹

Antivirus Protection

Adopt best in class antivirus protection and make sure updates and patches are updated regularly or if possible, automated.⁴⁰

Encrypt Data

Encrypt data both in rest and in transit. Data at rest is typically data that is not moving, and is usually copied data that is stored on backup drives or on hard drives. Data at transit, conversely, is data that is moving between networks and would apply heavily in use of big data analytics. This practice is often termed “end-to-end encryption.” Enable careful management of decryption keys.⁴¹

Spread Data Storage

Storing data in multiple locations minimizes the impact of a data breach of one of those locations.

Lawful Collation and Processing

Ensure compliance with your governing regular to ensure that collection is necessary, explicit consent has been achieved and through the movement of networks between countries, if applicable.⁴²

PCI Compliance

PCI-DSS is an industry standard for organizations that collect payment data. The goal of this is to ensure that card data issued by the major card provider is stored and processed appropriately. A data breach may result in costly assessments from representatives of the major credit card organizations, in conjunction with fines.⁴³

Third-Party Vendors

If the organization uses third-party administrators or cloud providers to process or store data, thorough due diligence should be undertaken of their security and privacy protection procedures. Contracts should also be tightly worded, to minimize liability on behalf of your organization should a breach occur.⁴⁴

Big Data may mean certain amendments need to be made to existing or other organization policies.

Employee Policy Key Content Amendments for Big Data

Education

All employees and new joiners should undergo regular tests on the data protection laws that they are subject to, and completion of scenarios that ensure they fully understand the principle of good data housekeeping. Passwords and decryption keys should never be stored in an easily accessible place.⁴⁵

USB and External Storage

Prevent employees from using their own personal USBs at work and ensure that authorized USB’s are encrypted.

Bring Your Own Device (BYOD policy)

Guidelines around password protection and two factor authentication of employees’ personal devices (phones and laptops) should be taken, and necessary disciplinary action should these guidelines not be adhered to. As discussed later in this chapter, ensure employees are compliant with your organization’s BYOD policy and appropriate security measures are taken if your organization decides to implement it.

The Internet of Things

The Internet of Things (IoT) has the potential to deliver untold benefits for organizations. McKinsey Global estimates that it can deliver between $2.7 billion and $6.2 trillion of value to the global economy by 2025, with the number of connected devices to exceed 50 billion by 2020.⁴⁶ Essentially, IoT enables the linking together of physical “connected” devices via the Internet that help organizations collect data, complete tasks more efficiently, and thus develop and sell tailored customer solutions. The major advantage to an organization is the ability to use the vast amounts of data to collate big data analytics.

Understand Your IoT Risks

The Internet of Things means more connected devices, and a potential “wild west” type scenario in which a hack into one device can make it easier to hack into others.⁴⁷ This is particularly poignant, as an organization may be fairly far removed from the chain in a device that gets hacked and yet suffer significant reputational damage even if your organization was not the initial target. Some examples:

In 2015 Fiat Chrysler had to recall of 1.4 million vehicles to fix a vulnerability that allowed an attacker to wirelessly hack into the vehicle.⁴⁸
In 2014 a German Steel Mill blast furnace suffered massive damage, after hackers gained access to controls through hacking employee e-mails and gaining access to the plant’s office network.⁴⁹
Categories of IoT threats include:
Data protection—huge sources of personal data are gathered from all aspect of an individual’s life, making them more easily identifiable. This creates potential liabilities, fines, and reputational damage.
More connected devices—increasing likelihood of a hack.
Speed of change—the speed at which devices become connected and the growth of IoT technology may outstrip the rate at which appropriate security controls of the connected devices are implemented. The organization may lose control of how many devices are connected to their data, leading to liabilities that have not been accounted for in risk registers. An example are smart meters, where mobile phones can be used to regulate temperature control within a home.⁵⁰
Increased likelihood of outages—sheer volumes of servers communicating huge volumes of data traffic can overwhelm the server and lead to downtime.⁵¹
Security lags—unencrypted links are often used to communicate between devices.⁵²

Prepare for Your “Internet of Things” Policy

Clarify that the purpose of this policy is to assist your organization to reap the opportunities from the Internet of Things by gaining a handle on the new risks that your organization will now face. The policy content should factor in security of the data that you collect on your own devices but also should include provisions for other organizations that operate the other connected devices.

“Internet of Things” Key Content

Identify all stakeholders (regulators, individuals, those using the devices, members of the public, data owners).
Identify worst case scenarios.
Encrypt data from the data center to the end point.
Segregate IoT network from critical corporate data.⁵³
Identify and map (as best you can) all devices that are connected to the device or devices that you sell to your customers, in particular how they collect data and how they communicate with each other and how these links are protected.⁵⁴
Focused policies on appropriate collection, use, and protection of consumer data.⁵⁵
Document permissible uses. Make sure that other organizations that have networks that connect with your device have a clear set of guidelines for what your device can be used for.⁵⁶
Restrict use on applications and limit liability within your contracts.
Install best in class antivirus and firewall software, and thoroughly audit any resellers security policies and practices.

Mobile or Bring Your Own Devices (BYOD)

The working environment is changing fast, and companies are responding to calls from employees for increased flexibility in their working practices. This is part of a tidal shift toward agile working, with employees choosing to centralize all aspects of their lives into a single device. In turn, companies are looking to reap the benefits of lower costs and increased employee productivity. These mutual benefits have led to staggering adoption rate of BYOD schemes by companies; it is estimated that around 85 percent of companies now allow employees to bring their own devices to work.⁵⁷ There is, however, a darker side to BYOD⁵⁸; it is inevitable that emerging work practices will lead to emerging risks, in particular around data protection.

Understand Your BYOD Risks

The principles of BYOD are largely around giving employees more freedom in how and where they work. The fact remains that the company, as a data controller, has overall responsibility for the data, yet it will retain significantly less control over an employee’s devices, than it would its own device.⁵⁹ Employees are often seen as a weak link in the data security chain, and the risks of reputational damage are amplified. All of the positives benefits around increased productivity, or reduced hardware costs could soon be eliminated through a single oversight or irresponsible act.

The key risks associated with BYOD are as follows:

Accidental or intentional data breach leading to harm to customers, reputational damage, and fines.
Employees connecting to unsecured networks, opening up vulnerabilities.
Theft of sensitive corporate data and intellectual property, leading to missed opportunities and revenue loss.
Merging of end user data and corporate data.⁶⁰
Interception of data between the personal device and corporate system leading to reputational damage and fines.⁶¹
Loss of device and hack.
Privacy regulations, use abroad could open up additional risks in relation to privacy regulations.⁶²
Malware infection leading to data leakage and data corruption.⁶³

Prepare for Your BYOD Policy

An enterprise-wide BYOD policy will assist your company in locking in the benefits of employee satisfaction, productivity, and reduced costs while avoiding potentially large-scale embarrassments. Following are some key steps that will help your company prepare toward developing a successful mobile device strategy.

Determine How the Mobile Devices Will Be Used

Be clear on how you expect the mobile devices to benefit your business.⁶⁴ Companies should ask themselves if they want the devices to connect with the existing network infrastructure, process sensitive information or act as a tool to help your sales and marketing employees. This will assist you in determining the tightness of the control environment and levels of password protection required.⁶⁵

Get All Company Functions to Contribute

It is vital that the BYOD policy has input across the company from Human Resources, Legal, IT, accounting and the employees.⁶⁶ This is crucial in helping the company get a broader understanding of its emerging risks, underpinning the policy. It will also ensure wider accountability across the company, rather than being an “IT” issue. Consider using interactive games or tests to help employees truly understand the risks rather than getting them to search through pages of documents. They will, however, have to eventually read and fully understand the policy.

Understand the Emerging Risks

The implementation of BYOD should not introduce vulnerabilities into already secure networks.⁶⁷ Be clear on agreements that you have with other companies and ensure that the BYOD does not contravene these agreements.⁶⁸ The emerging risks can be documented, and can seamlessly link in with your other policies such as your overall IT security and social media policies to form the foundation of your policy.

Consider Mobile Device Management

Mobile device management solutions underpin secure BYOD policies and can assist in mitigating many of the merging risks. Examples of these solutions include SOTI MobiControl, Vmware AirWatch, Citrix Xen Mobile, and IBM MaaS360.⁶⁹ It is crucial that these are procured carefully and matched with the objectives of the BYOD. Mobile device management can provide all-encompassing solutions such as enforcing a pass code, encrypting stored data, and wiping a device if it gets lost.⁷⁰

Audit Your Data

Understand the data that you hold as an organization, consider how many sensitive data records that you hold, and be clear on which personal data are permitted to be processed on a personal device.

Separate End-User Data and Corporate Data

Cloud adoption is also increasing, and many end users may use their devices to store personal documents, contacts, and e-mails in iCloud.⁷¹ End users must be clear on the acceptable use of the cloud when adopting BYOD, to avoid leaking personal data into the cloud and accidental data breaches.⁷²

Protect and Encrypt

All devices should retain a strong password, and two-factor authentication. Encryption should be used to store data on the device effectively, and locks should be in place should an incorrect password be entered in too many times. Support and guidance for the end user is crucial in this regard. Encryption at rest is a useful risk prevention procedure should a device be lost or stolen.

Employee Responsibility

An end-user agreement is essential in clarifying that personal data must not be shared. The end-user agreement illustrates the need for employees to be held accountable, and the signing of this agreement is a demonstration of their understanding of their responsibilities and the risks involved when adopting BYOD. They must also have clearly defined parameters as to how the devices can and should not be used.⁷³ It is crucial that restrictive practices are communicated to the end user, with a support network available.⁷⁴ The end-user agreement can be used in conjunction with the company’s security policy to cover the life cycle of the device, including loss scenarios, disposal, and when an employee leaves the company.⁷⁵

Choose between BYOD Policy Options

It is vital that companies find a balance between achieving the objectives of the organization without compromising security. Your organization could choose one of the following options.

Disallow BYOD

This is the ultimate risk-avoidance measure. BYOD is fast becoming a work “norm” and preventing BYOD will limit the benefits that a company achieves and may result in employee frustrations and flouting the prohibitions on use.⁷⁶

The “Do Nothing” Approach

Some companies may choose to offer this approach in order to enable extensive take up by employees or avoid stifling creativity and innovation. This is potentially dangerous in that it can lead to serious personal data leakage and a lack of control over their intellectual property, resulting in reputational damage and harm to customers.⁷⁷

Corporate Devices Only

This option helps the company retain more control over their IT assets, policies, baseline security measures, and configurations. While this option ensures consistent security baselines and retained accountability within the organization, it can lead to increased costs per person and a higher number of connected devices.⁷⁸

Have a Managed BYOD Policy

A managed BYOD policy documents the responsibilities and ensures accountability of the employee through the use of an end-user agreement. It allows employees flexibility but limits the introduction of new risks. The security controls, limitations of use, and types of devices used are largely dependent on the volume and sensitivity of the company data and how the device is intended to be used.⁷⁹ Clear communication with employees is vital in helping them understanding the risks associated with using company data on mobile devices. The policy does need to be continuously monitored and improved where necessary with clear internal escalation points for queries by end users.

Examples of BYOD Policies

There are numerous BYOD policies available, many of which contain the following sections:

Acceptable use (end-user agreement)
Devices and support
Reimbursement
Security
Risks/Liabilities/Disclaimers⁸⁰

BYOD Policy Key Content

Acceptable use

Agreement to use the mobile device in compliance with company policies, such as the data protection, IT usage and risk policy.
Blocking of web sites during work hours.⁸¹
Compliance with acceptable usage of device on company time.
Limiting what devices may or may not be used for, such as storing illicit material or transferring proprietary information.⁸²
Zero tolerance policy for texting, calling, or e-mailing while driving.⁸³

Devices and Support

Choose-your-own-device (CYOD) policy. Essentially this limits employee choice of devices to a preapproved list, set by the company, giving IT more control and mitigating unforeseen security and management issues.⁸⁴
The list is at the company’s discretion and may include iPhone and Android, as well as the necessary models.⁸⁵
IT verifying the device before granting permission for BYOD.⁸⁶

Reimbursement

This section details where the company will reimburse employees for use of the device during work hours.⁸⁷

Security

Agreement of minimum security provisions as detailed by the Mobile Device Management (MDM).⁸⁸

Minimum password lengths, containing capital letters and symbols.⁸⁹
Acknowledgement of password policy, and lockout should an incorrect one be entered in more than a defined number of times.⁹⁰
Locked by password or pin if the device is idle.⁹¹
Details on where company data is prohibited from being saved and edited.

Risks/Liabilities/Disclaimers

Reporting time constraints should a device be lost or stolen.⁹²
Full liability for the employee should there be complete loss of company data and introduction of bugs or malware.⁹³
The company reserves the right to disconnect the device or disable services.⁹⁴
Employee to take additional precautions such as backing up e-mail and contacts.⁹⁵
Expectations of adherence to acceptable use policy.⁹⁶

Conclusion

The following cyber risk management statement represents those organization capabilities CEO and board expect to be demonstrated in terms of cyber risk policies.

Cyber Risk Policies

An appropriate mix of tailored cyber risk management–specific policies and procedures guide processes, practices and organization risk management activities. These put cyber risk principles into effect and are systematically applied through the cyber risk management process. The organization can demonstrate to all stakeholders how it manages cyber risk. At a minimum, policies and procedures are fully in effect to cover: mobile devices, ransomware, social media, third-party vendors/cloud computing, “Big Data Analytics” and Internet of Things. Various approaches are deployed to make such risks the responsibility of all employees, not just the IT function. A cycle of continuous improvement throughout the organization allows development along the risk maturity curve. The policies provide a platform for companies to maximize digital opportunities while managing the threats associated with advances in technology, data-driven insight, and evolving work practices.

Notes

About IRM

Founded in 1983 with a head office in London and international membership chapters, the Institute for Risk Management is a specialist institute that continues to develop professional risk qualifications, courses, events, and publications. In 2014, IRM hosted a major Cyber Risk summit and published Cyber Risk as member-led thought leadership research to give risk professionals the practical knowledge they need.

About Elliot Bryan, BA (Hons), ACII

Elliot is an associate and an account executive for Finex Cyber and TMT practice at Willis Towers Watson, London, United Kingdom. In this role, he specializes in advising on, negotiating, and placing cyber, professional indemnity for technology companies, and intellectual property insurance for clients, across a wide range of industry sectors. Elliot advises clients on program design, placement, and risk profiling with a particular focus on policy wording and coverage analysis.

He is a graduate of the University of Sheffield and an associate of the Chartered Insurance Institute.

About Alexander Larsen, FIRM, President of Baldwin Global Risk Services

Alexander is a strategic/enterprise and project risk manager who holds a degree in risk management from Glasgow Caledonian University and is a fellow of the Institute of Risk Management (IRM). He is also currently President of Baldwin Global Risk Services based in the United Kingdom.

He has 15 years of experience working in the United Kingdom, Middle East, and Asia, within risk management across a wide range of sectors, including oil and gas, construction, utilities, finance, and the public sector. He has considerable expertise in training and working with organizations to develop, enhance, and embed their enterprise risk management (ERM), project risk management (PRM), business continuity management (BCM), and partnership management processes.

He has attended conferences globally as an expert speaker and to run master classes and contributes articles to various risk publications. In 2015, he contributed a chapter titled “Implementing Risk Management within Middle Eastern Oil and Gas Companies,” based on his experiences from around the Middle East including Iraq, for the John Wiley & Sons publication Implementing Enterprise Risk Management: Case Studies and Best Practices.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.