How can you calculate the value of a data breach in your organisation and implement an effective mitigation strategy? This is the question that Todd Forgie answers in his fascinating presentation, originally delivered at CLOUDSEC Singapore. You can either read the summary below, which includes Forgie's key recommendations, or watch the video at the end of the article.
Forgie is the Vice President of IT and Managed Services at MEDHOST, a healthcare IT company in the US that services about 25% of hospitals in the US and Puerto Rico. He explains that due to the huge growth in the estimated number of successful cyber-attacks and ransomware, it's now critical for organisations to operate with the assumption of a breach.
His own organisation reacted to this by:
- Retraining staff to reduce the mean time to identify ransomware incidents;
- Implementing auto-escalation procedures and capabilities with the IT security department to mitigate attacks;
- Reducing the mean time to restore data.
But in order to make this happen, his organisation had to accurately model the level of risk being faced and the value attributed to that risk. Forgie explains that whilst this is theoretically simple, when it comes to high value data, such as electronic medical records, there's more than meets the eye.
In doing this, Forgie breaks down, in detail, the "incentive" for the cyber-criminals, the level of "vulnerability" of a particular organisation, and the "impact" of a breach. He stresses that these elements need to be conveyed effectively to CFOs and the board. Some of the hard, quantifiable metrics that must be answered in order to calculate risk include:
- Top 10 Most Vulnerable Servers by OS type
- Percent and Number of Unpatched Servers
- Total Incidents, and Mean Time to Identify and Mean Time to Resolve for Security Incidents
- Number of Attacks Dropped by Firewalls and Intrusion Prevention Systems
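As an added illustration (not from Forgie's presentation), the Python below computes three of the four metrics above from constructed incident and inventory records; it assumes MTTI is measured from occurrence to identification and MTTR from identification to resolution, and that "most vulnerable" is ranked by count of open findings.

```python
from datetime import datetime

# Constructed sample data (not from the presentation): when each security
# incident occurred, was identified, and was resolved.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-03-01T02:00", "identified": "2023-03-01T10:00", "resolved": "2023-03-02T10:00"},
    {"id": "INC-2", "occurred": "2023-03-05T08:00", "identified": "2023-03-05T09:00", "resolved": "2023-03-05T15:00"},
    {"id": "INC-3", "occurred": "2023-03-09T00:00", "identified": "2023-03-09T12:00", "resolved": "2023-03-10T00:00"},
]

# Constructed server inventory: OS type, open vulnerability findings, patch status.
SERVERS = [
    {"host": "db01", "os": "Windows Server", "open_findings": 12, "patched": False},
    {"host": "app01", "os": "Linux", "open_findings": 3, "patched": True},
    {"host": "app02", "os": "Linux", "open_findings": 7, "patched": False},
    {"host": "web01", "os": "Windows Server", "open_findings": 1, "patched": True},
]

def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def incident_metrics(incidents):
    """Total incidents, mean time to identify (MTTI) and mean time to resolve (MTTR), in hours."""
    if not incidents:
        return {"total": 0, "mtti_hours": 0.0, "mttr_hours": 0.0}
    mtti = sum(_hours(i["occurred"], i["identified"]) for i in incidents) / len(incidents)
    mttr = sum(_hours(i["identified"], i["resolved"]) for i in incidents) / len(incidents)
    return {"total": len(incidents), "mtti_hours": mtti, "mttr_hours": mttr}

def unpatched_summary(servers):
    """Number and percentage of servers that are not fully patched."""
    unpatched = [s for s in servers if not s["patched"]]
    pct = 100.0 * len(unpatched) / len(servers) if servers else 0.0
    return {"count": len(unpatched), "percent": pct}

def top_vulnerable_by_os(servers, n=10):
    """Top-n hosts per OS type, ranked by open findings (highest first)."""
    by_os = {}
    for s in sorted(servers, key=lambda s: s["open_findings"], reverse=True):
        hosts = by_os.setdefault(s["os"], [])
        if len(hosts) < n:
            hosts.append(s["host"])
    return by_os

if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
    print(unpatched_summary(SERVERS))
    print(top_vulnerable_by_os(SERVERS))
```

An organisation that cannot populate these inputs from its ticketing and asset systems is in the position Forgie describes: unable to state its own risk.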
His point is that if this information is simply not available, it is a strong indicator that the organisation is very vulnerable. Furthermore, without it, IT security decision makers are held back from getting a seat at the table, communicating the level of risk, and securing the funding they need.