Analyzing Business Information Security for a data breach use case
In a digital business world that is highly distributed via an eco-system, ensuring your digital assurance becomes vital. Everything needs to work continuously, and Confidentiality, Integrity and Auditability have to be assured, especially when your business is regulated and has to demonstrate that it is “in control”. But how do we do that when business models are under fire by hackers? Hackers use heavily automated attack methods and operate in a distributed, evasive platform model that disguises their identity and criminal organization. They therefore form a threat to your business, ranging from state-sponsored hackers to script kiddies, all finding sophisticated ways to hammer on the front porch of your business. To you, an IP address means your API store or a critical business process; to a hacker it is just an IP number to attack, without caring about or knowing the impact.
As business leaders, we need to question ourselves:
- How can we as business managers distinguish the diverse types of hackers and their intentions?
- How can we simulate scenarios and calculate the impact on the business in terms of economic loss?
- What can we do to identify, protect and respond to that and which security investments are justified to mitigate the risks?
These are typical questions a CISO needs to master in a world where money is made via digital business platforms, and the role of the CISO is to take leadership and ownership. This is exactly where we guide the tech leaders of the future when they follow the Cybersecurity master program. Periodically we examine cases that students executed as part of assignments and shed new light or fresh insights on the topic. This time we ask Pascal de Haan (DSM) and Tim Vandeput (TConsult) about analyzing BIS and the potential impact of a data breach at a financial company.
1. What problem did you investigate?
We investigated the potential impact of a vulnerability in the digital channels of a financial institution. Financial players are more and more reliant on digital interaction with their customers and partners, partly triggered by new regulations, which require banks and other financial organizations to expose their services via APIs.
The additional introduction of DevOps also leads to more frequent updates and more frequent releases of functionality in the digital channels and, hence, increases the likelihood of vulnerabilities in code being released as well. In this scenario, we assumed such a vulnerability to allow less honorable persons to extract customer records, including personal information from the core systems. With more than 3 million active customers, this could result in significant financial and non-financial damages to the case company.
2. How did you do this? What was your approach to this?
We started our research assignment by looking at the company’s annual report, press releases and other publicly available information, as well as internal documents, to obtain a view on its current strategy and risk governance. Then we conducted an interview with the organization’s head of IT Security. This was necessary to gather data for the next steps, where we performed a tangible and intangible cost analysis of a data breach and a resulting gap analysis using reference data from IBM Ponemon and Verizon DBIR. The visual below demonstrates the several attack vectors we have investigated as viable scenarios. Not just for our case; they could be relevant for any financial company.
We then proposed security mitigation activities with alternatives and performed a Return on Security Investment (ROSI) calculation to demonstrate that the investments are justified. Finally, we linked everything together through a Cybersecurity Balanced Scorecard (BSC) and an accompanying roadmap that show how these investments in cybersecurity support the organization’s strategy. A nice exercise was the CISO assessment, which compared the type of CISO the case company has now with what is recommended based on the CISO Assessment Level Model (CALM) by Russell Reynolds.
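The cost analysis and ROSI comparison described in the two answers above can be made concrete with a small model. The following is an added example written for this page, not the students' own model or figures: it uses the commonly cited ROSI formula, ROSI = (ALE × mitigation ratio − control cost) / control cost, with ALE = SLE × ARO. The record count follows the "more than 3 million customers" mentioned above; every other number (cost per record, intangible cost, breach frequency, control costs and mitigation ratios) is a constructed placeholder that a practitioner would replace with Ponemon/DBIR reference data and vendor quotes.

```python
"""Data-breach cost and ROSI comparison (added example, not from the article).

Assumptions (constructed, labelled as such):
  SLE  = records_exposed * cost_per_record + intangible_cost
  ALE  = SLE * annual_rate                      (annual_rate = ARO)
  ROSI = (ALE * mitigation_ratio - annual_cost) / annual_cost
Mitigation ratios are single-control estimates and are not combined here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    records_exposed: int      # 3M active customers, as stated in the interview
    cost_per_record: float    # constructed; a Ponemon-style per-record figure goes here
    intangible_cost: float    # constructed; churn, reputation, regulatory follow-up
    annual_rate: float        # constructed ARO: expected breaches of this kind per year

    def single_loss_expectancy(self) -> float:
        """Tangible per-record losses plus the intangible lump sum."""
        return self.records_exposed * self.cost_per_record + self.intangible_cost

    def annual_loss_expectancy(self) -> float:
        """SLE scaled by how often the scenario is expected to occur."""
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # constructed yearly cost of the mitigation
    mitigation_ratio: float   # constructed share of ALE the control removes, 0..1


def rosi(scenario: BreachScenario, control: Control) -> float:
    """Return on Security Investment; negative means the control costs more than it saves."""
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided_loss = scenario.annual_loss_expectancy() * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def rank_controls(scenario: BreachScenario, controls: list) -> list:
    """Controls ordered from best to worst ROSI, so alternatives can be compared."""
    return sorted(controls, key=lambda c: rosi(scenario, c), reverse=True)


# Constructed scenario: customer-record extraction through a vulnerable API.
SCENARIO = BreachScenario(
    records_exposed=3_000_000,
    cost_per_record=150.0,
    intangible_cost=5_000_000.0,
    annual_rate=0.1,
)

# Constructed mitigation alternatives (names and numbers are hypothetical).
CONTROLS = [
    Control("API gateway with schema validation", annual_cost=1_200_000.0, mitigation_ratio=0.40),
    Control("Secure SDLC: SAST/DAST in the pipeline", annual_cost=600_000.0, mitigation_ratio=0.25),
    Control("Tokenization of customer PII", annual_cost=4_000_000.0, mitigation_ratio=0.60),
    Control("Full core re-platforming", annual_cost=50_000_000.0, mitigation_ratio=0.90),
]

if __name__ == "__main__":
    print(f"SLE: {SCENARIO.single_loss_expectancy():,.0f}")
    print(f"ALE: {SCENARIO.annual_loss_expectancy():,.0f}")
    for c in rank_controls(SCENARIO, CONTROLS):
        print(f"{c.name:45s} ROSI = {rosi(SCENARIO, c):6.2f}")
```

With these placeholder inputs the cheapest control has the highest ROSI, the most thorough one has a negative ROSI because its cost exceeds the loss it avoids, and the ranking shifts as soon as the per-record cost or breach frequency is changed; that sensitivity is exactly what the gap analysis and roadmap discussion should surface.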
3. What did you find? What should people really know?
Read the full blog article here