Data protection and privacy: in 2016, is your network truly secure?

By: Ray Boisvert, President of ISECIS and former Assistant Director, Intelligence for the Canadian Security Intelligence Service (CSIS)

During almost three decades in national security, a good deal of it in the covert planning and operational security areas of the Canadian Security Intelligence Service (CSIS), I’ve been exposed to a number of challenging scenarios. Notwithstanding the national security context, most of those cases either represented immediate threat-to-life risks or had significant reputational challenges, requiring constant care and attention.

One way our teams at CSIS consistently met operational objectives, which included optimum resilience from compromise or discovery (while avoiding disaster), was the inviolability of our operation security, or “op sec,” doctrine. 

This approach involved a simple philosophy that looked something like this:

  • Assume the worst. In a business sense, this means identifying all potential risks.
  • Never make assumptions, again from a private sector perspective, accept that “black swans,” or unintended consequences, do emerge.
  •  Survey, survey, and then survey again… for those operating businesses, it is critical that you own your environment, manage your defenses in real time, and remain ever vigilant.
  • Most importantly, plan and practice your exfiltration routes. Assuming that disaster will eventually strike, even for the best-prepared firms, prioritize a response and recovery plan - - and then practice it.

With that as a backdrop, let me to ask you the following questions. Do you believe your data is secure? Do you truly believe that your enterprise is positioned to effectively identify and respond to a destructive breach?  

If your answer is yes to either question, in my professional opinion, you are very likely to be the next in line to be seriously compromised.  

Why? Because irrespective of whatever investments you have previously made, we are now in the age of persistent threats and the need for constant vigilance.

As business leaders know well, complacency in any organization can be harmful to one’s competitiveness; in this volatile and rapidly emerging threat environment, it can be lethal.

Should your firm be the next "fortunate" entity to garner the attention of a criminal hacking collective, or perhaps even worse, a disgruntled employee who has decided to betray your trust, then you had better know (and not assume) that you have taken credible and independently assessed resilience measures that include the application of advanced analytics along with establishing an effective response strategy.

The list of increasingly difficult-to-manage threats of a cyber or internal data loss event is increasing from the mildly complex towards full business interruption scenarios.  

Back to my questions.  Would your firm have the necessary pre-staged resources to prevent and then properly manage a class action lawsuit that is rapidly becoming the norm, especially when the loss involves personal identifiable information (PII)?  How would your Board or executive team react to government regulators seeking assurances in regard to the protection of financial assets or intellectual property?  How would you describe your “defense in depth” to external partners or stakeholders should a breach in the supply chain, originating on your servers, contaminates many others?  When facing mounting costs related to all of the above, what can your organization show, not simply try to explain, when insurers measuring your firm’s level of preparatory due diligence ask the tough questions?

If there is any doubt with respect to your firm’s resilience formula, then your ability to cope with a rapidly emerging crisis and avert a possible organizationally destructive moment is, in my estimation, rated as being rather low. 

Equally important to consider, and based on national security level experience, you cannot suddenly build the necessary capability once a crisis has begun -- of course, never at a place or timing of your choosing.

This view is no longer the fantasy of cyber security vendors or from overly pessimistic national security gurus.  This is the business environment in 2016.  One way to validate that proposition is to consider the less than comforting statistics that have emerged from the previous year, along with what lies ahead.

A recent PwC study provides details with respect to one of the most important trend-lines of relevance to the majority of Canadian business owners: 

- Seventy-four percent of small and medium businesses experienced a security issue in 2015. Equally important is the following analytical assessment: “This number will only increase due to SMBs being perceived as ‘easy targets’.” 

Why are they perceived to be easy targets? It is my estimation that many SMBs believe they are prepared, when in fact what they have is superficial security.  Hence my clear concerns and line of questions in this critical area.

-Secondly, to be painfully frank, when it comes to the true level of cyber and insider threat resilience, many organizations are likely closer to being in the zone of the unsure.  In the multitude of discussions I have had with business leaders, there is a sense that some believe that they will remain under the radar of threat actors, and thus unlikely to be targeted for a data breach.   And even fewer have considered the possibility of insider betrayal.  Hope and unsupported beliefs, as the saying goes, do not a business plan make.  

 Given this perceived state of readiness, along with the fact that threat events in 2016 will only increase, there is a data security assurance gap.  Again, a legitimate question is how can this be?  Well, never wanting to leave an audience feeling only partially uneasy, let me close by offering you the following analysis from Juniper Research:

“ The rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015”.

It is a brave new century that must be managed in an entirely new way, one that takes a page from the CSIS playbook of care, attention, planning, practice, and being in a state of perpetual discomfort.

Ray Boisvert, CEO and founder of I-Sec Integrated Strategies, a Senior Associate at Hill+Knowlton Strategies, and the former Assistant Director of Intelligence for the Canadian Security Intelligence Service. With 30+ years of experience, he offers advice pertaining to critical risks affecting private and public sector business activities: cyber and “insider” threats, as well as modern day hazards related to espionage and terrorism.