Many industries are rallying to improve their cyber security postures. When I observe these rally cries, I hear the lyrics to a Twisted Sister song: “We’re not gonna take it … anymore!”
As headlines about data breaches multiply, the instinct to fight back and address the out-of-control problem of data breaches grows stronger.
Industries are coming together to share information on cyber threats and best practices. Here are some examples:
- The member-owned non-profit Financial Services Information Sharing and Analysis Center (FS-ISAC) is a group of financial services organizations and security vendors that collaborate by sharing threat information together with analysis and recommended solutions. Similar centers are emerging in other industries such as retail, healthcare, energy and aviation.
- Privately held HITRUST in the USA, which collaborates with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.
- Retail Cyber Intelligence Sharing Center (R-CISC) is a member-based organization for retailers to obtain information sharing, education and research.
- Specialized government agencies, such as the Department of Homeland Security and various intelligence agencies.
Motives and business models vary from group to group, but what matters is that action is being taken with the mutual goal of improving cyber security. Information sharing among your industry peers lets you compare notes and best practices in this very dynamic threat landscape.
In many cases, the threat tactics used against one organization can be seen again at other organizations in the same industry. However, information sharing for threat protection has its challenges: it can be daunting to comb through large volumes of information and make it actionable. The good news is that technology is evolving to assist with this.
Another rally cry can be seen in the cyber exercises in which many industries are participating. Most recently, a dozen health insurance companies representing 60 percent of the US population took part in CyberRX 2.0, a cyber exercise aimed at evaluating the organizations’ response and minimizing the impact of a data breach.
The Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services jointly managed the exercises. According to Deloitte, the attack scenarios exposed some interesting peculiarities of the health care industry. This is the value of organizations in the same industry sharing information and participating in such exercises.
This aligns with recent news from research firm IDC, which forecasts that healthcare breaches will NOT slow down in 2016, given that a healthcare record can be up to 50x more valuable than the records of any other industry. IDC raises the alarm with the prediction that one out of three healthcare records will be compromised in 2016.
Contributing to this is the digital transformation the industry is embracing while lagging on security in both information technology and operational technology. Digital data delivers more efficiency and better treatment, but at the cost of patients’ personal data being abused.
What about patient safety? Imagine your health being monitored by a compromised device that feeds wrong information to your provider. Diagnosis and treatment can be a matter of life or death. Fraudulent billing also represents up to 10 percent of healthcare expenditures. That should be motivation enough to fight back.
In North America, more than 350 organizations and 3,000 participants from across the electric utility industry and federal and state governments took part in the North American Electric Reliability Corporation’s (NERC’s) industry-wide grid security and incident response exercise, GridEx III, a two-day effort of rigorous exercises. Participation almost doubled compared with 2011, when 200 organizations took part.
This proactive effort is critical for an industry that has had the most incidents reported (CERT). Consider the implications if critical infrastructure such as energy is compromised. It can have a devastating ripple effect: businesses come to a halt if machines are not powered, buildings and houses have no heat or light, and safety concerns grow.
Since 2011, the financial services industry has been conducting cyber security exercises in conjunction with the Securities Industry and Financial Markets Association (SIFMA) and service provider Norwich University Applied Research in a project called Quantum Dawn. In September 2015, Quantum Dawn 3 built on lessons learned from the previous exercises and focused on exercising the procedures needed to maintain market operations in the event of a systemic attack.
The exercises included simulating the degradation of critical infrastructure affecting the clearing and processing of equities, rehearsing internal processes that require the orchestration of business continuity, equities operations and IT security, and playing out the interaction between firms and the public sector.
Under the new CIO leadership of Tony Scott, the US Federal Government conducted a 30-day sprint this summer to assess its cyber security posture. Federal agencies reported back on their progress and on any challenges they faced in closing four specific security loopholes. The result of this effort is reflected in the Cybersecurity Strategy and Implementation Plan (CSIP) from the Office of Management and Budget, a prescriptive plan to address the gaps.
Some may say, “I’m already assessing my security with penetration tests. How does this differ from penetration testing?”
They are similar in intent: both aim to identify vulnerabilities in technology, process and people. Such testing or assessments offer insight into an organization’s cyber resiliency. These highly public industry exercises further amplify the topic and the proactive efforts behind it. The public is no longer hearing only about data breaches. I applaud these industry-wide efforts to fight cyber threats.
What are your thoughts on the industry rallies to improve cyber security?
Title image courtesy of ShutterStock