Managing Online Risk: Apps, Mobile, and Social Media Security
()
About this ebook
In recent years, building a corporate online presence has become nonnegotiable for businesses, as consumers expect to connect with them in as many ways as possible. There are benefits to companies that use online technology, but there are risks as well. Managing Online Risk presents the tools and resources needed to better understand the security and reputational risks of online and digital activity, and how to mitigate those risks to minimize potential losses.
Managing Online Risk highlights security and risk management best practices that address concerns such as data collection and storage, liability, recruitment, employee communications, compliance violations, security of devices (in contexts like mobile, apps, and cloud computing), and more. Additionally, this book offers a companion website that was developed in parallel with the book and includes the latest updates and resources for topics covered in the book.
- Explores the risks associated with online and digital activity and covers the latest technologies, such as social media and mobile devices
- Includes interviews with risk management experts and company executives, case studies, checklists, and policy samples
- A website with related content and updates (including video) is also available
Deborah Gonzalez
Deborah Gonzalez, Esq. is the founder of Law2sm, LLC, a legal consulting firm focusing on helping its clients navigate the legal issues relating to the new digital and social media world. Deborah graduated from New York Law School and is licensed to practice law in New York and Georgia. Deborah began her career in the corporate arena working in various positions in the information technology area - from network administrator to manager of the IS department for a top-6 CPA firm in New York City. During her tenure she managed day-to-day IT operations; designed and implemented IT-related training for employees, managers, and IT staff; developed policies and protocols for IT-corporate use; and monitored emerging trends for IT business strategies and management. Deborah used this foundation as a starting point with her legal practice, which is now transporting her beyond the Internet to the social space where the physical and digital dimensions of her clients co-exist and where she can leverage her legal expertise to their benefit. Deborah enjoys engaging with those around her - so social media is a natural fit. But it is her skill in being able to connect the dots to understand the next big paradigm shift in global communication and legal application that makes her a leader in social media and online law. Deborah serves as Chair of the GA Bar Association’s Annual Program on Social Media and the Law and serves as a social media legal liaison for social media marketing companies and their clients. In addition, Deborah speaks on legal issues relating to intellectual property, social media and online legal trends and practices, and online risk management in various venues throughout the United States and abroad. Follow her on Twitter: @DGOnlineSec and @Law2sm, or visit www.managingonlinerisk.com or www.law2sm.com.
Related to Managing Online Risk
Related ebooks
Cybersecurity: Issues of Today, a Path for Tomorrow Rating: 0 out of 5 stars0 ratingsManaging Information Security Breaches: Studies from real life Rating: 0 out of 5 stars0 ratingsCybersafe For Humans: A Simple Guide to Keep You and Your Family Safe Online Rating: 0 out of 5 stars0 ratingsCan. Trust. Will.: Hiring for the Human Element in the New Age of Cybersecurity Rating: 5 out of 5 stars5/5IT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsCybersecurity for Small Businesses and Nonprofits Rating: 0 out of 5 stars0 ratingsFortify Your Data: A Guide to the Emerging Technologies Rating: 0 out of 5 stars0 ratingsCSA Guide to Cloud Computing: Implementing Cloud Privacy and Security Rating: 0 out of 5 stars0 ratingsWeb Application Vulnerabilities: Detect, Exploit, Prevent Rating: 0 out of 5 stars0 ratingsData Protection 101: A Beginner's Guide to Digital Security Rating: 0 out of 5 stars0 ratingsInformation Security Breaches: Avoidance and Treatment based on ISO27001 Rating: 0 out of 5 stars0 ratingsHow to Cheat at Managing Information Security Rating: 0 out of 5 stars0 ratingsThe True Cost of Information Security Breaches and Cyber Crime Rating: 0 out of 5 stars0 ratingsFight Fire with Fire: Proactive Cybersecurity Strategies for Today's Leaders Rating: 0 out of 5 stars0 ratingsThe Insider Threat: Combatting the Enemy Within Rating: 0 out of 5 stars0 ratingsCyber Risks for Business Professionals: A Management Guide Rating: 0 out of 5 stars0 ratingsModSecurity 2.5 Rating: 0 out of 5 stars0 ratingsThirdParty Cybersecurity Risk Management A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsSecure Your Network for Free Rating: 0 out of 5 stars0 ratingsPrivileged Access Management Tools Standard Requirements Rating: 0 out of 5 stars0 ratingsInformation Technology Risk A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsQualified Security Assessor Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsVPN Third Edition Rating: 0 out of 5 stars0 ratingsThe Official (ISC)2 Guide to the CCSP CBK Rating: 0 out of 5 stars0 ratingsInformation Security Risk Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsInfoSecurity 2008 Threat Analysis Rating: 0 out of 5 stars0 ratingsSecurity Sage's Guide to Hardening the Network Infrastructure Rating: 0 out of 5 stars0 ratingsData Protection Standard Requirements Rating: 0 out of 5 stars0 ratingsGIAC Certified Forensics Examiner A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratings
Business For You
Becoming Bulletproof: Protect Yourself, Read People, Influence Situations, and Live Fearlessly Rating: 4 out of 5 stars4/5Crucial Conversations Tools for Talking When Stakes Are High, Second Edition Rating: 4 out of 5 stars4/5Set for Life: An All-Out Approach to Early Financial Freedom Rating: 4 out of 5 stars4/5Summary of Eve Rodsky's Fair Play Rating: 2 out of 5 stars2/5Law of Connection: Lesson 10 from The 21 Irrefutable Laws of Leadership Rating: 4 out of 5 stars4/5Summary of J.L. Collins's The Simple Path to Wealth Rating: 5 out of 5 stars5/5Crucial Conversations: Tools for Talking When Stakes are High, Third Edition Rating: 4 out of 5 stars4/5Collaborating with the Enemy: How to Work with People You Don’t Agree with or Like or Trust Rating: 4 out of 5 stars4/5The Richest Man in Babylon: The most inspiring book on wealth ever written Rating: 5 out of 5 stars5/5Nickel and Dimed: On (Not) Getting By in America Rating: 4 out of 5 stars4/5Emotional Intelligence: Exploring the Most Powerful Intelligence Ever Discovered Rating: 5 out of 5 stars5/5Just Listen: Discover the Secret to Getting Through to Absolutely Anyone Rating: 4 out of 5 stars4/5Capitalism and Freedom Rating: 4 out of 5 stars4/5Company Rules: Or Everything I Know About Business I Learned from the CIA Rating: 4 out of 5 stars4/5The Catalyst: How to Change Anyone's Mind Rating: 4 out of 5 stars4/5Leadership and Self-Deception: Getting out of the Box Rating: 4 out of 5 stars4/5The Five Dysfunctions of a Team: A Leadership Fable, 20th Anniversary Edition Rating: 4 out of 5 stars4/5Thank You for Being Late: An Optimist's Guide to Thriving in the Age of Accelerations Rating: 4 out of 5 stars4/5Lying Rating: 4 out of 5 stars4/5Robert's Rules Of Order Rating: 5 out of 5 stars5/5Tools Of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers Rating: 4 out of 5 stars4/5Carol Dweck's Mindset The New Psychology of Success: Summary and Analysis Rating: 4 out of 5 stars4/5Confessions of an Economic Hit Man, 3rd Edition Rating: 5 out of 5 stars5/5Invisible Influence: The Hidden Forces that Shape Behavior Rating: 4 out of 5 stars4/5High Conflict: Why We Get Trapped and How We Get Out Rating: 4 out of 5 stars4/5Red Notice: A True Story of High Finance, Murder, and One Man's Fight for Justice Rating: 4 out of 5 stars4/5
Reviews for Managing Online Risk
0 ratings0 reviews
Book preview
Managing Online Risk - Deborah Gonzalez
Managing Online Risk
Apps, Mobile, and Social Media Security
Deborah Gonzalez
Law2sm, LLC
Table of Contents
Cover image
Title page
Copyright
About the Author
Online Resources
Introduction
Chapter 1. Risk Management Digital Style
Risk management models
Best practices for incident response
BONUS: ten IT security myths
Security/risk management apps
Chapter 2. Internal and External Risks
Internal risks
Internal risk 1: security perception, priority, and budget
Internal risk 2: traditional and shadow IT
Internal risk 3: mobile
Internal risk 4: people
External risks
External risk 1: technology advances
External risk 2: cloud storage
External risk 3: hacking
External risk 4: regulation
External risk 5: natural disasters and squirrels
Chapter 3. Reputation and Identity
Reputation
Reputational risks
Defining identity
Digital identity
Legal identity
Executive identity
Corporate identity: The BRAND
Value and worth of identity
Identity versus reputation
Protecting identity
Protecting reputation
Chapter 4. The New Workforce
Employment cycle
Who is the workforce?
Millennials
Recruitment
Hiring
Employment
Termination
Other
Chapter 5. Big Data
Data cycle
Data management plans
Data classification
Data access
Data analytics
Protecting data: backup
Losing data
Data recovery
Privacy: to use or not to use data dilemma
Protecting against liability for data/privacy loss
Data surveillance
Dictatorship of data
Chapter 6. Approaches to content
Content marketing versus content management
Different audiences, different content
Myths of content marketing and content management
Benefits of the content approach
Intellectual property rights, risks, and content
IP cycle
Copyrights
Digital Millennium Copyright Act
Fair use doctrine
International IP concerns
Creative Commons license
A couple of digital concerns for copyrights
Trademarks
Trademark and gripe sites
Trademark and reputational risks
Trade secrets
Patents
Technology development
IP other risks
IP valuation
IP legislation
Chapter 7. Compliance
Who needs to be compliant?
General compliance: disclosures
General compliance: disclaimers
General compliance: human resources
Financial Institutions
Health Care and Medical Institutions
Higher education (FERPA)
Professional Trade Oversight and Organizations: Mobile
Other Federal Agencies
Federal legislation
State legislation
Compliance oversight
Compliance training
Chapter 8. Currency and Campaigns
Online banking
E-payments convert to M-payments
Virtual currency
Digital currency
Bitcoin
Beyond bitcoins
Crowdfunding
Online microfinancing
Online charitable donations and fundraising
Future of money
Digital political campaigns
Digital advocacy
Digital lobbying
Risk and security of online politics
Chapter 9. Digital Succession
Succession planning
Information technology security shortage
The next generation of InfoSec Pro
Women in Infosec
Cybersecurity simulations
Digital legacy
Digital assets
Digital afterlife
Digital expiration
Digital immortality
Chapter 10. The Future of Online Security
The future: unpredictable
The future: four scenarios
Monitored Man
Bicentennial man revisited
Credential verification
Big Data
Index
Copyright
Acquiring Editor: Brian Romer
Editorial Project Manager: Keira Bunn
Project Manager: Poulouse Joseph
Designer: Alan Studholme
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
Copyright © 2015 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher
Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Gonzalez, Deborah.
Managing online risk : apps, mobile, and social media security / Deborah Gonzalez.
pages cm
ISBN 978-0-12-420055-5 (paperback)
1. Computer networks–Security measures. 2. Internet–Security measures. I. Title.
TK5105.59.G67 2015
005.8–dc23
2014031130
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-420055-5
For information on all Butterworth-Heinemann publications visit our web site at http://store.elsevier.com
This book has been manufactured using Print on Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.
About the Author
Deborah Gonzalez, Esq. is the founder of Law2sm, LLC, a legal consulting firm focusing on helping its clients navigate the security and legal issues relating to the new digital and social media world. Deborah is the co-developer of the Socially Legal Audit® tool that assists a company to ensure that their online activity is in line with state laws, federal laws, and regulatory compliance.
Deborah graduated from New York Law School and is licensed to practice law in New York and Georgia.
Deborah began her career in the corporate arena working in various positions in the information technology area—from network administrator to manager of the IS department for a top-6 CPA firm in New York City. During her tenure she managed day-to-day IT operations; designed and implemented IT-related training for employees, managers, and IT staff; developed policies and protocols for IT-corporate use; and monitored emerging trends for IT business strategies and management including IT security concerns. Deborah used this foundation as a starting point with her legal practice, which is now transporting her beyond the Internet to the social space where the physical and digital dimensions of her clients co-exist and where she can leverage her legal expertise to their benefit.
Deborah is a sought after speaker, content contributor, and news commentator on online security issues and social media legalities. Past audiences include Fortune 500 companies, non-profit organizations, professional associations (ISSA WIS, TAG), college communities (students, faculty, and administration), legal professionals (lawyers and judges), both domestically in the US and abroad. Specific industries include: banking and financial, healthcare and medical, higher education, international trade, governments and politicians, marketing and public relations, and more.
Online Resources
Thank you for selecting Butterworth-Heinemann’s Managing Online Risk. To complement the learning experience, the author has provided a number of online tools to accompany this edition. They can be found at http://managingonlinerisk.com. The tools available include
• Live links to chapter-specific resources and updates to case studies in the book, domestic and international.
• Downloadable handouts and checklists that you can use for your company.
• Useful infographics with additional statistics relating to online risk and security.
• Shareable risk and security funnies and humorous videos that can be used for training or just a quick break to put things in perspective.
• The Managing Online Risk (MORe) monthly blog with discussions on the latest risk management and security issues.
• An event calendar with upcoming risk and security conferences as well as the latest information regarding author tour dates and venues.
• A direct contact link to the author for questions and inquiries.
• Access to the Elsevier eCommerce store for purchases.
• And more.
Introduction
Engagement in online activity (including, but not limited to, social media) is quickly becoming nonnegotiable for many businesses and organizations as consumers continue to expect to be able to connect and interact with them in as many convenient ways as possible. There are many benefits to companies using digital and online technology, but there are many risks as well, the acknowledgment of which has led many an executive to question whether they should be in the space and how far they should go. News reports of companies getting into trouble because of compliance violations, loss of revenue because of reputational loss, and loss of customer trust because of confidentiality breaches bring concern to executives who are trying to balance the benefits of online activity and the potential loss of revenue due to negative public relations, litigation, and so forth.
In this new digital environment, executives need to put into place best practices and measures of security and risk management that address concerns such as data collection, storage, and security; human resource recruitment and employee communications; compliance violations of federal and state laws, as well as professional trade oversight organizations; security of technology devices (mobile, apps, cloud computing, etc.); and more.
This book strives to be a definitive resource by providing an overview of the risk mitigation strategies, solutions, and best practices to address risk, liability, and security concerns arising from corporate online and digital activity. It is a resource that executives and security professionals can turn to more frequently as issues related to risk management and security concerns arise from their corporate online and digital activity.
In addition, in a first-of-its-kind, digital integration, this book has a companion Web site (www.managingonlinerisk.com) that was developed in parallel with the book, offering the latest updates and resources for the issues we discuss. You can imagine with the speed of change in the technology and security areas some of what I wrote in the first chapters were outdated by the time I got to the final chapter. Between when this book is published and when you read it, who knows where that technology will be. So, as online and digital security and risk management continuously evolve, you will find this Web site to be an invaluable tool to ensure that skills and knowledge are kept up-to-date with the latest environmental and technology changes. This book gives the foundations and the Web site provides the nuances based on what is happening now. Use both to reap optimal benefits of the information.
Another interesting structure of this book is that it is based on content aggregation, seeking out the most recent information on the topics and integrating the best of them within the book itself. I took a curation of content
approach to find the most up-to-date, interesting, and credible sources on the issues I discuss in the book. Again, because of the speed of change in the online technology and security area, some of these sources may end up contradicting themselves as technology and events evolve. For example, when I originally wrote about Bitcoin in Chapter 8, it was considered a currency. By the time I finished writing Chapter 10, we had a U.S. regulatory decision that Bitcoin and other virtual currencies are property,
not currency. More on that in Chapter 8. To ensure everyone receives the credit they deserve for their work, Creative Commons Licenses, the Fair Use Doctrine and traditional copyright permissions are relied on to allow the reader to have the most up-to-date analysis of the trends occurring in online and digital security and risk management.
This book presents readers with tools and resources to better understand the security and reputational risks of online and digital activity, as well as tools and resources to mitigate those risks and minimize potential loss for their companies. These tools and resources include case studies; industry and expert profiles; lessons learned; overview of relevant laws, regulations, and professional guidelines by industry; sample policies, disclaimers, and online community guidelines; and more.
This book contains 10 chapters focusing on particular areas of security and risk management concern in the digital and online environment. Since technology is all about connectivity, you will see that many of the issues discussed overlap and do not just fit in their designated chapters. However, each chapter was written to stand alone and still be comprehensive enough to offer strategic insight for that particular concern, so you as the reader can read the book sequentially or by chapter-topic interest. Except for Chapter 1, that is, which offers an overview of risk management and security concepts—a great place to start if you are new to the field or need a refresher recap—as well as Chapter 10, which focuses on what your company’s future may or may not look like, and relies on previous concepts outlined throughout the book.
With Chapter 2, we begin to explore specific internal and external risks associated with digital and online activity. The internal explores corporate security perception, priority and budget setting, traditional and shadow information technology (IT), mobile and the Bring Your Own Device trend, and people, including employees, vendors, and third parties that can lead to cyber-risks such as computer security, computer viruses, computer fraud, and so forth. The external looks at issues with a lesser element of control for the corporation such as technology advances and new devices, cloud computing, hacking, regulation, and natural disasters and squirrels.
Chapter 3 focuses on different aspects of digital identity in relation to a corporation’s reputation, including executive identity (specific individuals in the corporation) and brand identity (including virtual presence) of the corporation. The chapter defines these two identities and how they differ, explores why they are important in the digital space, and describes how they can be tarnished or lost because of digital activity. In addition, online activism (and hacktivism), social scoring, digital influence, and online credentials are discussed. The chapter offers various lessons learned and best practices to protect the identity and the corporate’s reputation.
Chapter 4 explores the use of digital and online activity as it relates to employee–employer relationships and constructs. The chapter progresses based on the employment cycle: recruitment, hiring, employment, and termination. Specific discussions on social media policies and strategies, the mobile workforce, millennials and other worker generations, monitoring of employee online activity, employee privacy concerns, and so forth.
Chapter 5 focuses on an extremely important area related to online and digital activity—the collection, use, and storage of data—especially as relating to client or potential client information. The debate between enhanced, targeted marketing to meet customer needs and personal privacy concerns will be discussed and will include big data, the social graph, personally identifiable information, recent attempts to control this area (legislation), and best practices.
Chapter 6 looks specifically at data that are created for the digital space, the intellectual property rights and value they provide for a corporation, the risks of theft of intellectual property, the risks the content may create for the corporation (such as defamation, anticompetitive acts, etc.), and best practices to reduce those risks, as well as strategies on what to do if theft occurs.
Chapter 7 focuses on regulated industries (such as banking, health care, transportation, etc.) and the different risks associated with violation of compliance standards for online and digital activity. Discussions will focus on topics such as disclosure, disclaimers, professional trade oversight organizations and guidelines, federal and state legislation, and current best practices. For some, it may read like an alphabet soup—FDA, FTC, HIPAA, PCI DSS, OSHA, COPPA, and so forth.
Chapter 8 looks at the risks associated with financial in the digital and online space by corporations including digital payment systems, digital and cryptocurrency (Bitcoin and others), crowdfunding, online microfinancing, online investments, and so forth. The second part of this chapter focuses on one specific purpose of corporate spending through advocacy and digital campaigns (lobbying, charitable fund-raising, etc.).
Chapter 9 focuses on the emerging concerns of risks related to succession planning and management in the corporate environment. Topics such as succession planning, the IT security shortage, women in security, protection of digital assets, security of assets, continuation of digital activity and content management, digital expiration, and so forth will be discussed, as well as digital legacy, digital immortality, and digital resurrection.
Finally, Chapter 10 takes a look into the future to explore the future of information security and risk management. Four possible future scenarios are presented: growth, transformation, constraint, and collapse. Then particular future concerns regarding specific technologies will be discussed including the Internet of Things, drones, health and medical sensors, big data analysis systems for security intelligence, and privacy evolution.
Lastly, fear not: Although this book is written by an attorney, it is not written in legalese. Its perspective is from a practical standpoint—business, strategy, and management—and its purpose is to be referred to and used again and again. I acknowledge that legal aspects will always be part of security and risk management, especially within the context of compliance, but this book is a not a legal treatise. You will learn enough to understand why the risks exist and why certain solutions and best practices are proposed—and enough to know when to pass it on to the attorney. If you are an attorney reading this book, this book can serve as a starting point for some legal principles and how they apply in the overall business setting, but do not stop here.
So we begin with defining risk management and security in the context of the digital environment. Are they different because of this new context or have they just been expanded?
Chapter 1
Risk Management Digital Style
Abstract
This introductory chapter lays out the context of the book by giving an overview of risk management concepts and how they apply in a digital environment. It goes over risk management models and the risk management process.
Keywords
BlueWave computing; Critical security controls; Incident response; Models; Risk analysis; Risk assessment; Risk identification; Risk level; Risk management; Risk management apps; Risk mitigation; Risk remediation; Risk response; SANS; Security; Socially legal audit; Threat
Which risks are relevant? Those that impact business goals.
Which risks impact business goals? They all do.
Did you hear the one about the IT security officer who resigned
after it was discovered that a data breach at its retail operations headquarters that affected millions of customers could have been avoided if only one of over 60,000 alerts had been heeded?¹ Or the one about a security consultant who leaked information about a government surveillance program, bringing world leaders to the defense, who ended up exiled in Russia but had a great turnout at South by Southwest?² Or how about the one of computer engineers who lost their life savings and their jobs in the misplacement of digital currency?³ Or the one about the employee who left a company laptop connected to public Wi-Fi at the coffee shop that led to insider trading violations and criminal penalties?⁴ Or the one…
I think you get the point. There have been a lot of ones
in the news and even more not in the spotlight. In 2011, Verizon reported 855 incidents and 174 million compromised records.
⁵ To update that, the Online Trust Alliance (OTA) released their report in January 2014, which indicated that of over 500 data breaches in the first half of 2013 31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering.
⁶ What do these have in common? They all dealt with information technology in the online digital environment.
As we begin our exploration of online risk and security, it is useful to make sure we are on the same page. Defining the lexicon of the landscape allows us to define risk management and security in the context of the digital environment and determine whether they are different because of this new context or because they have they just been expanded. Therefore, we begin with standard definitions of risk management, risk, security, and threat. You may have your own favorite you use, but we will stick with these as we head out.
Risk management
The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.⁷
Risk
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.⁸
Security
The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action; the extent to which a computer system is protected from data corruption, destruction, interception, loss, or unauthorized access.⁹
Threat
Indication of an approaching or imminent menace; negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. A threat may be a natural phenomenon such as an earthquake, flood, or storm, or a man-made incident such as fire, power failure, sabotage, etc.; action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities.¹⁰
Most of those definitions should seem familiar to you. However, there are some key words within them that bear special consideration as we look at online security and risk management. First, risk management brings up the issue that there are acceptable and unacceptable risks—what would be an acceptable risk has long been debated by security professionals. One school of thought is that any risk is unacceptable. The other believes it is a return-on-investment (ROI) question—how much does it cost to mitigate the risk versus how much will the risk impact cost if left alone?
Second, notice that the definitions of risk and threat are symbiotic with two main differences: a threat is indicated as something that can be foreseen and is imminent; a risk is just a probability. But both indicate that they can be avoided to a certain extent—excluding natural disasters.
Third, security is presented to offer a safety net around property—whether tangible or intangible, such as online data. And last, risk management is about looking at risk and threats and setting up procedures to answer some specific questions to give a sense of security:
1. What are the real, material risks and threats?
2. What are we doing about them?
3. Is what we are doing actually working?
Risk management models
Companies cannot eliminate all risks for two reasons. First the internal and external threats that cause risk are very dynamic. Second, control investments eventually result in diminishing returns.¹¹
There are quite a few risk management models out there. Just Google risk management
and you will have, as I did in July 2013, over 388,000,000 results come up. But most of the models concur on a series of steps that make the process viable and effective.
Step 1: risk identification
Identifying what risks may actually exist in a company’s online infrastructure and digital activity is where it all begins. There are a number of tools to assist the internal risk management professional to complete this on their own, as well as a number of third-party companies that offer auditing and risk assessment services for a price.
The gathering and compilation of this information should go beyond a report. It should be looked at as a dynamic and changing set of factors that need to be understood and dealt with in a strategic way, meaning in the best interests of the company (legally of course).
Many companies use a series of security and risk management questions to help guide their collection of the needed data. One good resource is a paperback called The Ultimate Security Survey by James L. Schaub and Ken D. Biery. It is in its second edition and a bit on the expensive side ranging from $625 to over $1000 on Amazon.com.¹² But it is very comprehensive.
At a minimum, an audit to gather risk information relating to online and digital activity security should include:
• The mission and demographics of the company
• Inventory of the current online footprint of the company (social media platforms, Web sites, intra and internets, blogs, etc.)
• Inventory of digital and mobile devices accessing company data (laptops, tablets, smartphones, etc.)
• Inventory of access points into and out of company data systems
• Review of current online and digital activity security and risk management strategies and plans
• Review of online/digital employee roles, responsibilities, and liabilities (social media managers, mobile directors, app developers, etc.)
• Review of current IT-related policies and procedures (including social media, IT, privacy, passwords, e-mail, etc.)
• Review of online digital disclaimers and disclosures
• Review of online digital assets (including copyrights, trademarks, trade secrets, content contracts, development contracts, etc.)
• Review of company terms of use and service agreements with third-party vendors
• Review of online and digital content/document retention policies and procedures (including cloud-related legal concerns)
• Review of data collection, data security, authentication, and access
• Review of online crisis and reputation management
• Review of federal and state laws, and industry regulations and compliances that the company is subject to regarding online and digital activity
• Review of human resources’ use of online data for the employment cycle (including recruitment, interviewing, performance evaluation, and termination)
• Review of marketing’s use of online and digital resources to ensure compliance with specific regulations (such as contest and promotion rules, gaming laws, truth-in-advertising requirements, etc.)
• Review of cyber-risk insurance and coverage
For an example of an audit specifically focused on social media risk and liability, see the Socially Legal Audit sidebar.
SOCIALLY LEGAL AUDIT®
http://sociallylegalaudit.com
The Socially Legal Audit™ (SLA) tool is an instrument developed by Law2sm, LLC (www.law2sm.com) and Avax Consulting (www.avaxusa.com) to assist a company to ensure that their social media presence and activity is in line with state and federal laws, as well as regulatory compliance.
The audit includes taking an inventory of the organization’s social media/digital footprint, interviews with key staff members about social media usage in the firm, comprehensive assessment of legal risks associated with that footprint, and recommended strategies for protection of digital assets and reduction of liability. Components of the audit include:
• Inventory of social media footprint
• Comprehensive report of legal risks/liabilities
• Recommended legal strategies
Audits function as invaluable strategic tool for a company to ensure an ROI in regard to online and digital activity security and risk management. An Ernst & Young commissioned Forbes Insights Global Survey (2012) found that 75% of the respondents indicated that their internal audit function has a positive impact on their overall risk management efforts.¹³ In an earlier 2010 survey, 96% of respondents indicate that their internal audit function has an important role to play in their overall risk management efforts.¹⁴
By asking the right questions, the SLA leads a company to:
• Strategic business insights
• Increased subject matter expertise (specialized knowledge)
• Compliance with laws and regulations
• Decreased liability and risk, including reduction in litigation expenses
• Improved employee–employer relations
• Enhanced customer and brand advocacy relations
Audits are conducted by SLA-certified auditors¹⁵ and reviewed by SLA-trained attorneys who prepare recommendation reports for clients. Training and certification are provided various times throughout the year in various locations around the world.
¹³ The Future of Internal Audit is Now,
Insights on Risk, July, 2012.
¹⁴ Unlocking the Strategic Value of Internal Audit,
2010.
¹⁵ Certified Auditors—Socially Legal Audit,
http://sociallylegalaudit.com/certified-auditors/ (accessed 2/8/2014).
Some information gathering techniques include:
• Brainstorming—a process whereby an individual or a group thinks about a topic or issue and comes up with ideas to solve the problem without filtering them first. The key to this technique is spontaneity. Ideas are reviewed for feasibility later.
• Delphi Technique—a group of experts respond to a questionnaire, their answers are reported back to them anonymously, and they are encouraged to revise their previous answers based on the group’s answers. This can be repeated a number of rounds
or until a consensus is achieved, thereby producing the most correct
answer.
• Interviewing—a process of asking a specific individual specific questions regarding a specific issue or matter. In the case of online risk management and security, the interviews are usually conducted on key personnel related to the area such as the security director, IT director, as well as some regular staff to understand the breadth of online activity and mobile use throughout the company. In addition, some security and risk management professionals from outside the company may be interviewed to get some insight into the trends and best practices of the industry.
• Root Cause Analysis—a process of evaluating what caused a specific breach or security incident to occur. This takes place after the event but can be used to prevent the event from repeating in the future.
• Checklist Analysis—a tool that lists specific risks that may occur for a specific project or are known to have occurred in other security/risk management systems. The lists can be developed from historical information (prior incidents) and/or knowledge and expertise of current staff.
• Assumption Analysis—a process in which the individual or team documents all the presumptions that they have regarding the issue at hand. These assumptions
can include things the team believes to be true, which may or may not be true.
• Diagramming Techniques—different processes to visualize data and its relationships by showing them in a sketch, drawing, and/or outline.
• SWOT Analysis—the process of evaluating the strengths, weaknesses, opportunities, and threats of a company’s particular security and/or risk management system.
• Expert Judgment—the seeking and use of a decision made by an individual with wide-ranging and authoritative knowledge and/or skill in a particular area after he or she has reviewed and evaluated certain evidence and/or data.
We will be discussing specific risks throughout the rest of the book; however, most online and digital activity risks fall within the following categories:
• IP/Sensitive Data Loss—disclosure or leakage of data that the company defines as proprietary information or confidential information that relates to clients, company strategies, competitive intelligence, etc.
• Compliance Violations—disclosure of information or inappropriate communication of information that violates regulations set forth by federal and state laws and/or regulatory agencies.
• Reputational Loss—one key to successful online activity with clients and the public is transparency of who is communicating and the assurance to the public that it is the company speaking through official company channels. Misperceptions, damaging perceptions, and misinformed assumptions can generate a loss of good will and tarnish a company’s name in a matter of characters or minutes due to the prolific and exponential nature of content sharing in the online environment.
• Financial Loss—security and risk incidents can be expensive between the breach itself, the investigation, and remediation strategies put into place, and notification requirements specifically related to leaked data, etc. There have been circumstances where stock prices went down because of a Twitter Tweet. All of the losses on this list can have a monetary consequence.
• Safety Loss—online and digital activity not only leave footprints of where an individual has been but also can provide information as to where an individual can be, whether that is a person or a corporation. This can lead to a physical safety concern for traveling executives and key members of a company’s management team, including the board of directors.
• Personal Reputation Loss—online postings may take on a personal nature, indicating specific traits of an individual or describing specific behavior of that individual that may be judged as negative by a company’s client base. Concerns here can lead to claims of defamation or damage to a person’s character leading to a loss of their livelihood.
Step 2: risk analysis/assessment
When asked to name the top three challenges (in regards to risk management) the largest proportion of executives (47 percent) cite difficulty of understanding the entire risk exposure on a global enterprise basis, and nearly as many (44 percent) see the same problem at the business unit level.¹⁶
A phrase I like to share with clients is data that is formatted is information; information that is processed is knowledge; knowledge that is applied is wisdom; and wisdom that is shared leads to success.
A company’s list of identified risks must then be put into a risk analysis process to help evaluate the risks in terms of the company’s risk aptitude. Greg Chevalier from BlueWave Computing (see BlueWave Computing) calls it a company’s risk appetite.
The overall susceptible risk environment is the elephant in the room for many companies, and their key question is how does one eat an elephant?
According to Chevalier, one bite at a time.
This then leads to the second question, how much of the elephant does the company want to eat?
BLUEWAVE COMPUTING
http://www.bluewave-computing.com/
BlueWave Computing (BWC) was established in 1997 by Steven Vicinanza to provide comprehensive information technology services to small-to-mid-sized companies. Its mission statement reads:
BlueWave Computing is the IT management partner of choice for small and mid-size organizations that require the highest reliability and performance from their computing systems but for whom IT is not the core business. We deliver a comprehensive set of IT services that enables them to better achieve their objectives. We do this through highly educated, disciplined, and skilled employees, who aspire to be recognized as the best, and who are passionate about both the technology and the welfare of our clients.
BWC’s business strategy is to have laser-focused solution disciplines within the company to ensure that they can attract the right kind of expertise and build integrity in the market place. One of those focused areas is information security and management, and in 2009 it started the BlueWave Computing Information Security Group. By doing so, BWC expanded its offerings to include information security risk and vulnerability assessments, penetration testing and vulnerability scanning, 7 × 24 × 365 managed security and monitoring that includes intrusion detection and prevention, information security education and training, and implementation of information security technologies. It is also set up to become a leader in information security education with a state-of-the-art training facility and Certified Information Systems Security Professional (CISSP)-compliant curriculum that will allow students to qualify for continuing education (CE) credits.
BWC is a nationally recognized managed service provider (MSP) that has won hundreds of awards and recognition by its peers and security industry associations. They currently have 140 employees, of whom 80% are engineers. They run both on-site and off-site operations for clients and in the security arena offer a Chief Information Security Officer (CISO) In a Box
that provides the client a comprehensive turnkey solution—risk/compliance, security analysis, network security monitoring—and various complex analytical tools.
This is BWC’s competitive edge—offering a one-stop shop for clients from audit to monitoring to compliance. This edge allows the BlueWave client to look at information security in business terms and not just technical terms.
INDUSTRY EXPERT: GREG CHEVALIER
President, BlueWave Computing Information Security Group
http://www.bluewave-computing.com/BlueWaveServices.aspx?id=security
Greg Chevalier is currently the president of BlueWave Computing’s Information Security Group.
Greg has more than 25 years of experience in the technology field including: 10 years within the IBM Company running a $250 million business unit; 7 years providing executive leadership in growth-stage companies in the $5 million to $100 million revenue range; and 9 years in biometric identification and information security markets including authentication technologies, encryption technologies, and network and wireless access technologies delivered throughout the world.
During an interview, Greg outlined some specific trends he saw in the future regarding information security:
1. Information security risk/advantage must become a front and center strategic decision for companies.
2. Information security and risk management is no longer a percentage of the IT budget but now its own budget with a number of line items, emphasizing its increased importance to the company.¹⁷
3. Cyber-security insurance is now an option weighed against potential data breaches to offset risk, but will become a standard offering to companies.
4. Within the next decade or so, self-policing of data will regulate privacy concerns as consumers will dictate to companies what data access they find acceptable and companies will adapt to these consumer demands.
5. Wall Street and Financial Analysts will increase their scrutiny of a company’s IT security to determine the value of the company’s stock and overall value of the company itself.
6. Advanced persistent threats (APTs) will become more evasive and more frequent requiring constant monitoring to detect and remediate these benign but sophisticated data breach attack methods and risks.
7. Mobile makes everything more complex and less controllable as it provides new entry points into a company’s data environment. Standards, policies, and controls, and enhanced training will be developed to address mobile risks.
8. Education: it is my belief that information security awareness and education training, along with high-level information security degrees will grow into a national curriculum being pushed down to all levels of our education system—from elementary school to graduate programs.
¹⁷ However, a 2013 Oracle Report found that for 35% of organizations, their security spend was influenced by sensational informational sources rather than real organizational risks.
Brian Pennington, IT Security Still Not Protecting the Right Assets Despite Increased Spending,
http://brianpennington.co.uk/2013/07/17/it-security-still-not-protecting-the-right-assets-despite-increased-spending-2/ (accessed 2/11/2014).
For many companies the answer depends on the risk analysis and the assessment of each risk in terms of:
1. What is the actual risk?
2. What is the probability of the risk occurring?
3. What is the likely impact the risk would have on the company should the risk occur?
4. What will it cost to minimize the risk?
5. What