If you’re even loosely connected to the financial services industry, you’ve no doubt heard about the newest cybersecurity requirements issued by the New York State Department of Financial Services (called 23 NYCRR 500). Though right now these requirements just apply to regulated entities within the jurisdiction of the NYDFS, they’re likely indicative of future regulations to come to industries across the board.
You’ve likely never heard the term “risk surface” before, but it’s an important concept that captures the way modern enterprises must manage risk. To that end, we’re providing an in-depth definition of what risk surface is so you can begin to expand your understanding of cyber risk management in the current landscape.
If there’s a lack of collegiate enthusiasm among today’s high schoolers, it’s not difficult to discover why: community colleges are woefully packed, universities are prohibitively expensive, and students are crippled by loans. And while those factors alone are enough to steer high school graduates away from the college route, there’s another cost that is almost never factored into the price of higher education—data.
Universities have access to their students’ highly sensitive information, ranging from how much money their parents have in savings to how often they experience bouts of depression. Think about the contents of a student record, for instance: contact information, high school records, test scores, academic grades, parents’ names, emergency contacts, social security numbers, detailed financial information, scholarships, and much more. Then there are the health records, which contain immunization dates, health data, and extremely sensitive health information. And since 68 percent of universities have full law enforcement agencies, most universities also have student police records.
We hold banking institutions to a high degree of accountability with regard to safeguarding our personal information, but when it comes to higher learning institutions, our standards are inexplicably lax. Exactly how lax? We decided to find out.
Putting Data Risk in Context
RiskRecon benchmarked the software vulnerability management practices of a wide range of universities against a broad set of banking institutions. In doing so, we risk-contextualized every discovered software vulnerability based on a proprietary mix of issue severity and the sensitivity of the system in which the issue exists.
Systems that required user authentication or that collected sensitive data, such as email addresses or credit card numbers, were considered to be highly sensitive systems. Issue severity was based on the Common Vulnerability Scoring System or CVSS.
Using this method, we not only determined which industries had higher rates of issues, but also measured how each industry performed in protecting the most sensitive systems from the most critical vulnerabilities.
If you were betting that universities performed worse than banking organizations at safeguarding data, pat yourself on the bank: you win.
The alarming part of our study wasn’t that universities perform worse in software patching—it was in discovering by how much they underperform. Analyzing the data without regard to issue severity or system sensitivity, the rate of software vulnerabilities in internet-facing systems at universities is 10.6 times higher than that of banks.
Universities performed even worse in protecting highly sensitive systems that process regulated data such as personal health information, credit card numbers, email addresses, and authentication credentials. For highly sensitive systems, universities have an issue rate 13.5 times higher than banks.
Outdated Software Means Vulnerable Data
In case you thought it wasn’t going to get worse...it does. Besides having dramatically higher rates of vulnerabilities in systems that process sensitive data, universities also have an extraordinary amount of highly critical issues that have been present in systems for a very long time.
For example, 24% of universities have one or more Internet-facing systems that are running OpenSSL 0.9.7, which has not been supported since February 2007 and has had multiple high-severity vulnerabilities since 2010. In a span of 11 years, universities have yet to remove OpenSSL 0.9.7 from their systems.
The table below shows the percent of organizations with one or more of the selected critical severity issues present in their internet-facing systems.
It’s unfair to saddle students with astronomical debt before they’ve even graduated, but it’s downright criminal to also leave their sensitive information exposed. The most frustrating element in all this is that universities just don’t seem to care. After all, they have the resources to do a good job of managing information risk. Many offer courses and degrees in cyber security, staffed with experts in the field and students eager to learn the discipline. Why not use the research being preached in the classrooms and published in academic papers and apply it to protecting their institutions?
Universities are also good at establishing and complying with performance standards. They do it in the areas of academics, student admissions, and athletics, so why not in information risk management?
It’s time for universities to band together as an industry to self-regulate their information risk management practices. In doing so, universities could achieve good information risk management while providing the world some much-needed practical research in managing information risk that universities are uniquely qualified to provide.
If they don’t self-regulate, government regulators will eventually step in and impose regulations that have real consequences. It’s very possible that a federal regulatory framework would condition funding on certification to regulatory requirements.
Now is the time to act. Sensitive data held by universities is at significant risk of compromise; it’s clear that they’re not doing a good job of managing that risk. Further, public disclosure of a major breach of a university is inevitable. When that happens, the regulatory wheels will start turning in Washington, D.C. Universities and their stakeholders will be much better off if they act now as individual institutions and as an industry to manage information risk well.
We owe it to our students to take better care of their information, otherwise we’re setting them up to fail and delivering them into a world that has no regard for their sensitive data or their success.
We’re well-versed in security breaches by now, but there’s still some uncertainty about whom to blame when things go wrong. A solid example of that is the recent Ascension Breach that involved Rocktop Partners, OpticsML, and various financial institutions in the mishandling of mortgage information.
We’ve delved into the Ascension Breach in a recent article published in Information Management. There are three important takeaways from the Ascension Breach:
- Information security matters – Regardless of the size of your organization, you’re responsible for protecting the privacy of your data. Being a small business is no excuse.
- Risk surface is expansive – Your risk surface isn’t limited to your immediate systems; it’s anywhere the confidentiality, integrity, or availability of your data or transactions is at risk. That risk includes your third- and often fourth-party vendors.
- You’re responsible for investigating your partners’ information security – If your customers have given you data—in this case, sensitive mortgage information—you’re responsible for protecting that information even if you sell it.
- Regulations need to expand – While banks are strongly regulated, entities that deal with financial institutions and interact with their data are often not. Regulations need to regulate every organization that deals with consumer information.
And what about the customer? Where do they stand? Read the full article to delve into the details of the breach.
We’re excited to announce RiskRecon’s new partnership with RSA Archer. RSA Archer was last year recognized as a leader in Integrated Risk Management in Gartner’s Magic Quadrant report, and for good reason: the software excels in threat detection and response, fraud prevention, integrated risk management, and identity and access management.
Now, RSA Archer users have access to RiskRecon’s in-depth third-party vendor risk assessments, making enterprise companies’ risk management practices more comprehensive and providing valuable cybersecurity knowledge upon which companies may act with confidence.
The partnership is an ideal marriage of risk management techniques. With RiskRecon, customers will have significant visibility into objectively verified security questionnaire responses, saving analysts significant time and yielding better third-party risk outcomes.
"Given how widespread and impactful issues related to third parties have become, it's clear that organizations must manage third-party risk more actively," said David Walter, Vice President of RSA Archer. "By partnering with RiskRecon, we can better enable customers to minimize risk by establishing continuous, actionable visibility into the security of their third parties."
We’re excited for this opportunity to help more customers significantly manage cyber risk and are honored to be part of RSA Archer’s innovative and impactful integrative risk management approach.
Vendor questionnaires are a vital part of determining the cyber risk of your third- and fourth-party vendors, but they also are risky propositions in and of themselves. After all, administering a vendor questionnaire involves a tremendous amount of trust: it’s a bit like trusting a cook when you have a severe gluten allergy.
In our latest article in Dark Reading, we provide six solutions to ensure you’re getting the most out of your vendor questionnaires. Here’s a rundown of those six solutions:
1. Keep your questionnaires to a reasonable length to keep costs low and engagement high.
2. Trust the answers you’re given, but verify them.
3. Alter the frequency at which you administer questionnaires: less often for high-performing vendors and more frequently for vendors who have difficulty coming into compliance.
4. Customize your questions to fit your vendor, and use the questionnaire to target the data you’re most interested in.
5. Don’t rely on vendor questionnaires alone: make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.
6. Determine the answers you need and then craft the questions after; don’t use yes/no questions unless they’re very specific.
Of course, that’s all easier said than done. For advice on how to implement our solutions, read the full article.
As vendor risk management becomes a more clear and present danger, the challenge for mitigating vendor risk is twofold:
The mergers and acquisitions process is scary enough, but absorbing another company’s digital assets without full visibility into their entire digital infrastructure is downright harrowing. This is perhaps best evidenced by Marriott’s experience during their Starwood acquisition: after the acquisition had been finalized, Marriott discovered a major data breach. Marriott’s direct losses due to the breach range between $200 million and $600 million. On the high end, that is nearly 5% of the total Starwood acquisition price—a high price to pay for negligence.
Thankfully, there’s a process for mitigating your cyber risk during the M&A process so you can avoid a mistake like Marriott’s. In a recent article published in SC Magazine, the process is outlined in five important steps:
VMblog.com, Virtualization Technology News and Information, recently posted some thought-provoking 2019 cybersecurity predictions from industry veteran Kelly White, CEO and Co-Founder of RiskRecon. In this article, Kelly touches on the growing importance of third-party cyber risk management, how hackers are focusing on third-party vulnerabilities, and provides four well-founded security predictions to help guide your security best practices for 2019 and years to come.
Kelly's full article and predictions can be found in the 11th annual VMblog.com series exclusive, along with other contributions from industry executives and experts.
RiskRecon is pleased to announce the release of the Portfolio Issue Priority Matrix. The Portfolio Issue Risk Matrix provides you instant visibility into the risk distribution of security issues across your entire vendor portfolio. The interactive matrix enables you to identify the vendors that have issues within each risk priority. This is yet another way that RiskRecon makes it easy for you to understand and act on your third-party risk.