The Challenge
As a financial company with over $17.5B in total assets it is important to not only have clarity into its cyber security risk landscape, but also to perform effective cost-based decision making to justify investments and budgets, including:
In this case study, this company identified a high degree of risk exposure tied to a malicious actor possibly gaining access to their shared storage, affecting the confidentiality of sensitive data.
Post author Christina Dulovich is a RiskLens Senior Risk Consultant
Management needed to know what control(s) to put into place to halt external actors from exfiltrating sensitive information: data purge, role-based access segmentation or drive encryption?
The organization’s conventional approach to risk rankings could not support executive management’s decision directly. The organization turned to the RiskLens platform to understand the risk in terms best understood by business stakeholders: return on investment (ROI).
The Solution
The RiskLens platform features an intuitive workflow process for:
The analyst team began by focussing on the amount of risk associated with an external actor breaching sensitive information held on their workstation shared storage, putting the data at risk of exfiltration
They used the simple scoping capability within RiskLens to rapidly determine what data points were necessary for the analysis. Analysts then collected data through the guided workshop questions on the platform, covering key risk and control factors including:
Figure 1
Based on the collected data, the team ran an analysis using the Monte Carlo functionality of the platform to establish the current state of risk as loss exposure in dollars. Figure 1 illustrates the ranges of probable loss exposure across several categories that incorporate incident response efforts, regulatory fines, and response efforts to those affected by the breach and reputation (loss of customers).
The comparison capability of RiskLens also allows future state, “what-if” analyses to be rapidly performed. In this scenario, analysts leveraged the tool’s comparison capability to model and compare the risk exposure reduction from performing a data purge, implementing drive encryption, or further enhancing their role-based access to their drives.
Additionally, they captured the investment cost needed for each of the three potential future states, to identify the return on investment (ROI). These comparison reports provided the organization with tangible data to decide on the type of control to implement. The results were telling – one type of investment clearly outweighed the others in terms of risk reduction.
Key Benefits
The RiskLens platform allowed the organization to rapidly quantify the loss exposure of an external actor accessing shared storage via compromised credentials. Additionally, the quantitative inputs a documented rationale provided an opportunity for stakeholders to review and challenge the inputs used during the analysis. More importantly, it equipped management with data to make a strategic decision on the type of control to invest in while maximizing their risk reduction.
Risk Reduction Driver of Data Purge Decrease in impact of the loss event via less exposed records |
---|
Risk Reduction Driver of Drive Encryption Decrease in impact of the loss event via sensitive information exposed not being plain text |
Risk Reduction Driver of Role-Based Access Decrease in impact of the loss event via less records accessed and exposed via compromised credential |
Figure 2
Figure 2 compares the loss exposure for the current state environment compared to the loss exposure if each of the three controls were implemented. Current state loss exposure (average) was $6M annualized.
Implementing drive level encryption had the largest risk reduction impact, $5.8M, driven by the reduction of external costs associated with the data exposure, as the data being exposed is encrypted and not plain text, resulting is drastically different levels of fines and judgements, notification requirements, and potential reputation damage from this loss event.
This control implementation had an investment cost of roughly $1M. Demonstrating a $5.80 return for every dollar spent in this investment, clearly justifying the effort to implement this control, and supporting the budget necessary. Using the RiskLens platform, for the first time, the analyst team could report results to executive management that were actionable, using the financial terms all stakeholders could understand.