With many companies looking at work from home options for employees in response to the Coronavirus pandemic, while still maintaining control over sensitive corporate data, here’s a timely case study on how one technology company chose the most cost-effective option to prevent data leakage through Shadow IT, with an assist from RiskLens quantified cyber risk analytics.
Executive management of a $9B technology company was faced with a challenge: They were losing control of sensitive information in their IT environment. The cause was not an external actor breaching information or even an internal bad apple acting maliciously against the organization. The cause of the data leakage was employees moving sensitive information to their personal cloud solutions in order to perform work at home.
How much risk was the organization truly facing as a result of the use of the Shadow IT? What controls could management put into place that could have a material impact on reducing risk of data loss from employees who have “keys to the kingdom” working from home?
The organization’s conventional approach to risk rankings could not inform executive-level decision-making. In order to answer these questions, the information security team needed to analyze and communicate risk in the terms best understood by business stakeholders: dollars and cents.
They turned to the RiskLens Platform, which combines an intuitive workflow process for scoping and data collection with a sophisticated analytics engine based on Factor Analysis of Information Risk (FAIR™), the industry standard for the quantification of information security risk.
With the assistance of the RiskLens Professional Services team, the organization began by focusing the analysis on the amount of risk associated with an employee inappropriately moving sensitive information from a workstation into a personal cloud system.
The simplified scoping capability within RiskLens allowed the analysts to rapidly determine what data points were necessary for the analysis, effectively reducing their workload by removing research into data that did not ultimately support quantifying risk.
The analysis collected data through structured workshop questions on key risk and control factors, including:
- Number of employees known to have exfiltrated data to their cloud systems
- Likely number of sensitive records a given employee has access to
- Existence of monitoring tools
- Segmentation of the data
- Resources required to respond to the breach
- Potential fines from regulators
Over the course of a three-day period, analysts were able to efficiently produce both high-level reporting and detailed results showing the risk in financial terms.
Fig. 1 Primary Losses
Fig. 2 Secondary Losses
Figures 1 and 2 illustrate the loss exposure across several categories, including incident response efforts, regulatory fines, and response efforts directed at those affected by the breach. Primary losses are incurred directly by the organization as a result of the cyber event; secondary losses arise from the reactions of secondary stakeholders, for instance customers or regulators. Distributions are used as the best way to communicate uncertainty, and the tabular data communicates the range of probable outcomes.
Analysts then created alternate, future-state scenarios, making “what-if” adjustments to the baseline scenario to model risk if data loss prevention (DLP) controls were implemented, or if employees’ ability to use personal cloud hosting were blocked. These comparison reports gave the organization tangible data on which to base a decision about which control to implement. The results were clear: one type of investment outweighed the other in terms of risk reduction.
Results & Key Benefits
The RiskLens platform allowed the organization to rapidly quantify the loss exposure from employees inappropriately storing sensitive information in their personal cloud system. Additionally, the quantitative inputs and documented rationale provided an opportunity to review and challenge the inputs used during the analysis. More importantly, the analysis empowered management with data to make a strategic decision on the type of control to invest in while maximizing risk reduction.
Fig. 3 Comparing Risk Reduction by Control
Figure 3 compares the current-state loss exposure with the loss exposure after either of the two controls is implemented. The current-state loss exposure (average) was $2.9M annualized.
Implementing a DLP threshold decreased the loss exposure by $1.4M, which was driven primarily by a reduction in the number of records an employee would be able to exfiltrate, therefore reducing the magnitude of the loss event.
The more significant impact was the $2.6M risk reduction from blocking cloud hosting on employee workstations, which was driven primarily by the reduction of threat event frequency. Disabling access to the cloud would create an additional barrier for the employee to bypass before being in the position to be a threat and exfiltrate the data. This decrease of threat events ultimately reduces the frequency of the loss event (the breach of data to personal cloud systems).
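As an added illustration (not the case study's model and not RiskLens code), the following FAIR-style Monte Carlo models annualized loss exposure as loss event frequency times loss magnitude and compares the two future-state controls described above: a DLP threshold caps the records exposed per event (reducing magnitude), while blocking cloud hosting scales threat event frequency. All input ranges, the record cap and the frequency reduction factor are constructed assumptions, not the figures from the case study.

```python
import random
from dataclasses import dataclass, replace
from statistics import mean

# All figures in this file are constructed for illustration, not the case study's inputs.

@dataclass(frozen=True)
class Scenario:
    """FAIR inputs expressed as (min, most likely, max) triangular ranges."""
    tef: tuple              # threat events/year: employees moving data to a personal cloud
    vulnerability: float    # probability a threat event becomes a loss event
    records: tuple          # sensitive records exposed per loss event
    cost_per_record: tuple  # primary loss: response cost per exposed record ($)
    secondary: tuple        # secondary loss per event: fines, customer notification ($)
    record_cap: float = float("inf")  # DLP threshold: maximum records per event

BASELINE = Scenario(tef=(1, 3, 8), vulnerability=0.5, records=(500, 3000, 10000),
                    cost_per_record=(40, 100, 200), secondary=(20_000, 100_000, 400_000))

def with_dlp_threshold(s, cap):
    """DLP control: reduces loss magnitude by capping records per event."""
    return replace(s, record_cap=cap)

def with_cloud_blocked(s, tef_factor):
    """Blocking control: reduces threat event frequency (scales the whole range)."""
    return replace(s, tef=tuple(x * tef_factor for x in s.tef))

def _draw(rng, tri):
    lo, mode, hi = tri
    return rng.triangular(lo, hi, mode)

def simulate_ale(s, years=20000, seed=7):
    """Monte Carlo annualized loss exposure: mean of simulated annual loss totals."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        expected_events = _draw(rng, s.tef) * s.vulnerability
        # stochastic rounding keeps the expected number of loss events unbiased
        events = int(expected_events) + (rng.random() < expected_events % 1)
        total = 0.0
        for _ in range(events):
            records = min(_draw(rng, s.records), s.record_cap)
            total += records * _draw(rng, s.cost_per_record) + _draw(rng, s.secondary)
        annual.append(total)
    return mean(annual)

def analytic_ale(s):
    """Closed-form expected ALE (ignores the record cap); sanity check for the simulation."""
    tri_mean = lambda r: sum(r) / 3
    per_event = tri_mean(s.records) * tri_mean(s.cost_per_record) + tri_mean(s.secondary)
    return tri_mean(s.tef) * s.vulnerability * per_event

def compare_controls(dlp_cap=1000, tef_factor=0.2):
    """ALE in dollars for the baseline and each future-state scenario."""
    return {"baseline": simulate_ale(BASELINE),
            "dlp": simulate_ale(with_dlp_threshold(BASELINE, dlp_cap)),
            "block_cloud": simulate_ale(with_cloud_blocked(BASELINE, tef_factor))}
```

Running `compare_controls()` reproduces the shape of the case study's finding: the frequency-reducing control cuts exposure more than the magnitude-reducing one under these assumptions, and the same harness can be re-run with the reader's own calibrated ranges.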
Through the use of the RiskLens platform, for the first time the analyst team could report results to executive management that were actionable, using the financial language commonly understood by all stakeholders.