Cyber Board Training: Commercial Property Company

Increasing continuity and clinical care services by executing an effective cyber risk management strategy

Challenge

The board of directors of a private commercial property company needed a better understanding of what cyber risk oversight entails and how to provide it. The company operated digital services within its commercial real estate properties, which were leased to high-end malls. The independent board chair, in a proactive move, wanted to elevate the effectiveness of the full board’s cyber risk oversight and cyber risk awareness. Most of the cyber training available was either too technical, or unengaging and standardized off-the-shelf. The chair wanted something that was engaging at the board level and customized to the board’s needs.

Outcomes - Strategic Value

Working with the independent board chair, we delivered the following:

  • Increased confidence in asking the right cyber risk oversight questions

  • Improved guidance offered to management focused on cyber risk related to business strategy

  • Third-Party cyber risk governance model

  • Director cyber hygiene

  • Actionable awareness of cyber risks and their business impacts

Background - Context: Re-evaluating Cyber Risk Posture

Healthcare organizations seek to focus on patient care and service delivery quality, and Information Technology (IT) and cyber security are a critical part of that equation. Our client is a healthcare organization that prioritized cyber security as part of its operations. It had implemented what it believed were sufficient cyber risk controls and a strategy that included prevention, detection and response capabilities.

They experienced a close call when a cyber intrusion into their systems disrupted their operations and required all available personnel to activate containment procedures. Fortunately, the intrusion did not compromise patient health records. After the incident, the organization decided to re-evaluate its cyber security to answer some key questions: Why didn’t we detect the intrusion proactively? How do we know whether we have the right solutions and strategy in place? Where are our significant risk areas? What should our future cyber security strategy look like given our growth trajectory? How will our cloud migration and adoption change our risk profile?

The organization decided to seek answers to these questions and potentially re-evaluate its cyber security strategy, and we were engaged to help.

Role of the CEO

The CEO played a pivotal role during this engagement, especially at the beginning, by:

  • Prioritizing proactive engagement

  • Establishing/securing board support

  • Modeling cyber-priority behaviors and culture for the rest of the organization

  • Learning about cyber risks

CEO Cyber Risk Guide

How We Helped

Our engagement with this client was meaningful in three broad categories or dimensions:

Uncovering Unknown Cyber Risks

Defining and Developing a Cyber Risk Mitigation Strategy

Executing the Cyber Risk Strategy

Uncovering Unknown Cyber Risks - Before the client engaged us, they did not have clarity about their cyber risks and solutions. They really didn’t know what they didn’t know. They had outsourced their cyber security to an external service provider and had been told repeatedly that they had effective cyber security technology and controls. They had also seen some proof of this statement, such as the deployment of EDR, firewalls and patch management reports. We completed a comprehensive assessment and analysis of the functional areas and their operations, including interviews with their third-party service provider. To our surprise and the surprise of our client, we discovered that a critical cyber function (proactive security monitoring) was missing. In other words, if a threat actor compromised their systems and exfiltrated PHI or other sensitive data, the intrusion would go undetected until some external party (e.g. affected customers, the FBI, etc.) notified our client. That was a significant problem, especially since their understanding was that they already had this capability.

Defining and Developing a Cyber Risk Strategy - In addition to the security operations gap in proactive security monitoring, our priority findings included gaps in the following areas: asset management, cloud adoption/migration, cyber governance, threat/vulnerability management, data protection, and cyber and user awareness training. We developed a strategy with specific recommendations to help close these gaps in order of priority and in accordance with the organization’s risk profile and business objectives. In essence, we helped them define what good cyber risk management looks like, and how to get there and stay there.

Executing the Cyber Risk Strategy - Upon completion of the risk strategy engagement, our client requested a follow-up engagement to execute the priority recommendations we had proposed. The CEO and COO wanted our assistance in executing critical elements of the strategy. These included significant items such as the sourcing, comparative evaluation and selection of a best-fit service provider for them. We also delivered additional cyber risk services such as cyber learning clinics, penetration testing, architecture reviews and contract reviews.

“We’re very glad that you’re here. We’re getting way more value than we expected.”
— CEO, Healthcare Organization

Lessons Learned

Trust but verify what your MSP tells you on a periodic basis

Understand the options available to you

Establish/determine what level of cyber insurance is required

Make it

Outcomes - Business Value Added

Our engagement with this client added value in three broad categories or dimensions:

Cost Savings - 10% monthly, positioned for future cloud-related savings

Service Quality - now measured with focus on NPS

Risk Reduction

Cost Savings - 10% monthly, with the organization positioned for future cloud-related savings.

Risk Reduction - It is difficult to accurately estimate the amount of risk reduced as a result of the strategy execution. However, we can provide conservative benchmarks based on industry standards and reports. For example, according to the Mandiant report, the median dwell time (i.e. the time attackers go undetected) in the Americas is 12 days for non-ransomware intrusions and 5 days for ransomware intrusions. During our pilot testing, our client was able to reduce this time to less than 4 hours.

More than 10 critical strategic and operational gaps in our client’s cyber security posture were remediated, thus reducing the risk associated with these structural elements. These all included significant vulnerabilities that could have led to material intrusions or data breaches.

Human error drives most cyber incidents, as cited in the Harvard Business Review article:

https://hbr.org/2023/05/human-error-drives-most-cyber-incidents-could-ai-help

Approximately 88% of data breaches are caused by employee mistakes. We executed cyber learning clinics focused on employees to help reduce the risk associated with the human element of cyber.

A proof point for the effectiveness of our learning clinics is qualitative feedback from employees describing how they stopped potential cyber incidents within the organization, and also how they helped family members avoid falling victim to cyber attacks.

Qualitative feedback, and user awareness extending to employees’ home life and families

vulnerabilities that would have gone undetected were identified and remediated.

Human element contribution to cyber risks; 80% and credentials;

Corrective actions that would have gone unmitigated

but we believe a conservative estimate is 50% given that proactive security monitoring, detection and response.

70% of intrusions are detected in one week or less

According to the Mandiant report, 55% of incidents are detected by external sources as opposed to internal ones, an indication of whether incident detection is reactive or proactive.

SIEM numbers; other contributions to user awareness; number of vulnerabilities; critical systems with default configurations and passwords; process for on-going risk management.

Service Quality - Going from no NPS measurements to being intentional about quality. The strategy focused on balancing security and risk management with user experience.
