Author: Erik Rasmussen and Andy Jabbour
FM Issue: September/October 2018
Attach “cyber” in front of any concept, and it sounds futuristic, savvy, but ominous. With the headlines overflowing with news about data breaches, the word is also fatiguing, overused (“cyber thought leader,” “cyber strategist,” “cyber guru…” really?), and has led to tuning out the messages behind those concepts. To understand if it is even appropriate to plug in to any discussion, one must first define it.
In common use, “cyber” refers to the world’s computer networked systems – from endpoints, like the cameras, smart phones, and laptops ever present at venues – to the servers, data centers, people, and processes supporting the use and ensuring the security of those systems. As we see story after story of data breaches, ransomware incidents, and other threats, venue leaders may wonder what threats and risks their facilities and people actually face today, and where those are heading as we move into the near future.
At VenueConnect 2018 in Toronto, our two panels discussed exactly that, as well as some of the things venue leaders can consider doing to enhance their preparedness and reduce their risk. Building off the efforts of IAVM’s Venue Safety and Security Committee, the panels were designed to raise awareness of the threats venues are exposed to today. These range from social media, point-of-sale terminals, and Internet of Things / connected devices, to common – almost now classic – threats like the business email compromise (recently identified by the U.S. Federal Bureau of Investigation as a $12.5 billion global issue), data theft, and website defacement, and increasingly include emerging and likely enduring issues like cryptomining, supply chain, and third-party vendor risk. There is no shortage of opportunities for cybercriminals and other threat actors to threaten a venue. With an eye towards emerging threats – from blended threats that can impact cyber-physical systems, to the blended threat actor masking their motives and backers to confuse the victim, to the innovative ways actors are refining their approaches to distributing malware – leaders need to be on guard, constantly vigilant, and innovative to protect their organizations, their operations, their patrons, and staff.
Understanding the threats is important, but leaders cannot do everything and so they need to assess their risks and take appropriate actions to mitigate those greatest concerns. Venue risk management may include some level of risk transfer – such as through insurance or shifting to vendors or other possible entities – and some level of risk acceptance, which the U.S. Department of Homeland Security defines as, “explicit or implicit decision not to take an action that would affect all or part of a particular risk.” However, as with other common threats with serious risks, some level of preparedness is increasingly important. As most venues have emergency exit signs, sprinklers, alarms, fire drills, safety training, and other common equipment and activities to prepare for common threats, increasingly, it is important to similarly prepare for the most common cyber threats.
What does basic preparedness look like, and what can it look like when things go wrong?
Before implementing the controls desired to effectively minimize risk, the venue risk manager must learn what is valuable, what it costs to lose or suffer damage to those valuables (those “crown jewels”), and what is an acceptable level of loss. The venue risk manager, or an independent, qualified body, must carefully assess the environment before committing to protecting it. The range here is limitless – loss of data, loss of business, systems downtime, reputational loss, loss of client trust, etc.
The approach to preparedness can be framework-centric, the equivalent of a lawyer arguing a point based on statutory authority. This involves mapping the venue computer network to concepts authored by reputable organizations such as the National Institute for Standards and Technology (NIST) or the Center for Internet Security Critical Security Controls (CSCs), or a mandated set of regulations such as the Payment Card Industry Data Security Standard (PCI DSS) if the venue processes, stores or transmits cardholder data. These frameworks provide a structured way to approach addressing risk.
The approach can also be process-centric, the equivalent of a lawyer invoking “common law” to persuade a judge or jury. An acronym used in the security space is “PPT” – People, Process, and Technology. The three elements are equally weighted and heavily intertwined. Assessing and maturing “People” – the employee, the executive, the vendors, the adversary – is invaluable. By ensuring “People” are properly trained, educated on cyber risk, held accountable, made aware of the principles of information security, the venue risk manager is empowering the workforce.
Working hand-in-hand with this is the “Process” prong, which is the creation and enforcement of policies and procedures. Incident response planning, acceptable use policy creation, information security governance, and business continuity planning are all foundational components to preparedness.
Lastly, a “Technology” overlay is also needed, whereby inner, middle, and outer perimeter concepts match up with the appropriate hardware and software. If the relevant administrator is not aware of the firewall rules or up to speed on the latest vulnerabilities tied to their domain controller, or the security camera infrastructure is left out of the scope of endpoint monitoring because no one recognized that the available tool supports that infrastructure’s operating system, preparedness fails.
Whatever approach is taken, as a framework is applied, leaders need to properly apply a deliberate process to develop, validate, and continually improve organizational readiness. Choosing a framework – an approach – is critical, as is following through on it and ensuring the organization understands how to execute in accordance with that framework. For this, there is a common process encouraged by the U.S. Department of Homeland Security – the application of the Preparedness Cycle.
Preparedness can be defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response. As venues contend with what can be a very fast-paced, frequently changing threat environment, it is easy to be overwhelmed trying to determine how to prepare for and respond to the attacks and incidents that could arise. It seems many organizations are choosing to put off really addressing cyber risk, or are struggling to determine how to mitigate the array of cyber threats and associated risks they face. While the Preparedness Cycle is often thought of in relation to “traditional” threats – natural hazards and hostile events, for example – it is just as valid an approach to take in confronting cyber threats and works just as well to reduce the associated risks and impacts of such events.
Leaders need to understand the ever-changing threat environment and then assess their organization’s risks. From there, applying an established framework or process, and ensuring readiness via the Preparedness Cycle, leaders can minimize risk and ensure their organizations are best positioned to protect their “crown jewels.”
The VenueConnect 2018 panels, “Understanding the Current and Evolving Cyber Threats and Risks at Venues,” and “Venue Cybersecurity & Venue Preparedness,” included cyber experts Erik Rasmussen, Principal at Grobstein Teeple LLP, and Travis Farral, the Director of Security Strategy at Anomali, and were facilitated by IAVM Allied Partner, Andy Jabbour, with Gate 15.