Protecting Human Decisions

In an extension of our previous article on cyber resiliency, let's talk a bit about protecting human decisions as part of your overall cybersecurity strategy.

In the financial world, the value of financial decision data is on par with the account data itself. After shockingly bad decisions in the past that led to economic meltdowns, the minimal government regulation in this area is focused mainly on protecting the data used to make decisions, primarily so that we can avoid a similar meltdown in the future.

Other measures to protect cardholder data and private financial data are largely driven by industry governance, although there are a few small government hands in that pot, as well.

Unfortunately, other industries are more heavily focused on protecting the systems over all else. As part of that push for cyber resilience, we should also consider the processes and data that surround those systems.

In healthcare, at least, the HIPAA Security Rule requires that we have provisions for granting emergency access. Unfortunately, many organizations just point at their normal account provisioning and management process. As we've pushed toward more centralized identity and access management (IAM), these steady-state processes are likely not the answer, as they may themselves be down or compromised during the emergency.

Additionally, when working in high-stakes industries like healthcare, we need to consider the data used to inform operations and provide services. If we are making patient decisions based on old data, we may cause more harm than good. Likewise, if we are making financial trading decisions based on data that's even slightly old, we could cause significant losses for clients. Missing opportunities because we don't have data could also cost clients dearly.

And then we must consider data that has been purposefully and maliciously altered. We considered this heavily in the military, an organization well known for deception and subterfuge. However, we struggle with that in the civilian world, where we have trouble being skeptical even around phishing emails. We need processes built around the idea of untrustworthy data, and people who are instinctively skeptical.

So, how do we do that?

  • Build emergency processes that take outdated, incorrect, and inaccurate data into account. Know where it is and is not acceptable to make decisions based on aged data. Know where we can get better data, if possible. Know when continued operations are just not practical.
  • Hire, train, and empower people to recognize when data "just isn't right" or isn't viable for decision making purposes. This is where the steady march to automating away every job screeches to a halt. We need experienced, intelligent people in decision making positions.
  • Allow those people to make operational decisions about that data when the stakes are high. Don't just have a "time to make the donuts" or "good enough for government work" mentality. Empower the appropriate people to stop the presses when things aren't right.
  • Make sure we have emergency access processes in place and practiced. For example, you never know when an outside doctor will be there to assist during a natural disaster. Have a way to allow them to assist without giving away the keys to the kingdom.
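The first and last bullets above are the two pieces that can be made concrete in code: a stated maximum data age per decision category, and an emergency ("break-glass") grant that is scoped, time-limited, justified, and audited rather than a copy of a normal admin account. The example below is added here and is not code from the original post; the categories, age limits, scope names, and the in-memory audit log are all hypothetical policy values chosen for illustration.

```python
"""Decision-data freshness gating and a scoped, time-limited break-glass grant.

Added example with hypothetical policy values; not from the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Dict, Any

# Hypothetical maximum tolerated age of the data behind each decision category.
# "Know where it is and is not acceptable to make decisions based on aged data."
MAX_DATA_AGE: Dict[str, timedelta] = {
    "patient_medication": timedelta(hours=4),
    "trading_order": timedelta(seconds=30),
    "facility_scheduling": timedelta(days=2),
}


@dataclass(frozen=True)
class DecisionData:
    category: str
    observed_at: datetime  # when this value was last known to be current
    source: str            # where it came from, so a human can judge trust


def data_verdict(data: DecisionData, now: datetime) -> str:
    """Classify decision data as 'ok', 'stale', or 'unknown' (no policy).

    'unknown' is deliberately distinct from 'ok': a category with no stated
    age limit should be escalated to a person, not silently accepted.
    """
    limit = MAX_DATA_AGE.get(data.category)
    if limit is None:
        return "unknown"
    return "ok" if (now - data.observed_at) <= limit else "stale"


# Hypothetical scopes an emergency grant may carry. Anything outside this set
# (for example, identity-admin rights) is never obtainable via break-glass.
ALLOWED_EMERGENCY_SCOPES = frozenset({"patient:read", "patient:write", "orders:read"})
MAX_GRANT_DURATION = timedelta(hours=8)

AUDIT_LOG: List[Dict[str, Any]] = []  # stand-in for an append-only audit store


@dataclass(frozen=True)
class BreakGlassGrant:
    subject: str
    scopes: frozenset
    issued_at: datetime
    expires_at: datetime
    justification: str
    approver: str


def issue_break_glass(subject: str, scopes: Iterable[str], justification: str,
                      approver: str, now: datetime,
                      duration: timedelta = timedelta(hours=2)) -> BreakGlassGrant:
    """Issue a narrow, expiring emergency grant and record who asked and why."""
    requested = frozenset(scopes)
    if not requested or not requested <= ALLOWED_EMERGENCY_SCOPES:
        raise ValueError(f"scopes not permitted for emergency access: "
                         f"{sorted(requested - ALLOWED_EMERGENCY_SCOPES)}")
    if duration <= timedelta(0) or duration > MAX_GRANT_DURATION:
        raise ValueError("grant duration outside policy")
    if not justification.strip():
        raise ValueError("a justification is required")
    grant = BreakGlassGrant(subject, requested, now, now + duration,
                            justification.strip(), approver)
    AUDIT_LOG.append({"event": "break_glass_issued", "subject": subject,
                      "scopes": sorted(requested), "approver": approver,
                      "expires_at": grant.expires_at.isoformat()})
    return grant


def check_access(grant: BreakGlassGrant, scope: str, now: datetime) -> bool:
    """True only while the grant is unexpired and actually carries the scope."""
    return now < grant.expires_at and scope in grant.scopes


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    vitals = DecisionData("patient_medication", now - timedelta(hours=6), "bedside-monitor")
    print("vitals verdict:", data_verdict(vitals, now))   # stale -> get fresher data
    g = issue_break_glass("visiting-md-01", ["patient:read"], "disaster triage",
                          approver="charge-nurse-07", now=now)
    print("can read patient now:", check_access(g, "patient:read", now))
    print("can read after 3h:", check_access(g, "patient:read", now + timedelta(hours=3)))
```

The two checks are intentionally separate: the freshness verdict feeds the people making the call (it refuses to guess when no policy exists), while the break-glass grant gives an outside helper a narrow, expiring capability with a recorded justification and approver, which is what keeps emergency access from becoming "the keys to the kingdom".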

All of this work belongs in your emergency planning scope. That typically includes Incident Response and Disaster Recovery, but could also include Business Continuity. While most small businesses ignore these constructs, solid emergency planning is more important for them than for large businesses: larger businesses employ dozens, if not hundreds, of trained professionals in these areas, while small businesses usually have no one dedicated to these functions. With carefully designed plans, though, even when your hair is on fire you'll have calm and thoughtful ways to operate through, and successfully exit, most emergencies that come your way.

It could mean the difference between the life and death of your company.

References:
https://www.darkreading.com/cyber-risk/wake-up-call-to-protect-human-decisions-not-just-systems