Authored by: Jeff Krull
Cybersecurity is one of the most common topics on the agendas of company leaders and boards of directors. Almost every week, there are new stories about data breaches affecting millions of customer records, health data, payment card data and loss of trade secrets. The sources of cyber threats are growing in sophistication and nefarious intent. Professionals dealing with cybersecurity not only need to focus on thwarting hackers that intend to disrupt your business or deface your website, but must also be prepared to address threats from professional cyber-espionage groups or sponsored foreign government intrusion. The latter are often organizations with sustained intent and the capability to cause real harm to your organization.
The most significant risk from a cybersecurity perspective has traditionally been reputational. Customers, business partners and investors may shy away from companies with a poor cyber track record. However, there is an increasingly troublesome threat to operations that is arising from ransomware. Ransomware is malicious software that encrypts the target system. Typically, unless a ransom is paid, the data is permanently encrypted. Since these ransomware threats can occur at any time, some organizations feel forced to pay the ransom to keep their operations going. As a result, the organizations behind the ransomware are making a profit. This likely leads to those same organizations finding new and innovative ways to attack companies. To date, many of the ransomware attacks are targeted towards older, unpatched systems. That may be quickly changing, however, as attack strategies evolve with the funding they have gotten from the success of their past attacks.
Also increasing the risk is the significant increase in devices and access points that are being introduced to corporate networks and environments. The newer technologies and “internet of things” are bringing great advances in functionality, but at the same time often open up new security vulnerabilities.
Good cybersecurity resources are at a premium. As a result, many organizations have struggled to attract and retain qualified and effective cybersecurity personnel. One particular struggle for many organizations has been identifying personnel that have the skills to present to executive and board level audiences. Personnel who have the ability to translate complex security risks and threats into straightforward business language are in high demand in the marketplace and in some cases are almost impossible to find.
All of these factors mean that effective cybersecurity is likely to get more difficult for the foreseeable future. Attacks have been so common in recent years that the conventional wisdom within the cybersecurity community has shifted from a mindset of if we are hacked to when we are hacked. The best prepared companies are shifting their cybersecurity strategies from focusing on outright prevention to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.
The following are the steps organizations should consider taking to mitigate cybersecurity risks.
1) Cyber risk assessment, data classification and mapping
The first step in understanding your cyber risk is understanding what data you have and what protections it needs. Not all data is created equally and have the same regulatory requirements. By understanding what data you have, where it comes from, how it is stored, how it is processed and where it goes, you should be able to understand what risks exist with regard to your overall environment and your cyber profile. Using that information, organizations can perform a thoughtful cyber risk assessment by IT asset to understand what your threats and vulnerabilities are and what processes and controls need to be implemented to mitigate those risks. Many organizations start by trying to close “known technical vulnerabilities” versus taking a holistic view of the environment to understand what IT assets present the most risk and therefore deserve the most attention in control remediation and implementation activities. Often organizations do not perform a thorough cyber risk analysis to help “take a step back” and understand how to best prioritize efforts to best minimize their risks. For example, an organization may identify as part of its scanning efforts that it has a number of outdated servers that need to be upgraded. However, that doesn’t get to the root cause of the problem (patch management) and may lead to efforts to upgrade servers that instead would make more sense to retire and virtualize.
2) Security control implementation
Once the cyber risk assessment is complete, the next step is to implement controls. There are a number of frameworks available that help identify the necessary controls to secure different environments. There is no one “right” framework – it is important to choose the IT controls framework that best fits your environment and industry.
3) Regular verification of security control performance
While most leading cybersecurity control frameworks include verification controls, we call special attention to this as part of the process of managing cybersecurity. Periodically, organizations should evaluate their security controls to obtain assurance over cybersecurity control effectiveness and determine whether the cybersecurity controls are operating as intended within the organizations. Evaluating cybersecurity controls (through a combination of control testing and penetration testing) is also a great way for internal audit departments to continue to add value by enhancing the overall security posture of the organization.
4) Breach preparedness planning and testing
Based on the premise that cybersecurity and IT professionals now expect their organizations to be hacked, it logically follows that the organizations should have breach response procedures in place. Breach preparedness begins with defining the activities an organization should follow when invoking the plan and periodically testing those plans.
5) Risk acceptance and risk transfer
As recent, high-profile breaches demonstrate, even with robust security processes in place, organizations can suffer from a breach. When security measures fail, financial impacts (e.g., credit monitoring for affected customers, increased transaction processing costs or fines assessed by regulatory agencies) may occur. Organizations must understand their financial exposure relative to a compromised dataset. At that point, the organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and coverage. Underwriters are taking closer looks at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, organizations may be able to receive reduced premiums or more favorable policy limits.
Cybersecurity management is a complex topic that requires substantial organizational attention to be effective. This is not solely the responsibility of the IT department. By working collaboratively across an organization, it is possible to more effectively manage cybersecurity risks to reduce the likelihood of an exposure, limit the extent and impact of an exposure and be prepared to recover from the damages of a breach.