With another major data breach hitting the headlines, it’s time to take action.
“…the data was sitting in an Amazon Web Services storage “bucket,” left open to anyone with an account, which are free to obtain.”
Threats are growing daily, from new IoT devices to employee and business partner exposures.
Last year was terrible for corporate victims of cyberattacks, with many large organizations making headlines over reports of major breaches. Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016, according to the U.S. Department of Justice.
But confusion, complexity, and ignorance seem to be creating a state of paralysis.
- Is it the constant stream of new cybersecurity technologies?
- Is it all the security acronyms (DLP, APT, GRC, EDR, EUBA, etc.)?
- Or something else?
Whatever the reason, a high percentage of companies are not doing the basics.
The top 10 external vulnerabilities accounted for nearly 52 percent of all identified external vulnerabilities. Thousands of vulnerabilities account for the other 48 percent. All 10 internal vulnerabilities are directly related to outdated patch levels on the target systems.
However, good cybersecurity hygiene is now a fundamental business need. So don’t wait.
Follow these four simple steps to get started.
1. Start With Your Business Risks
You understand your business goals and objectives.
So what will prevent you from achieving your goals? What’s the likelihood of the occurrence? The potential impact?
You manage these business risks everyday. Cyber risks are no different. They all involve some level of people, process, and technology.
According to Allianz, the top three business risks are:
- Business interruption (including supply chain disruption and vulnerability)
- Market developments (volatility, intensified competition/new entrants, M&A, market stagnation, market fluctuation)
- Cyber incidents (cyber crime, IT failure, data breaches, etc.)
2. Identify Your Technology Risks
You may have a long list of information technology (IT) and operational technology (OT) risks. Or you may have no list at all. Don’t worry. Your list does not need to be perfect. And there is no right way to create such a list.
Ask a friend, colleague or business partner for advice. Your accountant, insurance provider or lawyer can also be a good source of information. Remember, what might be “newsworthy” may or may not actually be important or applicable to your business.
News flashes and sound bites are constantly calling our attention to the latest hacks or threats to our cybersecurity that seem to be filling our social media news feeds and television reporting circuits.
Start with a simple exercise. Look to companies such as Cyber Risk Opportunities. Through a series of surveys, they provide executives cyber risk insights similar to how you manage other areas of your businesses.
3. Establish Quantitative Measures
Given your cybersecurity maturity, the level of preciseness will vary so don’t worry about it being perfect to start. Even if such measure is subjective, it will help you focus.
There are also resources to help you. There is a new cyber equivalent of a FICO credit score. NIST has also published a framework to capture cybersecurity-related risk. FIFEC has a self-assessment tool for financial institutions.
In this respect, companies such as Tenable can help you capture, prioritize and manage your “Cyber Exposure”.
4. Create and Implement a Plan
Your analysis will likely have more than one prioritized action. Pick a few. Start small and get some wins under your belt. Track your progress.
Remember cybersecurity is as much as management issue as a technology one. So don’t just focus solely on buying news products or services.
Integrate cybersecurity into your culture. Create a new board level committee on cybersecurity (just like compensation or audit). Or add cyber security responsibilities to your HR processes (job descriptions, on-boarding, training, performance reviews).
No matter where you start, it’s better than not starting at all. Your plan can and should evolve as you learn.
Your Cybersecurity Priorities & Plan
- Rank a limited number of cybersecurity risks based on your IT/OT/IoT deployments
- Design, deliver and manage a plan (people, process and technology)
It would be great to hear about your best practices.
- How do you capture cyber risk?
- How do you quantify it?
- What tools do you use?
- What organizational changes have you made?
- What have been your biggest challenges?