Three steps that any company can take to help thwart cyber attacks and measurably reduce its security risk.
Make security an executive level issue.
When security risk becomes a board-level concern, security performance improves. Unfortunately, recent studies show that many organizations still do not bring security risk to the board for review.
A report from Carnegie Mellon CyLab found: “… boards are not actively addressing cyber risk management… There is still a gap in understanding the linkage between IT risks and enterprise risk management. Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.”
Organizations need to make security a top priority and find ways of communicating both security performance and resourcing needs to the board. Failing to do so feeds the dangerous “optimism bias” we have described, and leaves companies unprepared to defend themselves against a breach or to respond effectively when one occurs.
Perform a security risk assessment across your entire business ecosystem.
To truly manage security risk, an organization needs a thorough assessment of where its risk comes from. That assessment should cover more than internal networks. Any third party that is part of your “information supply chain” (partners, suppliers, and vendors) should be included in the analysis. In some industries the scope extends even further: to customers using your services (consider retailers and payment card processors), or to organizations you have invested in or insured.
As the Target data breach showed, failing to understand how your systems and your third parties are interconnected can have devastating effects. Who would have imagined that an HVAC vendor’s network credentials would be the entry point for one of the largest breach incidents in recent history?
Be vigilant about continuously monitoring your network and connected systems.
In business, continuous monitoring is a cornerstone of decision making: loan officers need up-to-date credit histories, and investment bankers need instant access to stock prices and trends. The same should be true of IT security risk. By building ecosystem network monitoring into a risk management program, security teams can remediate network threats more quickly and gain insight into the security posture of third parties that may have access to your valuable data.
Federal agencies such as the Secret Service and the FBI do notify businesses of suspected data loss events, but these warnings typically arrive too late for the breached entity to prevent a costly and embarrassing incident. By continuously measuring the security posture of both internal and connected networks, organizations expand their visibility into the full scope of threats and can mitigate losses before an external notification arrives.