Cybersecurity calls for resiliency
The World Economic Forum struck the right tone in its assessment of cybersecurity:
“Although cyber-risk management is improving, business and governments need to invest far more in resilience efforts.”
It’s an admission that we’re not going to eradicate cybercrime. Instead, we need to develop our personal and organizational resiliency to relentless cyberattacks. Reading about cybersecurity being a major challenge or citing the latest brands victimized by data breaches won’t help your organization. You need to take actions beyond using scanners to detect cyber threats. Here are our five recommendations:
Focus on managing your vulnerabilities
Managing vulnerabilities is easier said than done, especially if your organization has countless ports of entry for cybercriminals. These ports of entry connect to public networks and encompass digital assets like servers, laptops, workstations and mobile phones.
With vulnerabilities, focus on identification and prioritization. Identify the areas where you’re most vulnerable to cyberattacks and prioritize remediation efforts. For example, a major social game developer prioritizes vulnerabilities to its critical assets, so they address what’s most urgent first. Analyzing the findings enables the developer to make data-driven decisions that better manage risk.
Build and refine your incident response plan
All organizations encounter incidents. Most are easy to address, and the impact on operations is minor or nil. Some incidents interrupt operations and require investigation and remediation. Crises are the most disruptive type of incident: operations come to a standstill and organizations engage their business continuity/disaster recovery plans.
Whether an incident or crisis relates to IT, a third party, operations, employees or another aspect of the organization, it benefits from proactive management. That’s why it’s smart to create incident response plans for likely incidents, and then continually test and update the plans. Preparation and procedures are critical to having people and processes ready for when incidents occur.
Encourage security vigilance company-wide
According to CIO magazine, humans are still the weakest link in cybersecurity. Phishing and ransomware are the two biggest tactics favored by hackers. Perpetrators are clever and compelling. Employees are easily duped into clicking a link that tricks them into giving away private information, or the click-through freezes their computer with a message demanding a ransom.
There are software solutions that act as a deterrent, but many cause workplace interruptions, like hurting productivity by delaying email delivery or blocking important emails altogether. Even so, how do you protect against other types of human error, like the employee whose laptop storing protected health information is stolen from their car?
What seems to work best for security vigilance is never-ending education and training. Some basics: with email, don’t click on any links from unknown senders. Think twice before clicking on any hyperlink within an email. If it’s supposedly your bank, for example, open your browser and visit the site directly. Be wary of subject lines that grab your attention, like password changes and online orders, but are part of phishing attempts. Stop Think Connect has a plethora of security education materials for individuals and organizations.
Communicate and collaborate across the organization
Teams and departments are more likely to excel at communication and collaboration within their own group. Perhaps it’s the human tendency toward tribalism. It’s great for what McKinsey sees as the agile organization, with its autonomous squads accountable for outcomes and decision-making.
This approach doesn’t work as well for cybersecurity, which is an all-hands, enterprise-wide initiative. Cyberattacks can come from anywhere in the world and hit individual workspaces, IT, departments and third parties located off-site.
The solution is to think global and act local. Use a multi-department approach to review and update your incident response process, focusing on likely scenarios, doing procedure test runs, and rechecking the crisis management plan. Form a cross-functional team of HR and IT security personnel to deliver ongoing cybersecurity education to employees. Also, assess third parties on their cybersecurity programs with the goal of mitigating risk to your organization.
Invest in technology that contributes to resilience
Vulnerability management, incident/crisis response, education, and communication can all be managed using existing tools like spreadsheets and shared drives. It’s just a lot slower and less effective. In 2019, and with more companies going digital and using automation, your company needs to get on board with an integrated risk management platform that can make existing processes more effective and efficient.
Here are a few ways that technology can contribute to organizational resilience. Imagine having a single view of all system scans so critical findings can be addressed first. How about that mountain of scanner results? The right technology can deduplicate scanner results, so you only see what’s changed. Manage incidents proactively and thoroughly rather than reactively and haphazardly. Or, leverage the technology’s ability to automate alerts, notifications and reminders to increase the effectiveness of cybersecurity training or escalate issues to management.
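As an added example of the two ideas above (deduplicating consecutive scanner runs so only changes surface, and ranking findings by asset criticality rather than scanner severity alone), here is a small Python script. It is not code from the original post or from any vendor platform; the hosts, check ids and criticality ratings are constructed for illustration.

```python
"""Deduplicate consecutive scanner runs and prioritize by asset criticality.
Added example; hosts, check ids and criticality ratings are constructed."""
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # the scanner's identifier for the check (constructed here)
    severity: str   # critical / high / medium / low


# Constructed: asset criticality on a 1-3 scale (3 = revenue-critical system)
CRITICALITY = {"db-prod-1": 3, "web-prod-1": 3, "dev-box-7": 1}

# Constructed: last week's scan results and this week's scan results
LAST_WEEK = {
    Finding("db-prod-1", "CHK-1001", "high"),
    Finding("web-prod-1", "CHK-2002", "medium"),
    Finding("dev-box-7", "CHK-3003", "critical"),
}
THIS_WEEK = {
    Finding("db-prod-1", "CHK-1001", "high"),       # unchanged, still open
    Finding("web-prod-1", "CHK-4004", "critical"),  # new this week
    Finding("dev-box-7", "CHK-3003", "critical"),   # unchanged, still open
}


def diff_scans(previous, current):
    """Return (new, resolved): findings that appeared or disappeared since
    the previous scan. Unchanged findings are suppressed, so the analyst
    only sees what changed instead of the whole mountain of results."""
    return current - previous, previous - current


def priority(finding, criticality):
    """Score = scanner severity x asset criticality; unknown hosts rate 1."""
    return SEVERITY[finding.severity] * criticality.get(finding.host, 1)


def prioritize(findings, criticality):
    """Sort findings so the most urgent (highest score) come first."""
    return sorted(findings, key=lambda f: (-priority(f, criticality), f.host, f.check_id))


if __name__ == "__main__":
    new, resolved = diff_scans(LAST_WEEK, THIS_WEEK)
    print("new:", [(f.host, f.check_id) for f in prioritize(new, CRITICALITY)])
    print("resolved:", [(f.host, f.check_id) for f in resolved])
    for f in prioritize(THIS_WEEK, CRITICALITY):
        print(priority(f, CRITICALITY), f.host, f.check_id, f.severity)
```

Note that the critical finding on the low-value dev box ranks below the high finding on the production database, which is the point of weighting by asset criticality.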
As the World Economic Forum noted, “exposure to risks from cyber is growing as firms become more dependent on technology.” That means cyberattacks will continue unabated. It’s a new normal for companies and resiliency helps keep your business moving forward.