Does your organization have a cybersecurity program whose primary objective is to proactively identify and manage the cyber threats you face every day?
Many enterprises harbor cybersecurity blind spots that leave them unprepared when a cyber incident actually occurs. As threats continue to mount, organizations are responding by taking action. According to PwC’s 2016 Global State of Information Security survey, 69 percent use cloud-based cybersecurity services, 59 percent leverage big data, 65 percent collaborate with others, and 54 percent employ a Chief Information Security Officer (CISO).
Investing in advanced technology, new monitoring initiatives, and senior talent is only the beginning of building the capability to fend off and respond to cyber attacks. Organizations also need to develop and employ a security strategy that reduces risk, improves business performance, and supports the business goals for growth, and that strategy has to be embedded in how the organization actually operates rather than bolted onto IT. Here are several places you can look to fortify your defenses:
1. Board Participation: Many Boards are laboring under the false perception that a cyber breach is “an IT thing.” IT is a tool set. The ultimate responsibility for managing cyber risk rests with the Board. Cyber security is a matter of corporate governance and part of a Board member’s fiduciary responsibility. When the Board is fully engaged, the organization is far more likely to have the budget, staffing, and authority it needs to stay ahead of those who seek to do it harm.
2. Expanded Cyber Risk Dimension: Boards often fail to realize that geopolitics is an increasingly important driver of cyber risk because of nation-state economic espionage. Technology exchange agreements between governments, and the conditions a host nation attaches to foreign operations, create risk for companies that hold sensitive information in those operations. In some cases, employees who are nationals of the host state and work inside a U.S. company’s foreign operations are expected by their government to pass on privileged corporate information; from the state’s point of view the theft is considered obligatory rather than optional.
3. Incident Response Plan: The lack of a comprehensive, practiced incident response plan often results in chaos when a cyber breach occurs. Who in the organization will manage the breach? Who will be notified, and when? What forensics firm should be called? What external legal counsel should be involved? How much budget is there for a breach, and what does a breach typically cost? What tools should be used to investigate it? Is there a risk of destroying evidence if the breach is first investigated internally (for example, by rebooting or reimaging affected systems before images are taken)? Who is attacking the organization? What is an adequate risk tolerance level, and what does our risk profile look like? A good incident response plan anticipates these questions and the actions that follow from them, and leads to faster resolution, less confusion, and reduced risk. In virtually every aspect of managing cyber risk, think post-breach, act pre-breach. In other words, think through, and rehearse in tabletop exercises, a range of breach scenarios, and evaluate the potential worst-case outcomes of each.
4. Office of the General Counsel Involvement: Most major breaches eventually involve regulator notification, litigation, or both. Enterprises should conduct breach investigations under the direction of the general counsel in order to support attorney-client privilege, preserve evidence, and prepare a legal response together with external legal counsel and forensic specialists. Put the privilege structure in place before the breach as well: privilege generally attaches only when the investigation is conducted for the purpose of obtaining legal advice, so the forensic firm should be retained through counsel rather than directly by IT or security. Many organizations are beginning to require the CISO to report directly or indirectly to the general counsel. The general counsel can also be useful in interpreting legal, financial, regulatory, and brand risk for the Board.
5. Breach Indicators: Are cyber criminals on your network right now without your knowledge? Some companies are in the dark. Industry reports commonly put the average gap between intrusion and detection at roughly 200 days, and many breaches remain undetected for years. The sooner an intrusion is found, the less time the attacker has to move laterally and exfiltrate data, and the lower the cost of the breach.
6. On-Call Breach Agreement: Sourcing a forensic breach provider in the heat of an attack is emotionally rattling and financially draining, as you will pay a premium for last-minute engagement. To make matters worse, what if every reputable firm you call is otherwise engaged? Your time should be spent on getting back to business. Signing an “On-Call Breach Agreement” (a retainer with pre-agreed rates, response times, and scope) well before a cyber crisis is critical; it also lets the provider learn your environment before they are needed.
7. Compliance with the 2011 U.S. Securities and Exchange Commission Cybersecurity Disclosure Guidance: Compliance does not always translate into good security, but the SEC is raising the bar. Issued to protect the interests of investors and shareholders, the 2011 guidance is staff guidance rather than a binding rule, yet meeting it in practice means developing a custom cyber threat assessment for the organization. From that assessment, a cyber risk assessment should be conducted, followed by an impact analysis and remediation efforts intended to reduce the impact of the identified risks. Public companies should then disclose to investors and shareholders the material cyber risks they face and what has been done to address them, before any breach occurs. The guidance also addresses disclosure of incidents after a breach.
The bottom line is that these blind spots can leave organizations unprepared at their most vulnerable moment. Illuminating these often unseen areas lets you put a proactive strategy in place and test it, save time and resources in the event of a breach, and move your organization forward with confidence in its cybersecurity program.