Technology is constantly changing, and so are cyber risks and cyber criminals. To keep your organization in the strongest position possible, it needs to maintain a strong cybersecurity posture, and you need to know how to evaluate that posture properly.
The cost of not doing so is considerable. According to the Ponemon Institute’s Cost of a Data Breach Report, the average cost of a data breach is $3.92 million, a cost that stretches over several years and may not include other losses, such as the loss of your customers’ trust.
A strong, well-evaluated security posture is your best defense against cyber criminals, mistakes, and other issues that can result in a breach.
What is cybersecurity posture and how is it evaluated?
Cybersecurity posture is an organization’s overall defense against cyber-attacks and bad actors. A company’s cybersecurity posture includes all its controls, including everything from policies, to cybersecurity solutions it may have purchased. In other words, cybersecurity posture is the collective security status of all an organization’s software and hardware, services, networks, and information. It also represents how secure an organization is as a result of all of those tools and processes.
Typically, an organization evaluates its cybersecurity posture by first deciding what its specific security goals are (what business goals the organization has, and what particular requirements need to be met), and then choosing a specific risk management framework so that all assets can be prioritized from most to least vulnerable. This lets the security team evaluate the organization’s security posture more easily going forward. That’s a thumbnail sketch, however. There’s a lot more that goes into evaluating security posture, and many mistakes that can be made.
1. Not tying security goals to business goals
Cybersecurity isn’t one-size-fits-all. Your cybersecurity goals should align with your organization’s business goals and objectives. If you’re a healthcare organization, for example, your cybersecurity goals should reflect that by protecting patient information and adhering to the regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA).
Even if your organization isn’t in a tightly regulated industry, you should be certain that your mission-critical data, networks and systems are prioritized and protected, along with the most sensitive information your company handles.
If you’re simply trying to evaluate your cybersecurity posture based on what works for other organizations, you may leave some of your own most important information and systems unprotected.
2. You aren’t protecting your extended enterprise
Your organization is more than just your company. It stretches beyond your company itself and into your extended enterprise, an ecosystem that includes your third (and sometimes fourth and fifth) parties. Third parties are your partners, your vendors, and your contractors. They’re the supply chain that helps you fulfill your mission, and they often have access to your data and networks. They can also deepen your risk; according to Ponemon’s Cost of a Data Breach Report, if a third party is involved in a data breach, the cost of the breach increases by more than $370,000. If you’re not evaluating their cybersecurity posture as well as your company’s, your evaluation is incomplete.
3. You aren’t monitoring continuously
Cybercriminals are constantly evolving and changing. They change how they attack, the tools they use to attack, and they also change their targets. For example, a report from Ponemon and Keeper found that over the past three years, the number of small businesses that have suffered a cyberattack has increased. Social engineering scams are also on the rise. In order to keep up with bad actors, you need to continuously monitor your organization’s security posture, so that as soon as there’s a problem you’re aware and ready to respond.
4. Your commitment to security doesn’t start at the top
Security is not something that can be outsourced to the Chief Security Officer and the security team. Security should be a core value at your organization, and the best way to achieve that is buy-in from leadership. Once your CEO and board show that security is important to them, the rest of the organization will follow suit.
5. There’s not a strong security culture at your organization
Security is everyone’s job. Everyone at your organization should be trained in cyber-hygiene, and that training should be ongoing. Everyone should know what phishing is, what social engineering is, and how to avoid both. They should also know who your security team is, and who to contact if they suspect they’re being targeted. If your company doesn’t have a strong security culture, the job of your CSO and security team will be twice as difficult as it would be otherwise.
How SecurityScorecard can help
The simplest way to understand your security posture is often by using a self-assessment.
SecurityScorecard can help you easily evaluate your cybersecurity posture, as well as those of your vendors and others in your extended enterprise.
Our simple A-F rating system gives you a quick snapshot of your organization’s security performance across our 10 groups of risk factors, and makes it easy to demonstrate your cyber health to your company’s leadership at a glance. We then offer step-by-step remediations for any vulnerabilities that turn up during the evaluation process.