Posted on Mar 28, 2018
Network breaches have become so commonplace that only the most massive events make headlines. Nonetheless, many businesses fail to implement adequate cyber security management plans. PWC’s 2018 Global State of Information Security Survey found that only 56 percent of respondents have an overall information security strategy in place.
How can your organization alleviate this clear and present danger?
Developing a cyber security management plan means starting with the basics. You need to thoroughly assess your security risks and then put in place measures to mitigate not only cyber security threats, but also related financial, legal and operational exposures.
Start by performing a thorough IT risk assessment to understand your biggest vulnerabilities with regard to both data storage/access and IT systems overall. Consider threats from both inside and outside your organization, including internal processes, suppliers and contractors, as well as the mobile workforce. Without such an assessment, you’re likely to miss basic IT management mistakes that lead to attacks and accidental breaches.
Established frameworks are available to help you assess the effectiveness of your existing risk management controls, processes and information systems. Examples include National Institute of Standards and Technology (NIST) Special Publication 800-53, the NIST Cybersecurity Framework (CSF), and the ISO/IEC 27000 series.
Whichever framework you choose, be sure to relate it back to your organization’s unique operational structure and business objectives by getting input from your senior management, IT administrators, and other stakeholders.
Once you’re aware of your risks, you’re in a better position to put controls in place to protect your systems and data and to ensure your business will remain operational, and financially viable, in the event of a breach.
Protecting IT systems and data involves putting appropriate policies in place and then auditing and testing these policies to ensure they are accomplishing what they are intended to do. Make sure employees are trained on and understand appropriate protocols for access to and use of data. Have a plan in place to respond to cyber attacks efficiently and effectively.
In addition to implementing cyber security measures, take steps to protect your business from financial, legal, and operational risks in the event of an attack.
Make sure you have adequate insurance to cover the costs of any data breach or system interruption, including legal, forensic and notification costs as well as all expenses associated with regulatory investigations and fines.
Designate legal counsel with the right experience before an incident occurs to avoid wasting time during a potential emergency.
And finally, consider the impact that implementing cyber security measures—and inevitable breaches—will have on your business operations.
Any security initiative involves balancing the need to protect customer data and intellectual property with data accessibility and user experience. These tradeoffs can impact the overall customer experience, customer service, and customer retention. For example, if security arbitrarily restricts access to data, you’ll have adequate security at the cost of impeding business operations.
Disaster recovery/business continuity plans are also necessary to ensure that business operations can continue uninterrupted should the worst occur.
Today, cyber security breaches are as inevitable as death and taxes. Prepare yourself for the worst by understanding your risks and by creating a comprehensive mitigation plan that covers all your security, financial, legal, and operational bases.