Network breaches have become so commonplace that only the most massive events make headlines. Nonetheless, many businesses fail to implement adequate cybersecurity management plans. PWC’s 2018 Global State of Information Security Survey found that only 56 percent of respondents have an overall information security strategy in place.
How can your organization alleviate this clear and present danger?
Developing a cybersecurity management plan means starting with the basics. You need to thoroughly assess your security risks and then put in place measures to mitigate not only cybersecurity threats, but also related financial, legal and operational exposures.
Perform a risk assessment
Start by performing a thorough IT risk assessment to understand your biggest vulnerabilities with regard to both data storage/access and IT systems overall. Consider threats from both inside and outside your organization, including internal processes, suppliers and contractors, as well as the mobile workforce. Without such an assessment, you’re likely to miss basic IT management mistakes that lead to attacks and accidental breaches.
Pre-existing frameworks are available to help you assess the effectiveness of any existing risk management controls, processes and information systems. Examples include National Institute of Standards and Technology (NIST) 800-53, NIST Cybersecurity Framework (CSF), ISO/IEC 27000 series, and so on.
Whichever framework you choose, be sure to relate it back to your organization’s unique operational structure and business objectives by getting input from your senior management, IT administrators, and other stakeholders.
Once you’re aware of your risks, you’re in a better position to put controls in place to protect your systems and data and to ensure your business will remain operational, and financially viable, in the event of a breach.
Protecting IT systems and data involves putting appropriate policies in place and then auditing and testing these policies to ensure they are accomplishing what they are intended to do. Make sure employees are trained on and understand appropriate protocols for access to and use of data. Have a plan in place to respond to cyber attacks efficiently and effectively.
In addition to implementing cybersecurity measures, take steps to protect your business from financial, legal, and operational risks in the event of an attack.
Make sure you have adequate insurance to cover the costs of any data breach or system interruption, including legal, forensic and notification costs as well as all expenses associated with regulatory investigations and fines.
Designate legal counsel with the right experience before an incident occurs to avoid wasting time during a potential emergency.
Consider the impact
And finally, consider the impact that implementing cybersecurity measures—and inevitable breaches—will have on your business operations.
Any security initiative involves balancing the need to protect customer data and intellectual property with data accessibility and user experience. These tradeoffs can impact the overall customer experience, customer service, and customer retention. For example, if security arbitrarily restricts access to data, you’ll have adequate security at the cost of impeding business operations.
Disaster recovery/business continuity plans are also necessary to ensure that business operations can continue uninterrupted should the worst occur.
Today, cybersecurity breaches are as inevitable as death and taxes. Prepare yourself for the worst by understanding your risks and by creating a comprehensive mitigation plan that covers all your security, financial, legal, and operational bases.