This past May, Moody’s downgraded Equifax. The downgrade was the direct result of the credit reporting agency’s 2017 data breach.
“We are treating this with more significance because it is the first time that cyber has been named as a factor in an outlook change,” said a spokesperson for Moody’s. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
The moral of the story: an organization’s cybersecurity posture impacts its bottom line for the foreseeable future. It’s not just about the costs arising from the breach itself — to remain financially viable, organizations need to ensure that they adopt a security-first approach to cybersecurity by continuously monitoring their unique digital footprint across all business lines and subsidiaries.
What is your digital footprint?
An organization’s digital footprint encompasses all its traceable digital activities, actions, contributions, or communications across the internet or on devices.
While the concept of a digital footprint has been around for as long as computers and the internet, the cloud has changed the nature of organizations’ digital footprints.
Back when companies could control their actions with on-premises networks and systems, they only needed to consider their digital footprint in terms of social media or online reviews.
Today, however, as organizations migrate their business-critical operations to the cloud, their digital footprint has exploded exponentially. A company’s Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) IT infrastructure incorporates multiple Software-as-a-Service (SaaS) applications. Each of those enablements increases an organization’s digital footprint by increasing the number of devices connected to the internet.
What activities impact your digital footprint?
In some cases, an organization may not even be aware of the size or scope of its own digital footprint. Below are some examples of digital footprints that may have grown beyond the control of their organizations’ IT departments.
1. Shadow IT
Individual business lines or departments often add SaaS applications unique to their needs—often without going through IT. While organizations recognize the need for digital transformation to streamline operational effectiveness, they also need to find ways to monitor shadow IT. This is another threat vector that increases an organization’s digital footprint while impacting data privacy and security.
2. Organization and subsidiary structure
Subsidiaries may require their own, unique enterprise risk monitoring. While the controlling company may have a robust information security posture, the subsidiary often acts on its own. Thus, the organizational structure and interconnected systems lead to a risk that the enterprise needs to monitor and evaluate. If a subsidiary’s controls are weak, they can impact the overarching enterprise cybersecurity posture.
3. Mergers and Acquisitions (M&A)
Organizations can either merge with or acquire other companies to create value. As part of the mergers and acquisitions process, they engage in due diligence, including cybersecurity posture. Prior to completing an M&A transaction, the deal team typically reviews documentation provided by the target or combs through desperate public information sources as a part of due diligence. Post-merger integration comes with the need to monitor new risks of the combined entity.
4. Vendor risk management
Vendor risk management strategies often focus on the overarching vendor organization. Many vendors, however, are large enterprises that incorporate multiple products. To gain a full understanding of vendor risk, the enterprise needs insight into the risk associated with the product that they use, not all of the vendor’s products or digital footprint.
How can you manage your digital footprint?
You can’t manage what you can’t measure. In order to understand the scope of your digital footprint, you may need to bring in a partner organization that will help you analyze, segment, and make sense of your footprint, including the smaller footprints of vendors, departments, and subsidiaries.
SecurityScorecard, for example, allows you to easily monitor security risk across your entire organization, and segment by lines of business for a customized view of your entire footprint. Our custom scorecards enable portfolio cybersecurity risk monitoring, remediation, and documentation so that the enterprise can secure its systems, networks, software, and data for a robust cybersecurity posture. With custom scorecards, your enterprise can gain more detailed information about how different business lines impact your holistic security score. We also provide suggestions that will allow you to address any issues that are bringing your security score down — no matter where in your digital footprint those issues lie.