Posted on Nov 7, 2019
This past May, Moody’s downgraded Equifax. The downgrade was the direct result of the credit reporting agency’s 2017 data breach.
“We are treating this with more significance because it is the first time that cyber has been named as a factor in an outlook change,” said a spokesperson for Moody’s. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
The moral of the story: an organization’s cybersecurity posture impacts its bottom line for the foreseeable future. It’s not just about the costs arising from the breach itself — to remain financially viable, organizations need to ensure that they adopt a security-first approach to cybersecurity by continuously monitoring their unique digital footprint across all business lines and subsidiaries.
An organization’s digital footprint encompasses all its traceable digital activities, actions, contributions, or communications across the internet or on devices.
While the concept of a digital footprint has been around for as long as computers and the internet, the cloud has changed the nature of organizations’ digital footprints.
Back when companies could control their actions with on-premises networks and systems, they only needed to consider their digital footprint in terms of social media or online reviews.
Today, however, as organizations migrate their business-critical operations to the cloud, their digital footprint has exploded exponentially. A company’s Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) IT infrastructure incorporates multiple Software-as-a-Service (SaaS) applications. Each of those services enlarges an organization’s digital footprint by increasing the number of devices connected to the internet.
In some cases, an organization may not even be aware of the size or scope of its own digital footprint. Below are some examples of digital footprints that may have grown beyond the control of their organizations’ IT departments.
Individual business lines or departments often add SaaS applications unique to their needs, frequently without going through IT. While organizations recognize the need for digital transformation to streamline operational effectiveness, they also need to find ways to monitor shadow IT. This is another threat vector that increases an organization’s digital footprint, while impacting data privacy and security.
Subsidiaries may require their own, unique enterprise risk monitoring. While the controlling company may have a robust information security posture, the subsidiary often acts on its own. Thus, the organizational structure and interconnected systems lead to a risk that the enterprise needs to monitor and evaluate. If a subsidiary’s controls are weak, they can impact the overarching enterprise cybersecurity posture.
Organizations can either merge with or acquire other companies to create value. As part of the mergers and acquisitions process, they engage in due diligence, including a review of the target’s cybersecurity posture. Prior to completing an M&A transaction, the deal team typically reviews documentation provided by the target or combs through disparate public information sources as a part of due diligence. Post-merger integration comes with the need to monitor the new risks of the combined entity.
Vendor risk management strategies often focus on the overarching vendor organization. Many vendors, however, are large enterprises that incorporate multiple products. To gain a full understanding of vendor risk, the enterprise needs insight into the risk associated with the product that they use, not all of the vendor’s products or digital footprint.
You can’t manage what you can’t measure. In order to understand the scope of your digital footprint, you may need to bring in a partner organization that will help you analyze, segment, and make sense of your footprint, including the smaller footprints of vendors, departments, and subsidiaries.
SecurityScorecard, for example, allows you to easily monitor security risk across your entire organization, and segment by lines of business for a customized view of your entire footprint. Our custom scorecards enable portfolio cybersecurity risk monitoring, remediation, and documentation so that the enterprise can secure its systems, networks, software, and data for a robust cybersecurity posture. With custom scorecards, your enterprise can gain more detailed information about how different business lines impact your holistic security score. We also provide suggestions that will allow you to address any issues that are bringing your security score down — no matter where in your digital footprint those issues lie.