In July 2017, one of the most devastating incidents in the history of cyber attacks took place when a group of elite hackers broke into Equifax, one of the largest credit bureaus in the world, and stole private data, including social security numbers and credit card numbers, of around 145 million clients.
Such information in the wrong hands can be used for misrepresentation or identity theft. This example serves to show the importance of taking cybersecurity seriously: a cyber attack can severely damage an organization’s reputation and even lower the quality of the service or product it offers. The damage spills over to the financial side as revenues dwindle and losses are incurred.
Cybersecurity: A Business Strategic Risk
For many organizations, cybersecurity is a long way from being a core competency. Most IT specialists, board directors, and C-suite executives are not very familiar with information security. This means that if an attack were to take place, they would be helpless in their attempts to protect crucial data from being stolen. It is this lack of adequate information that brings about evasion or indecision when it comes to cybersecurity, and in a more serious scenario, a resigned acceptance that cyber attacks are inevitable.
In the past, the security of a company’s information was delegated to the IT department and the subject was seldom brought up in board meetings. That was the period when the internet was still in its infancy. This is no longer the case because, over the years, cybercrime has become more and more rampant.
In board meetings nowadays, cybersecurity is one of the agenda items given the highest priority. Why? Board directors and CEOs want, now more than ever, to understand how the threats posed by cybercrime can affect their line of business.
More and more businesses are elevating cybersecurity from a mere IT issue to a strategic business risk. This increased interest in securing information has led to growing demand for the newest member of the executive suite: the CISO (Chief Information Security Officer). This is a senior-level executive whose job is to establish and maintain the enterprise program, strategy and vision that ensure all information technologies and assets are sufficiently protected from hackers and crackers.
This development will go a long way toward improving the business profile of information security operations. In addition, the mindset among stakeholders and employees that information security is purely an IT issue is slowly dying off.
Practices That Should Be Implemented In Organizations To Ensure Effective Cyber Risk Management
The following guidelines are meant to reinforce an organization’s security programs, in the form of a business continuity plan (BCP), a disaster recovery plan (DRP) and an employee awareness program, by pointing out the core cybersecurity competencies and assigning each to the proper management level. As a C-suite executive, it is up to you to include all of the following:
- Assume that your company’s information system may be breached at some point in the future. With that in mind, assess your ability to identify and react to threats within the network. The security initiatives you put in place must focus on decreasing the time it takes to detect, contain and remediate suspicious activity on the information system. To do this, companies have to consider using new and additional threat detection methods. For instance, cybercriminals often establish command and control channels before they initiate attacks. If you find these channels early enough, it becomes much easier to identify and stop such attacks before they even begin.
- A ransomware attack is a form of cyber attack in which the data on a computer is encrypted and a ransom payment, usually in cryptocurrency, is demanded for its release. Such attacks are increasingly common, and the WannaCry ransomware attack of May 2017 is a classic example. To counter the ransomware problem, IT specialists must have a proper backup strategy to take the edge off the impact of such attacks. If valuable data is lost in such an attack, the backups allow what was lost to be restored without paying the criminals any ransom. The backup data should be stored in a secure location (usually outside the physical premises) to make sure that it is not also encrypted in the event of a ransomware attack. The backup strategy, therefore, has to be part of the company’s Incident Response Plan and has to describe in detail what should be done to “arrest” the data and then recover from a ransomware attack.
- Automation is another strategy that can be applied to operational processes so that security teams can make the most of the resources at their disposal. Security professionals need as much context as possible to determine whether a threat is genuine. That context can be internal or external data; a good example is ‘threat intelligence’, which provides a broader picture of the procedures, tactics, and tools of an attack group.
- Organizations must come up with a strategic approach to cyber defense that enables them to deal with the possibility of cyber attacks. This strategy should strike the appropriate balance between processes, people, and tools. There is no simple solution when it comes to shielding important assets. While it is fine to have the latest and best technology, your information system will still be vulnerable if you do not have people equipped with the skill set to operate that technology. Additionally, you have to clearly define and document the operating procedures needed to use that technology to its full potential. Security professionals, in particular, must be given the necessary bandwidth to increase the alerting threshold and investigate alerts.
- Educate IT professionals, members of the C-suite and all employees on why they should understand their company’s cyber exposure and how cybercriminals exploit data collected during reconnaissance to mastermind targeted attacks. This exercise should be as practical as possible rather than taking a completely theoretical approach. You can use real-life examples such as the account information and credentials from a customer sign-in. It is this kind of information that cybercriminals leverage to falsify identity cards and/or system credentials, which are then used to carry out cyber crimes. Read “How to Create a Culture of Cybersecurity Awareness” for more information and a real example of how I implemented an awareness program for all levels of employees.
- All members of the C-suite should be included in tabletop exercises for incident response so that they fully learn their respective roles and the likely costs of a cyber attack. If the C-suite experiences what an attack feels like, even through simulation, they become aware of the grave consequences of an attack and have no choice but to instill a top-down, security-driven culture. Instilling this kind of culture in any organization is crucial to putting cybersecurity into effect over time. It is the job of the board to make sure that C-suite executives are encouraging and exemplifying this culture. If the top leaders in the organization set a good precedent, it will no doubt seep into the rest of the organization.
- In addition, boards should not only make clear but also promote the incentives of cybersecurity compliance: retaining and recruiting high-performing staff, entering new markets, enhancing service quality, reducing operating costs, increasing top-line revenue, and so on.
- Colleges and universities offering major MBA (Master of Business Administration) programs ought to include cybersecurity in their curriculum. This would ensure that freshly graduated C-suite executives spend less time trying to master the technical details of cybersecurity as they begin their careers in marketing or sales. Currently, very few MBA programs have a cybersecurity curriculum, and that is partly why many attempts to implement proper IT practices in organizations have failed miserably.
- Governance is a critical component of any organization; its task is to come up with the parameters the organization needs in order to stay compliant and secure. Such parameters should be prioritized, measurable, consistent and clearly stated. Furthermore, they should be defined in a manner that guards what the organization perceives as its most sensitive assets. It is up to the C-suite executives to define such parameters so that the board can evaluate and approve them.
It is important to keep bringing cybersecurity recommendations and conversations into the boardroom, and to keep them role-based, risk-focused and relevant to each board member; this makes cybersecurity management relatively easy because the top executives are involved in the process. In my experience, it is also important to remember that C-suite executives respond well to case studies. Whenever you are advising them on any matter, remember to contextualize the information you are presenting using relevant case studies and news stories. The guidelines above have also touched on the responsibilities of the board and management to give the company the foundation for a strong, security-centric organization.
by Edgar Vera, MS Cybersecurity