Can you differentiate between your actual and perceived security? These metrics can give you a hand.
According to Merriam-Webster, proactivity is defined as “controlling a situation by making things happen or by preparing for possible future problems.
Its antonym, reactivity, is defined as “reacting to problems when they occur instead of doing something to prevent them.”
Now, if you were asked whether your organization is “making things happen” and “preparing for possible future problems” with cyber risk management, would you be able to say yes? Many organizations would not be able to, if they were answering truthfully.
In light of these facts, we’ve outlined four cyber risk management best practices. The best part is that they aren’t at all complicated, and you can get started with them right away! (Bear in mind that if you are attempting to come up with your own construct, you’re going to confuse yourself and the upper management team examining your strategy.)
So, take a look at these important steps and make them an integral part of your strategy—it’ll get everyone on your team on the same wavelength.
1. Prioritize your “riskiest” assets.
By definition, material risk does not include a run-of-the-mill cyber incident where a few records are compromised. This is unfortunate, but it wouldn’t impact the core of your organization or market. The data you care most about is your material (or critical) data; so, you can think of your material data as the “crown jewels” of your organization. Depending on your line of business, this could be a number of different things—sensitive customer information, customer data, intellectual property, or trade secrets. It could even be the reliable operations of your IT systems or manufacturing capabilities.
So if you agree that your material data is the most important thing to protect in your organization, you need to decide how you’re going to fend off anyone who tries to compromise it. If you start from this point and work backward, you can put together a solid cyber risk management program. When you work this way, everyone in upper management will be able to identify that funding a program that protects this vital data is the most important proactive step that can be taken.
2. Develop a comprehensive strategy for approaching these risks.
You’ve decided that guarding your material data is the most important step for proactive cyber risk management. So your next step must be to develop a strategy to approach these risks correctly.
It is commonly said that cybersecurity is about people, processes, and technology. Below, we’ve outlined how you should develop your strategy keeping each of these tenets in mind:
Ensuring that people in your organization are aligned with your cybersecurity strategy—and are responsible for implementing their piece of the strategy—is critical. Everyone needs to understand that cybersecurity is a company-wide issue, and everyone shares in the responsibility of making the organization more secure.
Part of this includes training employees on good computer and internet security practices and ensuring that they follow through with what they’ve learned. Every individual within an organization should understand how to manage their electronic equipment and what to do in particular web-based scenarios. For example, companies today often send spear phishing emails out to their employees for training purposes, just to see who clicks on the links or attachments. Clicking on attachments from bad actors is one of the primary ways that malware ends up on a company’s network, so it’s critical to make sure employees are following protocol on this issue.
On the process side of things, it’s absolutely critical for every organization to implement an acceptable use policy. It may include the following:
- Traveling: Can you use hotel Wi-Fi, or should you be tethered to a personal wireless device for internet usage?
- Critical data: Are their tiers of data importance? How should an employee categorize data and treat it differently based on its categorization?
- Security incidents: How is a breach or incident escalated? Perhaps an incident should be escalated from the IT staff, to the business unit, to the CEO, and possibly up to the board, depending on its severity.
Deploying the right technology to aid in your cyber risk management is crucial.
You may want to put certain technologies in place to monitor (and possibly reduce) access. The problem lies in that there are many companies that are creating cybersecurity technology. If you’re in the IT department, you’re probably receiving loads of sales materials, and determining which software can actually help you can be confusing. So, before you decide, you need to find software that is in line with your strategy.
For example, let’s say you decide to buy a data loss prevention system to keep your sensitive data from leaving your network. So, if this data consists of social security numbers (SSNs), you’d want to make sure that the system is configured to recognize SSNs, flag them, and prevent them from leaving the network. The problem is, some organizations will implement a piece of software and won’t tailor it to their environment. So while it may flag some preconfigured pieces of data—like credit card numbers—from leaving the network, it won’t actually protect the thing that is most important to your organization.
Some organizations, however, will find that they don’t need to implement new technology—they just need to better utilize what they already have in place.
For instance, maybe you already have a firewall in place, but you haven’t necessarily configured it to block all traffic originating in an area notorious for hacking (like eastern Europe). If your organization doesn’t have an international market—and knows that anyone from eastern Europe that is trying to communicate with the network is likely ill-intentioned—it is a smart and simple firewall configuration.
The moral here is to ensure that your organization is selecting software carefully—whether it’s software to bolster your firewalls, help with data loss prevention, or continuously monitor your vendors—to ensure that the solutions you purchase are flexible enough to answer your concerns.
3. Exercise a security incident.
You’ve now agreed that protecting your critical data is priority number one and that finding flexible, strategy-focused software will allow you to keep that data safe. But you should assume a “not if, but when” mentality. You simply have to acknowledge that security incidents will happen, even if you aren’t certain when they’ll happen.
There are plenty of steps that can be taken to prepare for a data breach. Some of the most important steps—and something you can do right away to mitigate cyber risk—is to run a security incident exercise. This will help you show the management team that the organization is prepared for a cyberattack, be it large or small. It’s important that everyone knows how to respond, and that plans are in place for notifying customers, investors, law enforcement, and forensics firms. When you walk through possible scenarios, you (and your upper management) will feel ready for what comes your way.
4. Communicate the effectiveness of your program to the board.
A final and critical step to addressing cyber risk in your organization is ensuring that your board of directors is brought up to speed on the effectiveness of your cybersecurity program. The board is more involved in cybersecurity today than ever before, and they need to know how the current program is working.
CISOs and security professionals should focus on presenting insightful metrics and speaking in a language the board members can understand and appreciate so they can make the right decisions for the organization.
Are you being proactive with your cyber risk management?
In summary, here are the questions you should be asking:
- Have we accurately assessed our material cyber risk so we’re protecting the right data and assets in our organization?
- Are we confident that our people, processes, and technology are all designed to stop the bad things we think could happen to our organization?
- Have we run through a security incident exercise that shows what our response would look like if we happened to experience a cyberincident?
- Is our board aware of what is and isn’t working in our cyber risk management program?
You should align your cyber risk management program with commonly accepted best practices. This is vital because if your organization is targeted—which you have to assume that, at some point, it will be—and your data is compromised, you want to be assured that you’ve taken the appropriate steps. If you do this, you’ll feel far more confident in your legal and fiduciary duties.