Security Risk Management

Three Steps to Reduce Your Security Risk

Melissa Stevens | May 29, 2014

It may sound trite, but it's true: for organizations today, being breached is no longer a question of if, but when. In our recent analysis of security performance in the S&P 500, BitSight saw over 80% of the nation's largest organizations exhibiting signs of compromise at some point in 2013. This raises serious questions about the cyber health of smaller organizations, which likely have far less invested in security infrastructure and personnel. If the big guys are struggling, what hope do the rest of us have?

However, despite the gloom and doom associated with this finding, there are three steps that any company can take to help thwart cyber attacks and measurably reduce its security risk.

Make security an executive level issue. 

As shown by the performance of the financial services industry in our most recent BitSight Insights report, when security risk becomes a board-level concern, performance improves. Unfortunately, recent studies have shown that many organizations are still not bringing security risk to the board for review.

A report from the Carnegie Mellon CyLab found: "... boards are not actively addressing cyber risk management… There is still a gap in understanding the linkage between IT risks and enterprise risk management. Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks."

Organizations need to make security a top priority and find ways to communicate both their security performance and their resource needs to the board. Failing to do so feeds the dangerous "optimism bias" we have described, and leaves companies unprepared to adequately defend themselves against a breach or to respond when a breach occurs.

Perform a security risk assessment across your entire business ecosystem.

In order to truly manage security risk, organizations need to do a thorough assessment to understand where their risk comes from. This assessment should consider more than just internal networks, though. Any third party that is part of your "information supply chain" (think partners, suppliers, and vendors) should be included in the analysis. For some industries, this need can even extend to customers using your services (consider retailers and payment card processors), or to organizations you've invested in or insured.

As we saw in the Target data breach, failure to understand the interconnectedness of your systems and your third parties can have devastating effects. Who would have ever imagined that an HVAC vendor's access would be the key to one of the largest breach incidents in recent history?

Be vigilant about continuously monitoring your network and connected systems.

In business, continuous monitoring is a cornerstone of decision making: loan officers need up-to-date data on credit history, and investment bankers need instant access to stock prices and trends. The same should be true for IT security risk. By building monitoring of the wider ecosystem's networks into a risk management program, security teams can remediate network threats more efficiently and gain insight into the security postures of third parties that may have access to your valuable data.

Federal agencies already run such monitoring, with the Secret Service and the FBI alerting businesses to data loss events. Unfortunately, these warnings often come too late for the breached entity to prevent a costly and embarrassing incident. By continuously measuring security posture in both internal and connected networks, organizations can expand visibility into the full scope of threats and mitigate potential losses. After all, it is better to take preventive measures before the government is knocking on your door to inform you of a breach!
