Three Steps to Reduce Your Security Risk

Melissa Stevens | May 29, 2014 | tag: Security Risk Management

It may sound trite, but it's true: for organizations today, being breached is no longer a question of if, but when. In our recent analysis of security performance in the S&P 500, BitSight saw over 80% of the nation's largest organizations exhibiting signs of compromise at points in 2013. This raises many questions about the cyber health of smaller organizations, which likely have far less invested in security infrastructure and personnel: if the big guys are struggling, what hope do the rest of us have?

However, despite the gloom and doom associated with this measure, there are three steps that any company can take to help thwart cyber attacks and measurably reduce its security risk.

Make security an executive level issue. 

As shown by the performance of the financial services industry in our most recent BitSight Insights report, when security risk becomes a board-level concern, performance improves. Unfortunately, recent studies have shown that many organizations are still not bringing security risk to the board level for review.

A report from the Carnegie Mellon Cylab found “... boards are not actively addressing cyber risk management…There is still a gap in understanding the linkage between IT risks and enterprise risk management. Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, cyber security assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.”

Organizations need to make security a top priority and seek ways of communicating both their security performance and their security needs to the board. Failing to do so contributes to the dangerous "optimism bias" we have described, and leaves companies unprepared to adequately defend themselves against a breach or to respond when a breach occurs.

Perform a security risk assessment across your entire business ecosystem.

In order to truly manage security risk, organizations need to do a thorough assessment to understand where their risk comes from. This assessment should consider more than just internal networks, though. Any third party who is part of your "information supply chain" (think partners, suppliers, and vendors) should be included in the analysis. For some industries, this need can even extend to customers using your services (consider retailers and payment card processors), or even to organizations you've invested in or insured.

As we saw in the Target data breach, failure to understand the interconnectedness of your systems and your third parties can have devastating effects. Who would have ever imagined it would be the HVAC vendor that was the key to one of the largest breach incidents in recent history?

Be vigilant about continuously monitoring your network and connected systems.

In business, continuous monitoring is a cornerstone of decision making: loan officers need up-to-date data on credit history, and investment bankers need instant access to stock prices and trends. This should also be true for IT security risk. By building ecosystem network monitoring into a risk management program, security teams can remediate network threats more efficiently and gain insight into the security postures of third parties that may have access to your valuable data.

Federal organizations already have such monitoring systems in place, with the Secret Service and the FBI alerting businesses to data loss events. Unfortunately, these warnings are often too late for the breached entity to prevent a costly and embarrassing incident. By implementing a continuous measurement of security posture in both internal and connected networks, organizations can expand visibility into the full scope of threats and mitigate potential losses. After all, it is better to take preventative measures before the government is knocking on your door to inform you of a breach!
