Cyber-attacks continue to grow more advanced and sophisticated. In today’s cyber age, a company’s reputation – and the trust that exists amongst its suppliers, customers and partners – has become a target in its own right for cybercriminals and hacktivists.
The commercial, reputational and financial risks that come with cyberspace are real and growing. Organizations need to extend their risk management focus beyond information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels. They must also recognize the unintended business consequences of activity in cyberspace.
Preparation for Increasing Legislation and Regulation
As pressure from regulatory compliance increases, Chief Information Security Officers (CISOs) must take an increasingly integrated and holistic approach to information risk management. By implementing strong information security measures, the CISO is more likely to stay ahead of increasing regulatory mandates.
There is no way around data privacy laws and regulations: businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are alike in their privacy legislation, their regulations or their requirements for fraud and breach prevention. Traditional information protection methods may be difficult to apply, or useless, when data is stored or processed in the cloud. Unless you monitor the rules continuously, and put mechanisms in place to do so, you risk compromising not only your data but also your corporate responsibility.
Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, businesses need to treat privacy as both a compliance issue and a business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and the consequent loss of customers following a privacy breach.
Managing Information Risk
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, which no longer provides the required protection. Cyber resilience requires the recognition that organizations must prepare now to deal with severe impacts from cyber threats that cannot be predicted. Organizations must extend risk management to include risk resilience, in order to manage, respond to and alleviate any negative impacts of activity in cyberspace.
Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents but also to their consequences. This means assembling multidisciplinary teams from business units and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. Such a team should be able to respond quickly to an incident by communicating with all parts of the organization, with individuals whose data might have been compromised, and with shareholders, regulators and any other stakeholders who might be affected.
Protecting Your Sensitive Information
Business leaders recognize the enormous benefits of cyberspace: the Internet, and today’s growing use of connected devices, greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, many have trouble weighing the risks against the rewards.
One thing organizations must do is ensure they have standard security measures in place. One example of such guidance is the Information Security Forum (ISF) Standard of Good Practice (The Standard). The Standard is used by many global organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating threats from cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and its members maintain their position at the leading edge of good practice in information security.
Focus on Cyber Resilience
Organizations operate in an increasingly cyber-enabled world, and traditional risk management is not agile enough to deal with the risks that arise from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses threat vectors against what the business is prepared to accept and against the organization’s risk profile.
To make your organization better able to navigate the security minefield, here are a few steps that businesses should take to prepare themselves:
- Re-assess the Risks to Your Organization and its Information from the Inside Out
- Change your Thinking About Threats
- Adopt a risk vs. reward mindset
- Embed security in business unit plans
- Define an approach for managing data accessed on mobile devices and in the cloud
- Revise Cyber Security Arrangements
- Focus on the Basics
- People and technology
- Be ready to provide proactive support to business initiatives in order to
- Think resilience not security
- Help your organization understand how to respond to regulators and data subjects
- Prepare for the Future
Businesses have varying degrees of control over today’s ever-evolving security threats. With the speed and sophistication of the threat landscape changing daily, far too often businesses are left behind, suffering both financial and reputational damage. Organizations of all sizes need to take stock now to make certain they are fully prepared and engaged to deal with these ever-emerging information security challenges.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.