Improve your cybersecurity risk management
Broad attacks using everyday devices in recent weeks highlight the evolution of hacking and the need for increased cybersecurity. In the past, companies focused on keeping the bad guys out of their corporate networks.
Today, the focus has shifted to detecting cyber breaches when they occur and minimizing the associated damage through isolating intruders, blocking access to IT resources, and safeguarding corporate assets. This assumes, of course, that your company has an effective program in place to minimize and manage its cybersecurity risks.
In this blog post, we’ll cover some of the current trends and developments in cybersecurity, evaluate practical steps companies can take to establish and enhance their cybersecurity programs, and discuss how to effectively communicate the importance of a cybersecurity framework across the enterprise.
Breaches trending up
Once infrequent, large-scale corporate cybersecurity breaches have become a commonplace occurrence. An October 2016 attack on DNS provider Dyn used hijacked Internet of Things devices, including DVRs and babycams to effectively choke access to large chunks of the internet. In September 2016, Yahoo confirmed that hackers had stolen more than 500 million email addresses and passwords.
In 2014, a group called Guardians of Peace, believed to be based in North Korea, stole an estimated 100 terabytes of information from Sony Pictures Entertainment, including personal information about employees, emails, information about executive salaries, scripts, and copies of then-unreleased Sony films.
A few months later, health care provider Anthem, Inc. disclosed that hackers had broken into its servers via another phishing attack and had stolen over 37.5 million records that contain personally identifiable information from its servers. They later raised the number to 78.8 million people whose personal information was affected. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, email addresses, and employment information, and could be sold on the black market for up to $30/record.
In 2013, hackers stole as many as 40 million customer debit and credit card records from Target, along with the names and contact information of additional 70 million customers. The estimated street value of the stolen information was estimated to be as high as $500 million. The subsequent investigation revealed that hackers stole credentials from a small Target supplier using a phishing attack and was subsequently able to enter Target’s network through its partner’s portal.
Each year, attacks are larger and more invasive, and companies struggle against the increasing precision of attacks. As they seek to evolve cybersecurity efforts, there are many factors to consider.
What’s fueling these attacks?
Simply put, connectivity is creating a larger attack surface. There are simply more “things” to attack—more users, more smartphone connections, more IP-connected devices, more data, and more network traffic. In fact, the number of new devices and device types is growing exponentially.
With the Internet of Things now gathering momentum, analysts have estimated that less than 1 percent of the things that could be connected are connected. In addition, the move to cloud computing and storage creates new targets with their own cloud data security risks.
Couple these growing number of targets with the lack of robust privacy regulations globally, and it's a recipe for disaster. Companies are failing at stopping phishing, ransom-ware demands, and getting their employees to pay more attention to cybersecurity best practices. In fact, it’s generally recognized that people are the weakest link in the chain.
What should you do about it?
When it comes to managing cybersecurity risks, experts says there are three things you must do to protect your company:
- Establish a cybersecurity program
- Collaborate and communicate
- Implement proper governance
Though cybersecurity programs may differ among companies, most programs have common elements.
Assess risks: You have to identify and understand the risks that your company faces if you are to protect it. Enterprise risk management is an approach that can help you do this.
Classify data: Identify and understand the types of information and intellectual property that you are trying to protect.
Implement security controls: Who has access, to what, when.
Verification of security control performance: This is a familiar concept to financial professionals—are the cybersecurity controls you’ve put in place working?
Breach preparedness and testing: Plan for the worst, and test to make sure your plans are workable.
Risk acceptance and transfer: Insurance can be used to offset your company’s cyberrisk.
Communication and collaboration among the various stakeholders in the company are a critical element of creating an effective cybersecurity program. Remember, people are generally the weakest link in the cybersecurity risk chain.
Finally, consider how much involvement and oversight of the program by your company’s board of directors is necessary to execute a successful program. Activities may include:
- Evaluate and update board composition
- Redefine board committees
- Establish proper governance and board oversight
- Periodically review management’s cyberrisk assessment
- Understand cybersecurity best practices and governance structure and how it fits into your overall risk management process
- Insist on having a cybersecurity scorecard
- Understand the company's cyber-incident response process
Taking these steps can minimize your company’s exposure when a cybersecurity breach occurs.
About the Author
Jason Wille is Vice President of Information Technology at Workiva. He brings more than 20 years of technical and leadership experience to the role. In his role, he is in charge of information security, IT audit and compliance, IT operations, and all business support systems for Workiva.