Cybersecurity is one of the most complex issues company leadership must address. Executives know they must act, but the question is: How? The following can help senior executives and company officers determine how prepared their firms are to defend against cyber threats. This list is not exhaustive, but it touches upon some of the more common issues Stroz Friedberg has identified when responding to data breaches:
- Does the organization have an incident response plan? Even if the answer is “yes,” don’t stop there. You need to know whether your plan is sound. Simply adopting a boilerplate found online won’t improve your security posture. Your organization needs to be able to execute the plan quickly and effectively in the event of an incident. The plan has to be tailored to the organization’s culture and processes. And don’t let it sit on a shelf collecting dust! It should be reviewed regularly to stay in line with changes in your environment. It should also be rehearsed so you can spot and remediate weaknesses and give key players an opportunity to learn through simulation. When an attacker strikes, seconds count. The longer an intruder is in the network, the greater the damage they can do. An updated and well-rehearsed response plan can make all the difference.
- Has a cybersecurity awareness program been established? The weakest link in your cyber defense system is often the people. Employees unknowingly open and respond to phishing emails from attackers. Employees choose easy-to-guess passwords. A cybersecurity awareness program involves training employees to recognize cyber risks, and to do the right thing when risks are identified. This is often accomplished through mock phishing campaigns, role-appropriate workshops, company-wide computer-based training, and inclusion of cybersecurity as a topic during new hire onboarding.
- What specific threats does the organization face? Know and understand your enemy! An energy company faces different threats than a casino. Different groups of attackers target retailers than those that target a bank. A threat intelligence initiative focused on gathering information about relevant threat actors and their motives, as well as industry-specific malware and malicious domains or IP addresses, can better prepare internal security teams to identify and respond to potential threats. It’s also essential in deciding where best to apply the company’s limited resources.
- Where is the company’s critical and sensitive information stored, and how is it secured? Organizations should expect to be attacked. As trite as it’s beginning to sound, it’s not if, but when. In this high-risk environment, it’s essential that organizations ensure their most valuable data is well protected. The first step is to identify this critical data—a task that should involve the business and IT. After all, IT may know how to protect personally identifiable information, but they may not know where trade secrets are stored. Management should establish a process, which can be regularly repeated, to identify, classify, and assign ownership of the company’s data repositories. Once critical data assets have been identified, management can then take steps to monitor and secure this data with the appropriate rigor.
- Is information security addressed in agreements with third-party vendors? Most organizations rely on third parties for services such as payroll, accounting, legal counsel, etc. Typically, these third parties have some level of remote access to company data and/or systems. Attackers recognize that third parties may not apply the same security controls as the company itself, and can be an easier way into a primary target’s network. Establishing minimum security requirements and controls for partners, and requiring them to demonstrate their compliance as a condition of your contracts with them, is one important way to reduce third-party risk.
Cybersecurity is an organization-wide imperative. Putting sole responsibility on IT and security professionals sets a company up for failure. Management must evangelize the importance of cybersecurity to all employees, and lead the charge to engage all parts of the company in securing the enterprise against cyber threats.