[BreachExchange] Why Cyber-Security Is Central to Your Reputation
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Dec 14 19:04:15 EST 2017
https://www.cioinsight.com/it-management/expert-voices/why-cyber-security-is-central-to-your-reputation.html
Every year, we spend more money and time combating the dark forces of
cyberspace: state-sponsored operatives, organized crime rings and
super-hackers armed with black-ops tech. The attack methods mutate
constantly, growing more cancerous and damaging. Massive data breaches and
their ripple effects compel organizations of every kind to grapple with
risk and security at a more fundamental level.
Recently discovered attacks on government agencies around the world,
including a reported breach of the NSA’s own spy-and-hacker unit, have
security experts despairing—will we ever catch up to the bad guys? Even
more routine intrusions are rarely detected quickly. On average, it takes
companies almost 150 days to detect a breach, long enough for significant
damage to be done—millions of records collected and sold to the highest
bidder, government and trade secrets exposed, passwords stockpiled to be
leveraged in future attacks.
The harm done to brand reputation can be long lasting and hard to control.
Breached companies are liable for significant restitution to customers and
suppliers, face closer scrutiny and higher fines from regulators, and often
struggle with a sudden drop in sales or loss of business. The appearance of
negligence, repeat attacks or unpredictable fallout from a breach can
significantly unravel public goodwill that took decades to build. The trust
dynamic that exists amongst suppliers, customers and partners is a
high-profile target for cyber-criminals and hacktivists. The Sony breach is
a fascinating example of the myriad ways a breach can turn nasty for even
the most established brand. The 2016 election season has been similarly
tainted by hacktivists and leaked emails.
Take It to the Board
Information risk must be elevated to a board-level issue and given the same
attention afforded to other risk management practices. Organizations face a
daunting array of challenges interconnected with cyber-security: the
insatiable appetite for speed and agility, the growing dependence on
complex supply chains, and the rapid emergence of new technologies.
Cyber-security chiefs must drive collaboration across the entire
enterprise, bringing business and marketing needs into alignment with IT
strategy. IT must transform the security conversation so it will resonate
with leading decision-makers while also supporting the organization’s
business objectives.
Cyber-Resilience Is Crucial
Every organization must assume they will eventually incur severe impacts
from unpredictable cyber-threats. Planning for resilient incident response
in the aftermath of a breach is imperative. Traditional risk management is
insufficient. It’s important to learn from the cautionary tales of past
breaches, not only to build better defenses, but also better responses.
Business, government and personal security are now so interconnected,
resilience is important to withstanding direct attacks as well as the
ripple effects that pass through interdependent systems (e.g., supply
chains, social and healthcare services, and customer cohorts).
I strongly urge organizations to establish a crisis management plan that
includes the formation of a Cyber Resilience Team. This team, made up of
experienced security professionals (employees, investors, customers and
others), should be charged with thoroughly investigating each incident and
ensuring that all relevant players communicate effectively. This is the
only way a comprehensive and collaborative recovery plan can be implemented
in a timely fashion.
Today’s most cyber-resilient organizations are appointing a coordinator
(e.g., Director of Cyber Security or a Chief Digital Officer) to oversee
security operations and to apprise the board of its related
responsibilities. The new legal aspects of doing business in cyberspace put
more pressure on the board and C-suite. For example, an enterprise that
cannot prove compliance with HIPAA regulations could incur significant
damages even in the absence of a breach, or face more severe penalties
after a successful attack.
Cyber Insurance for Privacy and Compliance Protection
Data breach liabilities are spreading swiftly. As a result, more
organizations are purchasing cyber insurance, which has become a viable
option for a wide range of organizations and industry sectors.
Growing concerns about privacy and regulatory exposure are key motivators
for acquiring cyber insurance. Healthcare and financial institutions
commonly acquire cyber insurance due to the enormous volumes of highly
sensitive customer data they handle. Recently, I have seen players in a
number of new industries, such as manufacturing and supply chain,
purchasing cyber insurance due to regulatory concerns.
It’s important to remember that insurance is no replacement for sound
cyber-security and cyber resilience practices. In fact, robust practices
that are compliant with industry standards can often reduce insurance
premiums. Examine the fine print—many policies do not cover state-sponsored
attacks and may not provide you with the full financial cover you seek.
Each class action lawsuit over data breach damages prompts changes in case
law precedents and insurance policies.
Supply Chain Security
The supply chain continues to stand out as an arena where information
security is lacking. Supply chains are the backbone of today’s global
economy, and businesses are justifiably alarmed about managing major supply
chain disruptions. A World Economic Forum report, “Building Resilience in
Supply Chains,” indicates that significant supply chain disruptions reduce
the share price of affected companies by as much as seven percent on
average.
Businesses must focus on the weakest spots in their supply chains now. Not
every security compromise can be prevented beforehand, but being proactive
now means that you—and your suppliers—will be better able to react quickly
and intelligently when something does happen. This readiness may determine
competitiveness, financial health, share price, or even business survival
in the aftermath of a breach.
Key Steps
We no longer hide behind impenetrable walls, but operate as part of an
interconnected whole. The strength to absorb the blows and forge ahead is
essential to competitive advantage and growth, in cyberspace and beyond.
Here is a quick recap of the next steps that businesses should implement to
better prepare themselves:
* Re-assess the risks to your organization and its information from the
inside out. Operate on the assumption that your organization is a target
and will be breached.
* Revise cyber security arrangements: implement a cyber-resilience team and
rehearse your recovery plan.
* Focus on the basics: people and technology.
* Prepare for the future: to minimize risk and brand damage, be proactive
about security in every business initiative.
ISF Resources
The ISF offers organizations of all sizes an “out of the box” approach to
help assess cyber risk versus reward through strategic, compliance-driven,
and process-related approaches.
The ISF’s Standard of Good Practice for Information Security (the Standard)
is a comprehensive and current source of information security controls,
used by many organizations as their primary reference for information
security. The Standard is updated annually to reflect the latest findings
from the ISF’s Research Program, input from global member organizations,
trends from the ISF Benchmark, and major external developments including
new legislation.