[BreachExchange] 5 Steps to Better Cyber Risk Management

Destry Winant destry at riskbasedsecurity.com
Thu Jan 17 00:58:02 EST 2019


https://www.commercialintegrator.com/security/5-steps-better-cyber-risk-management/

Does your company accept credit card payments? Does your human
resource department keep records of the employees’ personal data? What
about third-party vendors that handle payroll, or even the folks who
take the garbage out? Nearly everyone has a camera on their smart
phone these days.

So, before you can protect the data of your clients and design secure
audiovisual systems, you should look first at your own company’s cyber
risk management framework.

There is no single cyber risk management approach that will stop all
cyber crime; it varies per industry. But generally speaking, there are
five elements that are common in successful cyber risk management:

1. Start with a proper cybersecurity framework, which provides a
structure for ensuring your “CIA”

- Confidentiality of sensitive data – restricting access to who can
view the data
- Integrity of the systems – controlling who can write or change or delete data
- Availability – ensuring that systems are up and running when they are needed

There are a number of cybersecurity frameworks readily available; the
most relevant to audiovisual systems contractors are the ISO/IEC
Security Control Standards, the FCC Cyber Security Planning Guide, and
the NIST (National Institute of Standards and Technology)
Cybersecurity Framework, which has been widely adopted across many
industries.

2. Implement a balanced distribution of responsibility

Many users think that cybersecurity is the responsibility of the IT
department, but it is really everyone’s responsibility. Anyone with
email access can be susceptible to a “phishing” scam where they
inadvertently click a malicious link or attachment.

Executives must understand the risks and their responsibilities.

3. Take a ‘holistic approach’ to security

Consider not only technical factors, but human and physical factors.

It is important that companies equip their employees with the right
tools to recognize phishing email and malware, or even bad actors
within their organization. Develop a company culture of
cyber-awareness, and provide adequate training to all users.

Reward users for raising security concerns. Minimize physical access
to equipment using access controls.

4. Develop a thorough and ongoing risk assessment process

The first step is to identify and categorize your assets, including
digital assets and intellectual property (IP).

Next, identify the threats to your organization, which could be
external, like a hacker locking up your systems using ransomware, or
someone stealing credit card or personal information, or a
hacktivist who doesn’t agree with your company’s values.

Maybe a competitor wants to shut you down for a week and ruin your reputation?

But there could also be internal threats: users who might accidentally
delete files, or malicious employees who try to steal your trade
secrets. Assume you just hired the next Edward Snowden.

Consider a third party who can test and assess your systems and
vulnerabilities. Like humans, most companies cannot recognize their
own faults.

5. Last but not least: Develop an Incident Response Plan & Incident
Response Team

Everyone in the organization needs to know what to do when a threat
has been detected. We talked about Incident Response Plans in greater
detail last month, see this link to that article.

By developing and maintaining a cyber risk management approach for
technicians, you can minimize the cyber threats and resulting impacts
to your organization. You will also be prepared when your clients ask
you for a copy of your cybersecurity policy or risk mitigation plan
(and they will!).
