[BreachExchange] Cyber Resilience Remains Vital to Sustaining Brand Reputation

[Audrey McNeil]

http://infosecisland.com/blogview/24829-Cyber-Resilience-Remains-Vital-to-
Sustaining-Brand-Reputation-.html

Each year, we spend more money and time combatting the evil forces of cyber
space: state-sponsored operatives, organized crime rings, and super-hackers
armed with black-ops tech. The attack methods are mutating constantly,
growing more cancerous and damaging. Massive data breaches and their ripple
effects compel organizations of all sizes to grapple with risk and security
at a more fundamental level.

The harm done to brand reputation can be long lasting and hard to control.
Breached companies are liable for significant restitution to customers and
suppliers, face closer scrutiny and higher fines from regulators, and often
struggle with sudden drop in sales or loss of business.

The appearance of negligence, repeat attacks or unpredictable fallout from
a breach can significantly unravel public goodwill that took decades to
build. The trust dynamic that exists amongst suppliers, customers and
partners is a high profile target for cybercriminals and hacktivists. The
Sony breach is an example of the myriad ways a security breach can damage
even the most established, global brand.

Take it to the Board of Directors

Information risk must be elevated to a board-level issue and given the same
attention afforded to other risk management practices. Organizations face a
daunting array of challenges interconnected with cybersecurity: the
insatiable appetite for speed and agility, the growing dependence on
complex supply chains, and the rapid emergence of new technologies.

Cyber security chiefs must drive collaboration across the entire
enterprise, bringing business and marketing needs into alignment with IT
strategy. IT must transform the security conversation so it will resonate
with leading decision-makers while also supporting the organization’s
business objectives.

Cyber Resilience is Crucial

Every business, no matter the size, must assume they will eventually incur
severe impacts from unpredictable cyber threats. Planning for resilient
incident response in the aftermath of a breach is imperative.

Traditional risk management is insufficient.

It’s important to learn from the cautionary tales of past breaches, not
only to build better defenses, but also better responses. Business,
government, and personal security are now so interconnected, resilience is
important to withstanding direct attacks as well as the ripple effects that
pass through interdependent systems.

I strongly urge organizations to establish a crisis management plan that
includes the formation of a Cyber Resilience Team. This team, made up of
experienced security professionals, should be charged with thoroughly
investigating each incident and ensuring that all relevant players
communicate effectively. This is the only way a comprehensive and
collaborative recovery plan can be implemented in a timely fashion.

Today’s most cyber-resilient organizations are appointing a coordinator
(e.g., Director of Cyber Security or a Chief Digital Officer) to oversee
security operations and to apprise the board of its related
responsibilities.

The new legal aspects of doing business in cyberspace put more pressure on
the board and C-suite. For example, an enterprise that cannot prove
compliance with HIPAA regulations could incur significant damages even in
the absence of a breach, or face more severe penalties after a successful
attack.

Key Steps

We no longer hide behind impenetrable walls, but operate as part of an
interconnected whole. The strength to absorb the blows and forge ahead is
essential to competitive advantage and growth, in cyberspace and beyond.

Here is a quick recap of the next steps that businesses should implement to
better prepare themselves:

Re-assess the risks to your organization and its information from the
inside out. Operate on the assumption thatyour organization is a target and
will be breached.
Revise cyber security arrangements: implement a cyber-resilience team and
rehearse your recovery plan.
Focus on the basics: people and technology
Prepare for the future: to minimize risk and brand damage, be proactive
about security in every business initiative.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161012/19a325fa/attachment.html>