[BreachExchange] 7 Considerations for a Strong Cybersecurity Strategy

Destry Winant destry at riskbasedsecurity.com
Mon Mar 9 10:19:31 EDT 2020


https://www.corporatecomplianceinsights.com/7-considerations-cybersecurity-strategy/

A cybersecurity risk management program (CRMP), or formal
cybersecurity strategy document, is key in an organization’s ability
to weather a cybersecurity incident. Kral Ussery’s Ron Kral discusses
what to take into account when drafting one.

No topic has likely garnered more attention in boardrooms over the
last couple of years than cybersecurity. And rightfully so when the
full extent of direct and indirect costs of a data breach are
considered. Direct costs include legal fees, forensic experts, public
relations, remediation efforts, potential fines and regulatory
compliance expenses. However, it is the indirect costs of operational
disruption, increased insurance premiums, brand reputational damage,
loss of future revenue streams, etc. that can lead to business ruin.

There is no shortage of specific cost estimates and articles on this
important topic, and one research study pegs the total average cost of
a data breach at $3.92 million.[1] Considering what is at stake, is
your organization truly prepared to address cyber risks? This article
offers some practical considerations to enhance cybersecurity.

The risk of a cyber incident, defined as a cybersecurity event that
puts sensitive data at risk and requires action to protect associated
assets, applies to all industries and companies of all sizes. No
company is too big or too small, and smaller organizations tend to
have higher costs relative to their size, thus hampering their ability
to financially recover from the incident.[2] However, it tends to be
the larger ones that dominate press coverage, and the lessons learned
can be insightful. For example, the table below highlights five
notorious cyber incidents and their respective causes.

Organization & Year of Breach / Impact / Cause

Equifax (2017)
  Impact: 145-150 million people
  Cause: Failure to patch one of its internet servers against a
  pervasive software flaw.

Verizon (2017)
  Impact: 6 million customers
  Cause: Contractor failed to secure a large batch of customer
  information.

Boeing (2017)
  Impact: 36,000 employees
  Cause: Employee data left control of the company when a worker
  emailed a spreadsheet to a significant other.

Target (2013)
  Impact: 70 million customers
  Cause: Hackers gained access to Target's POS systems using login
  credentials belonging to an HVAC company.

Yahoo (2013)
  Impact: 3 billion users
  Cause: The hack came from a single user in Yahoo's corporate office.
  An employee was sent a spear-phishing email with a link that, as soon
  as they clicked on it, downloaded malware on the network.

Examining the causes for these five high-profile breaches draws
attention to the risks associated with:

- not understanding vulnerabilities, nor taking timely action to
  address them;
- lack of vendor oversight; and
- lack of employee education.

There is no shortage of security and IT control frameworks to help
formulate a cybersecurity strategy. One of the more prominent
cybersecurity frameworks is the NIST Cybersecurity Framework (CSF)
published by the U.S. government. The NIST CSF consists of five
concurrent and continuous functions:

- Identify cybersecurity risk to systems, assets, data and
  capabilities.
- Protect the organization from identified risks through controls to
  limit or contain the impact of a potential cybersecurity event.
- Detect potential cybersecurity events in a timely manner.[3]
- Respond to cybersecurity events, including having a response plan
  and performing activities to eradicate the incident and incorporate
  lessons learned into new strategies.
- Recover from cybersecurity events through actions to restore
  impaired capabilities or services.

At a minimum, all organizations should have these five functions
addressed in a formal cybersecurity strategy document, sometimes
referred to as a cybersecurity risk management program (CRMP). Many
frameworks are daunting in terms of their terminology and
complexities; it is easy to get lost in the details. Here are some
considerations for developing and deploying a cybersecurity strategy:

- Utilize common language that is accessible and can be understood by
  all employees and relevant vendors.
- Don't fall into the mindset that outsourcing to the cloud (i.e.,
  electronic outsourcing) relieves management and the board of their
  accountability and oversight. While you can outsource the controls
  and process elements, the objectives, risks and ultimate control
  oversight reside with the procuring organization.
- Formalize cybersecurity objectives, risk considerations and
  associated processes in writing through a CRMP. The AICPA's
  Description Criteria for Management's Description of an Entity's
  Cybersecurity Risk Management Program is a great place to start.
- Leverage control criteria to evaluate the suitability of design and
  operating effectiveness of controls pertaining to a CRMP. The AICPA's
  Trust Services Criteria for Security, Availability, Processing
  Integrity, Confidentiality and Privacy puts forward robust control
  criteria that build on COSO's 2013 Internal Control – Integrated
  Framework. The COSO Internal Control – Integrated Framework is widely
  used by U.S. public companies and other organizations, which reduces
  the learning curve for these control criteria.
- Keep a sharp focus on the process and people (i.e., control owners),
  as these elements can matter more than the technology. A strong IT
  infrastructure will not be successful without healthy control
  processes and competent people.
- Understand that the CRMP must be a living document that is
  continuously updated to address evolving risks. Cyber criminals are
  always trying to stay a step ahead of legitimate businesses, thus
  posing new risks.
- Assign a clear governance role at the board level to provide
  oversight of management's CRMP.

Remember that cyber readiness, including implementing a robust CRMP,
does not happen overnight. It will take time and resources to build
and maintain, but an important objective is to strive for continuous
improvement to address changing risk landscapes.

Do not procrastinate when it comes to cybersecurity, as the risks are
real. While a goal of developing a CRMP leveraging security and IT
control framework(s) should be of interest for all organizations,
initial steps can be difficult. It begins with education and acquiring
the expertise to assess the current state of cybersecurity objectives,
risks and controls. An independent perspective can be an efficient and
effective route for evaluating the current landscape. In addition,
establishing roles and accountabilities at both the board and
management levels is an important early step. Finally, for
organizations with cloud computing, vendor management control also
needs to be an early focus.

In conclusion, we must remember that hope is not a strategy.
Cyberattacks and data breaches are rapidly growing with greater
sophistication. It is likely only a matter of time before your
organization is thrust into a serious cyber incident. If you have
already been subject to one, be prepared for another. Don’t be caught
off guard, as an entity-wide CRMP is essential in protecting
shareholder value. A strong cybersecurity posture allows organizations
to be more creative and proactive in the never-ending search for ways
to strengthen revenue streams and profitability.
