As many of today's enterprises are struggling to get their arms around cybersecurity, our world has seen an explosion in the number of solutions, providers and recommended steps to take to secure a company’s environment and protect it against cyber incidents. With so many options and no standardized solution, it is difficult to know where to begin. However, one place to start is to establish the core elements for a solid cybersecurity risk mitigation plan – including proven elements that have been used by private and public sector players alike for some time. Let’s review a four-stage roadmap that will help companies prepare for a strong cybersecurity foundation.
The first step is to take a thorough inventory. What data assets do you have and how are they accessible or vulnerable (both from external attacks and from insider threats)? What information does your company have that would attract hackers or outsiders? Personally identifiable information? Financial data? Customer or client information? Transaction-related data? Which of your assets would your company consider “crown jewels” versus less concerning or important data assets? Which assets might outsiders find attractive, regardless of whether they may be important to you? How much of the data is segmented or separated (physically and virtually), and could a single attack or penetration still result in a complete loss of critical information? This information will be critical to helping your organization determine what is most important (and warrants the highest level of protection) and in determining where and how to focus your efforts as you move into the evaluation of existing protections (and identifying necessary augmentations your organization may need).
Evaluate Existing Protections
Next, establish what tools, processes and resources your organization already has in place to protect cyber and data assets, e.g., “CISO in a box” or other third-party provided solutions. Catalogue your resources’ skills and determine if more training is needed to address the current threat landscape. And check the retention steps you are taking to make sure you are keeping your staff happy and engaged – the labor market for tech, and cyber in particular, is red-hot and people are leaving their current employers in droves for 2, 3, 4 or more job offers at a time. Also, determine what you have on paper relative to individual, team and corporate requirements for compliance with cyber standards, and refresh these if they are more than 12-18 months old or if your business needs or requirements have changed.
Take the time to evaluate the internal and third-party provided services and tools in use, including how the tools align with the cyber landscape and how third-party providers have differentiated themselves in demonstrating consistent value and thought leadership to your organization. From a process perspective, confirm that your data is backed up comprehensively and regularly (doing so can help defray the potential impact of a cyber-attack). Additionally, determine what relationships are already in place with law enforcement resources, as understanding who to call and how they will respond before a breach happens is important.
Create (and Test) Your Cyber Forecast
Third, create a forecasted view of the future, utilizing sources of cyber threat intelligence combined with expertise to parse that intelligence and identify the “so what” relative to your company’s operations. There are multiple threat intelligence sources, coming from a variety of providers – some paid, some free, some from private sector sources, and some more public or broadly available. Obtaining threat intelligence is one step, but being able to analyze and understand what is actually important and meaningful for any organization (and should in turn inform that organization’s efforts) can be challenging, so having a formalized methodology for both is critical.
Companies should develop and manage test runs for cyber breaches to provide practice opportunities to determine what happens – and how parties should act – if and when a cyber breach occurs. Such test runs can include performing red team exercises at least annually, including all key company players, from the CEO down. Such red team or “tabletop” exercises are often where the real story is told. You wouldn’t want to learn that you have no way to contact key resources in your organization because all contact lists are “on the network” at a time when your network is effectively shut down due to a hack or cyber-attack. The tabletop exercise breathes life into the concepts and concerns and makes them real for the C-suite (and can help underscore shortcomings you may have been speaking about for some time).
Consider Risk Transfer Options
Lastly, consider developing financial risk transfer options, such as securing a cyber insurance policy, which can provide cost relief and support following a real-world attack or breach. A number of industry sources indicate that the average cost for a cyber breach exceeds $1M, and it is highly unlikely that most companies will have a line item of any material amount in their budget to cover such costs. Cyber insurance programs can provide a cost-effective means to deliver a safety net in the event a breach does happen. While in years prior many cyber insurance policies contained a significant number of carve-outs, exclusions and general loopholes that were favorable to the underwriter (but not the insured), such programs have come a long way toward providing more meaningful risk transfer options.
That said, being wary of what is covered and what isn’t is still important to ensure cyber coverage does actually provide a realistic and reasonable risk transfer option. If you have a good handle on your data assets, your processes and tools, etc., the premium for a cyber insurance policy should be reasonable. Make sure to utilize knowledgeable resources when evaluating coverage offerings to confirm that the insurance will provide coverage for both the most obvious and the more esoteric costs and damages associated with a cyber-attack.
Following these steps doesn’t guarantee that a cyber-attack won’t happen – the general wisdom is that it is not a question of “if” a company will be attacked but rather “when.” Given that an attack of some kind is more than likely to occur at some point, focusing on both prevention and recovery can help make sure that a company minimizes the opportunities for an attack and is prepared to recover from an attack as quickly (and painlessly) as possible.