Plan Ahead & Get Your Organisation Cyber-Ready
Most of us will be familiar with the old adage “Failing to plan is planning to fail”. Nowhere is this more pertinent than when it comes to protecting a business from cyber-attacks.
Assuming that your organisation will be targeted sooner rather than later, and putting a plan in place to deal with that attack, not only minimises the risk of becoming a victim but also allows a swifter and more thorough response to be rolled out should the worst happen. Here, Jan van Vliet, VP and GM EMEA at Digital Guardian, explains the ins and outs of preparing for cyber-readiness.
Yet there are still some senior executives who think cybersecurity is aimed only at making an IT system impregnable to hacking attacks, and nothing more. The reality is that no system is completely safe, and cybersecurity should therefore also focus on managing risks and keeping them at an acceptable level.
The fact of the matter is if an organisation falls victim to a cyber attack, it’s often the CEO that ends up in the firing line. But it doesn’t have to be this way. In this blog, Tom Scholtz, research vice president and Gartner Fellow sums up an alternative outcome. His view is that: “While you can’t control if you get attacked, you can control your organisation’s readiness to respond and weather the storm.”
So, here are a number of questions a CEO should ask to make sure his or her company is cyber-ready:
What risk management framework are we using?
There are several risk management frameworks that can be used to benchmark and assess your risk profile and cybersecurity approach. For instance, you can use the NCSC’s guidance here. This is a set of best practices that helps organisations prevent, detect and respond to cyberattacks, and recover after one. Other guidelines can be sourced from organisations such as the Cloud Security Alliance or ISACA.
What are we currently doing to prevent cyberattacks?
What’s our security baseline? What protections, policies and processes are already in place? Answering this will identify what still needs to be done and which controls are missing. It is also worth considering a defence in depth strategy that uses multiple, overlapping layers of defence throughout the IT system, so that no single control is relied upon to stop an attack. Typical layers include an intrusion prevention system, a firewall and anti-virus software.
Is cybersecurity risk included in our enterprise risk management?
Every business should have enterprise risk management, and cybersecurity should be part of that process. Cybersecurity should be measured the same way that other business risks are measured. Managing cybersecurity risk should not be framed as a question of return on investment, but as a question of what stands to be lost if cybersecurity measures are not implemented properly. For example, Hilton was fined £525,000 for a data breach, but under the GDPR that fine could exceed £323 million, and that doesn’t account for reputational damage and other costs.
Have we trained our employees to have a cybersecurity mindset?
Most data breaches are caused by people. A breach could be malicious in origin, like a disgruntled employee stealing files, or it could be unintentional, like an employee who left his or her phone at the local bar. To mitigate this risk, known as the insider threat, organisations should spend time educating employees on the different cybersecurity risks, for instance how to recognise phishing e-mails and other criminal communications.
Do we have a strong incident response plan?
A solid incident response plan should cover as wide a range of attack scenarios as possible, not only the plausible ones. It should describe the typical cyberattacks and a range of possible responses to each situation. It should also include guidelines on areas such as when to notify the ICO (Information Commissioner’s Office), bearing in mind that the GDPR requires a reportable breach to be notified without undue delay and, where feasible, within 72 hours of becoming aware of it; how to inform employees, customers and partners about a breach; how to limit damage; and so on. And because new threats can show up at any time, the plan should be continually tested and updated.
How protected are we from new cyberthreats?
It’s vital to understand how well your organisation can protect itself against new vulnerabilities and exploits as they appear. This includes implementing a threat monitoring programme that tracks new cybersecurity threats as they emerge, so that patches and other mitigations can be prioritised accordingly.
Ultimately, in today’s digital landscape, suffering a cyberattack is almost an inevitability. However, the data loss and reputational damage that often accompany these attacks are frequently avoidable. By preparing for a cyberattack, and having the right protections and processes in place, the CEO can ensure that his – or her – organisation responds quickly to a breach, mitigates potential damages – and hopefully keeps his job!