There are many questions a CEO must answer, one of the biggest being, “How prepared are you to fend off a cyber attack?” According to the 2015 Global Cybersecurity Status Report from ISACA, only 38 percent of global organizations feel they are prepared for a sophisticated cyber attack. Companies need to be more proactive in their cybersecurity defenses, preparing for possible future issues.
In this slideshow, BitSight Technologies offers five critical steps every company should take to be proactive in their approach to cybersecurity.
Five Critical Steps for Cybersecurity
Prioritize Riskiest Assets
Every organization holds a large amount of important data, but not all of it qualifies as “material data” — a.k.a. the “crown jewels” of your organization. Depending on your line of business, this could be a number of different things — customer data, intellectual property or trade secrets.
Examining your cyber risk — that is, the cyber incidents that could have a significant economic impact on your organization — is the key first step in proactive cyber risk management. If you agree that your material data is the most important thing to protect in your organization, you then need to decide how you are going to fend off anyone who tries to compromise it. If you start from this point and work backward, you can put together a solid cyber risk management program.
Develop a Strategy for Approaching Risks
To develop a strong security strategy, keep in mind that cybersecurity is all about people and process.
People: It is critical to ensure that the people in your organization are aligned with the company’s cybersecurity strategy and are responsible for implementing their piece of it. Every individual within an organization should understand how to handle their electronic equipment and how to respond to specific online scenarios. For example, companies today often send spearphishing emails to their own employees for training purposes, simply to see who clicks on the links or attachments.
Process: It is absolutely critical for every organization to implement an acceptable-use policy. This should include guidelines on using technology while travelling, a scheme for categorizing and tiering data by importance and limiting access accordingly, and a defined process for how a breach incident is escalated.
Understand the Supply Chain Is a Risk as Well
Third parties of any sort — including any and all software providers, business associates, contractors and subcontractors — may expose you to cyber risk that could be harmful or even catastrophic for your organization. But you can put a number of controls in place to reduce the potential fallout, such as:
- Identify all critical third parties
- Assess the risk of each critical vendor
- Write detailed security expectations into each vendor contract
- Continuously monitor third parties
Exercise a Security Incident
Assume a “when,” not “if,” mentality when thinking about a security incident occurring. There are plenty of steps that can be taken to prepare for a data breach, including running a security incident exercise. This helps an organization show the management team that it is prepared for a cyber attack, be it large or small. It is important that everyone knows how to respond, and that plans are in place for notifying customers, investors, law enforcement and forensics firms. After walking through the different scenarios, the tech team and upper management will feel better prepared.
Communicate Program Effectiveness to the Board
A final critical step in addressing cyber risk in your organization is ensuring that your board of directors is brought up to speed on the effectiveness of your cybersecurity program. The board is more involved in cybersecurity today than ever before, and it needs to know how the current program is working.
CISOs and security professionals should focus on presenting insightful metrics and speaking in a language the board members can understand and appreciate so they can make the right decisions for the organization.