Information technology is not without its risks.
Threats that follow from a reliance on IT include unplanned system downtime, ransomware and distributed denial of service (DDoS) attacks, all of which can lead to lost productivity, regulatory penalties, reputational harm and financial losses.
But accepting the possibility of a cyberattack or other failure is far more sensible than the alternative: not using digital technologies at all. Business decision-makers are right to invest in technology. Risk can be managed, after all.
With that in mind, it’s well worth leadership’s time to understand some of the easiest-to-overlook – but most fundamental – tenets of cybersecurity risk management. These include the following:
A strong company-wide security posture
Cybersecurity posture (how well prepared the organization is) and cyber maturity (how consistently and measurably its security program operates) both start from the top down. While the pressure to provide data and dashboards that demonstrate cyber maturity often comes from the audit committee, shareholders, investors and other stakeholders, the onus is on company management to provide those assurances.
Some steps you can take toward demonstrating cyber maturity include:
- Know how your cyber maturity compares to industry peers.
- Set defined cyber-maturity goals for your company, measured against industry benchmarks.
- Identify and document the people, process and technology gaps within your cybersecurity program.
- Have a plan in place to close those gaps and improve company-wide security hygiene, as well as a strategy for continuous improvement.
- Make sure your IT and/or compliance staff know which cybersecurity and data privacy regulatory requirements apply to the business and what they must do to comply with them.
Responsiveness to cybersecurity incidents
The NIST Cybersecurity Framework (version 1.1) is divided into five functions (version 2.0, released in 2024, adds a sixth, Govern, covering strategy, policy and oversight):
- Identify: Develop an organizational understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.
- Protect: Take measures such as creating cybersecurity policies, implementing controls and administering training to safeguard the delivery of critical services.
- Detect: Implement activities and systems that identify cybersecurity incidents and their potential impact in a timely manner.
- Respond: Develop and execute an organized and well-communicated response plan for cybersecurity incidents.
- Recover: Preemptively take measures to maintain business continuity; implement recovery protocols that ensure timely restoration of systems affected by cybersecurity events.
If yours is like most businesses, identify, protect and perhaps detect are probably on your radar. However, many companies are not ready to accept that a damaging cybersecurity incident will eventually occur at their organization, especially if they are already spending money on products that are supposed to “prevent” such an event.
This reluctance hinders incident-response preparedness. Slower remediation, in turn, leaves you more exposed to data loss, downtime and financial damages. To reduce that exposure, businesses need to prioritize several high-level actions:
- Develop a comprehensive cyber-incident response plan that includes procedures for triaging and scoping an incident: confirming what kind of attack it is and how far it has spread before deciding on containment and recovery steps.
- Determine how the incident response plan fits into the overall cybersecurity strategy at your organization.
- Identify, document and communicate response protocols throughout the organization so everyone understands roles and responsibilities in identifying, responding to and recovering from an attack.
- Maintain and update the incident response plan to address newly emerging cybersecurity risks, and test it regularly (for example, with tabletop exercises) so that gaps surface before a real incident does.
Business continuity and disaster recovery
Not planning for how you will maintain business continuity in the event of an IT failure leaves you more exposed to the possibility of costly business disruptions. Downtime is expensive – thousands of dollars per minute on average, by some estimates.
Furthermore, if an IT failure does disrupt critical operations, you will need a disaster recovery plan to restore systems and data and return to business as usual.
Remember: Risk management is about preemptively addressing the reasonable possibility that something bad could happen if you fail to act. The rules are no different for cybersecurity. Ask yourself:
- If you had a ransomware attack tomorrow, would you know what to do? Do you have isolated, restore-tested backups, or would you have to pay the ransom?
- What would be the operational and financial impact if your core applications went down for a day, a week or even longer?
- What types of disasters are you prepared to handle?
- What types of disasters pose the most immediate risk to your business?
These are types of questions that help you get ahead of failures. While you cannot necessarily prevent every possible source of IT downtime, you can have business-continuity and disaster-recovery plans in place to maintain operations or restore them, respectively.
Compliance with data-privacy and cybersecurity laws
Data is the crown jewel of your IT systems. Knowing what data you need to protect, where that data resides and what people and systems have access to it is crucial to managing cybersecurity risks and ensuring data privacy in compliance with regulations.
Two of the most prominent data privacy regulations facing businesses today are:
- The General Data Protection Regulation (GDPR): Any company that offers goods or services to people in the EU, or monitors their behavior, must follow its rules for processing personal data, wherever the company is located. Processing requires a lawful basis (consent is one of several, alongside contract, legal obligation and legitimate interests, among others). EU data subjects have the right to know what data has been collected about them and to request that it be corrected or, in defined circumstances, deleted.
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA): California consumers have the right to know what personal information a company has collected about them, including the categories of third parties it has been shared with or sold to, and to request its deletion. Most violations are enforced by the state; consumers have a private right of action only for certain data breaches caused by a failure to maintain reasonable security.
Which businesses these laws apply to depends on the specifics, though: CCPA, for example, applies only to businesses above certain revenue or data-volume thresholds, and GDPR turns on whose data you process rather than where you are based. As such, it is crucial to know:
- Whether you are subject to GDPR and/or CCPA.
- The full extent of the requirements under the regulations that apply to you.
- How you will demonstrate compliance with those requirements (e.g., do you have the processes and systems in place to support it, such as a data inventory and a way to fulfil access and deletion requests?).
Data privacy defines what you need to protect; cybersecurity is how you protect it. Both require careful oversight of the IT and business risks that exist within your company, together with thorough management and mitigation of those risks.
You either have the ability to do that effectively, or you do not. Make sure you know where you stand before it is too late.