As the cybersecurity landscape evolves, we sat down with CFGI Partner Daniel Shafrir to get his thoughts on the changes he’s seen with his clients — as well as where he believes cybersecurity will continue to move.
What’s been top of mind for boards and senior leadership as it relates to cybersecurity?
In the last few years cybersecurity has continued to be a key focus area in board meetings, the audit committee and conversations with senior leadership.
Although these individuals don’t necessarily need to have the technical knowledge of cybersecurity concepts, they understand that they have a fiduciary responsibility to provide oversight for the cybersecurity program at the organization. This has become especially important in today’s day and age, where cyber threats and data breaches have continued to pose significant reputational, financial and competitive risks, as well as high remediation costs after an incident. With this in mind, I have seen boards, audit committees and senior leadership pose the following questions to their teams:
- What are the top three/five cybersecurity risks that are applicable to our organization?
- How are we managing these risks that have been identified?
- How well do we manage security governance?
- If a serious event were to occur or we were to be breached, has management developed a robust plan to respond and recover from the incident?
What impact has COVID-19 had on cybersecurity?
COVID-19 has been a trying time for many organizations and people. Unfortunately, in times of crisis, an increase in cyber attacks is common as cybercriminals look to take advantage of changes in society and the fear and uncertainty that exists. COVID-19 is no exception.
From the start, as the world was trying to understand the implications of this threat, cybercriminals looked to take advantage of the fear and needs of the global population through phishing campaigns and social engineering attacks based on the spread of misinformation. Additionally, as organizations were forced to adapt to a remote workforce and think through the additional security controls that would need to be put in place, cybercriminals took advantage of this transition period. This resulted in an increase in cyber attacks, including ransomware attacks, phishing scams, business email compromises and fraudulent funds and wire transfer losses.
What changes have you seen in organizations that have been impacted by cybersecurity events or in organizations with a focus on better managing their cybersecurity risks?
As cybersecurity risk continues to be a discussion item at the executive level (and especially after processing the impact of a cybersecurity incident), the first step that I have seen many of our clients take is to reassess their cybersecurity strategy.
Historically, the cyber strategy might have fallen only within the IT department and might have been ad hoc, with different solutions implemented from different vendors in the hope of creating the best defense. But this did not consider the enterprise goals and changes, nor make sure the solutions put in place actually addressed the cyber threats and risks that the organization faced, based on the industry, size, data, etc.
As organizations rethink their cybersecurity program, I have seen many companies start from the drawing board, with key stakeholders across both IT and the business making sure that an integrated approach is taken that aligns with enterprise goals. Once an integrated plan is implemented, then it is important to put in controls to continuously monitor, reassess and improve the program as the enterprise evolves and the cybersecurity landscape changes.
How should companies start the process to organize, implement or improve their cybersecurity program?
The goal of a cybersecurity program is to protect the organization’s data. However, in order to understand what needs to be protected, the first step is to understand what data exists within the environment and to classify that data by specific categories in order to support the overall program in a practical way.
In addition to understanding what data needs to be protected, the organization should think through how and where that data needs to be protected. This means understanding the flow of data as well as what safeguards might already be in place at the organization, both preventive and detective.
Once this information has been collected, the organization should think through what cyber risks, threats and vulnerabilities are applicable to the organization based on the information collected, the industry and the size of the company. Once these items are identified, think through the likelihood and impact of these as well as any controls or processes in place to help provide mitigation.
After completing the risk assessment, the organization should have a better understanding of the key areas that are beyond the organization’s risk tolerance and be able to prioritize where the limited resources and budget can go. This, in turn, helps the organization put together solutions that are best for the company and that will provide the best return on investment.
For companies looking to implement a cybersecurity program, how long does it typically take?
Honestly, there is no one timeline that works for every organization. Cybersecurity is an ongoing risk as the threat landscape and the business goals are constantly evolving.
As it relates to performing an initial assessment to understand the current state of cybersecurity at the organization — and identifying as well as prioritizing the top key gaps and remediation items — I would say this can be completed within one to three months.
The range is really dependent on the different stakeholders involved, the scope of the overall program and the goals trying to be achieved. If you’re really starting from scratch, and unsure of your cyber-maturity level, a one- to two-week cyber-maturity assessment may prove valuable.
Where do you see the cyber landscape and the impact of cybersecurity to organizations in the future?
The truth is that advances in technology provide so many benefits to society and continue to reshape the world in ways that people couldn’t have imagined even five years ago.
The other side of that coin is that as technology continues to integrate, improve and reshape our lives, cybercriminals also continue to evolve to adapt to the increasing avenues to exploit new vulnerabilities and weaknesses for their own benefit.
With the increased adoption of the Internet of Things, 5G, more movement into the cloud, automation and the growth of data available at companies, these vectors become the forefront of cyber threats.
Additionally, as the government plays catch-up to the rapid changes, more regulations can come down the pipeline that hold organizations accountable to both their cybersecurity and data privacy responsibilities. The truth is that the cyber landscape is going to grow, and so right now is the best time to make sure you are looking at your organization and assessing your current state, making informed decisions and implementing appropriate policies to help drive toward a successful future.
How has CFGI adapted and evolved to support their clients with their increased focus on cyber risks?
At CFGI, we have seen cybersecurity come up with our clients, internally from senior leadership and the board and from external auditors as they perform their SOX procedures. In each instance, we have partnered with our clients to come up with a pragmatic solution that works best for the company based on the enterprise goals, the size of the company, the industry and how much investment can be put in.
We understand that there is no one solution that works best and that each client has different focus areas from a short- and long-term cyber strategy. Therefore, we make sure that for any cybersecurity assessments that we perform, we look to understand up front what is important to our clients, what is their desired future state and what have we seen as best practices based on the client’s industry and size.
Additionally, throughout the assessment we stay in constant communication with the client to ensure that any gaps or proposed remediation items are realistic and agreed-upon by all parties before finalization. Finally, we understand that many of our organizations have lean IT teams and so we make sure to partner with our clients to offer resources to help implement solutions to make sure that they are producing the desired results.
Furthermore, as cyber risks continue to evolve, at CFGI we make sure to stay in communication with our clients on industry news that we are seeing as well as making sure that we can be a sounding board as they think through their changing landscape and business. Cybersecurity is something that cannot be ignored and will continue to grow in importance. Right now is the time to ensure that the foundation is appropriate.
If you are struggling with where to start, need assistance implementing your program or would like to ensure that your program is addressing the gaps that your company faces, call CFGI for an introductory discussion today.