When you think of cybersecurity, do you still think IT? If so, you’re not alone. Even though cyber attacks are increasing in frequency and costing more than ever, many organizations view the problem as one that can only be solved through the introduction of those legacy sensors we commonly associate with traditional cyber security. But as the market is increasingly becoming aware, these “off-the-shelf” tools are only part of the solution.
Relying on data security practices in isolation from non-technical threats leaves gaping holes that undermine an organization’s ability to prevent, detect, correct and recover from intrusions. In a deep dive on cybersecurity at a recent cyber security seminar in Northern Virginia, Secure Halo presented six key areas that public and private organizations should focus on to create awareness of a holistic and proactive threat posture: insider threat, physical security, mobility, external business operations, internal business operations, and yes, data security.
Threats Cross Departmental Borders
Why do these all matter? Because as the news headlines are increasingly reporting, cyber is about more than IT. A traditional organizational chart would likely show each of the domains in a separate vertical, with their own leaders, policies, programs and procedures, and with separate accountability and responsibility mechanisms. From a risk management perspective, a stove-piped and traditional view of security wouldn’t recognize how a business event occurring in one domain could introduce enterprise vulnerability via another. Take a major commercial customer our team recently assessed. In the case of high-risk employee terminations, we found there to be ‘good’ communication between the HR and IT departments at this client location, yet our team nonetheless identified priority vulnerabilities associated with access control, change management, and the maturity of existing procedures governing these activities.
To take another example, how about the business traveler in a foreign country who engages in business talk and unwittingly shares proprietary details of an upcoming project during the cab ride from the airport to the hotel? If you don’t think that in certain countries the driver could also be a member of his country’s security apparatus, think again. That information is eventually passed along to a competitive intelligence rival who is all too eager to erase years of your sweat equity and smash your bottom line.
Insider threat, one of the most underreported as well as most taboo, can range from an employee who inadvertently introduces malware through a seemingly innocuous click, to a disgruntled employee who deliberately downloads or erases proprietary information, to a worker who is targeted and paid by competitors to steal information. Training and awareness programs highlighting the personal, behavioral, and organizational precursors that contribute to these events are a responsibility that crosses all departments within the enterprise.
Costs of Cyber Attacks Grow
Those are just a few examples of the many ways in which cyber threats can enter an organization. Any one of them can have a devastating cost. Leaders are forced to resign – most recently the CEO of extramarital dating site Ashley Madison, and in July the Director of the Office of Personnel Management (OPM). Consider the reputational harm suffered by Sony Pictures when unflattering emails were revealed. Or the cost to the taxpayers to cover the OPM breach – $133 million just to pay for victims’ credit and identity theft monitoring.
The Ponemon Institute’s annual Cost of Data Breach Study of 11 countries puts the average cost of a single data breach at $3.8 million, a 23 per cent increase since 2013. The study also found the average cost for each lost or stolen record containing sensitive and confidential information is $154, and double that for healthcare information.
Five Ways to Improve Organizational Cybersecurity
• When you think of cyber, think beyond the IT department. How are your departments working together to identify potential risk and to formulate and communicate policy? Consider creating a risk management team.
• Identify your organization’s most valuable intellectual assets. Define and categorize this data according to its level of sensitivity, its value to the organization, and when it might be most imperiled.
• Assess risk by reviewing how your organization operates – what physical assets need to be protected, how often do employees travel, do they use personal and/or work devices?
• Consider the potential for not just external, but also internal threats. Does your organization monitor for unintentional or deliberate unauthorized access or inappropriate use of data?
• Foster and communicate a security culture. From the board of directors, to the C-suite, to every level of the organization, each employee has a front-line responsibility in securing the enterprise.
In today’s environment, cyber attacks are an eventual certainty for every organization. So take a deep dive on cybersecurity. Thinking about risk holistically will help minimize the potential damage.