For many generations our personal and business records remained private for only those who had permission to have access. Lock and key filing cabinets and banking ledgers were kept from the view of outsiders. Today no longer do we have 100% assurance of total privacy. In a matter of minutes, our positions and perhaps the entire company we helped to build could be compromised. This is not just a topic for the IT staff; it encompasses much more.
So, the board meeting is called, your lead technologist presents the new budget and then leaves the room. The ensuing conversation often goes like this, we have no idea what all that technical jargon meant, but it sounded intelligent and convincing, and we trust him/her. Can we afford this new increase in expenditures?
Is this the right question? We think that the following questions are ones that you should be asking.
- Does your cyber defense strategy follow the National Institute of Standards and Technology (NIST)? As basic as this question is, it is amazing how many executives haven’t heard of this pre-established framework or if they have, they are not using NIST as their template. At a minimum, the NIST Framework should be followed to ensure your organization complies with a number of Federal Regulatory concerns that many organizations are required to follow, and if not required for your organization now, may soon to be required in the future. The NIST Cybersecurity Framework Version 1.1 (Respond – Detect – Protect – Identify – Recover) … it’s a no-brainer.
- How would you be affected by a breach at one of your suppliers/vendors/partners? A breach could put them out of business, even if just for a few days, potentially affecting your ability to do business. Additionally, they could, through network connectivity and file transmission, infect your environment. Make sure that you’re vetting your supply chain through a Third-Party Risk Assessment and ongoing monitoring.
- Are you the weakest link? You’re not going to like this. You, Mr./Ms. Executive, could be the greatest vulnerability of all– due to your password and email habits. If the leadership needs an adjustment in habits, then the staff most likely will too. The hackers love weakness in this area, and let’s face it, we hate changing our habits, and it’s like pulling teeth for us to give it up a password we like, even the really bad On this point it’s a good idea to bring in someone from outside your organization, as we all are challenged by changing old habits and instituting new ones. Many of these vulnerabilities can be addressed with effective staff training and password and email management.
- Are your traditional anti-virus and firewall solutions really protecting your environment? Another common vulnerability is a false reliance on traditional cyber products and anti-virus software with names you’ve seen for many Just because these names are familiar, doesn’t mean that they are effective – the hackers have changed, but these products haven’t. Your organization should be implementing Next Generation Endpoint Protection and Firewall products which focus on the activities that the virus and malware might take and stop them before they can do damage. Everything in your network should be protected and monitored. To that end, make sure all servers, endpoints, networks, and software are monitored by a Security Operations Center (SOC).
- How can we quantify our organization’s cyber risk? Can you and your technology leader answer the following?
- What is the value of your information to the organization? What would it take to replace it?
- Vulnerability (degree of security controls) — where is our organization at risk?
- Threat – what is the likelihood of a cybersecurity attack and where will it come from?
- What is our Annual Risk Carrying Cost (ARCC) and how is that total RISK covered — insured and self-insured? How can we reduce our ARCC?
Risk Identification and Quantification is the term for this category and is an absolute must these days.
Today, organizations must take a holistic approach to cybersecurity and apply solutions in layers to maximize the protection. Improving your cyber strategy can be expensive, and you probably do not have an infinite budget. Let us help you prioritize the implementation of your cyber solutions to maximize the reduction in your Annual Risk Carrying Cost.