GRC Tuesdays: 5 Steps to Effective Cyber Security
In today’s hyper-connected network economy, cyber security is a top-of-mind boardroom discussion topic. Information is the new sinew of war: your customer information, of course, but also your own financial and strategic plans, your employees’ and contractors’ personal data, and so on. An attack on this data (whether its aim is leakage, manipulation, ransom or some other malicious intent) could seriously damage the relationships and trust you have built with these important parties. It could also lead to business disruptions and loss of market share, not to mention potentially hefty fines.
Nevertheless, some businesses have taken this adage somewhat too literally and decided to protect all their data equally. Not only does this have a cost, but since resources are almost always limited, it means they may have too little left to protect their real crown jewels.
In this short post, I don’t intend to give you a complete process for attaining a 100% cyber-secure company (no such thing exists), but I’ll try to share a few thoughts on what path you can follow to at least get started.
1. Rate and Rank Your Information
As I mentioned, not all information is critical or confidential. In order to prioritize your data protection needs, first rate the criticality of each kind of information should it be leaked, altered or made unavailable without your consent, and then rank it.
Keep in mind that more information will be created every day, so institute a good information classification system ranging from “Public” to “Confidential” that is understood and applied consistently across the organization. This will help you keep this ranking constantly up-to-date and therefore reduce ongoing efforts of identifying critical information.
2. Map Your Assets
Now that you know what data you must protect, you need to know where it sits. This might seem quite trivial, but according to the recent EY Global Information Security Survey 2015, “only 40% hold an accurate inventory of their ecosystem (i.e. all third-party providers, network connections and data)”.
How can you really protect something if you don’t know where it is and how it’s being accessed? Map your assets and how they interact—this will give you a complete picture of the risk context.
3. Identify Your Vulnerabilities
Speaking of risk context, identify the threats as you would for any other business risk. Applying a root-cause approach is very relevant here, as it will help you find the weakest link. But, as I already mentioned in a previous post (Why Cybersecurity Should be on Your Risk Map), don’t stop at the IT impacts.
To understand the real exposure of each vulnerability, roll up the risk chain and assess the business, strategic and operational impacts that would result from a data breach.
4. Build a Protective Wall
Since most cyber-attacks still exploit weaknesses involving staff (such as compromised or over-privileged accounts), address this issue first: a sound access governance process, with policies and tools to enforce it, will already start protecting you.
A good way of ensuring that this process is regularly reviewed and continuously protects the organization is to include its verification (for instance periodic reviews of who holds which access rights, and why) in your internal controls. You should also ask internal audit to add it to its audit plan.
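As an added illustration of what "tools to enforce it" can look like in practice (this is example code written for this edit, not part of the original post or of any product), here is a small periodic access review run over a constructed account inventory. It flags the four things an internal-controls check of access governance usually looks for: orphan accounts of people who have left, entitlements beyond what the person's role allows, separation-of-duties conflicts, and dormant accounts. The role model, the separation-of-duties rule, the 90-day dormancy threshold and the account records are all assumptions made for the example:

```python
"""Periodic access review over a constructed account inventory.

Added example for this post; the role model, SoD rule, thresholds and
sample accounts below are assumptions, not data from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical role model: the entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "erp-post-journal"},
    "hr-generalist": {"hris-read", "hris-edit"},
    "contractor-dev": {"git-read", "git-write"},
}

# Hypothetical separation-of-duties rule: nobody may hold both sides of a
# payment transaction.
SOD_CONFLICTS = [
    ({"erp-post-journal", "erp-approve-payment"}, "can both post and approve payments"),
]

DORMANT_DAYS = 90  # assumed threshold for "account no longer in use"


@dataclass
class Account:
    user: str
    role: str
    active_employee: bool        # still present in the HR system?
    entitlements: Set[str]
    last_login: Optional[date]   # None = never logged in


Finding = Tuple[str, str, str]   # (user, finding type, detail)


def review_access(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per policy violation found in the inventory."""
    findings: List[Finding] = []
    for a in accounts:
        # Leaver whose account was never removed (joiner/mover/leaver gap).
        if not a.active_employee:
            findings.append((a.user, "orphan", "account exists but user has left"))
        # Entitlements the role does not justify (least privilege).
        excess = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:
            findings.append((a.user, "excess", f"beyond role {a.role}: {sorted(excess)}"))
        # Toxic combinations of rights.
        for conflict, description in SOD_CONFLICTS:
            if conflict <= a.entitlements:
                findings.append((a.user, "sod", description))
        # Accounts nobody uses are attack surface with no business benefit.
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user, "dormant", f"no login in {DORMANT_DAYS} days"))
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed inventory used to exercise the review."""
    return [
        Account("alice", "finance-analyst", True, {"erp-read", "erp-post-journal"}, today - timedelta(days=3)),
        Account("bob", "finance-analyst", True,
                {"erp-read", "erp-post-journal", "erp-approve-payment"}, today - timedelta(days=10)),
        Account("carol", "contractor-dev", False, {"git-read", "git-write"}, today - timedelta(days=120)),
        Account("dave", "hr-generalist", True, {"hris-read"}, None),
    ]


if __name__ == "__main__":
    review_date = date(2024, 1, 31)
    for user, kind, detail in review_access(sample_accounts(review_date), review_date):
        print(f"{user:6} {kind:8} {detail}")
```

In a real environment the inventory would be pulled from the identity provider and the HR system rather than hard-coded, and each finding would be routed to the line manager for attestation; the review itself, and evidence that it ran on schedule, is what internal audit would look for when it tests the control.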
5. The Best Defense Is a Good Offense
Don’t get me wrong, I’m not urging you to go and attack hacker communities here! What I am suggesting is that you run attack scenarios against yourself to test your own protective barriers.
Thinking and behaving somewhat like the parties you’re trying to defend against might shed new light on weaknesses in your shell. It will also make you more proactive, so that you can close gaps before a real attacker finds them.
I realize this is just an abstract of what should be a much more detailed publication, but do you agree with these high-level suggestions? How do you tackle cyber security in your organization?
As always, I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard !