5 fundamentals of cyber risk management
Breach prevention can no longer be the sole cornerstone of an effective cyberstrategy
When it comes to cybersecurity, organizations face a future in which it’s best to prepare for worst-case scenarios.
As the number of cyberbreaches tops previous records, rampant cybercrime is expected to inflict major losses on the global economy before the close of this decade. That means breach prevention can’t be the sole cornerstone of an effective cyberstrategy.
As outlined in the latest AT&T Cybersecurity Insights report, the question is not if a company is going to be attacked; it’s now a question of when the attack will come.
That shouldn’t be an impediment to your business’s future. But it means finding ways to improve defenses and reduce vulnerabilities to the point where attacks are no more than an acceptable cost of doing business. That’s where cyber risk management enters the picture.
Here are five risk management fundamentals for your business.
1. Risk identification
Decide what needs to be measured and connect the data points. Look for attack patterns or other traffic trends that might signal imminent risks.
Identify the greatest threats facing the organization and feed those insights into your incident response strategy. And make sure that effective authentication systems are in place to verify that the people accessing your organization’s systems are who they claim to be and not intruders.
The National Institute of Standards and Technology has pulled together a longer list with specific suggestions about how to prioritize.
2. Get top management on board
Boards need to understand the potential constellation of risks that may threaten their company’s reputation, finances and operational performance. Cyber risk management should be a central plank of any organization’s governance processes.
The senior levels of the company need to know whether their data assets are being protected adequately and when to adjust future budgets to bolster security planning. Only the board’s buy-in will ensure that the organization’s security objectives are fully aligned with the larger goals of the business.
3. CSO-board communication
Set up an effective communications pipeline between the organization’s top security executives and senior management. That means it’s up to the top security executive in the organization to keep the C-suite informed about looming potential risks as well as the state of current defenses.
Unless they receive up-to-date risk indicators, the C-suite will have no way to judge whether the security situation is improving or getting worse.
4. Update incident response
No matter how well defended an organization may be, anticipate coming under cyberattack at some point in the future. Draw up worst-case scenarios along with an updated incident response plan. This is the road map to identify and prioritize the people, processes and technology issues to mobilize in an emergency.
Don’t let the response plan gather dust. It should undergo frequent testing to remain relevant and ensure that everyone involved in the drill understands their roles when the alarm sounds for real.
5. Preach the gospel
No matter how many times they need reminding, employees can always do a better job of adhering to best practices. It’s up to management to keep promoting a cyber-aware culture.
At a minimum, make sure that employees are aware of the cyber risks that threaten the organization as well as the likely business implications of a breach. Sometimes, this may not be as self-evident as it might seem at first blush. Success in this case may be measured in inches, rather than yards. But every little advance counts.
AT&T Cybersecurity Insights report
Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."
In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.