Why a risk assessment should be in your future
Learn why your business should conduct regular cyber risk assessments
Companies that put cyber risk assessments on the back burner will quickly find themselves enmeshed in controversy if their controls are found to be inadequate or fail to satisfy regulatory requirements.
Recent legislation, such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley, not only contains references to how organizations should protect different kinds of data, but also requires regular security assessments. What’s more, organizations involved in mergers or acquisitions have extra incentive to stay on top of this.
A recent New York Stock Exchange survey of its members found that the overwhelming majority of respondents agreed that the disclosure of a high-profile data breach would have “serious implications” on a pending transaction.
Regular cyber risk assessments are a critical part of an effective cyberdefense plan, as the results provide clear answers about the risks associated with using particular information systems or types of data.
At the same time, though, it’s unrealistic to include everything in a risk assessment. Indeed, the US Commerce Department’s National Institute of Standards and Technology (NIST) allows that there are no specific requirements and no right way to conduct risk assessments.
So, what’s the right approach?
Actually, there’s not a single answer, as it will vary based on the company and its unique position in the market. Rather, the overarching goal should be to create a framework that includes the areas that process, store and transmit its most important information.
Managing the process
Years ago, this task might have been farmed out to the IT department. But as threat levels rise, the danger of brand and reputational damage from a data breach has elevated the responsibility for cyber risk assessment up the organizational chart.
The C-suite and board of directors are now just as responsible for managing this process as they are for the constellation of considerations affecting other areas.
The exercise should spotlight the various categories of risk that an organization faces. At the same time, it should inform the leadership about the actual location of the company’s assets as well as whether there’s appropriate security to protect its most valuable information.
And once complete, the drill should help management prioritize so it isn’t throwing money wildly at the problem any longer. Instead, managers can adopt more prudent, cost-effective spending and invest in defending the most important, higher-payoff items.
Organizations should also use the process as an opportunity to vet the security worthiness of their third-party business partners. In a networked world, a partner company’s security vulnerabilities also become yours. As a precaution, it’s prudent to adopt strict role-based access so that third parties can only reach the specific applications they need.
At the end of the day, this is about adding to an organization’s muscle memory. Companies that fail to conduct thorough security reviews can’t ever know for sure which data is most likely to be in the crosshairs. But adopting cyber risk assessments into their regular routine will allow organizations to understand what they face and better navigate a threat landscape that gets more dangerous all the time.
Just as important, it will give them a running start when trouble finally knocks on the door.
Visit the AT&T Cybersecurity Consulting page to learn more about risk assessments and other cybersecurity practices that can help protect your business.
AT&T Cybersecurity Insights report
Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."
In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.