Organizations of all sizes and types generate, store and use vast volumes of digital information that are necessary to their daily operations. It is difficult to imagine any organization being able to function without access to the Internet to conduct its business. Experts estimate that global IP traffic will exceed one zettabyte (roughly one billion gigabytes per month) this year alone, and that by 2019 we will transmit two zettabytes of data per year through the Internet. See Executive Summary of the Cisco Visual Networking Index (May 2015). However, the Internet was created for sharing, not security! Because digital information and assets are integral to any organization’s ability to accomplish its mission, they are a target of online criminals and other cyber threats. Balancing protection of these digital assets with getting business done in a connected world poses challenges unique to our era.
Cyber Resilience: A Key to Preserving Your Organization’s Value
Protecting the confidentiality, integrity and accessibility of a company’s digital assets is critical to business continuity, maintaining corporate value for shareholders, brand reputation and, in many instances, compliance with government regulations. As a result, clients, business partners, regulators and consumers are increasingly holding the C-suite and the board accountable for protection of digital assets, such as business-proprietary information, customer information and personal information. How does an organization protect its assets in what seems like a scary world of daily breaches? By creating and maintaining a cyber-resilience program.
What is cyber resilience? Just as we take precautions to maintain our personal health, organizations need to take certain steps to make the company resilient in the face of the inevitable attempts to steal digital information. With a good cyber-resilience program in place, an organization that suffers a data security incident will be better prepared to detect the incident, understand what digital information and IT assets are affected, contain the impact, and identify and eradicate the threat. Indeed, an incident may never rise to the level of a data “breach” if the organization is well-prepared at all levels, including both human and IT.
One key to achieving cyber resilience is involving the entire organization. Data security is not solely about IT. Just as we cannot rely on vitamins alone to maintain our health, an organization cannot rely on IT alone to maintain its cyber resilience. When it comes to our own physical health, for example, we keep abreast of what illnesses are going around so that we can take precautions to avoid getting sick. Similarly, organizations need to be aware of what threats are active in their industry and what scams their employees are being targeted with. This awareness must permeate the entire organization. Over half of all cybersecurity incidents involve insiders, and of those, 95 percent are caused by human error. See IBM 2015 Cyber Security Intelligence Index. Many regulators take enforcement action not because there was an IT failure in the wake of a sophisticated, never-before-seen threat, but because processes were not in place to mitigate risks that could have been readily anticipated, known vulnerabilities were never addressed, or basic security measures were not implemented. For organizations that don’t know where to start or what their obligations are, a good first step is consulting legal advisers who specialize in the legal obligations surrounding data security and privacy and who know how to work with specialized information security (InfoSec) IT experts.
What Are Current Trends in Cybersecurity?
No. 1 – Focus On the Human Side.
In 2016, we will see continued and growing emphasis on, and education about, the human side of data security. Data security is not an IT issue; it is a people issue, and it spans the entire organization. The overwhelming majority of data breaches involving lost information were caused by misuse of access privileges, theft or loss of devices, and human error. See Verizon 2014 Data Breach Investigations Report. In practical terms, this means training the organization’s workforce about threats and vulnerabilities, such as stolen devices, scams to steal login credentials, and emails with malicious links or attachments, so that they understand the importance of good data security hygiene and can become a “neighborhood watch” for cyber threats and incidents.
No. 2 – Mobile Device Management.
Given the ever-increasing mobility of the workforce, we will see increased focus on mobile device management: the security policies and technical measures that organizations can use to secure the devices of their remote workforce.
No. 3 – Improved Access to Security Tools.
The quantity and quality of security tools available to organizations, including tools that cloud providers are incorporating into their products, are increasing while the cost is decreasing. This is great news, particularly for small and medium-sized businesses, as well as nonprofit organizations that cannot afford products that cost tens of thousands or even hundreds of thousands of dollars.
No. 4 – Vendor Management Programs.
We will see increasing scrutiny of the cybersecurity training and practices of small and medium-sized businesses, as larger companies implement vendor management programs because of regulatory requirements or litigation risk. So, if your organization is a vendor to a major retailer, bank, health organization, utility, publicly traded company or other regulated business, expect to be asked about the measures your firm takes to ensure the security of your customers’ information and the continuity of your business operations. Many vendors are being asked to respond to detailed security questionnaires. Too many wrong answers can result in losing a significant customer.
No. 5 – Data Breaches: The New Normal.
There is no end in sight to data breaches and cyber theft. All organizations, small and large, are affected. It is no longer a question of “if,” but “when” any given organization will have a data breach. Organizations that conduct risk assessments and have processes and cyber-incident plans in place will respond and contain damage more effectively than their less proactive counterparts.
Just as with any other aspect of risk management, business leaders and organizations need to get a handle on the regulatory and industry standards by which their data security will be measured. They must understand how their organizations measure up to those standards. With this knowledge comes the power to become resilient and mitigate risks in a reasoned and strategic manner. Cyber resilience is not a one-and-done project, but rather an iterative learning process that includes examining the environment (business and legal requirements, as well as threat vectors), assessing risk, and prioritizing mitigation strategies. Smart companies will get started now, before their corporate value is extracted by external threats or by insiders, including clueless or careless ones.