5 Tips to Add Value to Your Cybersecurity Defense Programs
Security breaches, malicious software (malware) and other forms of cyber-attacks affect individuals, companies, industries, and governments every minute of every day. Now more than ever, cybersecurity awareness and actions to address these challenges need to be a top-of-mind focus for executives in the C-suite. As companies find ways to mitigate cybersecurity threats, here are some tips that may help organizations add value to their cybersecurity defense programs.
1. Good cybersecurity = good business = adding value to the bottom line
We know from reading the frequent headlines that financial loss, intellectual property theft and, often, damage to shareholder value or brand reputation are just some of the negative ways data breaches can impact an organization’s bottom line. For those companies taking the right steps to protect privacy and security – from credit card data to sensitive customer information – there is more support from shareholders and partners. At the end of the day, customers tend to remain loyal to companies they trust.
Due to the nature of the information they process, highly regulated industries such as financial services and healthcare are the number-one target of cyber-attacks perpetrated by a variety of attackers, including competitors, organized crime and foreign intelligence agencies. For example, most large international banks are more proactive in protecting the financial and personal information of their clients. Some banks have gone beyond protecting their systems and have worked with their marketing departments to educate consumers on cyber risks and, in some cases, have even empowered their clients by providing licensed copies of anti-virus software for home computers or mobile smartphones. When a bank educates its clients on cybersecurity threats, they make an investment in helping the bank protect its online banking websites and systems. If you educate your customers on cybersecurity risks and how they as consumers can protect their personal information, that may help your organization build trust with your customers. Customers who trust their bank or their healthcare provider organization remain customers for many years.
While organizations may be afraid of the reputational impact of disclosing a cybersecurity data breach, organizations may be better off addressing the challenges quickly and publicly. For some companies, keeping a cybersecurity data breach confidential is no longer an option. In the U.S., public companies are now required by the U.S. Securities and Exchange Commission (SEC) to disclose any material impact of cyber breaches.
2. Understand your threat ecosystem.
In the midst of evolving threats and risks posed by insiders, business associates and external bad actors, the hardest concept for most organizations to grasp is identifying what actually needs to be protected. This should be the very first question: What am I protecting? Once you know what you must protect, you can then define HOW you will protect that information. The next step is to understand what specific threats your organization may face in protecting specific information such as financial data.
3. Develop a security strategy for the Internet of Things (IoT).
IoT is unique because companies are just learning the unintended consequences of the instrumentation of “non-standard” devices. In a home environment, a good example of IoT is the commonly used Nest thermostat along with Wi-Fi enabled coffeemakers, refrigerators that alert you when it’s time to buy eggs or milk and other “smart” devices.
We’re now seeing the unintended consequences which can result when these unmanaged and untrusted wireless devices are online. From a security perspective, these devices create additional pathways for cybersecurity threats and increase the cybersecurity risks for your IT environments. IoT is the next evolution of bring your own device (BYOD) — IoT is BYOD on a much larger scale.
Most organizations are still trying to understand how to adequately protect environments with the explosion of IoT devices. How are you approaching the cybersecurity challenges of IoT?
4. Adopt a risk-based cybersecurity framework.
Many organizations don’t understand the value of having a cybersecurity framework in place to ensure that defined processes and plans are followed. Certification with the global framework ISO 27001, for example, gives customers at the international level better assurance that your organization is following well-established procedures and that you have internal governance for security.
Organizations should begin now to think about and address a security framework to help effectively communicate within their organizations to other executives, the board and IT groups.
5. Know the geopolitical impact on cybersecurity.
While the geopolitical implications for cybersecurity are difficult to keep up with, it is increasingly important for organizations to be aware of what is happening with cybersecurity on a global level.
The president of China visited President Obama to sign a cybersecurity cooperation agreement. The same day, China was hacking critical U.S. government and military installations. News headlines also point to Russia ramping up cyber-attacks against western countries.
The global conversation on cybersecurity is quickly becoming more complex due to international laws and regulations. Government and international laws on cybersecurity and privacy protections are increasing because governments perceive these threats as material – not only to their economic health but also to their national security. These new laws and regulations have unintended consequences, including financial costs not planned by organizations. We live in a new global economy where cybersecurity will be a determining factor in the financial performance of companies, regardless of industry.
What are your thoughts and best practices on how to approach cybersecurity? I look forward to your questions and comments.