Key Areas for Assessing Your Cybersecurity Risk
Often, when you click on an article about cybersecurity, the first thing you see is a scary statistic about how vulnerable your organization is to cyberattacks. You've clicked on this article, so you are obviously concerned about your organization's cybersecurity. So, let's skip the scary statistics. Anyone who pays attention to the news is well aware that the threats to information security keep mounting.
In short, the more information we migrate from physical form to digital form, the more exposed we are. When we lock information in a file cabinet, we only need to secure it from people who could physically break into the cabinet. When we put that information in the cloud, it is reachable from anywhere on the internet, so far more people have the access and the opportunity to steal it or tamper with it.
Technology is a constant dance between convenience and security. Ignoring digital tools would leave an organization far behind competitors that are using those tools to increase efficiency and improve the customer experience. However, as we've seen, ignoring or mismanaging organizational cybersecurity can have devastating consequences. It's a dance, a balance. You should not be afraid to use digital tools to advance, but you must also weigh the risks those tools introduce.
The bottom line is that you can't remediate risks you don't understand. That's why a cybersecurity risk analysis is fundamental. During a risk analysis, we work with an organization to assess the following critical areas of risk. We do so by interviewing a broad cross-section of team members from across the organization while also examining the relevant processes and procedures. Understanding and remediating your risks in the following areas is critical to effective cybersecurity.
- Data Criticality: You are likely collecting some sort of information about your customers. Would this information be valuable to outside actors? Absolutely. They may use it for identity or financial theft, or hold it hostage to extort a ransom.
To adequately protect your data, you must first understand the data that you possess. Then, you must understand where this data is located (both in transit and at rest). You also have to understand who has access to this data (both in-house employees and third-party vendors). Taking inventory of the data you possess and then ranking it by value helps you prioritize which data requires the most protection, so you know where best to channel resources. It also surfaces data you no longer need, which is best deleted: data you don't hold can't be stolen from you.
- Employees: Cyber breaches are not that complicated, although it often can seem that way when we start talking about routers, switches, firewalls, and intrusion detection systems. Most breaches come down to two things. The first is bad passwords. Attackers get in because people choose weak passwords or reuse the same password across services, and the account has no second factor of authentication, so a guessed or stolen password is all it takes.
The second is phishing: a team member clicks a link or opens an attachment in an email that carries malware, or inadvertently hands sensitive information to a "spoofed" account or person impersonating someone they trust. That's it. The majority of cyberattacks start with one of these two weaknesses. Like a white shirt and blue suit, these attacks are simple, classic, and timeless.
The "human firewall", the team members who have access to your network, is both an organization's first line of defense and its greatest vulnerability. Remediation in this area involves monitoring for unusual activity, training employees regularly on cybersecurity best practices, and ensuring each person has access only to the data they need to do their job.
- Physical Security: How hard would it be for someone to sneak into your building? What if the person was dressed up like a maintenance worker? Would they be able to gain access to the network without someone asking questions? Do your employees hold open the door for people they don’t know? Might someone have the ability to stick a USB drive into a computer and download data? How secure are your servers? When people consider cybersecurity, they often don’t consider physical security. But it is a big part of keeping an organization’s digital fortress safe.
- Product/Services: Do your products or services possess risks if they were compromised digitally? What if critical intellectual property was stolen? Could an employee run off with an important customer list or blueprints? While guarding customer personal information is imperative because of the regulatory and reputational risks, guarding important intellectual property may be, in some ways, just as critical, because losing this could mean a loss of competitive advantage and market share.
- Vendors: Do your vendors hold information or access that could put you at risk? Third-party breaches are a huge concern. When Target suffered a breach in 2013 affecting 41 million payment cards, the attackers got into Target's network using credentials stolen from a third-party HVAC vendor.
An organization is only as secure as the weakest vendor that has access to its network. It is important for organizations to practice "least privilege." This means giving vendors access only to the systems and information they need for the task you engaged them for, only for as long as they need it, and removing that access when the engagement ends.
- Competitors: You might think this isn't a realistic possibility, but consider a scenario. Would a competitor recruit or hire one of your employees if that employee could offer them a look at critical intellectual property or a customer list? It happens, and it happens more often than you might think.
- Infrastructure: Your network is large, changes constantly, and needs continuous oversight. We recommend regular penetration testing, network audits, and vulnerability monitoring. These help you quickly identify and remediate exploitable weaknesses in the network before an attacker finds them.
- Regulatory: From HIPAA to OSHA, they’re acronyms that can cause heartburn. What regulations are you responsible for, how do digital tools alter that responsibility, and what are the ramifications if you fail to meet your regulatory burdens?
Newer regulations such as the European Union's General Data Protection Regulation (GDPR) and the recently enacted California Consumer Privacy Act (CCPA) impose significant penalties on organizations that misuse or lose consumer data. People, too, are becoming increasingly savvy about their personal information. They want to do business with organizations that treat this data with appropriate care. A high-profile data breach can be devastating in both financial and reputational terms.
- Cybersecurity Insurance: Cybersecurity insurance is a burgeoning field that is rife with pitfalls for organizations. A leader may ask: Am I properly covered? What are my liabilities if I am breached? What if a vendor is breached and my information is compromised? Will I be covered for any breach that may occur? These are important questions that need to be assessed.
Cybersecurity insurance can be murky. For instance, we've recently seen insurers deny claims for cyber breaches by arguing that the attack was carried out by a foreign government and was therefore an act of war excluded from coverage. It is important to have your cybersecurity insurance policy vetted, including its exclusions, to ensure you're properly covered if the worst occurs.
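The data-criticality, employee and vendor points above all come down to one question: who holds access to what, and is each grant still justified? The following access review is an added example in Python; it is not code from the original article, which describes a consulting engagement rather than tooling. The inventory, roles, principals and review date are constructed for illustration.

```python
"""Access review over a data inventory: which principals can reach sensitive
data, and which grants violate least privilege.  Added example with
constructed sample data; asset, role and principal names are invented."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # public | internal | confidential | restricted
    location: str        # where the data lives at rest


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str            # employee | vendor
    asset: str
    need: str            # role or engagement recorded when access was granted
    expires: Optional[date] = None


SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Need-to-know baseline: the data each role or vendor engagement actually requires.
ROLE_NEEDS = {
    "support": {"customer-pii"},
    "billing": {"customer-pii", "payment-tokens"},
    "marketing": {"customer-list"},
    "hvac-maintenance": {"building-management"},
}

# Constructed inventory and grant list (not real data).
ASSETS = [
    Asset("customer-pii", "restricted", "crm-db"),
    Asset("payment-tokens", "restricted", "billing-vault"),
    Asset("customer-list", "confidential", "marketing-share"),
    Asset("building-management", "internal", "bms-server"),
    Asset("lunch-menu", "public", "intranet"),
]
GRANTS = [
    Grant("alice", "employee", "customer-pii", "support"),
    Grant("bob", "employee", "customer-list", "marketing"),
    Grant("bob", "employee", "payment-tokens", "marketing"),           # beyond role
    Grant("acme-hvac", "vendor", "building-management", "hvac-maintenance", date(2025, 12, 31)),
    Grant("acme-hvac", "vendor", "customer-pii", "hvac-maintenance"),  # vendor into restricted data, no expiry
    Grant("old-contractor", "vendor", "customer-list", "marketing", date(2020, 1, 1)),  # expired, never removed
]
REVIEW_DATE = date(2024, 6, 1)  # fixed so the report is reproducible


def live(grant, today):
    """A grant is live if it has no expiry or the expiry has not passed."""
    return grant.expires is None or grant.expires >= today


def accessors(assets, grants, min_class="confidential", today=REVIEW_DATE):
    """Map each asset classified at or above min_class to the principals holding a live grant."""
    floor = SENSITIVITY[min_class]
    out = {a.name: set() for a in assets if SENSITIVITY[a.classification] >= floor}
    for g in grants:
        if g.asset in out and live(g, today):
            out[g.asset].add(g.principal)
    return out


def least_privilege_findings(assets, grants, today=REVIEW_DATE):
    """Return (principal, asset, reason) for every grant a reviewer should question."""
    known = {a.name for a in assets}
    findings = []
    for g in grants:
        if g.asset not in known:
            findings.append((g.principal, g.asset, "grant to an asset missing from the inventory"))
            continue
        if g.asset not in ROLE_NEEDS.get(g.need, set()):
            findings.append((g.principal, g.asset, f"outside what '{g.need}' requires"))
        if g.kind == "vendor" and g.expires is None:
            findings.append((g.principal, g.asset, "vendor grant has no expiry"))
        if not live(g, today):
            findings.append((g.principal, g.asset, "expired grant still present"))
    return findings


if __name__ == "__main__":
    for asset, who in accessors(ASSETS, GRANTS).items():
        print(f"{asset}: {sorted(who) or 'nobody'}")
    for principal, asset, reason in least_privilege_findings(ASSETS, GRANTS):
        print(f"REVIEW {principal} -> {asset}: {reason}")
```

Run against the sample, the report shows that the HVAC vendor can reach restricted customer data on an open-ended grant, that a marketing employee holds payment tokens his role does not need, and that a contractor's access outlived the engagement by years. In practice the inventory and grant list would be exported from your directory, cloud IAM and file-share permissions rather than typed in, but the questions the review asks are the same.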
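For the infrastructure point above, one concrete form of a network audit is comparing what is actually listening on your hosts with what you have approved. The following Python script is an added example, not code from the original article: it parses nmap's greppable (-oG) output and reports open ports that have appeared or disappeared relative to a baseline. The scan text, host names and baseline are constructed for illustration.

```python
"""Exposure drift check: parse a greppable nmap scan and diff open ports
against an approved baseline.  Added example; the scan text and baseline
below are constructed, not taken from a real network."""
import re

# Constructed sample in nmap -oG format (hosts, services and versions are invented).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 5432/open/tcp//postgresql///, 8080/closed/tcp//http-proxy///
Host: 10.0.0.12 (printer)\tStatus: Up
# Nmap done
"""

# What the organization has approved to be reachable: (host, port, protocol).
BASELINE = {
    ("10.0.0.5", 22, "tcp"),
    ("10.0.0.5", 443, "tcp"),
    ("10.0.0.9", 22, "tcp"),
    ("10.0.0.9", 80, "tcp"),
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return the set of (host, port, proto) reported open in -oG output."""
    observed = set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines, and hosts with no port data
        host = m.group(1)
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Field layout: port/state/protocol/owner/service/rpc info/version/
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                observed.add((host, int(port), proto))
    return observed


def exposure_drift(observed, baseline):
    """Split the diff into exposures to investigate and baseline entries that vanished."""
    return {
        "new": sorted(observed - baseline),      # unapproved: investigate, then fix or approve
        "missing": sorted(baseline - observed),  # approved but gone: decommissioned, or a scan blind spot?
    }


if __name__ == "__main__":
    drift = exposure_drift(parse_gnmap(SAMPLE_GNMAP), BASELINE)
    for host, port, proto in drift["new"]:
        print(f"NEW EXPOSURE  {host}:{port}/{proto}")
    for host, port, proto in drift["missing"]:
        print(f"GONE          {host}:{port}/{proto}")
```

On the sample the script flags RDP newly open on the web server and PostgreSQL reachable on the database host, neither of which was approved, and notes that port 80 on the database host has disappeared. Ports that vanish deserve a look too: a host that stopped answering may have been decommissioned, or the scanner may simply have lost visibility, which is exactly the kind of blind spot an attacker would enjoy. The "new" list becomes the input to penetration testing and remediation; once an exposure is deliberately accepted, it moves into the baseline.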
When we conduct a cybersecurity risk analysis, we meet with leaders and others throughout an organization to learn everything we can about its vulnerabilities and cyber practices. From that, we document a current state (where the organization stands today) and its desired future state (the level of cybersecurity risk it is willing to accept). After this, we are able to plot a roadmap that takes the organization from its current state to its desired future state. This lets the organization plan strategically, deploying resources to the specific areas where they best protect it from the growing menace of cyber risk.