Every year, we spend more money and time combatting the dark forces of cyber space: state-sponsored operatives, organized crime rings, and super-hackers armed with black-ops tech. The attack methods mutate constantly, growing more cancerous and damaging. Massive data breaches and their ripple effects compel organizations of every kind to grapple with risk and security at a more fundamental level.
The harm done to brand reputation can be long lasting and hard to control. Breached companies are liable for significant restitution to customers and suppliers, face closer scrutiny and higher fines from regulators, and often struggle with sudden drop in sales or loss of business. The appearance of negligence, repeat attacks or unpredictable fallout from a breach can significantly unravel public goodwill that took decades to build. The trust dynamic that exists amongst suppliers, customers and partners is a high-profile target for cybercriminals and hacktivists.
Board Involvement
Information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cybersecurity: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies. Cybersecurity chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.
Resilience is Vital
Every organization must assume they will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses. Business, government and personal security are now so interconnected, resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems.
I strongly urge organizations to establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of experienced security professionals, should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.
Today’s most cyber-resilient organizations are appointing a coordinator (e.g., Director of Cybersecurity or a Chief Digital Officer) to oversee security operations and to apprise the board of its related responsibilities. The new legal aspects of doing business in cyberspace put more pressure on the board and C-suite. For example, an enterprise that cannot prove compliance with HIPAA regulations could incur significant damages even in the absence of a breach, or face more severe penalties after a successful attack.
Next Steps
We no longer hide behind impenetrable walls, but operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.
Here is a quick recap of the next steps that businesses should implement to better prepare themselves:
- Re-assess the risks to your organization and its information from the inside out. Operate on the assumption that your organization is a target and will be breached.
- Revise cybersecurity arrangements: implement a cyber-resilience team and rehearse your recovery plan.
- Focus on the basics: people and technology
- Prepare for the future: to minimize risk and brand damage, be proactive about security in every business initiative.