While the inter-connectivity of business entities grows, attack techniques evolve, making them increasingly more difficult to predict. What to do?
By Sunti Wathanacharoen
Cyber security questions are pressing in the workplace due to the recent increase of large-scale cyber crimes in the United States. Big-name companies like T-Mobile, BBC, Target and the Federal Election Commission were among more than 50 entities that experienced highly publicized cyber security issues within the last two weeks of 2013.
Cyber attacks have become a common reality for businesses as the costs and frequency of breaches continuously rise. While the inter-connectivity of business entities grows, attack techniques evolve, making them increasingly sophisticated, innovative and more difficult to predict.
Modern security threats influence various industries and all stages of business, compromising technology, financials, reputations and stakeholder value, and impact all aspects of business from the supply chain to the vendor and customer.
No business is too large or too small for concern. All businesses and their subsidiaries are at risk, and it’s no longer a question of “if” but rather “when” your business will be a victim of a cyber security issue. CNN reports nearly half of the data breaches identified by Verizon in 2012 took place in businesses with fewer than 1,000 employees.
Similarly, a leading computer security firm, Symantec, recently reported 31 percent of all attacks in 2012 targeted businesses with fewer than 250 employees, and attacks were up 81 percent from 2011.
With the Ponemon Institute reporting the average loss per incident exceeds 28,000 records and $5 million, let’s be clear: Even if your business is small, it is time to address cyber security concerns and mitigate exposure to this large-scale risk on a regular basis.
Establish a Plan
Many traditional cyber security protocols consist of various preventative efforts such as firewalls and virus protection software, but it’s just as important to employ detective and reactive controls as a company links its investment in cyber security to the vast potential consequences.
For entities of all sizes, a solid plan incorporates an understanding of modern attacks, a plan for defending against and defeating attacks, and the potential responses to them. By moving the emphasis away from purely traditional defensive strategies, businesses can effectively manage the risk and reduce their exposure to cyber security issues by initiating a solid cyber resiliency plan.
The four essential components a company needs to consider include: security, preservation of reputation, customer impact and consequences.
Here are five key steps to consider when building a cyber resiliency plan:
- Assess the risk to your entity.
- Identify the systems, data and hardware requiring protection.
- Define responsibility in maintaining security and the response plan when an attack occurs.
- Communicate the plan to executives and management.
- Monitor and report the plan’s effectiveness.
Step One: Assess the Risks
The first step is to consider the business risks. Because budgetary spending on security is often limited, entities must identify the risks they face and prioritize to pinpoint the greatest concerns.
It’s important to note the greatest risk may be reputation and not the dollars directly associated with an individual attack. In this stage, the thought process evolves from determining the company’s most important assets to considering what types of protection to provide.
Entities make progress when they define the inputs a security plan needs and identify which outcomes or consequences they can live with. Next, the company evaluates and balances its risks and resources.
Step Two: Identify What Needs Protection
Once the priority assets are identified, the plan shifts to implementing protection against threats. The mindset during this step should focus on moving beyond the minimal preventive and defensive controls needed for compliance standards to how resources can effectively align to protect assets.
The effects of a cyber attack may impact all aspects of the supply chain, increasing the importance of a plan that strikes a balance between addressing security concerns and not unnecessarily constraining the day-to-day workflow. The plan must be flexible enough to allow quick responses to attacks as well as to their consequences.
To be most efficient, cross-functional teams from varying business disciplines should develop and test the plans. This team should ensure the entire company is prepared to respond quickly and communicate with all stakeholders who could be affected in the event of a cyber attack.
Step Three: Define Responsibility for Maintaining Security and Responding
A recovery plan must be flexible in order to successfully adapt to a variety of potential threats and attacks. It must also be specific, comprehensive, and most importantly, achievable.
Within the plan, two primary responsibilities – maintaining security and leading responses – should be assigned to leaders with authority and support. They should initiate the testing of the plan and accommodate regular re-evaluation of both the prioritized assets and the actions needed to protect them as the security landscape evolves. Their proactivity will help validate the security and responsiveness associated with the resiliency plan.
Step Four: Communicate the Plan – Executive Level
With many details of the plan requiring a great deal of attention, executive-level direction and support are essential. Cyber resiliency plans require executive buy-in, collaboration from different levels within the entity, and coordination with vendors and customers.
When preparing your cyber resilience plan, remember:
- It is not a question of “if” an attack or incident will occur, but a question of “when.”
- There are no answers that provide 100 percent assurance.
- There is a direct relationship between response time and the exposure to operations, finances and reputation.
- Communication of the plan and relevant updates (as well as the information and support driving these updates) should be delivered to leadership and board members regularly, and to vendors, clients and customers when needed.
Step Five: Monitor and Report
It’s important to employ ongoing monitoring of all security strategies and plans, whether recently introduced or not. While monitoring the evolution of the cyber resilience plan, report on successes and areas for improvements. Ongoing communication should exist with stakeholders, both internally and externally, to guide the direction of the plan through its evolution.
Sunti Wathanacharoen is a Partner in RubinBrown’s Business Advisory Services Group. He has broad-based business experience working with a variety of organizations in enhancing their business performance.