Target. Adobe. AOL. eBay. What do these companies have in common? All are large companies that have been the victims of major security breaches over the last year. Over 145 million records were compromised in the case of the online auction site eBay, and Target’s breach exposed the records of more than 70 million customers. Unfortunately, all too often, organisations react to this type of event rather than proactively protecting against it. Although some may argue that it is hard to ‘get ahead’ of the attackers, there are steps you can take to reduce your exposure. Presented below are thoughts on the challenges of cybersecurity and managing your risk.

For an effective cybersecurity programme, an organisation needs to coordinate its efforts across its entire information system. The most difficult challenge in cybersecurity is the ever-evolving nature of the risks themselves. Traditionally, organisations have focused cybersecurity resources on perimeter security, protecting only their most crucial system components and defending against known threats. Today this approach is insufficient, as threats advance and change more quickly than organisations can keep up with them. As a result, advisory organisations promote more proactive and adaptive approaches to cybersecurity.

Similarly, the National Institute of Standards and Technology (“NIST”) issued its Cybersecurity Framework in February 2014, which recommends a shift toward detection (continuous monitoring and real-time assessments), response and recovery, based on a data-focused approach to security rather than the traditional perimeter-based model.

MANAGING CYBER RISK

The National Cyber Security Alliance (“NCSA”), through SafeOnline.org, recommends a top-down approach to cybersecurity in which corporate management leads the charge in prioritising cybersecurity across all business practices. NCSA advises that companies must be prepared to “respond to the inevitable cyber incident, restore normal operations, and ensure that company assets and the company’s reputation are protected.” NCSA’s guidelines for conducting cyber-risk assessments focus on five key areas:
- Identifying your organisation’s “crown jewels”: the most valuable information requiring protection;
- Identifying the threats and risks facing that information and their likelihood of occurrence;
- Assessing the impact your organisation would incur should that data be lost or wrongfully exposed;
- Assessing the organisation’s ability to recover from such an event and planning for a timely and appropriate response; and
- Detecting any nefarious activity (i.e. a breach) on your network.
Cyber-risk assessments should also consider operations and any regulations that affect the manner in which your organisation collects, stores and secures data. Assessing processes and technologies will help to establish the requirements of a mature cybersecurity programme, but an organisation must also focus on the people who touch those processes and technologies. Even the most robust cybersecurity programme built on technology solutions will be limited without a high level of user adoption. Your employees need to understand the risks, embrace their responsibilities and act accordingly. Proper change management can improve or create a governance framework, communication plans, job-impact analysis and appropriate training and education to help ensure the success of the cybersecurity effort.

THINKMARBLE CAN HELP

In conclusion, many organisations have not appropriately identified the risks and vulnerabilities of their environment, and are therefore failing to adequately safeguard customer, employee and other sensitive data. Unfortunately, the sentiment is often dismissive, resting on the incorrect assumption that ‘criminals don’t care about my small company’. That said, the metrics are alarming:
- 60% of small to midsize businesses (SMBs) that experience a data breach fail within 12 months; the figure grows to 72% within 24 months;
- 62% of attacks target SMBs;
- Only 36% of SMBs have data security policies;
- Only 26% of SMBs believe they have the necessary in-house expertise;
- £128,242 is the average cost of a cyber event for an SMB.