10 Critical Steps to Create a Culture of CybersecurityBusinesses are more vulnerable than they need to be. Here's what you should do about it.
Despite constant headlines about cyber attacks, organizations continue to leave their systems and data unnecessarily vulnerable. Cyber incidents result in the loss of reputation, enterprise value, and jobs, not to mention regulatory fines and civil litigation. According to Kaspersky Labs and the Ponemon Institute, 90% of businesses have experienced a cyber attack, with an average cost per breach of $3.6 million. Ponemon estimates that 27.7% of organizations surveyed will likely suffer another material breach within the next two years.
Although eliminating all cyber incidents is impossible, a "unified governance" approach that combines security with data management and information governance (IG) can help create a business culture that promotes a strong defense. Here are 10 steps you can follow to create a culture of cybersecurity.
1. Bring everyone to the table.
Senior executive engagement is essential. Include your information technology, information security, legal, knowledge management, compliance, privacy, finance, communications, and human resources teams. A lack of participation equals a lack of investment and cooperation required to sustain the effort.
2. Avoid contributing to your own victimization.
Invest in the required technology, training, and business processes to avoid greater long-term costs related to incident response, remediation, fines, lawsuits, and losses to reputation, business, and enterprise value. Be transparent after a breach, and report it to law enforcement. Fear of the consequences causes inaction and exacerbates the harm associated with cyber incidents.
3. Eschew a compliance-only mentality.
Compliance is essential but insufficient to mitigate cyber-risk and improve incident response. Cybersecurity compliance is really about preventing victimization, not internal wrongdoing.
4. Employ Information Governance best practices.
You cannot protect the unknown. To protect data — and successfully manage a breach — you must identify your data, its location, its value, users with access, and applicable legal obligations. Doing so enables you to ensure legal compliance, while deleting data that you don't need. "Defensible disposal" makes it easier to identify and protect what's really valuable. IG best practices have been codified in the latest Information Governance Process Maturity Model (IGPMM), developed by the Compliance, Governance and Oversight Counsel (CGOC), and the Information Governance Reference Model (IGRM) Guide. IG is a journey of continual maturation, not an all-or-nothing proposition.
5. Utilize information resources.
Plenty of resources exist for learning more about cybersecurity and improving your risk profile. You can participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, Department of Homeland Security, and state and local governments, and you can join industry groups, including ISACs and ISAOs.
6. Counter the insider threat.
Too many companies create perfunctory insider threat programs that employees sleep through or easily circumvent. Insider threats — whether intentional (for example, employees stealing sensitive information or damaging systems) or not (employees clicking on bad links or attachments)— should be a top concern for executives and an essential part of employee training. Employee training, though, doesn't ensure security. The realistic goal of training is to reduce, not eliminate, cyber-risk.
7. Manage the third-party threat.
Your company is now part of a global chain of technologically interdependent computer users. Sensitive data is constantly on the move, and any computer can be used to exploit others to which it connects. Your contracts therefore must include all rights and obligations related to handling and securing sensitive information, as well as cooperating in cyber incident response. Technology solutions can now support this.
8. Control your endpoints.
You can protect your sensitive data only if you control the devices that access it. You must be able to manage all devices that connect to your network or access sensitive data. This includes laptops; tablets; mobile, wearable, and Internet of Things devices; portable storage media; and cloud accounts. You must control the types of devices and applications used, the data accessed, and who can access what. Mobile device management solutions allow you to remotely locate, monitor, and delete sensitive data.
9. Adopt the latest security best practices.
Cybersecurity best practices (such as multifactor authentication, encryption, and network segmentation) and tools (such as antivirus, anti-spam, anti-phishing, data loss prevention, intrusion detection/prevention software) are essential. Using them without proper IG practices, though, will leave gaping vulnerabilities in place.
10. Never assume that cybersecurity incidents are over.
Assuming that a cyber incident is isolated or "over" once remediation has begun is dangerous. What was the initial attack vector? What was compromised? Have all vulnerabilities been locked down? Are the attackers still in the network? Who attacked you and why? What other attacks may have been or might be launched? How does the incident fit into your cybersecurity history and profile? Forensic investigations must be thorough, objective, and conducted under legal privilege. The investigation of external attacks should include external incident responders. Poor investigations result in greater technical, reputational, and legal harm when the next incident occurs.
Edward J. McAndrew is a partner and co-chair of the Privacy and Data Security Group at Ballard Spahr LLP. He previously served for nearly a decade as a federal cybercrime prosecutor in Washington, DC, Northern Virginia and Delaware. His work spanned every major area of ... View Full Bio