Staying ahead of cyber threats is a daunting challenge for organizations. With threats evolving by the minute, organizations feel the need to be aware of the next possible cyber threat they may face.
In 2015 alone, over 169 million personal records were made public from 781 cyber security breaches across financial, business, education, government, and healthcare sectors [1].
Most large organizations have suffered some form of security breach, putting cybersecurity high on their agenda. The estimated annual cost of cybercrime committed globally is about 100 billion dollars [2]. These numbers are growing exponentially every year, and the stakes are enormously high: loss of intellectual property, confidential information, financial data, and, most importantly, brand reputation. Even though organizations are investing in mitigation programs, most still find it difficult to stay on top of cyber security issues. The concept of cyber fatality, where a potential cyber attack can mean an organization going out of business, is another key risk for some organizations. A number of small and medium-sized organizations that do not have strong cyber security measures in place also have an increasing fear of cyber fatality.
The cybersecurity market worldwide crossed $75 billion in 2015, and is expected to reach $170 billion by 2020 [3]. Organizations need to have a complete view of their business landscape to know their potential risks. In order to achieve this, they are seeking new ways to manage their security risks. Security consultants are continuously advising governments and organizations to adopt a risk-based approach to beat cyber crimes. However, efforts to seek new ways to manage security risks are directly proportional to the organization’s level of maturity. For instance, a company with limited IT infrastructure might not be able to forecast its future risks as a mature one would.
For many organizations, measures to combat cyber risk begin with creating a culture of security, implementing policies, and allocating resources for policy implementation. A well-thought-out risk management process tied to specific processes within the organization is easier to execute. Cyber risk management is complex and takes strong people, processes, and technology, and extensive commitment from the organization’s top leaders. Being aware of cyber risks helps in enforcing the right processes, procedures, controls, and policies at the right time.
Automated systems for compliance, risk, policy, and audit management can help organizations streamline and standardize these processes across the enterprise and stay aware of their risks and overall compliance status.
High-profile cybersecurity attacks have led to a persistent need for a strong cybersecurity governance framework. Standard frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework help provide guidance and control in the field of cybersecurity. The framework helps organizations define, adopt, and refine their infrastructure to manage cybersecurity-related risks. NIST encourages organizations to shift from traditional audit-based standards to more risk-based prevention approaches, and aims at raising the level of cybersecurity across nations.
Creating strong compliance and policy management programs and investing in best practices have shown significant results in reducing the number of cyber attacks. A policy-driven culture that runs centrally across the organization ensures that employees are aware of their dos and don’ts. Putting together a policy management program with careful consideration of compliance guidelines makes it easier to communicate and implement policies and procedures across a wider employee base. Furthermore, automating policy management systems increases the accessibility and accuracy of policies. These systems help form a strong foundation for an effective ethics and compliance program.
Each employee is responsible for the security of the organization. Although organizations can formulate and implement a number of cyber security policies, it is the duty of employees to follow them and make sure that they do not unwittingly cause a security breach. According to a recent report by the Ponemon Institute, “Managing Insider Risk”, 66% of the surveyed professionals said their employees are the weakest link in their efforts to create a strong security posture [4].
Employee engagement is essential for a change in the culture of an organization. The demand for security awareness training has recently spiked, with a number of governments mandating that companies ensure all their employees are adequately trained. Organizations need to move towards a culture where continuous engagement with leadership and open conversations with managers and supervisors are possible.
Linking employees’ performance to certifications and training could be one of the ways to guarantee accountability. Building a culture of collaboration between teams, in which experiences are shared so that teams learn from each other’s mistakes, also helps. Departments can set their own cyber security goals, as well as look for common goals between departments, always ensuring that they are in accordance with organizational goals and aspirations. In addition, understanding cyber threats, including their implications for an organization’s ecosystem, and sharing information appropriately with the concerned teams are important.
Transnational cybercrime through online payments and transfers has increased globally [5]. These crimes have virtually no boundaries and may affect any country across the globe, which is why several countries are coming up with their own cyber laws. Severe punishments are given to organizations or individuals attempting to breach these laws in any form. There are several automated systems that can keep organizations abreast of the rules and regulations applicable to them as and when they are updated.
Organizations are continuously changing. The continuous race to stay ahead in the game has led to a number of world-changing innovations. However, the downside of innovation is that it brings in new risks and vulnerabilities, as with the Internet of Things (IoT) revolution, which was staggeringly transformational but proved to be highly disruptive to businesses. It is crucial for organizations to understand their cyber risks so that this understanding becomes part of their risk appetite and is drilled down to middle management with the correct guidelines. This gives a better view of the organization’s risks, helping management predict future risks and find effective ways to mitigate them with stronger controls in place.
With technology advancing at a fast pace, technology breaches are also increasing drastically. The internet has made information easily accessible, increasing an organization’s vulnerability to cyberattacks. Risk prediction is the new Holy Grail of security. Proactive prevention is required, and risk detection technologies have become a key tool in anticipating the next cyber threat.