Why you need to go beyond compliance.
Businesses will continue to face a ton of cyber threats, some of which will impact organizations severely enough to require security measures that will reach far beyond compliance. A Ponemon Institute study showed that the average compromised record cost approximately $194 per record. Loss of business due to cyber breaches were estimated to be approximately $3 million.
As you can see, it’s important to make sure that the risk of cyber breaches is taken seriously.
Compliance standards will enable your organization to establish a solid baseline to deal with known risks, but this does nothing to address new and changing threats. Also, more sophisticated threats and vulnerabilities aren’t always known or covered in compliance. You need to have a risk-based approach to this, so that your organization will have a more cost-effective and comprehensive management of these risks.
One of the most common problems involving cybersecurity is the constantly and rapidly changing landscape of security risks. The ever-evolving business environment is changing faster than we’re able to keep up. The traditional way to approach this problem was to focus the majority of resources on the most important parts and create protection against those threats that are the biggest known. This of course, left some lesser important parts of the system vulnerable. In other words, there were some less dangerous risks that were left unprotected, that could possibly cause lost business and still make life hard. This approach is no longer sufficient in our current day and age.
To approach this problem in the best way possible, advisory organizations have been promoting a different approach.
The National Institute of Standards and Technology (NIST) and the U.S. government have both issued some updated guidelines. (You can learn more about what NIST’s Cybersecurity Framework can do for you here.) While both involve recommendations to business organizations to make a shift towards real-time assessments and continuous monitoring of cyber risks, let’s consider what Homeland Security says are the five key questions to ask your CEO.
1. How specifically is the executive body of leaders kept up to date on the current level of cyber risks and impact to the business?
2. What currently is the level and impact of cyber risks to the business? What key plans or strategies exist to deal with risks that have been identified?
3. How specifically is our current cybersecurity program applying industry standards and best practices?
4. Throughout the course of a week, how many and what types of incidents are detected within the company? What threshold standard is used to alert the executive body of leaders?
5. Just how thorough is our cyber incident response plan? How many times a week or a month is it tested?
As you can see, these questions all lead you to a risk-based approach. With this approach, you’re not just adhering to compliance standards. You’re using a comprehensive approach that leverages best practices and industry standards to identify possible problems, along with processes in place to keep everyone informed. This will enable you to increase the chances of a fast and timely response to possible cybersecurity threats. It will also increase the chance of a quick and easy recovery, when and if such an event should occur.
Time is crucial in this matter. Early response actions can decrease the amount of negative impact to your organization and even possibly eliminate it altogether. They key to this is planning. This is more than just having a checklist in place and then going down the list, checking off each task. It will involve continuous comprehensive, risk-based preparation in conjunction with your business leadership, public affairs, general counsel, system operators, continuity planners, CEO and your Chief Security Officers.