Cybersecurity is one of the most high-profile topics for organizations today, and one of their biggest sources of risk. Numerous recent incidents have heightened awareness of and sensitivity to this risk, and have made it even more critical that organizations assess their cyber readiness. Available data suggest that 84% of corporations have malware on their networks. Advanced persistent threats are becoming more visible and more damaging, resulting in significant brand damage and financial loss. Attackers are able to get in quickly and can remain undetected for months or years, doing immeasurable damage. It is estimated that cybercrime costs over $575 billion annually, a cost that primarily comes out of shareholder value from the Fortune 500.
For most companies, the first instinct after discovering a breach is to assess what happened. These organizations must perform forensic analysis in order to assess the damage, the scope of the attack, and opportunities for immediate remediation. However, this only closes a door that has already been opened and exploited.
Beyond the immediate, every company must look to examine the following critical focus areas:
- Reduce the threat of future incidents
- Understand the risks and take steps to mitigate them
- Be prepared to appropriately manage a future incident when it occurs
- Ensure there is timely and appropriate communication to all stakeholders
To effectively address these areas, organizations need to consider:
It is of paramount importance for companies to determine how susceptible they are to cyber risk. Conducting a holistic review of the organization to identify areas of vulnerability and improve network security is a proactive measure that no organization should overlook.
Building a Culture of Security
A continuously improving culture of security based on foundational security principles reduces risk to the organization's mission.
- Knowing your data and how to protect it: Organizations need to implement policies and procedures that organize and manage data effectively and provision access to that data in a way that minimizes insider threats.
- Consider the human element: In most cases, firms need to develop or refresh employee awareness, education and training programs that focus on data security policies and procedures.
Communication Strategy and Readiness Plan
A comprehensive incident response plan should outline the steps to take if a data breach is suspected or occurs. Having a detailed and tested plan in place prior to a breach occurring will save time and money, and minimize reputational damage when the inevitable happens. That plan should include:
- Incident Response Team: Organizations need to have a team in place with defined roles and responsibilities for internal and external resources.
- Triage Plan: It is important to develop a response plan that addresses how the organization will notify its insurance carrier, law enforcement and outside forensic investigators, as well as how it will approach crisis and media management.
- Breach Response Plan: Organizations need to develop response procedures covering timing and notice to affected individuals and government authorities. It is important to control the story and get the right information to the right people at the right time. The plan should address external communications (press, website, social media) and internal communications.
- Mitigation & Remediation Plan: This should use investigation outcomes to correct vulnerabilities, harden systems against further breaches, and review and improve the incident response team.
Legal and Insurance Implications
There are significant legal implications for organizations within the scope of a cyber incident, and planning before, during and after an incident needs to take this into consideration. Key risk areas include:
- Class action lawsuits
- Loss of public confidence
- Loss of share value
- Issues with re-insurance and rates
Many organizations now operate in regulatory environments that require a certain level of cybersecurity risk mitigation. This includes regulations and standards such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard.