BreachExchange mailing list archives

Become a cyber-resilient organization


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 May 2015 14:49:49 -0600

http://www.biztimes.com/article/20150522/BLOGS/150529914/-1/Technology_telecom

Change, complexity and confusion. This seems to be the status quo in the
world of cybersecurity today. The frequency and impact of cyber attacks and
data breaches have spiked in recent months, forcing companies to grapple
with a business threat that has grown significantly in seriousness and
scale, yet has only existed in its current form for a few years. This
leaves lingering questions about how to deal with the threat.

To compound this challenge, according to Ernst & Young LLP's most recent
Global Information Security Survey, while 67 percent of respondents see
threats rising in their information security risk environment, more than
half said it is "unlikely" or "highly unlikely" that they would be able to
detect a sophisticated attack.

Whether it's for political gain or proprietary information, hackers may
have different motivations for their activities, but they share key
commonalities. They are more persistent, more resourceful, better funded
and better organized than ever before, and they target vulnerabilities in
people and processes beyond the traditional technology gaps. To mitigate
these risks, organizations must acknowledge that cybersecurity has evolved
from a technical IT issue to a boardroom priority — and they must take a
business risk approach to combat the threats.

A business-focused approach

The best prepared companies aim for cyber resilience — the ability to
resist, react to and recover from potentially devastating cybersecurity
threats. Getting started requires two key components. As a foundation,
companies must have an effective IT infrastructure that can detect and
protect against ongoing threats. And, equally important, companies must
take a business risk-focused approach to cybersecurity that regularly
examines key information assets and develops a strategy to protect them.

This approach begins by developing a thorough understanding of your
company's cyber ecosystem, a complex community of interacting devices,
networks, people and organizations, and the supporting processes and
technologies. A cyber ecosystem inventories the locations where critical
information assets may reside, ranging from your internal data center to
external vendors and suppliers. The system also encompasses the key factors
that can affect how these assets are protected and how they can be accessed
or impacted, including current economic conditions and world events.

Managing risk in the cyber ecosystem requires companies to understand that,
unlike with traditional information security, it is no longer enough just
to think about your own security. Companies must consider a wider range of
unknown or unknowable security threats to these key information assets
given the interconnectivity of people, organizations and devices, including
variable factors (e.g., PR and employment agencies, software developers)
and uncontrollable factors (e.g., economy and governmental regulations).

Protect your critical business information assets

Cyber-resilient companies know what assets are most at risk and could pose
the largest impact if compromised. What is determined to be most valuable
varies from company to company and across sectors. It may be information
about your business, intellectual property or employee and financial data.
Asking the following five questions will help make this important
determination.

1. Do you know what you have that others may want?
2. Do you know how your business plans, such as key vendor outsourcing
   relationships or a planned business transaction, could make these assets
   more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were being attacked and if the assets have been
   compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?

Once a company knows which assets in its cyber ecosystem are most critical,
it can work toward developing internal controls and leveraging its existing
IT infrastructure, people and processes to help ensure those assets are
sufficiently protected. This involves ongoing, regular efforts to understand
how critical assets can be put at risk, to monitor access to and activity
over these assets, and to develop sound incident monitoring, detection and
response capabilities so the company is sufficiently prepared to react to
and recover from a breach.

We all live and operate in a complex web of digitally connected entities,
people and data. Companies rely heavily on global digitization to share
data, and most key business activities have a cyber dimension. Any direct
connection to the internet can mean a direct link to attackers. While we
cannot completely stop hackers, cyber-resilient companies can move from a
reactive state to a more proactive approach.

By putting the building blocks in place and designing a cyber program that
is adaptable to change, companies can start to get ahead of cyber crime,
building capabilities before they are needed and preparing for threats
before they arise.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
