To continue National Cyber Security Awareness Month, the following article focuses on why cybersecurity needs a new approach.
Last Thursday, Facebook announced that they had suffered a massive security breach and that the accounts of 50 million users were affected. Shortly after that, on October 2, the American Consumer Institute (ACI) analyzed 186 routers from 14 vendors and found a shocking 32,003 security flaws present. The fact is that security vulnerabilities exist everywhere, from web applications and hardware to the business processes that employees engage with daily. Cybercriminals will continue to find and exploit bugs wherever they occur. The fact that one of the world's most potent social media giants can be infiltrated by hackers makes it self-evident that no one is immune to such damage.
It has become clear that siloed approaches to cybersecurity risk management often can't see the forest for the trees, as the common phrase goes. Thus, it's time for a new, holistic approach.
Security strategies are often written exclusively by IT security teams, and it’s easy to overlook the importance of full business engagement. The fundamental problem with this is that security strategies need to be defined and driven by individuals who have an extensive understanding of the business as a whole, to determine where robust security policies are required and how to effectively carry them out across an organization to defend assets, data and users.
Cybersecurity is not limited to technology. It spans the realms of IT architecture, cybersecurity mechanisms, law and even human psychology with regard to the social engineering tactics used by attackers. The breadth of these disciplines requires the collaboration of professionals with experience in IT, compliance, HR, governance and education.
There has been a notable uptick in cybersecurity awareness across businesses, in part as a direct result of all of the damage and attention that breached organizations receive. However, while the awareness exists, there is still a lack of effective cybersecurity training. Even if the IT teams and stakeholders are fully engaged in the cybersecurity program, the rest of the end users may not necessarily be brought into the fold. Perfunctory annual training is still probably inadequate. Everyone across every company needs to understand precisely how hackers will attempt to take advantage of weaknesses across hardware, software and even their own trusting dispositions to open phishing emails. Reiterating how relentless hackers are is essential, as is explaining the ramifications that directly follow a successful cyber-attack, including, but not limited to:
- Irreparable data loss, theft or compromise
- Damage to reputation
- Loss of customers
- Lost revenue
- Fines and more
An Integrated, Holistic Approach
To bolster both defenses and resilience against cyber threats, firms should take a holistic approach that aligns risk management and cybersecurity. Cybersecurity is often managed through its own set of controls as a part of IT, which may be completely separate from risk management and compliance, and this gap needs to be closed. Cybersecurity programs should be custom made to suit your organization. From the initial assessment that will help your company obtain a baseline of its present cybersecurity posture, to employee security training, every part of the business needs to participate in reinforcing the program put in place.