Change, complexity and confusion. This seems to be the status quo in the world of cybersecurity today. The frequency and impact of cyber attacks and data breaches have spiked in recent months, forcing companies to grapple with a business threat that has grown significantly in seriousness and scale, yet has only existed in its current form for a few years. This leaves lingering questions about how to deal with the threat.
To compound this challenge, according to Ernst & Young LLP’s most recent Global Information Security Survey, while 67 percent of respondents see threats rising in their information security risk environment, more than half said it is ”unlikely” or ”highly unlikely” that they would be able to detect a sophisticated attack.
Whether it’s for political gain or proprietary information, hackers may have different motivations for their activities, but they share key commonalities. They are more persistent, more resourceful, better funded and better organized than ever before, and they target vulnerabilities in people and processes beyond the traditional technology gaps. To mitigate these risks, organizations must acknowledge that cybersecurity has evolved from a technical IT issue to a boardroom priority — and they must take a business risk approach to combat the threats.
A business-focused approach
The best prepared companies aim for cyber resilience — the ability to resist, react to and recover from potentially devastating cybersecurity threats. Getting started requires two key components. As a foundation, companies must have an effective IT infrastructure that can detect and protect against ongoing threats. And, equally important, companies must take a business risk-focused approach to cybersecurity that regularly examines key information assets and develops a strategy to protect them.
This approach begins by developing a thorough understanding of your company’s cyber ecosystem, a complex community of interacting devices, networks, people and organizations, and the supporting processes and technologies. A cyber ecosystem inventories the locations where critical information assets may reside, ranging from your internal data center to external vendors and suppliers. The system also encompasses the key factors that can affect how these assets are protected and how they can be accessed or impacted, including current economic conditions and world events.
Managing risk in the cyber ecosystem requires companies to understand that, unlike with traditional information security, it is no longer enough just to think about your own security. Companies must consider a wider range of unknown or unknowable security threats to these key information assets given the interconnectivity of people, organizations and devices, including variable factors (e.g., PR and employment agencies, software developers) and uncontrollable factors (e.g., economy and governmental regulations).
Protect your critical business information assets
Cyber-resilient companies know what assets are most at risk and could pose the largest impact if compromised. What is determined to be most valuable varies from company to company and across sectors. It may be information about your business, intellectual property or employee and financial data. Asking the following five questions will help make this important determination.
- Do you know what you have that others may want?
- Do you know how your business plans, such as key vendor outsourcing relationships or a planned business transaction, could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and if the assets have been compromised?
- Do you have a plan to react to an attack and minimize the harm caused?
Once you know what assets in your cyber ecosystem are most critical, companies can work toward developing internal controls and leverage existing IT infrastructure, people and processes to help ensure they’re sufficiently protected. This involves ongoing regular efforts to understand how critical assets can be at risk, monitor access to and activity over these assets, and develop sound incident monitoring, detection and response capabilities to be sufficiently prepared to react to and recover from a breach.
We all live and operate in a complex web of digitally connected entities, people and data. Companies rely heavily on global digitization to share data, and most key business activities have a cyber dimension. Any direct connection to the internet can mean a direct link to attackers. While we cannot completely stop hackers, cyber-resilient companies can move from a reactive state to a more proactive approach.
By putting the building blocks in place and designing a cyber program that is adaptable to change, companies can start to get ahead of cyber crime, building capabilities before they are needed and preparing for threats before they arise.
Jeff Bilek is a Risk partner in the Advisory service line of Ernst & Young LLP, serving clients in Wisconsin and Illinois.
