Cyber-attacks arguably pose the single biggest modern threat to businesses. The number of cyber-attacks, their level of sophistication, and the financial and reputational damage they cause all continue to increase at an alarming rate. The research firm Cybersecurity Ventures predicts that cybercrime will cost $6 trillion globally by 2021. Insiders, nation-state groups, and criminal organizations now often work together to deploy an ever-expanding array of cyber-attacks, many of which rely on social engineering. Common tactics include spear-phishing, business email compromise (BEC), ransomware, distributed denial-of-service (DDoS) attacks and Trojan horse malware. The impact on both the public and private sectors is significant, creating unprecedented financial, operational and reputational risk for organizations worldwide.
These factors have helped the cybersecurity marketplace rapidly grow to a $100 billion industry. There is a wide offering of cybersecurity hardware, software and professional services in the market, often claiming to have the solution to many of your cybersecurity needs. Unfortunately, no single product or service can provide a magic solution to this multifaceted, ever-evolving, and highly complex set of global information security challenges.
As a result, many C-suite executives are trying to make the right investment decisions, but they are often not well informed about the cyber threats facing their organization or about its potential cyber liabilities. Rather than spending valuable resources only on protecting specific types of high-value data, a threat-based approach to cybersecurity identifies the vulnerabilities a cyber-attack would most likely try to exploit and outlines the measures needed to close them.
THREAT-BASED CYBERSECURITY – GUIDELINES FOR IMPROVED BUSINESS RESULTS
We recommend a threat-based cybersecurity approach to combat cyber-attacks and mitigate costly cyber data breaches. Threat-based cybersecurity is forward-looking and uses analysis of a company’s unique threat profile to identify at-risk areas and protect against the most likely types of cyber-attacks that could occur. This requires a multi-pronged strategy and a range of proactive steps, including:
- Hire an independent firm to conduct some or all of the following advanced diagnostics: email threat assessment, network and endpoint threat assessment, vulnerability assessment, penetration testing, a spear-phishing test campaign, a red-team security assessment, and a security software tools assessment
- Hire a dedicated Chief Information Security Officer (CISO) who reports to the CEO or General Counsel to develop a sound cybersecurity and data privacy risk management program tailored to the specific cyber threats facing your organization
- Implement advanced software encryption with multi-factor authentication, including biometrics
- Provide timely and effective cybersecurity education and training programs for the entire organization, top to bottom
- Implement a timely and effective software security patch management program
- Ensure the organization has developed and implemented a robust information governance program to map, track and secure all data assets
- Review and periodically test the organization’s Incident Response Plan
- Review and periodically test the organization’s Business Continuity Plan and Disaster Recovery Plan
- Conduct or outsource 24x7x365 managed detection and response (MDR) of the organization’s information systems, networks, endpoints, software applications, and email systems using the most advanced machine learning and artificial intelligence applications
- Verify the compliance of the organization and all supply chain partners with all cybersecurity and data privacy regulatory requirements by using independent compliance and risk assessments conducted by qualified firms
The C-suite worldwide is increasingly concerned about the growing risk of a massive cyber data breach, such as those suffered by Capital One, Facebook, Equifax, and numerous government agencies. C-level executives in every organization therefore need to understand the value of the information assets they hold and the associated cybersecurity and privacy risks, and then weigh the benefits of cybersecurity investments against those risks in their business decisions.
Simply put, it is vital that C-suite executives adopt a threat-based cybersecurity strategy: understand the cyber threats they face, then make the right investments to mitigate the identified vulnerabilities, thereby reducing their cyber liability while making the best use of their resources.
This article originally appeared as a BDO USA, LLP’s Cyber-security Guideline (September 2019). Copyright © 2019 BDO USA, LLP. All rights reserved. www.bdo.com