It is now axiomatic that data breaches have become a function of “when, not if”. At long last, organizations are increasingly cognizant of this fact. In Grant Thornton’s 2017 Corporate General Counsel Survey, 72% of respondents cite cyber threats as their most significant source of risk. Cyber risk is significant, and it’s changing.
Today’s risks are significantly different than they were even a few years ago. Cybercrimes have evolved from blunt, brute-force tactics to highly automated, tailored, and targeted attacks. Cybercriminals employ sophisticated skills and operate within a thriving and evolving criminal marketplace. This sophistication breeds commoditization, meaning that bad actors no longer need to possess deep technical capabilities to wreak havoc; they merely need to know where to shop for the skills they need.
Accordingly, an organization’s information security controls alone are no longer sufficient to counter these threats. In the face of this evolving threat, organizations need to move from a cyber strategy focused purely on defensive technology towards a holistic approach that focuses on the concept of resilience. To be sure, organizations must continue to maintain effective preventative measures, but they must also build their ability to identify, to contain, and to recover from data incidents by employing a multi-disciplinary approach that incorporates skills from several core competencies.
Four steps to resiliency
Consider the following steps, all of which combine to form a resilient approach to cybersecurity.
- Build a collaborative, cross-functional team. Yes, strong technical controls remain vital, but your cybersecurity team needs either to develop the necessary capabilities internally or to partner with external parties to address a variety of disciplines. IT should coordinate closely with operational areas to fully understand data needs, uses, and exposures. Vendor management resources will need to focus on third-party risk profiles and to develop controls suitable to the risk profile of each third party (without over-engineering controls in a way that could unduly hamper operations). Your general counsel should play a key role in helping to ensure that appropriate contractual protections are in place, in providing guidance on when and how to involve law enforcement, and in invoking and managing the attorney-client privilege. Crisis management and communications resources also play a key role in ensuring that consistent and accurate communications are relayed to affected stakeholders and customers in the event of a breach, thus helping to mitigate reputational damage.
- Get the right insurance—but understand its limitations. Insurance products are evolving to offer protection against a breach, but organizations need to understand the difference between insurable and un-insurable risks. Many organizations only discover the gaps, exclusions, and limitations in their coverage after a breach has occurred. Organizations should conduct regular, detailed reviews of the evolving array of insurance products available to tailor a solution. Organizations must also understand that some risks, such as reputational damage, are difficult to insure against.
- Control third-party risk. Most organizations today rely on a web of internal and external resources to meet evolving customer needs. That often means granting vendors and other third parties access to your infrastructure, transferring sensitive data to them, and generally expanding your “cyber footprint” beyond the traditional boundaries of your organization. Organizations must conduct due diligence on their key third parties to ensure that effective cybersecurity practices are maintained and that contractual protections against third-party failures are in place.
- Practice, practice, practice. Once you’ve assembled the right incident response team (including external forensic and legal experts, as needed), this team needs to be run through its paces “before the bad thing happens”. Put differently, the effectiveness of a good team can only be measured through regular drills, which will identify gaps and better ensure that everyone is prepared to act quickly and appropriately in the event of a breach.
Focusing on resilience, not just defense, is the best way to prepare for an environment where a breach of some nature is almost inevitable. Grant Thornton’s white paper, Taking AIM at Cyber Risk, offers further insights on how a holistic, resilient approach best positions companies to address today’s evolving cyber threats.
Principal, Practice Leader, Forensic Technology Services