Information security is a concern for virtually all businesses in today’s data-driven environment. It is so vital to the health of an organization that the general public is now making purchasing and investment decisions based on an entity’s cybersecurity readiness. In the last five years, businesses’ concern has skyrocketed, so much so that the government has increased its level of involvement and established more stringent requirements for publicly-traded companies. However, the true responsibility lies at the feet of entity leaders – the CEOs, the COOs, the CIOs, and their governing boards.
How has cybersecurity risk management changed over time?
When the internet made its debut, security looked different than it does today. Over the last 20 years, we have seen cybersecurity tactics shift through three distinct phases.
- Security-Minded Phase
In the late 1990s, companies focused on blocking unwanted visitors and not much else. The goal was to keep the threats out of the system and away from valuable information. Company leaders delegated these tasks to the IT department and moved on.
- Compliance-Minded Phase
By the 2000s, electronic data had become commonplace, so companies were forced to adopt a broader range of security measures. Breaches of personally identifiable information (PII) became a recurring problem, prompting governments to require compliance with security regulations. During this period, we saw the rise of HIPAA, PCI and a host of other information security and privacy regulations. Industry leaders set standards that many businesses chose to follow. By complying with regulatory obligations, organizations felt confident that they were effectively managing risk.
- Risk-Minded Phase
Today, as the need to secure data is universal, entities are looking at their individual risk profiles before taking action. Regulatory compliance is not enough: regulations often lag behind new technology, and they tend to focus on PII rather than on the direct threats a business faces. Beyond simple regulatory compliance, organizations look inward. They know that their risks are unique, and they utilize the entire organization to manage those risks.
The Securities and Exchange Commission (SEC) is urging organizations to develop policies and procedures that will identify and address their unique risks. At the moment, the SEC’s recommendations apply only to publicly-traded entities, but their standards set a precedent that nonpublic entities cannot ignore.
To effectively manage risk, an organization’s leaders must fully understand its weaknesses. A formal risk assessment, typically performed by a reputable accounting firm, identifies potential security issues and measures the impact of a potential breach. Most discovered weaknesses will fall into one of two categories.
The first category is technical weaknesses. Weaknesses in technology can swiftly result in a data breach if protective measures are not taken. A network running without the support of a good IT team, for example, is a technical weakness that could result in cybersecurity incidents. A few other potential technical weaknesses are:
- Poor access controls, such as weak passwords and the absence of two-factor authentication;
- Poor monitoring or logging of network activity;
- Failure to patch outdated systems;
- Failure to routinely test for security; or,
- Unreliable backups.
The second category is administrative weaknesses. The company as a whole, not just the IT department, can reduce security risk if everyone works as a team toward the end goal. Potential administrative weaknesses include:
- Outdated security policies;
- Poor cybersecurity knowledge by staff members;
- Poor incident response plans;
- Insurance coverage without a rider to address cyber risk, or insurance coverage with “cyber risk” riders that do not address the unique risks of that organization;
- Failure to perform routine risk assessments; or,
- Lack of team member participation.
When technical and administrative weaknesses are not addressed, all aspects of the business will be affected. First and foremost, the business will suffer financial losses following a cybersecurity incident. A hacker may siphon business funds, or a security breach may halt business operations, resulting in a direct loss of revenue. Regulatory issues may come to light, and the fines and penalties that follow can deal an unexpected blow to the business’s finances. Legal proceedings, such as employment-related or breach of contract lawsuits, can be costly and time-consuming, and can take the focus away from the business’s long-term goals. But perhaps most importantly, a security breach can damage an organization’s reputation. Losing market share and managing a shrinking client base will impact the business for years to come.
Coming to terms with your organization’s weaknesses and understanding the potential consequences of failing to address them is the first step. It is important for business leaders to be involved in the data security and protection process. As technology and data needs change, so will the risks; it is therefore important to perform risk assessments regularly. Our team of experts can help you manage your risk by performing information security testing or full-blown risk assessments to fit your needs. If you want to learn more about the services we offer, contact us. We look forward to speaking with you soon.