Businesses across sectors and geographies are dependent on an ever-increasing array of IT systems and technologies that enable them. Added to that is the need to be interconnected with suppliers, vendors, customers, and business partners.
The proliferation of, and dependency on, technology, combined with the interconnected nature of business, has increased the potential for cyber security risks.
In the current business scenario, cyber attacks represent a business risk and not just an IT problem. Cyber threats are increasing in frequency, sophistication and severity; they have evolved from unsophisticated attackers looking for technical vulnerabilities ‘for fun’ to state-sponsored attacks that target specific industries, sectors, companies, and individuals (e.g., executives) because of who they are, what they do, or the value of their intellectual property.
A successful cyber attack can impact shareholder value, tarnish the brand and reputation, expose the company to litigation, result in loss of competitive advantage, reveal regulatory or legal non-compliance, and result in steep financial consequences running into billions of dollars.
Cyber security threats typically evolve with unparalleled speed, complexity, and impact with new, more complex cyber risks emerging every day.
The media often focuses on cyber attacks relating to the theft of credit card data or the theft of Personally Identifiable Information (PII). The executives of companies that do not process or maintain customer credit card data or PII do not fully understand the severity of cyber security threats to their intellectual property and proprietary information.
Intellectual property includes: product designs, source code, pending patents, formulations, manufacturing process instructions and procedures, research and development results and analysis, exploration data, scientific papers.
Proprietary information includes: customer lists, pricing, cost and sales information, pre-released financial results, merger and acquisition information, third-party contracts, strategy and product roadmaps, bid plans.
CYBER ATTACKS—EVERYONE IS VULNERABLE
Given the mission critical nature of data in nearly every aspect of modern enterprise—and the astonishing growth in the cyber criminals who seek to undermine it—organizations across all sectors are facing not just an escalating risk, but the near-certainty that they will suffer an information security breach.
WHAT ARE SOME LEADING PRACTICES?
- Progress from protecting the security perimeter to protecting their data with the understanding that some attackers will inevitably penetrate perimeter defences.
- Create dynamic capabilities to manage information security so that they can react quickly in a rapidly evolving environment.
- Actively involve senior business leaders across functions in making security trade-offs.
- Create information security strategies and processes based on a much higher degree of transparency into critical assets, attackers, security capabilities, business risks and options for defense.
ALIGNING SECURITY STRATEGY TO BUSINESS PERFORMANCE
The key to being at the forefront of cyber security is to understand that the solution to the problem is 80% non-technical and can be managed with good governance. Cyber security efforts need to be championed by executives at the highest level of the organization. It is imperative to identify IT security risks in conjunction with business objectives such as new markets, products, etc.
Companies need to take inventory of their intellectual property and understand what to protect the most. They need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions.
IDENTIFY THE REAL RISKS
- Develop a security strategy focused on business drivers and protecting high value data.
- Define the organization’s overall risk appetite and how information risk fits.
- Identify the most important information and applications, where they reside and who has or needs access.
- Assess the threat landscape and develop predictive models highlighting your real exposures.
PROTECT WHAT MATTERS MOST
- Assume breaches will occur—improve processes that plan, protect, detect, and respond.
- Balance fundamentals with emerging threat management.
- Establish and rationalize access control models for applications and information.
OPTIMIZE FOR BUSINESS PERFORMANCE
- Make security everyone’s responsibility.
- Align all aspects of security (information, privacy, physical and business continuity) with the business.
- Spend wisely in controls and technology—invest more in people and processes.
- Consider selectively outsourcing operational security program areas.