
Making Cybersecurity a Business Priority: Can You Handle the Risks?


Jun 05, 2017

Cybersecurity has become a nonnegotiable responsibility for companies of every size and in every industry. That’s because cybercriminals are equal opportunity offenders. Today’s organizations must continually identify risks and diligently mitigate them in order to protect the confidentiality, integrity, and availability of their information systems and overall infrastructures. This includes protecting customer data and especially applies to all third-party relationships. 

The driver behind it all is technology. It has become a double-edged sword, making business processes easier but cybersecurity tougher. Demands for improved functionality, process improvements, and decreased cost make your information technology security efforts a moving target. Mobile devices, outsourcing, and cloud computing blur the lines of responsibility and introduce new business risks.

Bottom line: It’s no longer a question of “if” your organization will become a victim; it’s a question of “when” an attack will happen.

With so many high-profile data breaches in the news, conversations regarding cybersecurity have moved from the backroom to the boardroom. Without question, every business has something to protect. Business plans, intellectual property, and client lists are just as vulnerable as obvious targets like credit cards, banking information, and health records—with potentially more devastating consequences if compromised.

Businesses must accept the following truths:

  • Cybercrime is big business. There is a well-organized and well-funded underground economy for stealing and selling corporate data. Yet there are also countless renegade attackers who’ll take their ill-gotten goods in any amounts and any ways they can.
  • 100% protection is not possible. There are thousands of ways attackers can compromise security, and they need to be successful only once.
  • Cyber incidents will happen. And the time it takes to compromise your data is almost always days or less, if not minutes or less. How quickly and effectively organizations detect and respond makes all the difference.

The effects of a breach are many and costly and include loss of intellectual property, disruption of operations, reputational damage, remediation costs, litigation costs, and potential regulatory fines and penalties. It all adds up. One IBM study on data breaches estimates the average cost to victims is $4 million.

Before you can begin to manage your risks, you have to know what they are and where they lie.

Uncovering the Risks

Criminals arbitrarily look for the path of least resistance. Often that means finding weak links in cybersecurity chains. For instance, a hacker will work their way into your network through holes in its defenses, usually starting with Internet-facing computers. They exploit software vulnerabilities and missing patches and take advantage of weak passwords or default configurations on hosts and network devices.

Yet hackers are also finding increasing success by targeting your employees and using social tactics like phishing and pretexting to manipulate human nature.

Another common risk involves company insiders (employees, contractors, vendors) who release sensitive data and information, either intentionally or through error. Vulnerabilities in third-party vendors or service providers can also expose your information.

Consider these sobering facts on how breaches commonly occur:

  • 81% exploit weak or stolen credentials.
  • 62% use some form of hacking.
  • 51% incorporate malware.
  • 43% employ social tactics.
  • 14% involve privilege misuse.
  • 8% involve physical attacks. [i]

Clearly, cybersecurity is an enterprise-wide risk management issue and must be addressed as such. Focusing just on tools and technical solutions that support cybersecurity and overlooking the many human factors and policies that are part of the equation cannot suffice, either as a definition or as a successful strategy. Threats and incidents occur at any corner or level of your organization, making the best definition of cybersecurity one that includes the comprehensive and multidisciplinary approach necessary for effectively securing data on every front. 


[i] Verizon 2017 Data Breach Investigations Report.


Author(s)

Robert D. Cedergren, CPA, CGMA, CITP, CISA, CISSP, CISM, CGEIT, CCSFP
Risk Advisory Services Partner In Charge

Torpey White, CPA, CITP, CISA, CGMA
Partner