Questions every Business should consider in a Cyber Security Plan
By Clement Teo, Principal Analyst, Ovum
Security is top of mind for enterprises today, and increasingly at board level. As the digital economy becomes pervasive, high-profile cyber attacks on large organizations such as Sony and Bangladesh Bank have demonstrated how damaging a security breach can be.
Ovum estimates that business spending on cyber security protection alone will exceed $37bn this year. In Asia Pacific, firms are estimated to spend $6.8bn in 2016, with related services spend estimated at roughly five times that amount.
A Quick Guide to Assessing Security Readiness
As cyber security concerns become more prevalent, the key is to secure critical enterprise data based on business priorities. CIOs and CISOs should ask themselves:
- What do I know about my most Critical Data? A useful approach to data discovery covers five questions: what your data is worth, who has access to it, where it is stored, who is protecting it, and how well it is protected. Enterprises should gather key stakeholders to map out the answers, and from there determine which data is critical and must be protected as a priority.
- Do we have the right people to secure our Critical Data? IT employees are not necessarily security experts, and may be ill-equipped to devise a robust security defence on their own. Work with experts to draw up cyber security readiness, response and remediation plans for the organization.
- Do we have the Right Process to secure our Critical Data? A responsibility assignment matrix (covering who in the organization and among third-party partners is responsible, accountable, consulted and informed) is a must in case of a cyber breach. Who is responsible for fronting the media, for contacting customers, for investigating the breach, for contacting third-party suppliers, for contacting legal, and so on? Who is accountable for ensuring that all these processes are correct, thorough and executed flawlessly? Who should be consulted in the event of a breach? How have recent breaches been managed? Who needs to be informed, that is, which stakeholders must be kept up to date on progress and next steps?
- Is your Supply Chain Secure? For instance, automotive manufacturers have begun to take the threat of cyber breaches more seriously, and are examining how their third-party parts suppliers align with the manufacturers' own security policies. The aim is to ensure that the sensors, systems, and other data-linked parts that make up an automobile cannot be easily compromised. Extend this concern into other manufacturing segments (e.g. the aircraft supply chain) and the threat dynamic becomes alarming. Take a closer look at which external third parties hold key customer data, and how they are using it.
Enterprises must seek to:
- Transform the behaviour of all stakeholders. Not all data is equally precious, and enterprises should focus on prioritizing the threats that are relevant to their own business operations and most critical assets. A cavalier attitude to security from an employee or a third party will render an otherwise ironclad plan ineffectual. Organizations must change both internal and external behaviours to tighten their security posture.
- Transform their security posture. Enterprises must move from being reactive and tactical to being strategic, preventative, and proactive. Consult your managed security service provider about advanced MSS capabilities, such as incident response management and predictive forensics.
- Defend against attacks with a cyber security ecosystem. Look at the breadth of joint partnerships between telcos/SIs and security vendors (such as IBM, HPE and so on), and understand how these combine to provide security benefits. Breadth of partnerships should not, however, obscure the security agenda: a plan built around vendors rather than business priorities misses the forest for the trees.