Everyone talks about cybersecurity strategy. The need is apparent and the risks are real -- for both external and internal threats. Internal breaches have escalated and now make up 75% of cyberattacks. Stemming from the hands of employees, people talk about insider risk less despite the rising numbers, and prevention strategies may tend to focus more on the wrongly perceived bigger dangers of malicious external hackers. That’s a big miss.
Equally problematic is this: According to a May 2018 survey, a large number of companies fail to implement defined security strategy in place, and many CEOs fail to take preventative action. For all the hype about cybercrime, that’s a large number of unprotected businesses that are approaching their security without a well-developed plan. Even with a carefully developed strategy, there’s one element of the plan that is often missed.
All-Inclusive Strategy
As the CTO of a company that specializes in cybersecurity, I know that for a company to be fully protected, any strategy today must be all-inclusive on two fronts. First, it must include preventative measures for both internal and external threats. The truth is a company may have hundreds or thousands of employees who already have access to critical business systems and sensitive data. They don’t need to hack their way in -- they’re already users and processors of company information and transactions. The vulnerability, however, isn’t so much with those who have access based on their role and need, but rather those who have too much access, which hasn’t changed as their jobs and responsibilities have shifted.
Some companies may take offense to the suggestion that fraud actually could occur at the hands of their own associates, but it does. A more likely scenario, though, is the possibility of transactions or sensitive information sharing that could happen by mistake, which makes up the majority of internal breaches. Safeguarding against all possible scenarios is paramount in any strategy.
Secondly, when it comes to inclusion, it’s not only about what type of cyberattacks -- internal or external -- are taken into account in the strategy but also who is involved in creating the plan. If a strategy is left up to the frontline IT and security teams who may have the most knowledge about risks due to their day-to-day tasks, key decision makers who may carry the most weight in enforcing strategy from the top down may not have a say. Buy-in may suffer. Additionally, there’s the chance that if your company leaves out executives, they may not realize the full extent of risks or understand the need for better solutions to avert them.
The ASUG survey also notes that there was a marked disparity in the level of concern about security between executives and IT/security professionals. Security concerns among executives was rated 55% lower than IT employees who have more direct involvement in managing systems and security. The survey noted in particular that professionals in the security space better understand the specifics of cybersecurity and its challenges. There may be multiple reasons for the divide, including the executive level's focus on bottom-line initiatives, a lack of easy visibility into risks and disengagement with system security oversight.
Communication: The Missing Link
To bridge the gap, executives need direct involvement in strategy design. More importantly, communication is a vital component -- not only to create strategy but also to ensure the knowledge of risks makes its way to the top and eliminates any disconnect.
Guidelines For Creating An In-Depth Strategy
You should not create a strategy reactively to address a security crisis, although all too often it takes a breach for a company to take risks -- especially internal risks -- seriously. Additionally, your team shouldn't create a strategy in a one-and-done manner. Once defined, a strategy should be a written document that your team revisits, reviews and revises as situations and needs change.
In addition to making sure executives and IT/security teams work on the strategy collaboratively, other steps should include:
• Defining assets, potential risks and worst-case scenarios, plus potential costs and damages if a breach should occur
• Performing an inventory of systems and existing security measures to determine any gaps
• Considering vulnerabilities realistically
• Consulting security experts if none exist within the company
• Researching and identifying cybersecurity best practices for internal security
• Reviewing roles and access rights for business systems
• Closing any security gaps by exploring and implementing better security solutions
• Creating a timeline for implementing best practices, policies and new solutions
• Determining how to manage and correct a breach -- who is the crisis team?
• Educating employees about both external and internal security policies and practices
• Scheduling routine touch points to review risks, remediation and adjustments to the strategy
The Missing Link Across The Company
Communication can be a major issue within a department in creating and executing a security strategy. However, communication has an even bigger role in a strategy as it relates to the involvement of other key people in the organization and your preparation for a security breach.
Corporate communications teams and the company’s spokesperson should also participate in the prevention and preparedness plan. Managers of company communications should fully understand all what-if scenarios. They should be members of the crisis team and know exactly how to handle a threat. Additionally, they should develop communication plans and messaging in advance in the event that a cyberattack occurs.
What to say, how to say it, and who to say it to -- including employees, board members, shareholders, the press and the public -- are all considerations in preparing and safeguarding a company’s reputation and revenue-generating potential.
Generally, communication is not at the top of the list in developing a cybersecurity strategy, but one cannot overemphasize its importance from developing a plan to protecting a company if a breach occurs.
