Part 2 of 6: This blog series details 5 practical steps for creating a culture of cybersecurity in the workplace.
You wouldn’t take a road trip without first checking your oil and tire pressure, or fly in an airplane that hasn’t had its regular safety check. Similarly, you shouldn't initiate company culture change without first assessing your current security posture. The initial assessment will expose critical risk factors and set the course for policy and procedure updates. Some organizations embark on a program to strengthen their security infrastructure without first performing a comprehensive assessment. That’s a mistake. They risk misallocating resources and failing to address their most critical vulnerabilities.
Why a Risk Assessment is Important
Before explaining why a cyber risk assessment is a vital first step, let’s take a look at a few recent statistics:
- Nearly half of all cyber-attacks are committed against small businesses.
- An estimated 556 million people fall victim to cybercrime annually, or 12 people every second.
- Cyber security incidents have surged 38% since 2014.
- The average cost of a data breach is $3.62 million, or $141 for each lost or stolen record containing sensitive and confidential information.
- Attackers often have more than 200 days before being discovered.
Did those statistics convince you to run over to your IT department and ask when your last cybersecurity assessment was conducted? Because they should have. The fact is, it’s no longer a matter of if your organization will fall victim to cybercriminals, but when.
If your organization is like many others, and you have never conducted a risk assessment, now is the time to do so. Not only will a cyber audit reveal technical security inadequacies, but will also take the human element into account by determining the factors that most put employees at risk of enabling a breach. This is the most vital segment of the risk assessment, as human error is to blame for the majority of security breaches.
If you have performed a cybersecurity assessment in the past, this is still the place to start. Regular assessments and reviews are critical to keeping your company, and your employees, ahead of cybercriminals.
Things to Consider
While your IT department or outsourced IT company can handle the typical preventative measures, there are still breach risk factors tied directly to employees. These are just a few questions to consider:
- Does your company employ a bring-your-own-device (BYOD) policy?
- Are employees required to use multi-factor authentication for all work accounts?
- Do employees store or have access to company data on personal devices?
- Does the CEO’s secretary keep her passwords on a sticky note on her desk?
- What about disgruntled former employees? Are there any safeguards in place to protect your information following their termination?
- Is data segmented on a need-to know basis, or does every employee have access to all data?
These are all questions to consider when developing company-wide policies and procedures. Identifying and addressing common key risk factors is the starting point for developing policy and conducting awareness training.
Performing a Risk Assessment
According to National Institute of Standards and Technology (NIST), the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.” As set out by NIST, conducting a risk assessment typically includes the following six steps:
- Identify and Document Asset Vulnerabilities
- Identify and Document Internal and External Threats
- Acquire Threat and Vulnerability Information from External Sources
- Identify Potential Business Impacts and Likelihoods
- Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
- Identify and Prioritize Risk Responses
A risk assessment can be performed in-house, but is most effective when performed by an external cybersecurity firm. While internal IT departments have typical preventative measures in place, they are not equipped or trained to deal with today's evolving threats. An external, objective assessment provides access to experienced professionals with the latest, advanced tools to provide an informative assessment that will influence security measures.