From Australia to the EU and the United States, countries are sponsoring cyber awareness efforts during the month of October to help combat a persistent challenge: cybersecurity threats. Despite good intentions, we’re still talking about the same types of information security issues: poor cyber hygiene, phishing and static passwords.
The issue is that the threat landscape and the attack surface are multiplying at a staggering rate, driven by rapid technology adoption and digital transformation. In fact, 48% of security and risk practitioners surveyed believe their risk profiles will expand “significantly” over the next two years. This is a sobering reality considering that many organizations already struggle with the cybersecurity threats they face today.
While National Cybersecurity Awareness Month only comes around once a year, the importance of elevating cyber awareness should not be contained to just a month.
Risks today come in many forms. While cyberattack risk may be top of mind for many, risk is also introduced through new data privacy regulations, third-party partnerships and more. Given how quickly these digital risks are multiplying, our industry needs to make cybersecurity awareness a yearlong topic of discussion across the business, not a once-a-year campaign.
As we look towards the future, our industry has the opportunity to help business leaders better understand the state of risk while mitigating future vulnerabilities. Here are my recommendations for you to consider:
Talk about Risk as a Business Enabler
Organizations are expanding their tech stacks, but are the new technologies secure? Many likely don’t know the answer, because security is too often treated as an afterthought. RSA’s recent study shows that 28% of security and risk practitioners believe digital transformation is happening so quickly that they may not have time to implement the right risk controls. With cybersecurity threats and digital risks looming, it’s critical to understand how each new technology works, which systems it has access to and what data is created through its use.
To be clear: the solution to this dilemma is not for infosec and risk management teams to become the party of “no.” Instead, our professionals need to be viewed as business enablers. The organizations that will thrive in a digital world are those that involve security and risk teams from the start and align with C-suite leaders to ensure the business impact of unmanaged risks is understood.
What we know from the past year’s headlines is that a cybersecurity incident can have an adverse impact on more than just the IT team. Today, unmanaged risks can have a negative consequence on customer relationships, brand reputation, future viability and regulatory compliance.
Initiate conversations between the CISO or CSO, the IT department and business leaders from the start. Not everyone at the table will understand pen testing or what an APT attack is, but you can help them understand the potential impact by quantifying risk in terms of actual dollars and cents: expected loss from an outage, the cost of a breach notification, or the revenue tied to a system a third party can reach.
What Do You Know about Your Vendors?
It’s not just the IT landscape that’s expanding. To help facilitate digital initiatives, our vendor and partner ecosystems are also multiplying.
The complexity of third-party risk will not be simplified any time soon. Gig workers, agency partners and supply chains are all essential components of your extended network. Too often, these relationships are managed in silos, and few organizations have an adequate third-party governance strategy. That is why we’re seeing more “shadow” third parties and “islands of identity”: user identities stored in multiple places with no unified control over who has access to what.
A lack of visibility and governance leads to fraud and theft, business interruption, reputational damage and data breaches. The challenge of third-party risk escalates as more third, fourth and Nth parties gain access to networks, apps and critical data—including customer records, intellectual property, patient records, strategic plans, financial data and more. Unfortunately, the current method for governing Nth parties and resources is not sustainable and needs to be addressed as a critical business risk.
Although the challenge is daunting, we cannot afford indifference or complacency. The consequences of poor cyber hygiene have been showcased in recent phishing-driven attacks that have brought major cities’ services to a standstill.
As the number of risks facing your organization multiply, it’s essential that cybersecurity be viewed as more than just an IT concern. When addressed strategically as a business risk, it can help your organization innovate and adopt new forms of technology without exposing consumers to potential harm.
Start a conversation among business leaders and security and risk practitioners this October, and over the course of the next year, to ensure your business is ready to grow and thrive in today’s connected (and risky) world.