Your brand is a valuable asset, but it is also an attack vector: threat actors exploit the public's trust in your brand when they phish under your name or counterfeit your products. The problem gets harder because you engage with the world across so many digital platforms – the web, social media, mobile apps – and those engagements are crucial to your business.
Something else should be obvious as well: Guarding your “digital trust” – public confidence in your digital security – is make-or-break for your business, not just part of your compliance checklist.
COVID-19 has put a renewed spotlight on the importance of defending against cyber-attacks and data breaches as more users access data from remote or non-traditional locations. Crisis fuels cybercrime: attacks have increased substantially as digital transformation initiatives have accelerated and many employees have been working from home on networks that lack the firewalls and backup protection of the office.
What will the new normal be like? While the COVID pandemic has turned business and society upside down, well-established cybersecurity practices – some known for decades – remain the best way to protect yourself.
Data must be governed
Data governance is an organization's capability to provide and protect high-quality data throughout that data's lifecycle. This covers data integrity, security, availability, and consistency.
Data governance includes the people, processes, and technology that enable appropriate handling of data across the organization. Data governance program policies include:
- Delineating accountability for those responsible for data and data assets
- Assigning responsibility to appropriate levels in the organization for managing and protecting the data
- Determining who can take what actions, with what data, under what circumstances, using what methods
- Identifying safeguards to protect data
- Establishing integrity controls that ensure the quality and accuracy of data
Size of an organization does not equal security maturity
No matter how big you are or what resources your team can access, defenders always think: "If I only had enough money or people, I could solve this problem." We need to change our thinking. The question is not how much you spend but whether that spend is effective: does it allow your team to disrupt attacks, or just wait to be alerted (maybe)?
No matter where an organization is on its journey toward security maturity, a risk assessment can prove invaluable in deciding where and when it needs most improvement.
For more mature or "leading" organizations – as defined by a benchmark survey we conducted with Enterprise Strategy Group on the impact of cybersecurity maturity on business outcomes – the risk assessment process will focus less on discovering major control gaps and more on finding subtler opportunities for continuously improving the program.
An assessment of a less mature program is likely to find misalignments with business goals, inefficiencies in processes or architecture, and places where protections could be made substantially more effective.
Do more with less
Limited budgets, limited staff, limited time. Every security professional has dealt with all of these repeatedly, whether launching new initiatives or completing day-to-day tasks. They are possibly the most severe and dangerous adversaries that many cybersecurity professionals will face.
They affect every organization regardless of industry, size, or location, and they pose an existential threat to even the most prepared company. There is no easy way to contain them either, since no company has unlimited funding or time, and the shortage of cybersecurity professionals makes filling roles difficult.
So how can organizations cope with these natural limitations? The answer is resource prioritization, along with a healthy dose of operational improvements. By identifying where processes can be streamlined and understanding what the most significant risks are, organizations can begin to protect their systems while staying within their constraints.
We’re all in this together
Remember – an edict out of the IT department will not get the job done; building a security culture takes time and effort. Awareness training should reach the entire organization, not just the teams that own governance, threat detection, and incident response plans. The campaign should involve more than serving up a dry set of rules separate from the broader business reality.
What's more, cybersecurity awareness training ought to be a regular occurrence – once a quarter at a minimum – so that it becomes an ongoing conversation with employees. One-and-done won't suffice. People have short memories, so repetition is appropriate for a topic that is so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management.
To create a brand that can be trusted, security must be engaged at every level of the organization. Not only do endpoints, networks, applications, etc. all have to be secured, but companies that foster a culture of security from within will ultimately build brands that inspire the most confidence from consumers and employees alike.