What Cybersecurity Strategies Have Significantly Reduced Risk for Your Organization?
To uncover effective cybersecurity strategies that have significantly reduced risk, we asked technology professionals to share their experiences. From implementing an incident-response framework to identifying and managing top risks, here are four insightful examples from cybersecurity consultants and chief information security officers.
- Implement an Incident-Response Framework
- Utilize Robust Defense Mechanisms
- Operationalize Cybersecurity Risk Management
- Identify and Manage Top Risks
Implement an Incident-Response Framework
Just weeks after I implemented an incident-response framework and conducted the first cybersecurity incident-response team exercise for a client, they faced a real business email compromise attempt. The attackers were trying to steal tens of thousands of pounds. My heart sank when my client first told me about the incident.
However, my client went on to say that thanks to the recent training, the team's heightened vigilance led to quick detection. They swung into action using the framework and successfully foiled the fraudsters' plans. This single incident saved them from tens of thousands of pounds and immeasurable reputational damage.
What struck me was that I could hear a newfound confidence in their voice. They felt well-prepared and in control. It was a 'proud mom' moment for me and serves to reinforce why rehearsing your organization's cybersecurity incident response process is one of the most important cybersecurity strategies.
Utilize Robust Defense Mechanisms
Robust defense mechanisms are essential to protect against cyber threats. For instance, intrusion detection systems help prevent unauthorized access and monitor network traffic for suspicious activity. Multi-factor authentication is being used by your banks for a reason; it adds an extra layer of security, making it harder for attackers to gain access to sensitive systems and data.
Proper cyber hygiene practices, such as using anti-malware, supported operating systems and software, and frequent patching, are critical but easy ways to protect against known exploitable vulnerabilities.
And don’t minimize the importance of your staff – people are often the last line of defense; a comprehensive and engaging security awareness and training program, including anti-phishing exercises, creates a culture of security. This helps employees identify suspicious activity and report it to the security team.
In my opinion, the most often overlooked risk is your third- and, yes, fourth-parties – they have access to your data and systems – so do risk assessments, monitor them, and make sure they have good security controls in place.
Finally, incident response and disaster recovery plans must be practiced regularly and involve cross-functional teams as well as the C-suite. This is paramount to organizational resilience when, not if, a cyber-attack occurs.
Operationalize Cybersecurity Risk Management
I am incredibly proud to have implemented and operationalized the Cybersecurity Risk Management program for Treasure Data. This program aims to foster a culture of security and accountability among all executives. It has shifted the conversation and decision-making process away from being unilateral within the IT and Security space. Instead, the relevant stakeholders are now involved in determining the company's risk tolerance. When my team identifies inherent and residual risks within our systems, we collectively discuss how to address these business (financial, operational, technical, legal, and trust) risks to stay within our risk tolerance.
This program not only provides visibility of risks to top-level management but also advances discussions about ownership, resource investment, and bringing risks within our preferred tolerance.
Companies that act on risks without a risk-management program are doing a disservice to their shareholders.
Identify and Manage Top Risks
Organizational risk is challenging to quantify and fully mitigate. It involves balancing “how much is good enough,” the cost of mitigation, and the operational impacts of those mitigations. The critical task of determining “how much is good enough” is a judgment call by an organization’s CISO with, hopefully, lots of input and discussion among the organization’s senior leadership team.
The first and most important step in risk management is to identify the organization's top risks and establish its risk tolerance. I refer to these top risks as “extinction events” – things like a major data breach, ransomware, or supply-chain attack that would be painful for an organization to survive. From this identification, cybersecurity strategies can be developed to reduce risk to acceptable levels.
For SaaS providers, cybersecurity strategies should include a mix of hardening the environment against known attack vectors, actively monitoring for anomalous activity, and having a well-rehearsed incident response plan that allows your organization to quickly respond to an attack and minimize damage to your customers and the organization.