HOW TO GET AHEAD OF CYBERCRIME
By David Neuman
Cybersecurity is becoming increasingly complex. Around the globe, businesses are moving with greater velocity and adopting digital frameworks and technology that create security vulnerabilities and, often unintentionally, make company data and assets more accessible to cyber threats. Meanwhile, the sophistication of cyber attackers is also escalating. With access to significant funding, resources and processes, these criminals are more effective than ever before and are having increasing success breaking through the security barriers across a company’s entire operating environment and ecosystem.
While organizations are investing and taking proactive steps to improve their cybersecurity measures in the face of these threats, many are simply not moving fast enough or are struggling to focus their efforts on the assets that matter most. In a recent survey*, only 13 percent of the 1,825 organizations surveyed said their information security function fully meets the organization’s needs.
In addition, 37 percent of companies have no real-time insight into their cyber risks and only 27 percent “sometimes” have real-time insight. Around 43 percent of the organizations surveyed said their company’s information security budget will remain at current levels in the coming 12 months while five percent said their budgets will decrease.
The most important and recurring roadblock to readiness is the lack of cybersecurity resources and skills. Fifty-three percent of organizations say the lack of skilled resources is one of the main obstacles to improving their information security. This includes a need to grow the number of cybersecurity specialists as well as to build skills and awareness in nontechnical disciplines.
What Can Texas Companies Do to Protect Themselves?
Most importantly, companies need to treat cybersecurity as a core business and competitive issue. This starts at the highest organizational level. The following three building blocks – activate, adapt and anticipate – illustrate the cybersecurity journey and how organizations can move from a reactive “victim” mindset to a constant state of readiness.
Activate – Building a strong cybersecurity foundation is integral. By developing a comprehensive set of security measures, companies can establish a basic (though not necessarily adequate) defense. However, creating a foundation is not easy, and the specifics will often depend on industry and geography. For companies that have not yet created this foundation, six often overlooked critical action items include:
- Performing a security assessment
- Creating a road map of next steps
- Securing board-level support for a security transformation
- Reviewing and updating security policies, procedures and support standards
- Designing and implementing cybersecurity controls
- Testing business continuity plans and incident response procedures
Adapt – Once a company has put a solid foundation in place, the next step is to make the cybersecurity program more dynamic and integrated with its business processes. In this stage, it is also important to design the cybersecurity program so that it can adapt. Organizations undergo constant change, such as new technologies, new or different third-party services or remote hosting, and evolving regulatory environments and requirements. To keep pace with these internal changes as well as with external shifts, a company’s information security measures must evolve. Companies that have architected and implemented a baseline security foundation may need to increase investment to close existing cybersecurity gaps, starting with the following four areas of “low-hanging” improvement:
- Improving the Security Operations Center (SOC) and its interaction with the business as a whole
- Creating a core cybersecurity team that can help the program adapt to new threats
- Establishing accountability for information security across the organization
- Going beyond the organization’s own borders to assess the impact of cyber attacks on its business partners, suppliers, vendors and others
Anticipate – The final, recently emerging building block in information security offers organizations a real chance to get ahead of cybercrime. Once a threat has already materialized, there is only so much a company can do. But more and more organizations are now using cyber threat intelligence to get ahead and proactively protect themselves. This stage incorporates thorough risk assessments, cyber threat intelligence, regular incident response exercises and the lessons learned from them, and greater understanding across the entire organization. To start, organizations need to be able to answer the following questions:
- Do you know what you have that others may want?
- Do you know how your business plans could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and these assets had been compromised?
- Do you have a plan to react to an attack?
Cyber risks are evolving, and rapidly. These building blocks – activate, adapt and anticipate – will help companies add capabilities before they are needed and prepare for threats before they arise. Companies that treat cybersecurity as an integral business function, and that shift their focus from known threats toward processes that deal with the cyber unknowns – addressing the gaps created alongside future business strategies, developing incident response processes to manage new cyber developments, and assessing third-party vulnerabilities – will begin to get ahead of cybercrime.
David Neuman is an Executive Director in EY’s Information Security Advisory practice. He is based in San Antonio, and has over 28 years of experience in information security, technology and cyber defense operations. He can be reached at firstname.lastname@example.org
*Data is from EY’s 17th annual Global Information Security Survey
The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.