Spring forward with three essential cyber improvements
Spring brings new growth, new beginnings and new opportunities to think about cybersecurity. It’s the perfect time to make some important cyber improvements aimed at building trust, protecting critical assets and intellectual property and seizing market opportunity.
As we’ve seen with numerous high-profile attacks throughout 2015, the nature of cyber threats has evolved significantly. Many organizations are struggling to keep up with the challenges that accompany the rapid expansion of digitization and the increasing connectivity of business, challenges that amplify the real reputational and financial risks your business faces when a cyber-attack occurs. As we build taller fences to keep threat actors out, they simply build longer ladders to get back in.
Here are three critical improvements your company should implement that can embed cyber agility and resilience at every level of your organization.
Improvement #1: Make sure the priorities you are protecting are aligned to the priorities of the business.
We are all aware that it’s not a question of if a cyber-attack will occur, but when. Cybersecurity is the intersection of business strategy, technology and risk. Knowing your business’s strategic priorities and the location of your key assets is critical because that’s where a breach could hurt you the most.
Knowing what has value to a perpetrator is another essential component of mounting an active defense. However, EY’s Global Information Security Survey 2015 found that 42 percent of respondents said that knowing all of their assets was a key information security challenge.
Without information governance, a lot of cyber-budget can be wasted on controls or equipment that do not put protection where it is most needed. What is information governance? It is a set of processes, enabled by policies and technologies, that empower business leaders to make more intelligent decisions to maximize the value of their information assets while also minimizing associated risks and costs.
Information governance is a simple -- but not easy -- process. The first step is to know what information you have and where it is located. Step two: understand who has access to the information and how the information is currently protected. Step three: plan your response if there is a cyber event. Finally, put protocols in place to retain sensitive information only as long as you need it and to dispose of everything else in a timely way.
Stay ahead of cyber-attacks by aligning with your business’s leaders to identify and protect the assets that matter most.
Improvement #2: Involve leadership and key stakeholders in your cybersecurity plan — and educate them on signs that a breach has occurred.
The Finance department, Marketing, Operations, R&D, HR, the board of directors — all of these key areas should have cyber awareness and be clear on the cyber risks to the organization. Their ability to identify oddities in behavior and alert the relevant cyber contacts will be critical for your plan’s success. Commit to conducting regular cybersecurity program assessments that involve all of your key stakeholders.
Educating your teams on visible signs of penetration is part of this process. Are customer or user databases showing inconsistent information? Are there oddities in payment processing or ordering systems? Is there unusual employee behavior? What about unexpected share price movements or new products launched by competitors that are uncannily similar to your R&D and IP and reach the market just before yours?
Each of these could be caused by a cyber breach. Communicate to your stakeholders that reporting even small suspicions could enable your cyber team to detect and contain an attack.
Improvement #3: The cyber threat is constantly evolving. Build an Active Defense to keep pace.
Everyone is aware that the threat landscape has changed, cyber-attack vectors have evolved and business continues to innovate. Cyber threats, both internal and external, are increasing exponentially.
Digital technology is fundamentally altering business models. It’s enabling companies to launch new products and services. It’s creating a mobile workforce that demands data be accessible anytime, anywhere, often by putting data into the cloud. And it is opening up traditionally closed back-end office systems to the internet.
Digital technology is connecting companies with their customers in ways never before imagined. But these same channels of communication are enabling cyber criminals to gain access, too. Unfortunately, the proliferation of cyber-crime is accelerating faster than companies can improve their information security programs. This creates a gap that grows by the day.
Given these circumstances, is the cyber strategy you developed two or three years ago still relevant? Just as your business must constantly adapt to its competition, regulations and environmental stresses, your cybersecurity plan must be a living, evolving mechanism.
Unfortunately, most organizations fail this test. In fact, EY’s Global Information Security Survey found that 88 percent of the respondents do not believe their current cybersecurity programs meet their organization’s needs, showing a huge vulnerability for the enterprise and a huge opportunity for criminals.
Building an Active Defense can help. It extends traditional security operations capability in key ways, guided by professionally analyzed Cyber Threat Intelligence.
More than just receiving “feeds,” actual analysis of threat intelligence allows Active Defense practitioners to look ahead and identify likely attackers, infer their most likely targets within the business and develop hypotheses about likely ways those attacks will unfold. This insight enables the implementation of tailored countermeasures.
Cybersecurity is not just a technology or risk issue. It’s a strategic business issue. Imagine the world where those charged with preventing cyber-attacks know the organization’s crown jewels, understand the business-critical risks, have deep insights into the business strategy and are solely focused on securing the path ahead.
Implementing these three cyber improvements will provide you proactive prevention and an Active Defense in 2016.
About the Author:
Heidi Kujawa is the Media & Entertainment Cybersecurity Leader for Ernst & Young LLP. Views expressed are those of the author and do not necessarily reflect the views of Ernst & Young LLP.
Kujawa is an executive director in EY’s Advisory Services practice focusing on cybersecurity and enterprise risk transformation. She was formerly the CISO for a major Hollywood studio and has held key executive positions at some of the largest motion picture studios in the industry, successfully establishing and leading large-scale global enterprise technology and security/risk/compliance-related initiatives and specializing in developing security departments from the ground up and/or re-aligning security functions to meet the needs of the business.
Heidi was also a CISO Summit Governing Body Member (2010-2011), was awarded Oracle Corporation’s Content Management Architect of the Year (2007) and has spoken internationally on the topics of content management, content security, information security, identity management and access controls. She holds a Bachelor of Science in Management and is a certified PMP and ITIL.