This post first appeared on Risk Management Magazine.
Every organization today is undergoing a journey to take advantage of the technological advances that are transforming the way we do business. This business evolution has, in turn, made information and data some of the most valuable corporate assets. But like any asset, data is exposed to myriad cyberrisks and threats that could lead to financial losses. As the world becomes more interconnected and our most valuable business assets are housed on computers and in the cloud, it is increasingly important for organizations to invest in intelligent and holistic security frameworks to mitigate such risks. However, investing money in information security without due diligence or the right testing, training, technology and monitoring will not ensure enterprise-wide security. A number of elements must be considered.
Internal Assessment and Mitigation
To keep sensitive data safe, an organization must have a clean house. The first step is to develop a regimen for internal testing to verify and maintain low levels of risk and instill confidence in customers that your organization is trustworthy.
Hiring. The process of assessing and preventing risk begins in the back office. During the interview process, one can explore a candidate’s digital behavior and security awareness with a specific set of questions that get to the heart of the matter. For example, asking how many email accounts a candidate uses, what their social media posting habits are and clarifying their educational background may help identify past behaviors that could be red flags for potential risks. Background checks find traditional risks, but to protect an organization from modern cyberrisk—especially in cases of flexible work situations—we must dive deeper into the use of company devices, online behavior and understanding of security best practices.
Educating. Once an employee is hired, education is of the utmost importance. All employees need to be trained on the organization’s risk mitigation process. The better equipped an employee is to identify potential risks and the more confident they feel about how to escalate them, the better positioned the organization is to contain an issue or prevent it from occurring at all.
There are multiple touchpoints within and outside the IT network where employees can fall prey to phishing schemes and introduce risk into the organization. With flexible work and work-from-home cultures, employees access and use internet-facing corporate assets (such as email, VPN and file sharing) more often. This puts the organization at additional risk from less controllable external forces and thus must be factored into risk mitigation planning.
Monitoring. No matter how much technology is in place, employee training and behavioral monitoring are still critical components of security management. For example, a data breach at a telecom service provider in 2015 that exposed information from more than 280,000 U.S. customers was spotted by a fellow employee. The employee was a new hire who had recently been trained to identify behavior that may indicate a problem. When he saw two co-workers huddled over their screen, preventing others from seeing what they were doing, he immediately alerted his supervisor. Unfortunately, it was too late to stop the breach, but the company was able to identify the perpetrators and hold them accountable.
At the most basic level, the facilities themselves and the vigilance of the security team are important elements of risk management. Dual entrances and a requirement for employees to both swipe their badge and show it to a security guard are common components of a robust risk mitigation process. Cameras installed to monitor employees are necessary to keep information safe.
External Relationship Management
The relationship between companies and service providers is smooth, efficient and productive—until there is an issue. That is when the integrated nature of a partnership breaks down and finger-pointing can impede recovery. To prevent this, one of the first and most important steps in starting a new vendor relationship is to draw up a contract that requires enterprise risk to be mitigated in multiple ways. For example, such a contract might stipulate that there is a primary and a secondary delivery center for data, information and/or customer service in case of an outage or disaster. It may seem simple, but clauses that allow a company to move information within a set period of time after an unanticipated event are not always commonplace.
Vendor and client risk. When entering into a new client or vendor relationship, a full assessment of the third party’s business allows for discovery of areas of risk and areas that might need improvement. Once improvements are identified and resolved, there should be constant monitoring and review to ensure those improvements are maintained. It is very much an active process built on proactive behavior, not reactive problem-solving. Cataloging any and all vulnerabilities allows for effective predictive and prescriptive risk management.
Technology. Part of the risk assessment process includes looking at all of the technology and applications the third party uses day-to-day. Determine if the host environment for sensitive data—like financial statements—is secure and if the third party clearly defines who should have access to different types of confidential, public or private data. Unfortunately, it is a constant race to keep up with the bad guys, but the more advanced the technology and the more vigilant the team, the better the chance of preventing problems.
The cloud. While there can be real benefits to using cloud technology, it is not always a smart decision when it comes to risk management. Nearly every large company today has a hybrid structure, split between an on-premises internal network and the cloud. This is advisable in many cases, as not all applications can be securely moved to the cloud.
At the end of the day, the cloud is nothing more than an off-site server, and when conducting an assessment to identify which applications and information can be migrated to the cloud, there are two primary risks. The first is functionality: If the application is not designed to be cloud-based, it may not be ready to be moved. The second is application security: If the application is vulnerable where it is currently housed onsite, then that must be addressed within the organization or with the vendor before developing a mitigation strategy.