Many business leaders know risk management should be taken seriously. Not only can proactively managing cyber risk protect your company and the people it serves, but it can be essential to maintaining a healthy bottom line.
When companies struggle to combat cyber threats, the results can be devastating. Maria-Kristina Hayden, founder and CEO at cybersecurity firm OUTFOXM, recalls an incident at a Fortune 100 company last year. Because the problem initially appeared to be only a glitch in a central operational tool, their Ops leadership followed their own troubleshooting checklists for 6 hours before thinking to loop in cybersecurity teams, Hayden recalls. And in those 6 additional hours, an active adversary inside the network was able to cause considerable damage - erasing key data, building a backdoor for future access, and accessing backups.
Attacks of this magnitude can be extremely costly. In a recent report, IBM said the global average cost of a data breach is $4.45 million.
Managing Risk: The Hallmarks of an Effective Cybersecurity Program
How do you protect your business from such threats? Here’s an overview of nine building blocks of a robust cybersecurity risk management program.
1. Antivirus, antimalware, firewall, and intrusion detection
Cost-effective security tools can make it far more difficult to breach your company’s defenses. Given how quickly threats can evolve, keeping your security tools up to date can be key. If possible, enable automatic updates, and pay close attention to vendor communications, as they often include detailed steps to combat the latest threats.
"This 'standard' set of security tools is a cost-effective and important place to start," says Hayden. "Not only do they defend against attack, but they can provide a warning if an intrusion has occurred."
According to Hayden, deploying antivirus software and keeping it updated on every laptop or device in the system is one of the simplest and most important steps to consider.
2. Software updates and patches
Cybercriminals often exploit known vulnerabilities in systems and software. Companies should update software and install patches as soon as possible. An individual or team within the IT department can ensure the updates take place quickly. Testing updates and patches before putting them into production can be helpful, as some updates can conflict with existing systems.
"If the list is too long to reasonably update 100% of available systems, prioritize based on the criticality of the patch (often designated as such by the manufacturer or vendor) and the risk the vulnerability poses to your business operations," says Hayden.
3. Strong password policies
Weak or recycled passwords can make it easier and less time-consuming for an attacker to breach a company’s defenses. Password managers can help streamline the process of maintaining strong passwords: such tools can generate unique passwords rapidly, store them securely, and pre-populate them when an employee accesses a system.
4. Least privilege principle
The principle of least privilege limits employee access to only those systems they need to perform their job. If an attacker compromises an employee's credentials and gains access to the network, it will be harder for them to roam freely within your environment. Hayden sees added benefits of this principle.
"This principle also helps defend against the pernicious problem of insider threats - employees with legitimate credentials who seek to steal sensitive data or disrupt operations."
5. Data encryption
Attackers often focus on stealing data as they can sell it on the black market or hold it for ransom. Encrypting data at rest and in transit renders it useless to an attacker who doesn’t possess the decryption key. While encryption can be a robust security measure, it's not foolproof and should not be relied upon exclusively to protect your company’s data.
6. Offline and online backups
Backing up data can make it easier to recover quickly from an attack, especially those involving ransomware. An offline backup involves storing data on a device not connected to the internet.
"These are usually considered the most secure option, but retrieving the data can take a bit more time," notes Hayden.
An online backup stores data in a different physical location via the internet and is hosted by a third-party service provider.
"While restoring from online backup can be quicker, there is the added risk of these backups being infected during a malware outbreak," says Hayden.
Some companies cannot create an offline backup due to the size of their data. Creating two online backups in separate locations can make sense in those cases.
7. Incident response plans
Quick coordination can be of great value to mitigate an attack. An incident response plan can provide a step-by-step process, ensuring your company responds quickly and decisively when a breach happens.
"The best incident response plans have been coordinated amongst cyber teams (e.g., cyber incident response, threat intelligence, security operations), as well as non-cyber technology teams, legal teams, compliance teams, and communications teams, amongst others," says Hayden. "All groups that would be pulled into a major cyber incident should collaborate to craft realistic plans."
8. Periodic testing
Vulnerability assessments can uncover weaknesses before criminals can exploit them. Companies can also conduct penetration testing, which involves simulating an attack. A periodic security audit can prove invaluable.
"Incident response plans should also be tested at least quarterly against the latest cyber threats facing your industry," says Hayden. "Penetration testing and tabletop exercises that simulate attacks are the best ways to test your plans against reality."
9. Employee education
Attackers often succeed in breaching a company’s defenses by taking advantage of employees who lack security-related knowledge. According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involved the human element, including social engineering attacks, errors, or misuse.
"Employee education is so often viewed as a 'nice-to-have' element of a cybersecurity program, as opposed to something essential," says Hayden. "In reality, a well-educated staff is often the last layer of protection between your crown jewels and a malicious attacker."
She suggests using gamified training that requires active participation. For example, Hayden recommends immersive seminars that walk an audience through a realistic cyberattack. The audience votes on how to respond and learns how those choices change the trajectory of the incident. They're also taught personal and corporate cyber hygiene along the way.
Keeping Track of Cyber-Related Laws, Regulations
There’s a growing list of data privacy laws and regulations to protect consumers and encourage investment in cybersecurity. Keeping up to date on these laws can make it easier for your business to achieve compliance and respond appropriately in the event of a breach.
Companies can also create Google Alerts on keywords, subscribe to relevant blogs and newsletters, and attend industry conferences. When data privacy is a cornerstone of your business, it can serve as a competitive differentiator.
"Consumer-focused data privacy practices can be a differentiator in any industry," says Hayden. "Consumers are increasingly focused on how companies use, retain, sell, and lease their data – and using that information to guide their decisions about who to do business with."
The Case for Cyber Insurance
Cybersecurity insurance can offset breach-related costs and make it easier to resume normal operations. Cyber policies vary in their terms, conditions, and coverage. Subject to an individual policy’s restrictions, insurance can cover the cost of investigating a breach, resulting losses, customer and regulatory notification costs, and legal expenses.
Insurance brokers specializing in cybersecurity policies can help your company select a suitable policy. So can third-party cybersecurity firms, which often work closely with insurers. A third-party firm can also help your company apply for insurance by helping to complete the firm's intake forms. If a breach happens, a security firm can help your company submit a claim and maintain its coverage.
Stay Ahead of Cyber Risks
By attending to data security, quantifying cyber risk, and implementing the right technologies, business leaders can remain ahead of the curve, especially during unpredictable times. While every company faces a unique set of cybersecurity risks, by proactively investing in security, your business can take steps to safeguard its operations in an increasingly complex and risky world.