Does it seem like there’s a major cybersecurity breach every day? Every time you turn on the news or open a newspaper you see that some famous company has become the victim of a major hacking attack. The latest high-profile example was AT&T, which was recently fined $25 million for a massive data breach.
And if you look at recent statistics, it’s not surprising. According to the New York State Department of Financial Services report on Cyber Security in the banking sector, only 49% of the institutions surveyed reported that their information security strategy adequately addressed new and emerging risks, while 31% said they needed to modify their strategy to assess new risks, and another 22% said they needed to investigate further to understand the risks involved.
In my more than 20 years’ experience in the IT consulting world I’ve seen three common issues that make firms more vulnerable to the kind of attacks that are garnering headlines. And they’re all related to a company’s processes and policies, not necessarily to its investment in technology.
Time and time again I come across firms that want to implement security technology right away without first identifying their business priorities and the IT risk management strategies they need to put in place. They’re so eager to protect themselves that they neglect to identify what it is they’re really trying to protect.
I know the impulse is to protect your assets right away, but I recommend taking these two steps first:
a.) Identify your goals. What are your business goals? What is your business model? What are your core business assets? Identifying these can help you determine your security priorities, and hence what will hurt the most during a data breach. Not all information needs the same robust protection: your customer database holds a different value than your product catalog.
b.) Identify your business processes. What are the core processes that make your business unique? What’s the combination of operational activities that together generates value for your customers and shareholders? You can’t protect your information if you can’t first identify your information flow and hence your data vulnerabilities.
It’s important to keep in mind that security technology tools are risk analysis and measurement tools, and as such are completely dependent on the processes and goals you prioritize.
Third-party risk has become a major focus of data breach and risk mitigation programs, especially in light of the recent breaches at Target and Home Depot. In a recent report prepared by Softtek on a state-of-the-art supplier security & risk audit, based on 3rd party risk assessments performed by Softtek over six years in almost 2,500 audits globally, we found that business vendors are still dealing with critical security vulnerabilities in Access Control, Data Security, Communications Management, Software Development and the Organization of Information Security, which together represent more than 51% of the findings.
But companies tend to make the mistake of treating all 3rd party vendors the same. For example, the legal contractor who comes in every day carries a different risk than the accounting firm that has access to all your financial systems and comes in once a year during tax time.
As a 3rd party vendor ourselves, we at Softtek are very aware of the vulnerabilities, and we’re very sensitive to that.
Build an individual risk profile for each 3rd party vendor you contract with. This can include which systems they have access to, their public record, and any complaints lodged against them.
But creating a single risk profile isn’t enough – this is a continuous process. Set a regular schedule to reassess your 3rd party vendors and to compare where they are now to where they used to be. You might identify new security risks that have emerged in the intervening time.
Unfortunately, there is an acute shortage of Information Security professionals. In their comprehensive 2015 (ISC)² Global Information Security Workforce Study, Frost & Sullivan reported that 62% of survey respondents stated that their organizations have too few information security professionals on their payroll.
And as I stated earlier, security risks are more than just technology risks. They’re a complex interplay between people, data, technology and business processes. Consequently, you need a wide variety of skill sets to handle that complexity.
In addition to security experts, you need people who understand 3rd party risks and business processes, and people who understand PR so they can speak to the press about any high-profile incidents you might have experienced.
This unique combination of skills requires a significant commitment of company time and resources. If you can focus on all the moving parts of IT risk and compliance without taking your eye off your core business, then more power to you. But it’s hard for companies to commit to both efforts, which is why the Softtek governance, risk and compliance practice is so busy!
Finally, the bonus point: make IT Risk and Compliance a strategic business priority by allocating a sufficient budget to support it.
I often hear, “We’ve already allocated so much money to our IT budget, especially to security products, what more can we do?” I’ll say it again: IT risk and compliance is more than a technology problem, it’s a business problem. And with the growth in the scale and implications of security breaches, you must make it a major strategic priority – or else it will be made a strategic priority for you!
For more information on how to mitigate your IT risks, visit Softtek's Governance, Risk and Compliance service page.