5 Fundamentals in Cyber Risk Management

By Charles Cooper

When it comes to cybersecurity, organizations face a future in which it’s best to prepare for worst-case scenarios.

As the number of cyberbreaches tops previous records, rampant cybercrime is expected to inflict major losses on the global economy before the close of this decade. That means breach prevention can’t be the sole cornerstone of an effective cyberstrategy. As outlined in the latest AT&T Cybersecurity Insights report, the question is not if a company is going to be attacked. It’s now a question of when the attack will come.

That shouldn’t be an impediment to your business’s future. But it means finding ways to improve defenses and reduce vulnerabilities to the point where attacks are no more than an acceptable cost of doing business. That’s where cyber risk management enters the picture. What follows are five risk management fundamentals for your business.

Risk Identification

Figure out what needs to get measured and connect the data points. Find attack patterns or any other traffic trends that might suggest imminent risks. Identify the greatest threats facing the organization and integrate any of those insights into your incident response strategy. And make sure that effective authentication systems are in place to vet whether the people accessing your organization are who they claim to be and not intruders. The National Institute of Standards and Technology has pulled together a longer list with specific suggestions about how to prioritize.

Get Top Management on Board

Boards need to understand the potential constellation of risks that may threaten their company’s reputation, finances and operational performance. Cyber risk management should be a central plank of any organization’s governance processes. The senior levels of the company need to know whether their data assets are being protected adequately and when to adjust future budgets to bolster security planning. Only the board’s buy-in will ensure that the organization’s security objectives are fully aligned with the larger goals of the business.

CSO-Board Communication

Set up an effective communications pipeline between the organization’s top security executives and senior management. That means it’s up to the top security executive in the organization to inform the C-suite about looming potential risks as well as the state of current defenses. Unless they receive up-to-date risk indicators, the C-suite will have no way to judge whether the security situation is improving or getting worse.

Update Incident Response

No matter how well defended an organization may be, anticipate coming under cyberattack at some point in the future. Draw up worst-case scenarios along with an updated incident response plan. This is the road map to identify and prioritize the people, processes and technology issues to mobilize in an emergency. Don’t let the response plan gather dust. It should undergo frequent testing to remain relevant and ensure that everyone involved in the drill understands their roles when the alarm sounds for real.

Preach the Gospel

No matter how many times they need reminding, employees can always do a better job when it comes to adhering to best practices. It’s up to management to keep promoting a cyberaware culture. At a minimum, make sure that employees are aware of the cyber risks that threaten the organization as well as the likely business implications of a breach. Sometimes, this may not be as self-evident as it might seem at first blush. Success in this case may be measured in inches, rather than yards. But every little advance counts.

Read the AT&T Cybersecurity Insights report Mind the Gap: Cybersecurity’s Big Disconnect. Learn more about how your organization can minimize gaps in its cybersecurity strategy.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.