Critical Shortfalls Present Within Cybersecurity Risk Management Programs
For companies developing or reinvigorating their cybersecurity risk management programs, it’s vital to remember that security threats are a cruel reality, and implementing proper controls to mitigate risks ahead of time is the only way to successfully prevent the harmful effects of such risks.
As was recently discussed during our Achieving Cybersecurity Readiness in 2018 webinar, there are a number of critical shortfalls that organizations often make when attempting to mitigate cybersecurity threats, including those noted below.
Lack of awareness regarding the data your company possesses – or its value
It’s essentially impossible to mitigate risk across an organization without a proper understanding of what data and information at that organization requires safeguarding. Yet time and again, companies fail to properly identify the information in their possession and to understand how its value might translate in the hands of an external attacker or an internal threat. Regardless of an organization’s size or industry, the data in its possession often holds an intrinsic – if not glaringly monetary – value. But without a proper assessment of what that data is, where it’s located and stored, and who has access to it, companies cannot effectively protect it. Completing a thorough data inventory is necessary before implementing comprehensive cyber controls.
Lack of proper and/or regular employee cybersecurity training
With cybersecurity threats often extending beyond the confines of technology systems and targeting individuals, it’s more important than ever that employees understand potential risks and the role they play in mitigating those risks. Alas, companies often fail to implement proper cybersecurity training programs to educate employees on these risks. At the very least, companies should institute annual information security awareness training to ensure that employees are well-informed of potential cyber threats and understand the company’s own policies and procedures related to security.
But annual training is often not enough. Organizations – particularly those that have faced cyber threats in the past or manage large amounts of sensitive information – should also consider recurring training initiatives to keep employees current on threats. Simulated phishing exercises, for example, are an effective way to engage employees in the detection and prevention of email threats as part of their regular workday.
Lack of remediation of cybersecurity issues/gaps
If your company has completed a cybersecurity risk assessment or gap analysis, you’re on the right track to an effective risk management program. But assuming gaps were identified during the process, which is likely the case, have you actually remediated the issues? Unfortunately, many companies take the first step and properly assess their programs but then fail to implement solutions that address problem areas. Whether it’s due to a shrinking budget, resource limitations or some other reason, this misstep is precisely what attackers will take advantage of. It’s understandable if some of the reasons above (budget, resources, etc.) play a factor in the immediate remediation of all critical issues, but companies only increase their cybersecurity risk by failing to address known security gaps. Consider staggering remediation to focus first on core and critical issues, with minor gaps addressed over a defined period of time.
Lack of recovery planning procedures, notably for areas that extend beyond technology
They say acceptance is the first step – so recognizing there is potential for a cybersecurity threat to impact your business is important. But preparations are also critical, and they should extend far beyond technology. Most businesses today have disaster recovery plans to address a potential system outage and account for data retention in the event of a disaster. Many even have procedures in place for business continuity, which address steps employees should take in the event of an incident. In most cases, however, organizations fail to prepare for how else their businesses may be impacted by a cybersecurity incident – for example, on a legal level as well as reputationally. In the event your business suffers a breach, it will be nearly impossible to overcome the fallout if these areas aren’t considered ahead of time. Having a strong marketing plan in place and working with legal counsel to ensure liabilities have been considered will be imperative to ensuring your business survives impact.
For more insight on cybersecurity shortfalls as well as proactive guidance for cybersecurity risk management programs, listen to our full webinar replay.
Information presented was obtained from sources deemed qualified and reliable; however, MFA makes no representations as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.