How private companies can create a more secure cyber environment
In the crosshairs of cyber criminals
Large public companies used to be the main targets for cyberattacks. But now, even small private companies find themselves in the crosshairs. And as cyberattacks become increasingly frequent, sophisticated, and costly, the risk level is rising even higher.
The challenge is particularly acute for private companies, which often have limited cybersecurity resources. They tend to focus on basic blocking and tackling, such as password protection and once-a-year vulnerability assessments.
Of course, there’s no such thing as 100-percent bulletproof cybersecurity, and a perfect, one-size-fits-all cyber strategy doesn’t exist. Every business needs to develop its own cyber strategy and roadmap that reflects its unique needs, risk tolerance, and budget constraints.
For most private companies, the first step is to conduct a maturity assessment to understand their current cyber capabilities and identify what they need to improve.
The three facets of an effective posture
At its core, effective cybersecurity revolves around three broad sets of capabilities: being secure, vigilant, and resilient.
Key elements of a secure cyber environment
To be more secure, organizations need to establish effective controls for their most sensitive assets and balance the need to reduce cyber risk against other critical business needs such as growth, productivity, and cost reduction. Key elements of such a strategy include:
- IoT security. Securely developing and implementing next-generation connected products.
- Cloud security. Evaluating cloud vendor security capabilities and ensuring the security of cloud platforms.
- Infrastructure protection. Designing, deploying, and maintaining secure traditional and emerging infrastructures and technologies.
- Application protection. Designing, developing, and configuring applications using secure development and testing methods.
- Identity and access management (IAM). Establishing comprehensive IAM programs, from defining a clear vision and strategy for secure access, to identifying information assets, to deploying and operating IAM platforms (including integration with other IT platforms).
- Information privacy and protection. Navigating privacy risk and the broad challenge of information protection, including risks arising from people and processes, not just technology.
- Cyber risk analytics. Modernizing an established cyber risk management framework, shifting from periodic risk reporting to predictive, real-time (or near real-time) risk reporting.
Clients, vendors demand accountability
Robust cybersecurity is not something private companies can put off or ignore. A growing number of customers and value chain partners refuse to do business with companies that cannot demonstrate a disciplined and sustained approach to securing their cyber environment and data.
Cyber risk is also not something a business should delegate to an IT provider. Many companies that outsource some or all of their IT activities are under the mistaken belief that cybersecurity is strictly their vendors’ responsibility. If they take a close look at their outsourcing contracts, they’ll likely find that the responsibility for preserving and protecting data ultimately resides with them, not their vendors.
Start with a cyber maturity assessment
The first step toward creating a secure cyber environment is to assess your organization’s current capabilities and determine where they fall on the cyber maturity curve.
An assessment will show how secure, vigilant, and resilient your organization’s cyber capabilities are. It will also measure risk exposure and vulnerabilities, providing a prioritized roadmap to develop the cyber capabilities that are right for your business in light of its budget constraints and risk tolerance.
A comprehensive cyber maturity assessment includes:
- Evaluating your current cybersecurity governance and operations
- Reviewing cybersecurity-related documents such as security policies, standards, and organization structures
- Conducting interviews and workshops with key staff members from various departments, including information technology, information security, business operations and administration, human resources, and facilities and services
- Developing recommendations to address critical risks that are aligned with your organization’s business objectives
Overcoming the barriers to action
Private companies have different priorities and constraints than public companies, starting with the fact that they aren’t subject to external audit. This gives them more latitude to avoid confronting the challenge of cyber risk. However, it can also increase their vulnerability and risk exposure, while making it harder to get funding for cybersecurity initiatives, especially when they’re facing other more visible and pressing priorities, such as the need to pursue sales growth.
A cyber maturity assessment can help members of the board of directors understand the critical gap that currently exists in the company’s cyber capabilities and what the potential impact is, thus equipping them to properly exercise their fiduciary responsibilities. Also, it provides a clear roadmap so the directors can see exactly what needs to be done to close the gap and create a secure cyber environment, instead of perceiving cybersecurity as an unsolvable riddle and bottomless pit of potential investment.
As with most big challenges, the hardest thing about cybersecurity is understanding the problem, and then taking the first step to address it. A cyber maturity assessment will help you understand exactly what challenges you face so that you can tackle them head-on.