Global VP of Marketing
NNT - New Net Technologies
For many, cyber security is still seen as cost and not as an enabler of business resiliency. The flip side is that – according to recent research by IBM and Ponemon – an organization prepared for a cyber- attack and for a data breach will have to bear a drastically lower impact, two million US dollar less in average than those unprepared.
Let see what the three disciplines are that will help your organizations to be well prepared.
Spanning the last five years, an ‘impressive’ list of prominent data breaches can be put together. Among them, just to name a few, are:
- Equifax, exposing the credit data of more than 147 million citizens;
- Uber, compromising the names, email addresses, and phone numbers of 50 million customers;
Marriott, in which hackers accessed the personal information of 500 million guests
(note that Marriott had to announce another large breach a few years later);
- Capital One, with 105 million customer records affected;
- our own research in the Health Care sector, which discovered millions of medical records in over 160 unsecured installations.
Of course, this list is somewhat random and there are many other cases, large and small, that can be named in the context of where these organizations sit with regards to the disciplines required to improve cyber-resilience, plus the ability to prevent, detect, respond to, and recover from a cyber-attacks or a data breach.
Users and consumers tend to have an attitude of negligence to their own data, with the notion of “I have nothing to hide”, “It won’t happen to me” or “How much can they do with my data anyway?”.
The answer to the last question, as it turns out is ‘a lot’. If data is the verbatim ‘new oil’ for digitalized business models, should a business not be doing its utmost to protect it from being stolen, copied, and encrypted for a ransom.
There is your first discipline, know what data you have, what value it has for your organization, how sensitive that data is for those who gave it to you. If you had collected millions of names, addresses and other personal individual data points, a single one might not be considered to be of value for you, but it will be for the person or organization who gave it to you.
Discipline in this area translates to consumer trust. If customers who entrust you with their data are aware that you retain robust and disciplined governance (and you’re transparent about it where needed for compliance reasons) when it comes to Data Protection, it not only earns you trust, but of course it reduces the potential for disruption and harm in line with the criticality of each process supporting the various business functions.
Here is the second discipline: do not stop digging deep into those internal processes and collect as much information as possible about the systems in use and how they support each step. Details must include but not be limited to:, The status of each, how vulnerable they are, how often unexpected changes happen to them. This will build the solid base needed to fully protect your business processes.
Cyber Resilience is about achieving and maintaining a company’s status to the point that it is able to endure an attack, keep afloat, maintain operability – even if diminished – and to overcome and mature from cyber-attacks. It requires IT security to understand the business processes, what the company relies on to generate its own value-add, in order to provide measured, fit-for-purpose protection to critical assets and processes, where other assets might receive lesser protection. In this it accepts that incidents will happen, and that preparation needs to encompass not only IT (DR / BC) but the complete business.
The above reflects the third discipline. IT Security will work with other department heads to understand what drives them, how they are measured, and how IT can help them to achieve their targets under normal operation, and what would be the impact if IT isn’t available for some reason.
Of course, a board can facilitate that cooperation, by encouraging and sponsoring it, but more so by setting the right objectives.
As a result of these three disciplines IT and IT Security will be seen as a business enabler, able to spot and launch initiatives that improve the business as a whole, not just a single system or something isolated within the organization. Improve business systems and processes, looking at all aspects of the business in order to create resilience, to create cyber resilient systems and data workflows that support a company’s vital business processes and secure its value generation. And the positive impact doesn’t stop there. Being diligent within these three disciplines will improve your continuous compliance, your ability to adhere to regulations like CMMC, CCPA, or GDPR.
They will show your customers that you really take their data privacy and your own cyber security serious.
SecureOps™ and NNT's Change Tracker are vital elements in these three disciplines as they will help you to prevent, to detect, and to respond to a data breach.