We covered the release of our 2015 IT Security and Privacy Survey here on our blog in September, but given the survey’s finding that there was a widespread lack of cybersecurity confidence among organizations surveyed, we wanted to revisit this important topic with discussion from our October 27 webinar.
Cyberattacks are increasing in frequency and sophistication. One in three targets falls victim. If your organization is not keeping pace with the threats, then you are falling behind.
Directors take note: The most significant differentiator in an organization’s preparedness for a security breach or cyberattack is the degree to which the board is engaged in IT security and asking hard questions that management has to answer. These include:
- Does the organization have a formal and documented IT crisis response plan?
- Is it tested at least annually?
- How robust is the testing – perimeter only, or more enterprise-oriented war games? Does it evaluate the efficacy of breach detection and kill chain disruption?
- How deep is our training/knowledge?
- What is our average time to detection of breaches and how does it compare to the industry?
- Are we testing for social engineering attacks?
Executives beware: The cyber threat landscape is evolving faster than typical IT security measures can keep up. One of the rising threats is social engineering attacks (especially spear phishing), designed to trick high-level executives into downloading malware/spyware. Statistics show that such schemes have a success rate of over thirty percent. This rate can drop significantly with proper training, but even so, it only takes a single high-level breach to gain access to high-value, “crown jewel”-type information.
In addition to the questions listed above for board members, executives should be asking:
- Who is responsible for IT governance – especially information security?
- Does everybody in the organization know that?
- How deep is our bench? If one or two key people were removed from the chain of command, would we still be able to effectively execute our crisis plan?
- What are our “crown jewels?” What information do we have that needs to be protected?
- How would we know if we’ve been breached?
IT leaders: Make sure you’ve got your bases covered. Recognize that the threat landscape is constantly changing. Stay up to date on data security certifications, such as ISO 27001 and PCI DSS. Make sure you have a solid, vetted IT crisis plan in place, test it regularly, communicate it to employees and train everyone in their role. Drill your team with real-life war game scenarios until you are confident that everyone knows their role and your plan will work as intended. Pull out a couple of key people and run the simulation again to ensure sustainability. Constantly ask yourself: “What are we missing?”
It is worth pointing out that most breaches go undetected for more than 6 months, and are usually discovered by a third party. This highlights the need to test detection capability, in addition to response capability.
The survey revealed a decrease in certain key IT security elements – such as policies and training – over the past three years. Although disconcerting, such dips are not uncommon as organizations transition from a rote “check-the-box” mentality to real readiness.