Preventing Data Breaches
October 27, 2016
The four tenets of an effective cyber security risk management program
By Presidential Proclamation, October is Cyber Security Awareness Month. As state-sponsored cyber-attacks raise cyber security to a matter of national security, business leaders need to know they can fight back. Most data breaches can be prevented if your organization has the right practices in place: in virtually every recent publicized instance, the breach occurred because fundamental security measures were absent or not operating.
As a friend of the firm, we want to make sure that you understand how to protect your business from cyber-related risks. Our Information Risk Management and Assurance Practice would like to take this opportunity to share the four tenets of an effective cyber security program.
- As CEO, you must own cyber security
Establishing executive ownership is the linchpin of any successful business process, and cyber security is no exception. Cyber security must be treated as a management process with defined objectives, assigned accountability and measurable metrics, not as a technology project delegated to IT. Business leaders who do not take on this responsibility are placing their employees, their customers and the value of their businesses at risk.
- Use foundational security frameworks
For industries that do not have defined compliance requirements, we recommend leveraging proven frameworks such as ISO/IEC 27001, NIST SP 800-53, the NIST Cybersecurity Framework and the SANS Top 20 (now maintained as the CIS Critical Security Controls). The internationally accepted ISO 27001 security management framework, with its Annex A control catalogue, can also give concrete meaning to vaguely-worded compliance requirements such as the HIPAA Security Rule. These frameworks provide the standard against which existing controls can be accurately assessed, so that gaps can be identified and remediated.
- Layer risk management based on prioritized risk assessment
Do you understand your company’s “digital assets”? Digital assets are logical groupings of data elements that enable your business model, such as customer records, payment data, intellectual property or the systems that process them. Understanding the value of these assets, both to your business and to potential threat actors, should be the foundation of any cyber security risk assessment. The organization’s digital assets should be inventoried, then assessed for the “value at risk” they represent: the loss the business would suffer if the asset’s confidentiality, integrity or availability were compromised. This asset-based approach allows organizations to spend information security money and resources in the most cost-effective way, selectively applying advanced security measures to higher-value assets while maintaining baseline controls for the majority of data.
- Monitoring and reporting to drive improvement
Effective cyber security will always be a work in progress because technology, commerce and the threat environment all keep changing. Organizations should regularly update their understanding of risks and assess whether their risk management program is designed effectively. This includes monitoring to confirm that controls are actually deployed and operating, through periodic testing and reporting, rather than assuming that a control once implemented is still in place. Reporting against the appropriate proven security framework provides the evidence that trading partners and other stakeholders require to be assured that you are doing the right things to protect their interests.
CYBER RISK MANAGEMENT THAT STANDS UP TO SCRUTINY
Cyber crime is on the rise. However, companies that adopt these tenets and implement effective information security programs greatly reduce both the likelihood of a cyber incident and the damage one can cause.
In the event of a breach, customers, employees, shareholders, plaintiffs’ lawyers and regulators (depending on your industry) all have reason to scrutinize your organization’s management of privacy and security risks. If you were to experience a breach today, could you prove to these stakeholders that you have taken the appropriate risk management measures? The most defensible approach hinges on a realistic assessment of threats to the confidentiality, integrity and availability of your digital assets, and it builds on a robust baseline of information security controls with enhanced risk management for those assets that represent the greatest liability.
For more information, contact Dan Schroeder, partner-in-charge of Information Risk Management and Assurance, at firstname.lastname@example.org.