Cyberattack Prevention: Use ERM to Defend Against Ransomware and Data Breaches
Steven Minsky | April 26, 2016
Cyberattack prevention measures will always be necessary. The constant threat of data breaches and other hacks is simply a fact of business. Priority targets are no longer limited to retailers and banks; insurers, hospitals, energy producers, and (most recently) a host of law firms are all at risk.
“Hackers broke into the computer networks at some of the country’s most prestigious law firms,” according to The Wall Street Journal. This doesn’t come as much of a surprise: What do organizations like banks, insurers, hospitals, and law firms all have in common? Repositories of sensitive data.
This data does include personally identifiable information (PII) such as credit card info and social security numbers, but that’s old news. The “bigger fish” is confidential corporate information – data about M&As that might be used for insider trading, for example.
Clients (and potential clients) have been understandably concerned about the security of their information. As a result, they are spending more time and resources doing their homework. How do the firms they’re considering patronizing handle cybersecurity? Are they keeping up with recent trends, like phishing attacks and ransomware?
When it comes to such sensitive information, it is clearly better to invest in cyberattack prevention measures than in the ability to reduce the fallout after an attack. And yet it often takes a headline event to galvanize organizations into action.
Take Action on Cyberattack Prevention
The first order of business is to accept that addressing these risks is obligatory. As we discussed earlier this month, all companies are now being held liable for their security procedures. Perhaps more importantly, this liability exists even if no breach ever occurs. Dwolla, for example, was hit with a major penalty for its negligent cyberattack prevention strategy.
Also consider that “Hackers often steal large amounts of information indiscriminately and then analyze it later to see how it could be useful…”. In other words, even if you think all your data would be useless to a hacker, you’re still at risk of suffering all the consequences of a major cyberattack.
The only way to keep up with evolving attacks is with a holistic approach to security. All departments should be on the same page, informing everyone from managers to front-line employees about password and network policy (basic cyberattack prevention), slightly suspicious emails (signs of attempted phishing attacks), etc.
Protecting the “Front Door” Isn’t Enough
Traditional cybersecurity measures revolve around the protection of the so-called “front door.” We’re conditioned to look out, rather than in, for threats. After all, hackers and other criminals are external threats, so the best form of protection is logically a barricade in the form of advanced firewalls and malware scans.
These days, however, reinforcing the front door is not a sufficient cyberattack prevention plan. Wide-reaching attacks like phishing emails and ransomware make every single employee a risk. This is a holistic governance-function issue that won’t be solved by buying a new piece of hardware. Seemingly innocent emails may contain only subtle red flags, fooling victims into thinking they’re legitimate. It’s certainly an IT problem, but it also extends to vendor management (are your vendors’ standards up to yours?), incident management (if there is an attack or an attempted attack, how do you cascade it out to the rest of the organization?), and compliance.
Enterprise risk management software offers the only solution, because the problem itself is an enterprise-wide problem. Everyone needs to be on the lookout for things like suspicious emails, and everyone needs to know how to react. ERM facilitates the whole cyberattack prevention process because it:
- Helps each department identify its vulnerabilities with industry-specific, root-cause risk libraries;
- Ensures every department is performing this analysis with the same criteria, framework, and timeline, making collaboration easy;
- Reveals how department-specific approaches leave certain vulnerabilities unanswered, as well as which risks are already being covered by another department’s mitigations;
- Makes it straightforward to engage risk assessments and send reports back and forth from senior management to front-line employees (and everyone in between);
- Allows risk assessments, control documentation, and monitoring automation to evolve as new threats emerge.