
Tag Archives: Cyber Security

Don’t Think You Need to Invest in a Cyber Security Program? Think again!


By Dr. Romeo Farinacci, Cyber Security Expert and Contributing Writer

Keeping your business safe with Cybersecurity investments

Getting pulled over and found without auto insurance can cost you hundreds, but getting caught without cybersecurity can cost you millions.

Cybersecurity is more than meeting compliance, regulations, laws, and standards; it is about sustaining your business in this competitive landscape. Without effective cybersecurity tools and best practices in place (e.g. appropriate patches, periodic scans, or hardened network devices), the likelihood of data loss or intellectual property leaks as a result of hacks, ransomware, viruses, or simple human errors in data management increases substantially, thereby reducing an organization’s profitability, market value, trustworthiness, and ability to compete.

Once companies understand that data is a product, service, or good, and that efficient management of such data can yield profit in the billions of dollars, they will begin to grasp the importance of the data protection that cybersecurity standards and controls provide.

How do you measure the return on investment (ROI) for Cybersecurity initiatives?

How can an organization balance the costs of sophisticated security technologies and communicate the benefits they provide? Some simply state, “Potential cyber breaches and their consequences justify the upfront and ongoing expense required to prevent their occurrence.”

Many large enterprises use a risk assessment approach, together with current research on similar organizations that have been compromised, to identify the likelihood, impact, and threats associated with various risks. These values support a what-if scenario and a cost analysis of not implementing controls or not managing the data flow appropriately. However, small and midsized businesses (SMBs) with limited resources face challenges in obtaining, applying, and managing cybersecurity standards and controls, and face even bigger challenges in understanding and communicating the value of cybersecurity investment. In many cases, they also lack the research needed to compare the potential impacts of data loss for their own organization.

Most executive leaders have a good grasp of market risk, financial risk, operational risk and so on, but lack knowledge of cyber risk, especially in new businesses that have yet to gather the metrics needed to identify potential threats. Executives and board members need reliable data to make informed strategic decisions. Language such as ‘could,’ ‘may,’ and ‘most likely’ provides sound insight but lacks confidence and true justification. “…many key decision makers still insist on seeing real, measurable results in order to justify the value of having an established, solid threat detection plan in place.” All things considered, trying to calculate and communicate a return on investment for cybersecurity is a poor and, in many cases, unrealistic approach.

How much are you willing to spend, to save?

This is perhaps the foundational question in balancing costs and benefits (or potential benefits) for cybersecurity strategies. Security professionals love to use scenarios, case studies, or simple metaphors to express the meaning and justification of the various tools and technologies used to secure and manage enterprise intellectual property and consumer data. For example, why purchase locks and a security monitoring system for a home? If no one ever tries to enter the home unannounced during your time in the residence, does that still justify the expense accrued over the years for the locks and security system? When selling the residence, is there truly a return on investment? Americans spend thousands of dollars a year on home security systems for peace of mind, because, let’s face it, if a bad guy wants in, they will get in. The same holds true in cybersecurity: malicious actors will find a way regardless of the measures put in place, although for some (very few) organizations a breach may never occur. However, the role of cybersecurity is not necessarily to keep bad guys out, but to limit what they can access or exploit, to reduce reaction time or mean time to resolution (MTTR), to demonstrate the organization’s diligence, competency, and trustworthiness with consumer data, and ultimately to train and educate internal employees on the proper use of data.

Investing in cybersecurity improves productivity and saves money. One could argue that it also increases profitability, as it communicates trust and reliability to consumers. It saves money not only on what could happen, but on what does happen. According to a recent article, “…the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris. These human forms of malware can be present in any organization and are every bit as dangerous as threats delivered through malicious code.” Security awareness training that teaches employees how to properly manage, store, and transmit data provides the data proficiency and control that positively impacts productivity. Data is available and reliable at critical moments, is transmitted securely and with integrity to the intended recipients, and is stored and backed up for quick recovery. Investing in the right cybersecurity tools and technologies gives business leaders peace of mind in the operation and management of digital information and revenue streams.

According to Murphy’s Law, bad things can and do happen. Whether the source is external or internal, a compromise of intellectual property may occur. With the right cybersecurity investments, the root cause can be identified, the affected data can be tracked, and recovery operations can be underway in minutes. Companies have spent hours, weeks, months, or even years trying to determine how an incident occurred, what data was compromised, and how to prevent or reduce its recurrence. “It is estimated that about 60 percent of MTTR is spent determining the root-cause of the actual problem.” Cybersecurity tools can save thousands of man-hours by reducing the MTTR and getting operations back into production. A key strategy for investing in cybersecurity is to consider the most impactful cyberthreats that are likely to occur and apply appropriate measures, not simply to deter them but to recover quickly and with little disruption to the business. This is where cost savings really shine!

Your key takeaway

Treat cybersecurity as an investment in meeting business strategies with as little friction as possible from the ongoing cyberwar. It is not to be treated as an insurance policy, or broken down in such a way that a hypothetical ROI can be established. These misconceptions about building a cybersecurity program can lead to disappointment among employees, loss of support from leadership, and misrepresentation of the true value cybersecurity brings to the workforce. Executing cybersecurity programs and strategies is a valuable investment that will improve productivity and increase profitability for the business by saving money, saving time, and integrating efficiencies into operations.


References
1. http://searchcio.techtarget.com/news/450419414/Not-investing-in-cybersecurity-has-inverse-ROI
2. https://cybersponse.com/2942-2
3. https://ayehu.com/calculate-roi-cybersecurity-threat-defense/
4. https://www.forbes.com/sites/gilpress/2017/07/10/leveraging-ai-to-maximize-cybersecurity-roi/#3d81c29539e4
5. https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/small-businesses-investing-cybersecurity/
6. https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
7. http://business.financialpost.com/technology/companies-see-the-cyber-threat-but-spending-on-security-is-a-different-matter/wcm/6587b090-4936-48f9-80e1-e57ce22b8ccf
8. http://www.csoonline.com/article/3084887/leadership-management/philosophy-plato-and-cybersecurity-as-a-public-service.html

Being CyberAware is More Than Compliance for SMBs

Dr. Romeo Farinacci, Cybersecurity Expert, Contributing Writer

Cyber warfare is real, it is here, and America is losing. Military personnel, law enforcement, and private security use bulletproof vests to protect themselves in hostile zones. These vests minimize injury and provide a measure of security and safety of life. Additionally, they rely on intensive training, mindfulness, and combat skills to defend successfully against an enemy. This combination enables them to be effective in combat. Make no mistake, the Internet is a hostile zone in a state of cyber warfare. Being compliant is simply the bulletproof vest; it needs a cybersecurity program to provide the training, visibility, and techniques to combat cyber threats.

Many small to medium-sized businesses (SMBs) use insurance (compliance and reduced liability), ignorance (“too small a business to be hacked”), or inappropriate justifications (“cybersecurity costs too much to carry out; pay for incidents when they occur”) to manage cyber risks to the business, resulting in a false sense of security. These uninformed choices lead to a lack of common-sense measures. Military personnel, law enforcement, and private security do not rely on vests to stop bullets from being fired (insurance), put on bulletproof vests after they are shot (ignorance), or go without one because the cost is too high (inappropriate justifications). Businesses should move beyond compliance and become CyberAware by understanding the ever-growing dangers throughout the enterprise.

According to the 2018 Verizon Data Breach Investigations Report, 58% of breaches hit small businesses. The report identified 30 percent more incidents than the previous year associated with Point of Sale (POS) breaches targeting hotels and restaurants (most of which are small businesses). Many SMBs do not have trained security staff and rely heavily on their PCI certification to manage threats, which leaves many vulnerabilities unmanaged.

Using only the controls defined by compliance regimes such as HIPAA, PCI, and ISO is not an effective way to manage cybersecurity threats, whether today’s attacks or those forecast for tomorrow. This is especially true for small businesses that consider themselves too small to attack, or simply do not have the funds to build a cybersecurity program. Compliance is not the end of cybersecurity but a part of it. If SMBs do not begin using cybersecurity best practices, they will remain susceptible to hacks and breaches resulting in steep fines, damaged reputation, or loss of business.

CyberAware – Because it’s the Law

In just the 20 years since ecommerce and SSL encryption were introduced, some of the largest businesses have become mostly virtual. The past five years have shown an exponential increase in businesses that depend on Internet-enabled services, including ecommerce, the cloud, online marketing, etc. However, cyber threats and hackers bent on exploiting a business’ weaknesses have also increased exponentially, conducting malicious acts as they try to compromise business operations, expose intellectual property to reduce competitive advantage, or simply breach customer data.

The U.S. and other nations have begun integrating cybersecurity into law, changing how companies approach business practices involving electronic data. Proposals of bills, policies, and laws by states, governments, and nations have surged in the last couple of years. According to the National Conference of State Legislatures, more than 36 states are introducing more than 265 bills around cybersecurity. These include providing funds for cybersecurity initiatives, increasing penalties for cybercrimes, promoting security awareness and training programs, and enforcing security best practices and controls on critical infrastructure. Also, several laws such as the NYCRR and GDPR set directives requiring businesses to implement cybersecurity programs that manage enterprise risks while achieving industry-wide cybersecurity objectives.

For instance, the NYCRR requires businesses to develop a cybersecurity program that includes assigning a CISO, completing periodic risk assessments, conducting a security awareness and training program, and applying suitable controls to safeguard nonpublic information and information systems. GDPR requires businesses to define policies and procedures to comply with an EU citizen’s Right to Erasure, to impose security measures ensuring that only the minimum personal data needed is used for each specific business process, and to record and preserve a log of all user data processing.

SMBs Must be CyberAware Too

Small to medium -sized businesses (SMBs) are critical to the nation’s economy. According to the Small Business Association, SMBs provide 66 percent of the nation’s net new jobs and employ 47.5 percent of the private workforce. It’s time to take Cybersecurity Awareness seriously, and each year introduces more CyberAware methods to aid businesses. Most recently, the government has passed into law Bill S.770 “To require the Director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks….” Also, the bill will update the National Institute of Standards and Technology Act to incorporate small businesses and provide resources to lessen cybersecurity risks.

NIST has published a guide for small businesses entitled Small Business Information Security: The Fundamentals, which provides guidelines based on the NIST Cybersecurity Framework (CSF) for basic security of information, systems, and networks. This guide contains programmatic information on setting up an information security program, and includes nine key practices to begin strengthening the safety and security of the data that drives the business:

  • Pay attention to the people you work with and around;
  • Be careful of email attachments and web links;
  • Use separate personal and business computers, mobile devices, and accounts;
  • Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network;
  • Be careful downloading software;
  • Do not give out personal or business information;
  • Watch for harmful pop-ups;
  • Use strong passwords; and
  • Conduct online business more securely.

The increase in cybersecurity awareness across the globe should drive all organizations to adopt basic standards and principles to combat the threats currently attacking our way of life. However, many businesses are still falling victim to ignorance, an insurance mindset, or inappropriate justifications for not setting up healthy cybersecurity programs. Large businesses such as Verizon, Target, SONY, and Experian have the resources in place to bounce back and retain their business operations, customer base, income, and image after experiencing a cybersecurity incident. Murphy’s Law suggests that what can happen will happen. A breach is unavoidable, and small to medium-sized businesses must be CyberAware and prepare for when an incident occurs.

What To Do

Focusing on defining the people, processes, and technology within the organization is the first step in becoming #CyberAware. This leads to identifying what drives the business, which risks pose a threat to revenue, and the suitable steps for building a strategy to track and manage incidents when they occur. Gartner’s Six Principles of Resilience highlight these ideas.

Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making

Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes

Principle No. 3: Stop Being a Defender, and Become a Facilitator

Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows

Principle No. 5: Accept the Limits of Technology and Become People-Centric

Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response

Consider Principle No. 1, “Stop Focusing on Check Box Compliance and Shift to Risk-Based Decision Making.” This principle implies an understanding of the business risks associated with the people, processes, and technologies that enable the business to function, not exclusively IT risk. Simply put, examine ‘what do we do and why,’ identify the business risk profile, then apply appropriate protections that enable the organization to meet customer expectations (product quality, company trust, service confidence, etc.). Remember, compliance is not sufficient protection; it is only a tool, a bulletproof vest.

Each of these principles is used to change an organization’s culture and approach to managing its digital footprint. One of the key elements within the six principles is determining how data flows within the enterprise, a concept many organizations have trouble documenting. Visibility into the network infrastructure, into end-user interaction with data, and into how data is printed, emailed, transferred, and modified must be established before appropriate protection mechanisms can be put in place.

Security assessment services can provide visibility into data movement and guidance in developing a strategy and roadmap for implementing cybersecurity within an organization. These services can demonstrate how to combine compliance requirements with other cybersecurity program elements, such as frameworks, threat intelligence, security awareness, vulnerability assessments, log management, audit reviews, hardening techniques, change control, forensics, policy development, etc. Such a cybersecurity program will increase productivity, align with compliance requirements, enhance security posture, and combat cyber threats. With an understanding of how to implement a cost-effective cybersecurity program, SMBs can become CyberAware and help turn the tide of cyber warfare for America.