Stephane Nappo, Global Chief Information Security Officer at Groupe SEB, said, "It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it." And, for the most part, it takes two years for an organization's reputation to recover after a data breach, according to research by HSBC.
Added to that, reputational damage drives off customers — when a data breach occurs, more than 80% of consumers are ready to walk away and take their business elsewhere. That's why ignoring cybersecurity is no longer an option for companies.
Here's how organizations of all types and sizes can start improving their cybersecurity strategies.
Conduct a cybersecurity risk assessment
In a nutshell, a cybersecurity risk assessment examines organizations' IT infrastructure, analyzes their digital assets, gains high-level insights into potential weaknesses, and eliminates risks. It empowers businesses to design more effective strategies to protect valuable data and remain competitive in the marketplace.
Depending on the industry, location-specific regulatory requirements, and the size of an organization, there are different approaches to conducting a practical cybersecurity risk assessment. However, its foundation stays unchanged.
Let's take a look at the basic steps of a cybersecurity risk assessment:
- Determine the scope of the assessment: Establish all assets that demand evaluation. Is it the entire organization, organizational unit, location or a specific aspect of the business?
- Identify and locate data: What data does the organization have stored? Is it located in data warehouses or lakes, hardware or the cloud?
- Categorize data based on sensitivity: Not all data is created equal. For example, personally identifiable information (PII), data from the payment card industry (PCI), trade secrets, and regulated and protected information is highly sensitive. Find out what data is protected by laws and compliance regulations in the region where the organization operates.
- Analyze current protections, practices and controls: Dive deeper into what protocols — encryption or firewalls — are currently in place to protect data and monitor systems. Find out where organizational cybersecurity gaps are.
- Identify threats: Investigate what data breaches could impact the business, and then identify the threat sources. Phishing attacks, malware, ransomware and denial of service (DoS) attacks are some of the most common types of external threats that organizations face today.
- Establish a framework for improvement: Determine the best practices to manage risk, prioritize needs, and start working toward closing organizational cybersecurity gaps. The NIST Cybersecurity Framework is perhaps the most recognized and comprehensive standard, but it can also be a bit overwhelming from some teams. Explore multiple options to find the best fit for the security team and company.
Remember, advancing technology is also creating new cyber risks. Therefore, repeating these steps regularly is crucial to keep organizational data safe and secure.
Focus on internal cybersecurity awareness training
From downloading infected software to improper information sharing practices to choosing a weak password, various unintentional activities can lead to a data breach or leak. To err is human, but when it comes to cybersecurity, people make so many mistakes that it is overwhelming. According to a study, more than 90% of cyberattacks are made possible by human error.
That's why adopting a cybersecurity awareness training program is critical to ensuring that employees are familiar with potential, preventable threats.
For example, when tax season comes around, remind staff that no one from the organization will be contacting them asking for their W-2 tax form or social security number. So if they get an information request from an internal email, they — hopefully — will not click on any links or respond to the sender.
Educating teams across the organization can enable them to understand how to handle sensitive data and information. This way, security teams of all sizes can add another layer of security and strengthen their cybersecurity practices.
Last but not least, keep lines of communication open and friendly. Instead of making your colleagues feel inferior when they want to confirm whether an email is legitimate or not, encourage this kind of behavior — it’s better that they ask than click.
Regardless of industry or size, every organization with an online presence is a potential victim of malicious cyberattacks. Therefore, creating regular cybersecurity assessment reports and awareness programs can mitigate the risk of data breaches and help build a positive reputation.