Company executives often only make cybersecurity a priority for their company following a security incident — most commonly a ransomware attack, as these incidents can be costly and taxing to the entire organization. Despite this pattern, preparing for a security incident before it happens is a better way to expend resources than following an incident. The return on investment of preparing for, rather than responding to, an incident is obvious. Preparation for a security incident is the cornerstone of an organization’s digital risk management practices that constitute a robust risk management program.

Here are some steps to consider when evaluating how to enhance digital risk management practices.

Review governance structure of information security

 Companies that have purposefully determined the strategy of how information security fits into their organization’s governance structure are stronger in their digital risk management posture. Having a centralized strategy around the governance of data and the risk it could pose to the organization helps define communication about risk, vulnerabilities presented to the organization, how to respond, collaboration on priorities to reduce digital risk, and how to establish a strong culture around digital security.

 Organizations that have a strong governance structure around digital security and clear communication with executives and their board of directors are better able to prioritize risk and response, enforce preventative measures and address incidents in a more organized way than those that have a decentralized governance structure. Executives’ priorities around digital risk management are key to implementing measures to achieve those goals. Relying on the IT department to try to figure out these priorities and goals can lead to a disorganized way to govern digital risk management. Strong communication between executives and information security personnel is critical to enhancing an organization’s digital risk management practices.

Map and classify high-risk data

 Not all data poses the same risk to an organization. It is important to segregate and protect high-risk data from low-risk data. An organization needs to know where the high-risk data is in its system to be able safeguard that data from loss or unauthorized access, use or disclosure. If they don’t know where the high-risk data is located, it is impossible to protect it with access controls, sandboxing, encryption and other security measures. This is a fundamental way to reduce and minimize risk of data loss and a data breach.

 To start mapping or classifying the high-risk data, security leaders may wish to start with the human resources, finance, customer relations and other areas of the business that collect high-risk data, such as Social Security numbers, driver’s license numbers, passport numbers, financial information, health information, genetic information, credit card numbers and other information that could be used for criminal acts.  

Implement strong security measures for high-risk data

Once it is known where the highest risk data is in the organization’s system, the next step is to implement strong security measures to protect it from both external and internal cyber threats. Cyberattacks are becoming more and more sophisticated, so focusing on basic security measures is no longer sufficient. Security incidents are not just caused by external hackers, but also include internal threat actors, which could be either malicious or unknowing.

In tandem with the usual methods of implementing a strong firewall, spam filter, multi-factor authentication and employee security awareness education, some additional considerations to look into include:

• Strong access controls
• Close evaluation and oversight of provisioning privileged credentials
• Termination of credentials when employees terminate employment
• Endpoint management
• Behavioral analytics
• Robust patching schedule to minimize risk from known vulnerabilities to hardware and software used by the company
• Subscribe to industry alerts on security threats, including CISA and FBI groups

 These are just some examples of security measures (from a lawyer) to consider. Security leaders should consult with the organization’s internal and external security professionals when developing a security program.  

Implement and test an incident response plan

 An important way to enhance digital risk management procedures is to develop, implement and test an incident response plan. Companies that have an organized plan in place and have tested it, including who is on the incident response team, what those individuals’ roles are in an incident, and testing the plan with a scenario, have developed an effective way to mitigate the risk of chaos to an organization following an incident.

 Security leaders should think about planning a tabletop exercise and consider using a ransomware incident as the first model, as it can be so complicated and stressful when an organization goes through it in an actual emergency. Tabletop exercises are an eye opener for everyone involved and it hits home with executives that they need to concentrate on digital risk management in a more centralized fashion.  

Keep an eye on compliance and risk of litigation

The laws and regulations in data privacy and information security are changing rapidly. They are hard to keep track of, even for those of us whose professions rely on doing so.

The focus should be on developing a strong digital risk management program, and in doing so, the organization may comply with most data privacy and information security laws. Nonetheless, there are very specific requirements to keep an eye on as applicable. Some areas to look into include:

• State data privacy laws, especially in California, Virginia, Colorado, Utah, Nevada and Connecticut. These state laws are either in effect or coming into effect in 2023. Others will follow, so keeping an eye on their requirements and when they come into effect is an important risk management strategy.
• Biometric and genetic laws. The best known is the Illinois Biometric Privacy Law. If these laws apply, certain measures must be taken to comply with them to reduce the risk of litigation.
• State employee monitoring laws. Several states have already adopted laws around monitoring employees, so this is an area to watch.
• Website risk. There is increased risk of litigation surrounding an organization’s website, including for failing to ensure compliance with the Americans with Disabilities Act, and for the use of cookies, tracking technology and pixels that track the information consumers provide through a website and then tracks and discloses that information to third parties. Reviewing the company’s website Privacy Policy and Terms of Use may be a high priority to reduce this risk.
• Enhancing a digital risk management program starts at the top of the organization — with the CEO. Focusing on governance and communication to determine the priorities of the company from the top will emanate throughout the organization. Implementing data classification, strong security measures, an incident response plan, and keeping an eye on compliance and litigation are all ways to reduce and minimize digital risk in the organization.