October is Cybersecurity Awareness Month…and scary movie season.
There is nothing quite like the anxious uncertainty experienced while watching an Alfred Hitchcock film. The calculated silences between avian attacks in “The Birds.” The suspense in “Dial M For Murder” builds slowly, unfolding like a play in a theater. Hitchcock, describing the art of cinematic tension, said, “There is no terror in the bang – only the suspense of it.”
By comparing two vignettes, Hitchcock defines suspense. In the ordinary scenario, two people are sitting at a table. We, the audience, do not see that there is a bomb under the table. The bomb suddenly explodes and we are surprised. In the suspenseful scenario, we have seen a villain place a bomb set to explode in two minutes under the table just before the two people sit down. The people having the conversation become fascinating because we, the audience, are participating in the scene. We sit on the edge of our seats, longing to warn the characters on the screen: “There is a bomb beneath you and it is about to explode!”
Taking the Drama Out of Cybersecurity
Suspense in cinema is art; suspense in cybersecurity really has no place. Organizations need to assume that a bomb is set to explode under their table and take steps to defuse a potential cyberattack, ransomware attack, or any other type of nefarious cybersecurity event before it detonates.
Alternatively, organizations can be armed to prepare for a safer explosion. Enter risk management “camera right.” Risk management, in some ways, is the art of assuming something bad will happen at some point and taking steps to lessen the negative impact of this event.
To help take some of the suspense (insecurity!) out of cybersecurity, we asked our Shared Assessments subject matter experts to identify top cybersecurity challenges facing organizations and risk programs today and to share solutions to these challenges.
Keeping Up With New Technologies
Keeping up with new technologies, including cloud, blockchain, and IoT, is a major challenge, and not doing so poses a threat to an organization’s cybersecurity.
Companies will continue to gravitate to new technologies to improve customer experience, reduce costs, and leverage innovations. But often, security is several steps behind these technologies, which can translate to slowing down progress. Security needs to be at the table when formulating business and IT strategies so that we are proactive rather than reactionary.
“Shift Happens!”: Changing Cybersecurity Landscape
Shift happens! The cybersecurity landscape is constantly shifting and changing. The hot topic of the day is ransomware, and for good reason. The amount and veracity of attacks are increasing at an alarming rate.
So how do we address this problem? Establishing that October is security awareness month is a great start.
Very often, ransomware attacks are successful because an unwitting user clicks on a malicious link. Educating users on how to become more aware of malicious emails is a huge step in helping to reduce the probability of a successful attack. At the same time, it’s important to put additional layers of security controls in place to lessen the impact of bad actors, whether they be internal or external, intentional or unintentional.
It all starts with policies and standards. Built upon those policies and standards are the technical controls needed on a systematic level. Good cybersecurity is really a combination of securing the human element as well as your digital assets. The combination of these two will help to lessen the impact when shift happens.
Ask What You Can Do For Your Vendors
Small and medium-sized vendors often struggle to meet the cybersecurity expectations required by their outsourcers. Third-party risk teams can add value by taking off their “assessor” hats and putting on their “consultant” hats.
By changing from assessor to consultant, risk teams assist the vendor in achieving the security and privacy posture required to comply with the outsourcer’s various obligations. This change of focus ensures the business unit can engage or continue to work with the vendor without interruption. This consulting mindset also helps to address the challenges and issues identified through due diligence and continuous monitoring efforts.
Mitigating Risk of Moving to The Cloud
As your organization migrates to the cloud, “don’t just lift and shift.” Your organization really must enhance the foundational elements of cyber hygiene first. You must ensure your network, data, application, asset, third party, identity, and access management controls meet your risk appetite before making the move.
Turning Insecurity Into Security
As we move our organizations and risk management programs forward with new technologies, we should assume that cyberthreats are ever lurking. We cannot define the type of explosive used to make the bomb under the table. We do not know the villain who put the bomb under the table. But we should assume cyberthreats to be omnipresent.
You, as a risk practitioner, know about that bomb under the table. Pull the blanket down from over your eyes, put the popcorn aside, and follow best practices for cybersecurity and the advice of our subject matter experts to avoid the “unexpected ending” to your cybersecurity story…