Natural disasters. Extreme weather events. Climate change. In the World Economic Forum’s (WEF) Global Risk Report 2019, these are listed as the top risks we are likely to face this year, which could be catastrophic to not only the affected industries, but also the world we live in.
Similarly, these descriptions could apply when analysing cyberattackers, who are equally as unsympathetic with their targets. With data fraud/theft and cyberattacks rounding off the top five on the WEF list, the world is most certainly taking notice of the constant barrage of headlines regarding data breaches. It will take a collective effort where employees and enterprises share responsibility to reduce cybersecurity risks.
To help, here are six tips to help enterprises of all sizes improve cyber risk management this year.
- Security threats, risks and trends in 2019
- Safer in the clouds: mitigating security risks in hybrid, multi-cloud environments
- Why risk-based security is the key to driving business value in 2019
Finding a balance
Identifying the right balance between risk and reward is an age-old battle, but having this aligned with the main objectives of the business is key to helping make the most effective risk management decisions.
By coming together, security teams can become more effective with efforts to help the enterprise and its employees to recognise their shared responsibilities in reducing cybersecurity risks.
However, the organisation as a whole must come to an agreement on its risk tolerance levels and adopt a standard methodology combining people, process and technology to measure and respond to certain high-profile risks. It’s also important that the monitoring of risks is carried out on a continuous basis.
Be smart when purchasing
Many organisations make the mistake in rushing to purchase the latest shiny new security tool in the market before realising it may not be necessary.
Security teams often have the tightest budgets, so any purchase made has to be relevant. Therefore, security teams should spend less time hunting for that “silver bullet” solution, particularly considering today’s security solutions are mainly point solutions that may not effectively address threats unique to that business. It is paramount reviews are conducted across the entire system.
Only once this is complete will the security department have a more complete understanding of where the seams and risks are and, from here, they will be able to make an informed decision as to what technology to invest in.
Avoid being static
So, you’ve got the tools; you’ve got your defence model in place; your security team has mastered the current ethos towards cybersecurity. Now what?
Well, cyber is a constantly evolving beast with hackers growing in both intelligence and deception. Therefore, being proactive and nimble, with a strategy that can quickly adapt to the changing nature of the business as well as against new threats could be the difference between a business suffering a catastrophic breach or dodging a bullet.
Protect the right data
Data makes the world go around. Consumers have it. Organisations need it. Hackers want it.
With this in mind, business decision makers need to evaluate what data is required to enable the company to fully function and operate. Consumers are becoming savvy as to where their data is and how it’s being protected. Therefore, the onus is now on organisations to have a dedicated structure in place for data while providing adequate reasoning for their need/use for it.
For this reason, those responsible for data security need to have visibility into the flow of data and flag any possible risks associated with it. From here, organisations can prioritise any necessary security failings.
Drill home security awareness
The power of educating the workforce about the basics of cybersecurity should never be underestimated.
With more than 90% of security breaches involving human error at some point, informing employees about the do’s and don’ts can help reduce, and possibly, remove the element of carelessness. Having a dedicated security awareness training course should be made mandatory for businesses to help implement best security practises.
For example, such programs can teach employees the various social engineering tactics employed by hackers, which can help spot the tell-tell signs of a phishing email. If this is implemented, enterprises should see a positive change in employee behaviour towards cybersecurity and this will in turn make the business more secure.
Go beyond the call of duty
With a host of security and data protection regulations coming into force on both sides of the Atlantic, enterprises have felt pressure to achieve compliance. But this shouldn’t be the objective. Instead, sustaining and maintaining compliance should be the goal.
The National Institute of Standards of Technology (NIST) framework and the European General Data Protection Regulation are both perfect guides for those seeking to meet compliance needs as well as address much needed security, privacy, and risk failings.
Remember, security and compliance are not the same, but both are critical for any business to survive in the modern world.
Bindu Sundaresan, Director of AT&T Cybersecurity
- We've also highlighted the best antivirus to protect your organization from the latest cyber threats
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Bindu Sundaresan is the Director of AT&T Cybersecurity.
She is a highly-motivated and resourceful Security Professional with an engineering background and 17 years of experience with a record of developing and supporting successful initiatives and solutions incorporating a wide range of technologies and industry best practices. Consistently recognized as able to improve organizational effectiveness and efficiency through a leadership style that aligns the business processes, information technology, and corporate security function to realize cost savings, accelerated performance, and to sustain strategic flexibility for the organization.