This is the second blog in a two-part series, breaking down the cost of dealing with an incident versus the cost of investing in cybersecurity to prevent an incident. Learn the value of cybersecurity and how to invest your money wisely.
When it comes down to people, process and technology, people will always be the weakest link in an organization’s metaphorical security fence. Your organization may have the most detailed, security-forward processes and top-notch technical solutions, but if your workforce is not appropriately trained, your security might as well be non-existent. Equip employees with polished, current and industry-relevant cybersecurity training materials. Gone are the days when a simple handout or outdated PowerPoint deck is sufficient. Instead of issuing an annual training, or one that must only be completed when an employee is first hired, ensure that security awareness is built into your organization’s culture. Require a new module to be completed monthly. Run frequent phishing simulation campaigns. Create excitement by offering small incentives for folks who successfully report malicious emails. Investing in cybersecurity awareness and the overall knowledge of your workforce is the number one way to elevate your long-term security posture.
Take the time to understand what regulatory requirements must be met by your business. If your organization becomes the victim of a cybersecurity attack, claiming ignorance will not save you from the monumental fines associated with regulations such as CCPA and GDPR. If your business has an especially complex environment with a large amount of customer information or Personal Health Information (PHI), it may be worth hiring a Chief Privacy Officer or vCISO. This individual should specifically focus on ensuring that customer data is appropriately protected, and that all applicable regulatory requirements are fulfilled by the business.
They say that “practice makes perfect,” and Incident Response is no exception to this rule. Organizations that tested their Incident Response Plan saved approximately $2,000,000 on average in data breach costs compared with those that did not complete testing.
However, many organizations end up building the car while they are driving down the highway at 100 miles per hour. They are hit with an incident and no one has any idea what to do:
- The Incident Response Plan hasn’t been updated in three years.
- No one’s phone number is accurate.
- Cybersecurity insurance was never set up.
- Reporting requirements are not defined.
The possibilities of how things can go wrong are truly endless.
Triaging a cybersecurity incident is an incredibly stressful experience. Alleviate some of that stress and save money by testing your Incident Response Plan via Tabletop Exercises or interactive scenario-driven sessions, at least two times a year. Make sure to include a “Lessons Learned” hot wash after any testing exercises to identify what Incident Response methods worked well, and what could use some work. Finally, take action and ensure proposed enhancements or changes to current Incident Response processes are updated within the Incident Response Plan and associated policies.
You can’t protect yourself against the threats that you do not know you are susceptible to. Execute an annual cybersecurity risk assessment across your organization, accounting for people, process and technology. Consider leveraging an external vendor that specializes in conducting in-depth cyber risk assessments against a respected industry framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Each identified risk should be paired with an in-depth recommendation that can be implemented to either fully remediate or mitigate it. In most cases, findings and recommendations are accompanied by a priority designation or strategic implementation roadmap; these are invaluable tools you can use to determine how to make the most impactful mark on your current security posture.
As mentioned earlier in this report, ransomware was the number one compromise method of 2019. Without viable backups, you are quite literally putting the livelihood of your business into the hands of cyber criminals. According to Unit 42’s 2020 Incident Response & Data Breach Report, an increasing number of incidents have included the deletion or disablement of backups. Regularly create and test backups. Be intimately familiar with the backup restoration process. And most importantly, ensure that backups are stored off-network and are protected by appropriate security measures, so threat actors cannot gain access and disable or delete backups to prevent recovery.
You don’t have to do it all alone. Engaging a cybersecurity consultant or external partner is a great way to introduce security-specific expertise into your organization. Cybersecurity consultants are often privy to best practices and industry trends of the moment, so they will be able to offer new insights regarding what is currently working in the field. Forming relationships with outside experts will equip you with a strong network to tap into whether you are looking to bolster your organization’s security solutions or just gain an outside perspective regarding industry best practices.
Breaches are expensive, and likely more expensive than you thought they would be. While the up-front costs of proactively investing in cybersecurity capabilities may seem expensive, they are likely to save organizations significant amounts of money in the long run. Strategic proactive cybersecurity investments are imperative for organizations that wish to flourish in today’s complex and dangerous cyber landscape.
To get help preventing and combating cyber incidents, contact the Unit 42 Incident Response team.
Read the first part of this series, The True Cost of Cybersecurity Incidents: The Problem.