In these times, with the acceleration of the digital economy, it seems there isn’t a day without news about large scale cyber-attacks against reputable companies or major public sector organizations, which creates anxiety among their clients, employees, and users of their services. Most cyber-attacks never even make the news.
Nowhere to hide! Incidents leak, reputations are exposed
Remarkably, we’ve recently seen attacks targeted to major Internet service providers, the very heart of our e-society. For example, let’s look at a big one that made the news – TalkTalk in the UK. The attackers were able to compromise its service and seize personal data on its customers. It is still struggling to rebuild confidence in the market after the devastating effects of these attacks and suffering a major reputational and financial impact.
This is probably one of the more striking examples, but we could certainly list many others from just searching the news.
Quick fixes not good enough
It’s no wonder that cyber security is now top of mind for company top management and in the boardroom. Not that hackers are a recent phenomenon, but digitalization of the business multiplies the opportunities for them, and the risks for their targets.
Faced with such threats, many organisations naturally up their investment in technologies to protect their systems. These tools are becoming more sophisticated, yet hackers and fraudsters continue to find new ways to circumvent protective layers or unfold new vulnerabilities.
In many cases, the responses against cyber threats seems to be more tactical or reactive. In worst cases, protection is implemented in urgency and at high cost after an incident has already happened and costly damage incurred.
For example, when you are faced with leaks in your home, you call a plumber to stop them and repair the broken pieces of equipment, until the next incident. The question then is: is it time to consider upgrading the whole piping system? Or would you continue with these fixes until a major leak hits you and causes mayhem?
Let’s transpose this to the big problem of cyber security in businesses, especially for large ones with extensive business networks which generate many potential points of entry for attackers. We could say that it’s certainly time to look at what type of cyber-governance programs – if any – are in place, and what technologies support them, not limited to point solutions for specific fixes and protections.
There’s help out there
Regulators have been making moves for quite some time, and to a degree have ensured companies get their acts together to, at a minimum, protect their business and incorporate critical IT controls in their compliance programs. This has derived from financial compliance and related regulations such as Sarbanes-Oxley in the US and other more industry-specific regulations.
Beyond this, standards have been developed to help define a more exhaustive framework of controls and best practices that can be implemented for a more robust cyber-governance program. For example under the umbrella of the NIST in the US, a dedicated cyber-security framework was proposed. And there are other standards that can be used, going deeper than the traditional CobIT or other ITIL, such as ISO 27002 and 27003, IASME, etc.
Implementing these standards can seem pretty daunting, and with systems needing to be protected on a day-to-day basis, cyber-governance projects can end up competing for skilled resources. There are obviously numerous advisory and consulting firms ready to help, but best-in-class technology is critical to enable the needed key components such as a robust framework of controls, consistent taxonomies, and operative evaluation, monitoring, and remediation processes.
This is where governance, risk, and compliance (GRC) technology comes into play, bringing the core platform of control to orchestrate the various tools of the enterprise cyber-security arsenal: identity and access governance, fraud and threat detection, and network security monitoring applications among others.
This more strategic and systematic approach may still seem a significant undertaking, but it is unavoidable to ensure that gaps are minimized (and the risk of detrimental breaches that go with them), and that controls established to protect critical systems and the integrity of the business are continuously monitored. The good news is that GRC solutions, and the best practices they bring, make it much more possible and secured.