Cybersecurity vulnerabilities are an increasing concern for every company in every industry. Year over year, data breaches increase by 75%. Why are they becoming more prevalent, and how can you protect your business?
- 81% of hacking-related breaches leveraged either stolen and/or weak passwords
- 70% of employees reuse passwords at work
- Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified
- 59% of companies experienced a data breach caused by a third party
These stats start to give us an idea of the true root cause of cybersecurity risk. Yes, there are bad actors involved, but data breaches also have everything to do with governance.
Realizing the connection between good governance and cybersecurity is in itself a huge benefit to an organization. Not only do data breaches hold financial and intellectual property concerns, they also have the potential to impact a company’s reputation.
Because of the See-Through Economy, consumers are more aware of data breaches than ever before, they’ve cried out for better protection, and regulators have taken steps towards providing it for them. More opportunities to be hit with regulatory lawsuits mean more chances for a company’s brand to suffer.
The good news is, the leading causes of cyber breaches – weak passwords, ransomware, and third parties – can be entirely mitigated with good governance.
Cybersecurity Risks Are a Governance Problem
For another, many organizations react by conducting employee training. Training increases awareness but is proven ineffective at changing behavior.
Reducing the risk of a cyber attack is no different from reducing any risk; it begins with identification. Specifically, root-cause risk identification, as we’ve started to do with the bullets above.
If 81% of hacking-related data breaches leveraged weak passwords, then expensive point-of-sale solutions or artificial intelligence won’t work.
Additionally, trained employees rarely make an effort to change weak/reused passwords, and the problem lingers. In fact, a survey by LastPass of LogMeIn, a password management tool, found that although 91% of the employees claim to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway.
Moreover, if over half of data breaches that occur stem from third-parties, what good will more training with employees or more expensive point solutions do?
Chances are, you already have many solid security policies and advanced technology in place. The next step is to implement good governance over them to make sure they’re actually protecting your company.
So how is good governance achieved?
Improve Cybersecurity with Good Governance
Good governance doesn’t happen overnight. It takes a village. A huge misperception people have is that cybersecurity is the IT department’s responsibility. But actually, every department plays a key role. The first step to good governance, then, is realizing what piece of the puzzle each department holds. Consider the following:
- IT Security – Does not have the complete asset list, meaning it cannot identify all login practices or monitor password quality or access rights
- Finance – Knows assets and process owner allocation, but has no method/system for sharing that information with the right parties
- Third-Party Management – Has no system for managing authorized assets or sharing information or enforcement of controls
- Legal – Has authority, but lacks any control implementation or monitoring
- HR – Has no way of notifying application administrators of user entitlement changes
- Audit – Has access to an entitlement policy, but doesn’t have a user access list mapped to specific assets
The problems detailed above persist as long as departments are unable to communicate effectively. The information they need does exist; it’s a simple matter of finding out how to access and coordinate that information.
A written password, asset, or access policy will not lead to realized benefits unless these limitations can be overcome. It’s not the existence of the policy itself that improves security; it’s the implementation, or operationalization, of that policy. This is why preventing breaches starts with governance, not technology. The crucial success factor is engaging each business area.
Actively Engage Different Departments in Cybersecurity
Step 1: Compose and Approve the Policy Itself
This step is already performed by the vast majority of organizations. The board or executive leadership decides to mitigate the threat posed by employees’ weak passwords, access rights, and asset lists. It enlists the help of the security department to validate the implementation of these policies.
Step 2: Grant the Security Department the Visibility it Needs
Here is where most organizations falter. They have a policy, but they can’t implement it or are unsure if all vulnerabilities are covered. The failure to operationalize is therefore a governance problem — an inability to coordinate activities and responsibilities across business silos. Senior leadership leaves it to security to ensure the company is adhering to the new policy because, after all, security has the most subject-matter expertise, right?
In reality, security can only handle certain parts of the policy. A current LogicManager customer reported its prior inability to implement such a policy. They told us, “We’ve been in deadlock for three years. We have a policy drafted, but security has said it only has actionable control over certain parts, and so nothing moves forward.”
LogicManager was able to help for a very simple reason: governance platforms provide a centralized information hub, plus the ability to:
- Break up roles and responsibilities
- Assign those roles to appropriate stakeholders
- Create automated tasks to monitor the activity and ensure password/access policies are adhered to by all stakeholders
Step 3. Carry Good Governance Out to Third Parties
Since 59% of data breaches stem from a company’s third parties, it’s not enough to shore up internal security, password, and access rights policies. You need to make sure your vendors are taking as many precautions with your data as you are.
How many applications does your company rely on? How many third parties have access to sensitive information? Which employees have access to which? How much access does each employee need to get their job done?
Again, IT isn’t solely responsible for keeping track of these vendors. Every organization’s finance department maintains a “master asset list” of all applications, since they approve the budgets and execute purchase orders for every application.
Think about your payment systems, payroll system, customer relationship management, vendor management, and other third-party software applications. Once finance provides the list of assets and which departments own them, security simply reaches out to each process owner to operationalize the policy.
Step 4: Hold Each Party Accountable for its Piece
When security is isolated, they cannot operationalize the policy, and it’s paralyzed. But after security has access to information about which managers use which applications, it’s a simple matter of using the ERM system to push out tasks/notifications and track the results.
Each process owner receives an automatic task within the platform, which includes background on the policy as well as what is required of the individual manager. Since it’s functional managers, not the security department, that know which employees should have access rights, it’s easiest to get this information by pushing the requirements and questions down to the front lines.
After process owners handle their own pieces of the policy, they send their information back to the security department, where it can be monitored. The same process can then occur with vendor management; which vendors have access to password-protected applications, and how should their contracts be updated to reflect proper enforcement of the policy? Enforcement is then managed through contract terms and audit capabilities (based on risk assessment priorities).
So consider how achieving good governance can help you eliminate the vast majority of your cybersecurity risk by operationalizing the policies you already have in place across departments and out to third parties.
With the right governance solution, you should be able to operationalize any one of your policies within 90 days. If you operationalize your password policy across the enterprise, you’ve eliminated 81% of your cybersecurity risk.
This article was originally posted on LogicManager.com