Cybersecurity vulnerabilities are a concern for every company in every industry. In 2016, 4.2 billion records were stolen during 4,149 reported data breaches. This doesn’t take into account breaches not noted in the public record.
According to a Ponemon Institute survey, while security incidents have expensive consequences, costs associated with reputational damage are even greater. That explains why more than 60% of executives are primarily concerned with negative brand impact, according to the report.
Even so, facing the problem might feel like being stuck between a rock and a hard place. Training employees on safe data practices is time-consuming, and cybersecurity solutions can be prohibitively expensive.
It turns out neither approach is effective. The real solution is straightforward and doesn’t cost a penny.
Cybersecurity Vulnerabilities Are a Governance Problem, not a Technology Problem
Breaches rarely occur because of insufficient technology; this is a governance problem. Many organizations react by conducting employee training. Training increases awareness but is proven ineffective at changing behavior. Furthermore, extensive spending on specific cyber tools has created more gaps than it’s closed. Studies confirm this inefficient resource allocation damages company reputation and often incurs legal costs.
Reducing the risk of cyberattack is no different from reducing any risk; it begins with identification. Specifically, root-cause risk identification. Verizon’s 2016 Data Breach Investigations Report revealed that “63% of confirmed data breaches involved leveraging weak, stolen or default passwords.”
It therefore makes sense that expensive point-of-sale solutions or artificial intelligence don’t work. Training increases awareness of the problem, but it’s an extremely poor catalyst for action. In other words, trained employees rarely make an effort to change weak/reused passwords, and the problem lingers.
Two other important parts of the equation are access rights and asset management. Do all employees have access to only the applications they need to perform their roles effectively? Are all assets that contain sensitive information documented and included in your company’s password policy? Most likely, no. Seven out of ten organizations have material gaps in their asset management tracking of devices, applications, and services, and this is a major cause of problematic passwords.
Complexity: The First Barrier to Successful Implementation
Redesigning and implementing (operationalizing) a policy that addresses cybersecurity vulnerabilities should take no more than 90 days to become effective.
Often, organizations struggle to review, revise and implement their policies within that timeframe. Many groups within the company hold a piece of the puzzle, but organizations don’t have the ability to put the full picture together. Consider the following table:
| Department | Gap |
| --- | --- |
| Finance | Knows assets and process owner allocation, but has no method/system for sharing that information with the right parties |
| Vendor Management | Has no system for managing authorized assets, sharing information, or enforcing controls |
| Legal | Has authority, but lacks any control implementation or monitoring |
| IT Security | Does not have the complete asset list (finance does), meaning it cannot identify all login practices or monitor password quality or access rights |
| HR | Has no way of notifying application administrators of user entitlement changes |
| Audit | Has access to an entitlement policy, but doesn't have a user access list mapped to specific assets |
The problems detailed in the above table persist as long as departments are unable to communicate effectively. The information they need does exist; it’s a simple matter of finding out how to access and coordinate that information.
A written password, asset, or access policy will not lead to realized benefits unless these limitations can be overcome. It is not the existence of the policy itself that improves security; it is the implementation, or operationalization, of that policy. This is why preventing breaches starts with governance, not technology. The crucial success factor is engaging each of the business areas that can be responsible for a certain component.
Implement and Sustain Your New Policy by Actively Engaging Appropriate Roles
Step 1: Compose and Approve the Policy Itself
This step is already performed by the vast majority of organizations. The board or executive leadership decides to mitigate the threat posed by employees’ weak passwords, access rights, and asset lists. It enlists the help of the security department to validate the implementation of these policies.
Step 2: Grant Security the Visibility it Needs
Here is where most organizations falter: they have a policy, but they can't implement it or are unsure whether all vulnerabilities are covered. The failure to operationalize is therefore a governance problem: an inability to coordinate activities and responsibilities across business silos. Senior leadership leaves it to security to ensure the company is adhering to the new policy because, after all, security has the most subject-matter expertise, right?
In reality, security can only handle certain parts of the policy. A current LogicManager customer reported its prior inability to implement such a policy. They told us, “We’ve been in deadlock for three years. We have a policy drafted, but security has said it only has actionable control over certain parts, and so nothing moves forward.”
LogicManager was able to help for a very simple reason: ERM provides a centralized information hub, plus the ability to:
- Break up roles and responsibilities;
- Assign those roles to appropriate stakeholders;
- Create automated tasks to monitor the activity and ensure password/access policies are adhered to by all stakeholders.
This makes it easy for security to find all devices, applications, and services that weren’t previously visible. Specifically, every organization’s finance department maintains a “master asset list” of all applications (finance approves the budgets for and executes purchase orders for every application!).
Think about your payment systems, payroll system, customer relationship management, vendor management, and other third-party software applications. Once finance provides the list of assets and which departments own them, security simply reaches out to each process owner to operationalize the policy.
Step 3: Hold Each Party Accountable for its Piece
When security is isolated, they cannot operationalize the policy, and it’s paralyzed. But after security has access to information about which managers use which applications, it’s a simple matter of using the ERM system to push out tasks/notifications and track the results.
Each process owner receives an automatic task within the platform, which includes background on the policy as well as what is required of the individual manager. Since it’s functional managers, not the security department, that know which employees have access rights, it’s easiest to get this information by pushing the requirements and questions down to the front lines.
After process owners handle their own pieces of the policy, they send their information back to the security department, where it can be monitored. The same process can then occur with vendor management: which vendors have access to password-protected applications, and how should their contracts be updated to reflect proper enforcement of the policy? Enforcement is then managed through contract terms and audit capabilities (based on risk assessment priorities).
Enterprise risk management enables security to provide the board absolute assurance of the quality and effectiveness of policy execution.
To learn more about eliminating cybersecurity vulnerabilities throughout your enterprise, read our previous blog, “Mitigating Cyber Risk Should Be a Top Executive Priority.”
For more information on how a risk-based approach can foster engagement, explore LogicManager’s information security and technology solutions.