Is Your Company’s Cybersecurity Posture Up To Par?
posted Mar 13, 2018 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Are your employees well versed in your cybersecurity risk controls? Employees are often the weakest link in an organization’s cybersecurity policy. Something known as employee posture training can help your business mitigate this risk. Learn more...
What is security posture?
The cybersecurity “posture” of an organization refers to its overall cybersecurity strength. There are different tests that you can conduct to assess how strong your organization’s posture is. Employee posture training is arguably the most important part of assessing your organization’s cyber risk posture. This involves making sure your employees are well read on the mechanisms of spam, phishing and malware through simulated phishing attacks and security awareness training. The posture should be considered as your organization conducts a comprehensive (and honest) cybersecurity Risk Assessment.
5 questions to address to determine your security posture
- What are your biggest security concerns?
- Is your security spending and expertise properly allocated to address these risks?
- Do you regularly conduct security assessments, such as penetration tests? (Many companies do this on a bi-annual basis.)
- How realistic is your plan to address the security gaps that you may have today?
- Do you have an established process to address computer security breaches?
What’s at risk if your business’ cybersecurity posture is not strong?
- Brand damage and reputation loss
- Losing clients
- High costs for recovery
- Fines and other penalties from regulators
All of the above can lead to an organization ceasing operations.
Ways to mitigate risks
Studies have shown that it’s important to invest in people, processes, and technologies to mitigate cyber risks and develop a strong cyber risk posture.
People: The importance of security education: employee posture training
It’s not uncommon for companies to overlook the possibility that employees may leak data (either intentionally or unintentionally), causing a major data breach. In a lot of companies, cybersecurity education is either overlooked or given maybe once a year via PowerPoint or a short webinar that users click through quickly or do not listen to or pay attention to. Effective end user security education can dramatically reduce the success of social engineering and phishing attempts against an enterprise, and simulated phishing attacks are one way to deliver it.
Starting point: The first time employees come through the door, start building cybersecurity awareness by conducting security training as part of the onboarding process. That way they have cyber awareness on the mind from their first day on the job. Build your security training based upon your operations and the potential events that your employees could encounter on a day-to-day basis. Do not settle for generic security training.
Looking for helpful tips for your employees? Check out our sister company Envision’s recent blog, “5 Tips to Avoid Phishing and other Cyber Threats.”
Processes: The importance of planning ahead.
User education is a key step for all organizations to take to better their risk posture. Some other things we recommend to have in place:
- Management systems: Limit user privileges and monitor all activity that goes in and out of company devices. You need to have a team who can properly manage the process of assessing risks and implementing controls (both in the business and the supply chain).
- Governance frameworks: It is essential to establish an effective governance structure and determine your risk appetite, just as you would for any other risk. Ensure that your governance framework encompasses information risk across the business, and apply the same degree of rigor to these risks as you apply to financial and other risk management systems.
- Incident management processes: Plan for a worst case scenario and have regularly tested incident management processes and contingency plans in place. This will allow you to recover from and reduce the impact of any cyber breach.
Technology: What controls do you have in place?
Among the essential technological controls every organization should have in place:
- Firewall: A digital locked door to your information.
- Spam filter: Blocks thousands of phishing emails a day.
- Content filter: Prevents employee access to websites you deem too risky.
- Anti-virus and anti-malware: Helps to protect devices from incoming threats, and seeks out and removes possible threats to the systems.
- Encryption: Ensures that information is only accessed by the individuals or systems intended to view or access it.
Interested in assessing your organization’s cyber risk posture? We can assist you in conducting a cyber risk assessment. Contact our Information Services Team for more information.