Cyber Safeguarding Your Enterprise: Seizing Opportunities to Tackle Risk

According to IBM, 51% of organizations are planning to increase security investments as a result of a breach, including incident response (IR) planning and testing, employee training, and threat detection and response tools. Businesses today rely on IT systems, including third-party software solutions, to drive many day-to-day operational activities. In recent years, there have been attacks on IT support software (SolarWinds, Atlassian), critical infrastructure (Colonial), and most recently, file transfers (MOVEit) which have impacted companies such as Estee Lauder, British Airways, Shell, Norton, and many government agencies. 

The Ponemon Institute reports that 53% of companies have experienced a third-party data breach in the past year. It appears that government and regulatory sector activity has increased to address these concerns.  

• The White House has issued recent guidance and continues to push effort and money into how to address cybersecurity.  
• The SEC has updated their guidance, and NIST has been asked to update its framework.   

• The Cybersecurity and Infrastructure Security Agency (CISA) continues to publish guidance and establish groups to address cybersecurity. 
• We continue to see privacy laws and interpretations expand and change.  

While these efforts are interconnected, each action is separate and regulatory response continues to add up for organizations.  

So, what can organizations do? UHY Consulting believes the foundation to resilient cyber success is to focus on the underlying threat and to prepare for that risk to materialize adequately. This unique approach allows organizations to lower their risk profile by understanding where threats may exist while proactively defining security event processes. 

Prioritization of an organization’s cybersecurity risk: Closing the gap 

Per Accenture, 68% of business leaders feel that their cybersecurity risks are increasing. So, what is Cybersecurity Risk? The definition of risk can change depending on the group. For instance, the HR team might emphasize that the primary risk lies in employment data, whereas the operations team might highlight intellectual property data as the most critical. Working through these essential systems and data internally can be problematic for an organization. However, knowing the importance of these systems and data is vital in understanding the risks and developing processes to mitigate those identified risks.  

Once an organization has identified the critical data, and the systems that support the data, then the task turns to understanding the data flow. How the data comes in, how/where it is stored, how it has access along the path, and where it possibly goes. This step has become increasingly difficult for some organizations due to third-party software, such as SaaS or other cloud-based storage. For example, the organization uses a data set to create its financial model for the upcoming quarter. The team in charge of the model has found it is more efficient to use third-party storage to allow collaboration on their modeling tasks and have set up the system themselves without IT management's assistance. Now there are multiple new risks, such as the risk that IT and Operations are no longer aligned, storing critical data against policy, access controls around this data may be hampered or avoided, etc. Most important, the organization is unaware that these new risks are present. 

The above scenario illustrates why having a third-party conduct a cybersecurity risk assessment can be advantageous. The third-party will gain a thorough understanding of data usage and have the experience of working with many other organizations to know where or what to ask to discover these possible additional risk areas. 

Additionally, using a framework assists in defining the policies and procedures for establishing and maintaining security controls. It also clarifies the processes used to protect an organization from cybersecurity risks.  While several frameworks are options, it is essential to ensure that the selected framework(s) are tailored to the organization to meet its specific security needs. 

The final step of the cybersecurity risk assessment process is developing the roadmap for addressing the identified risks. Again, a third party has the experience gained in working with other organizations and knows what has or has not been successful in tailoring and prioritizing roadmap items.  

Security event preparedness 

The other scenario to prepare for is a security event, such as a breach, lost device, or intrusion into a system. According to the Ponemon Institute, 64% of businesses have already experienced web-based attacks. Due to the increasing odds of experiencing some cybersecurity event, being as prepared as possible is critical to responding and recovering. As of the fourth quarter of 2021, the average length of interruption after ransomware attacks on businesses and organizations in the United States was 20 days, according to Statista.  

The first step is to be able to detect that an event is occurring. Proper logging and alerting of crucial systems and data is necessary to lower the detection time of a cybersecurity event. Endpoint Detection and Response (EDR) or if outsourced by the organization as a Managed Detection and Response (MDR) are typically how organizations address this issue, but finding the appropriate fit and use of these technologies can be difficult, as well as ensuring that the organization is receiving the necessary information needed to make their cybersecurity decisions. 

The next step is to have procedures in place to address cybersecurity events. Typically, the first procedure concerns incident response (IR), as events are usually detected through a help desk ticket or system not behaving as expected. Having a strategy in place outlines the process (the who, what, when, and how), with the appropriate personnel trained within the organization. Additional procedures are also needed, such as disaster recovery and/or business continuity if an event is elevated through the IR process. 

Also, there should be communication processes built into processes and procedures, such as internal reporting chains, customer/public updates, and proper notification processes based on the incident. Training personnel in the communication process and having joint tabletop sessions with their IT counterparts assists in conducting these procedures during an actual event. 

Another step organizations can take is to identify and retain third parties that may be needed to address cybersecurity incidents, such as outside counsel, digital forensics team, etc. These third-party companies typically have the additional training, tools, and experience to ensure the appropriate steps are taken. When a cybersecurity event occurs, these agreements will speed up the organization's response and recovery functions. 

Conclusion 

Cybersecurity is not a one-size-fits-all proposition. It requires continuous efforts, investments, and adaptations as threats evolve. However, taking these steps to understand cybersecurity risk and preparing to address it when a risk becomes an incident will improve the organization's ability to understand what is at stake and speed up the return to normal operations.  

How can UHY Consulting assist? 

The UHY Consulting Cybersecurity and Risk team has years of experience in assisting organizations with their cybersecurity risk assessment and security event preparedness. Our methodology and tools, along with thought leadership, have been developed through work and hands-on solutions design engagements. Considering business drivers, security industry trends that indicate future variables, and return on investment calculations for security mitigation techniques, we will recommend customized solutions that align with an organization’s objectives now and for the future.