10 Steps For Combatting Cyber Threats
Health and fitness goals make annual appearances on New Year's resolution lists, and with good reason: After January vacations and a holiday season of indulgence, steps such as improving diet, losing weight, and getting fit take on a new urgency.
But as a business executive, perhaps you should carry these resolutions a step further. What about the health and fitness of your corporate networks and data? The new year is a perfect time to get your systems into shape, too.
Cyber security, defined by Merriam-Webster as "measures taken to protect a computer or computer system against unauthorized access or attack," is no longer the exclusive domain of the CIO and the IT department. The threat has become so pervasive, the points of illegal entry so numerous, and the implications of a breach so serious that every member of the organization has a stake and a role in protecting the company from cyber threats.
The steps outlined below range from the basic to the advanced. Some forward-thinking organizations will already have tackled some or even many, but, in our experience, very few have adequately addressed them all.
1) Focus on what matters: Identify and document the business-critical functions and information assets that must be safeguarded against cyber attack.
2) Get real about risk: No matter how strong your current security measures, cyber criminals likely know how to circumvent them. That's why you need a risk-based approach to cyber security, one that prioritizes risks based on their likelihood and impact, so you can effectively manage your cyber risk exposure.
3) Know your friends: In a recent Deloitte Touche Tohmatsu survey of technology, media, and telecom companies, 92 percent of participants felt an average or high level of threat from third parties. To help combat this, inventory your extended relationships: supply chain, outsourcing, partnerships, clients, vendors, contractors, etc. Include anyone who has access to your IT infrastructure, and seek assurances from these parties that they are vigilant in addressing cyber security.
4) Become a detective: Develop capabilities for detecting threats to your business-critical functions, information assets, and operational continuity. By centrally monitoring your systems, you can detect cyber threats in real time, enabling you to respond quickly enough to mitigate negative impacts.
5) Draw up emergency plans: When it comes to cyber attacks, prevention is only half the battle. Even the best systems and most vigilant organizations can be compromised. That's why you need to establish procedures to react to cyber attacks, from fiduciary, legal, technical, business, organizational, and branding standpoints.
6) Crash your own gates: Cyber simulations can help you test the effectiveness of your emergency responses and the ability of your systems to detect intrusions and withstand attacks. This enables you to hone both your resiliency plans and your defensive strategies so you can recover quickly and get back to business.
7) Protect what's vulnerable: Cyber criminals increasingly evade current security controls to target vulnerable applications. To protect your business-critical systems, make sure to apply timely patches and software updates to your most exposed assets.
8) Get smart: Enhance your organization's ability to proactively detect and mitigate imminent and emerging cyber threats by leveraging the knowledge of industry associations, as well as commercial and open source intelligence sources. Whether you build the skills in-house or outsource, the key is to establish proactive cyber threat intelligence capabilities.
9) Jealously guard your reputation: Companies that suffer a cyber attack face more than financial loss. They also risk brand damage and the loss of public confidence. To protect your reputation, you need to know who's talking about your brand and what they're saying. By consistently monitoring your brand on the Internet, you can often prevent trademark, copyright, and other intellectual property infringement. More significantly, by improving your cyber security stance, you can even protect your corporate assets and sensitive customer and employee data from the outset.
10) Foster cyber awareness: The weakest link in your cyber security isn't your technology; it's your people. Social engineering attacks that use targeted phishing emails or other techniques often hoodwink users into revealing confidential information or trick them into downloading malware. This makes it easier for cyber criminals to penetrate your network, without even resorting to more traditional hacking methods. Educate your employees to make sure they're aware of these risks and threats.
Make cyber security one of your top resolutions for 2014. The more of these steps your organization can address, the less likely it will be to find itself in an embarrassing, costly, or litigious situation in the wake of a cyber security attack.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2014. For information, contact Deloitte Touche Tohmatsu Limited.