By Joseph Kirkpatrick, President, Kirkpatrick Price
Developing sound cybersecurity systems is a complex, multi-faceted task, but a crucial one. Not only do these systems help businesses meet their regulatory requirements, but they are intended to help the business succeed. Many businesses focus on the required aspects and simply forget that cybersecurity efforts are meant to achieve and support business objectives.
So, you’ve built cybersecurity practices into your business structure. But once you’ve architected a cybersecurity system, how do you tell if it’s resilient and effective? How do you know if it’s working, before you find out the hard way that it’s not?
What Do Attackers Want?
The goal of a cyberattack is typically to steal the data you are responsible for or to take control of your systems. Have you ever considered how much your data is worth to a hacker? According to Symantec’s 2019 Internet Security Threat Report, hackers can earn $1-$15 for groups of hacked email accounts, $10-$20 for certain hotel loyalty accounts, $0.10-$1.50 for stolen identities, $0.10-$35 for stolen medical records, and $30-$100 for a full ID.
While they’re making money off the hack, what will it cost your business? That depends on how quickly you identify and contain the data breach, who you will need to report to, what systems you will need to fix, and whether you owe your customers anything. Think about Capital One’s 2019 breach: when their cloud migration went wrong and the data of 100 million individuals was exposed, it cost them $80 million in fines alone.
How can your organization develop and measure durable cybersecurity systems to avoid the consequences of a data breach?
3 Measurements for Durability and Resilience
Building a durable and resilient cybersecurity system that can stand up against attackers comes down to being proactive instead of reactive. When you can anticipate what your attackers are going to do and where they will strike, you’re in a winning position.
I’m not asking you to overcomplicate or overdesign your cybersecurity systems – not at all. Mastering the basics may be effective enough for your organization. But there are three signposts for assessing if your cybersecurity systems are durable and resilient enough.
- Becoming Data-Centric: When you implement cybersecurity practices at the data level, the balance shifts so that your systems become difficult to attack rather than merely difficult to defend. It means you’re doing everything possible to cut the attacker off from the moment they begin the attack.
- Minimize Security Incidents: If a security incident does happen, you need to minimize the impact that it will have.
- Continued Operations: Accenture defines cyber resilience as the ability to continuously deliver your intended outcome despite adverse cyber events. When your Business Continuity Plan incorporates and addresses your cybersecurity systems, it will enable you to operate despite a security incident.
The NIST Cybersecurity Framework is an industry standard for learning how to measure your cybersecurity systems’ durability through five steps: identify, protect, detect, respond, and recover. That Framework will be a great resource for developing innovative cybersecurity systems for new areas like IoT, mobile, and the cloud.
About the Author
Joseph Kirkpatrick is the President of Kirkpatrick Price. Kirkpatrick Price is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, and most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and penetration testing. Joseph can be reached online on LinkedIn or at his company’s website https://kirkpatrickprice.com/