The top question on the minds of many of the CIOs, CISOs and CPOs I've met with this past year has been, "How do I keep my organisation out of the news?" Data breaches have moved from a distant fear to a cost of doing business in 2016, and the topic's inclusion in the first presidential debate only amplified that.
Intel Security and the Center for Strategic and International Studies (CSIS) recently released a study reporting that more than 80 per cent of organisations around the world have a significant cybersecurity skills gap. So what does this mean for our organisations?
Prepare for an impact on your company
Of the respondents who reported a cybersecurity staffing shortfall (82 per cent of those surveyed), 71 per cent said the gap had caused direct and measurable damage. I mentioned that facing data breaches is often the cost of doing business, but there are still steps that can mitigate their impact:
- Inventory and understand where your most sensitive data lives. A simple data classification exercise will often show you which data needs to be protected and what the impact of losing it would be.
- Identify stakeholders for the key areas of sensitive data internally and make sure policies for security and safe data handling have been pushed out to your teams.
- Establish a breach response program with those in your privacy and legal practice group to understand potential notification and remediation requirements for your industry.
Remember that being able to prove that automated controls and remediation were in place can often reduce fines after a breach or violation, and taking public steps to respond to a breach increases consumer confidence. This should be at the heart of your organisation, and it does not necessarily require a highly skilled cybersecurity team. The International Association of Privacy Professionals (IAPP) and Cloud Security Alliance (CSA) provide great resources to get you started on educating the professionals you already have in house to help meet this challenge.
Expect a delay in talent, rely heavily on software
There is a reason cybersecurity was brought up in the presidential debates: 76 per cent of respondents blame their governments for not investing in cybersecurity talent. Fewer than 25 per cent of respondents felt that universities fully prepare professionals to enter the cybersecurity workforce, meaning additional education (such as hacking competitions) will need to be provided on the job.
The shortfall of more than 200,000 jobs in the US means that even if you are willing to hire these professionals at a premium, you will face stiff competition for at least the next few years before you can onboard a team large enough to tackle external threats. In the meantime, look to software and automated solutions to:
- Actively monitor access and authorisation to the systems holding your most sensitive data, including automatic detection of suspicious behaviour: the impossible traveller (one account signing in from two places too far apart to travel between in the elapsed time), the disgruntled employee, or the compromised account.
- Routinely check that governance policies are being enforced on the systems containing your most sensitive content, using a data-centric audit and protection solution.
- Implement a digital rights management framework for information protection, so that your most sensitive information stays encrypted even after it has left your company.
Remember to include file shares in this exercise, as "security by obscurity" is not an adequate defence against any cyber threat. A good automation strategy not only helps mitigate risk but, as noted above, may also reduce fines in the event of a breach.
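The impossible-traveller check from the list above, as an added example that is not code from the original article or from AvePoint. It assumes a constructed feed of successful sign-ins, each with a user, a UTC timestamp and the latitude/longitude the source IP was geolocated to; the 900 km/h ceiling and the 50 km jitter floor are assumed tuning values, not figures from the article.

```python
"""Impossible-traveller detection over constructed sign-in records.

Added example, not code from the original article or from AvePoint.
Assumed input: one dict per successful sign-in with user, ISO-8601 UTC
timestamp and the latitude/longitude the source IP was geolocated to.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than an airliner means two people (or one
# stolen credential) rather than one traveller.
MAX_PLAUSIBLE_KMH = 900.0
# Assumed floor: hops shorter than this are ignored so that IP geolocation
# jitter inside one metro area does not raise alerts.
MIN_DISTANCE_KM = 50.0

# Constructed sample events (not real logs). IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2016-10-03T08:00:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},    # London
    {"user": "alice", "ts": "2016-10-03T08:45:00Z", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "bob",   "ts": "2016-10-03T09:00:00Z", "ip": "192.0.2.20",   "lat": 48.8566, "lon": 2.3522},     # Paris
    {"user": "bob",   "ts": "2016-10-03T17:30:00Z", "ip": "192.0.2.21",   "lat": 52.5200, "lon": 13.4050},    # Berlin
    {"user": "carol", "ts": "2016-10-03T10:00:00Z", "ip": "192.0.2.30",   "lat": 37.7749, "lon": -122.4194},  # San Francisco
    {"user": "carol", "ts": "2016-10-03T10:02:00Z", "ip": "192.0.2.31",   "lat": 37.8044, "lon": -122.2712},  # Oakland
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse_ts(ts):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' format as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair (per user) that would
    require travelling faster than max_kmh. Events may arrive out of order;
    they are sorted per user before pairing."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_km:
                continue  # treat as geolocation jitter, not travel
            hours = (_parse_ts(cur["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            # Identical timestamps but distant locations: infinitely fast.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "required_kmh": round(speed) if hours else None,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only alice's London-to-New-York hop is flagged: roughly 5,570 km in 45 minutes. Bob's Paris-to-Berlin trip over eight and a half hours is an ordinary train ride, and carol's two Bay Area sign-ins fall under the distance floor. In production the same pairing logic runs over the identity provider's sign-in log, and the thresholds should be tuned against known VPN and mobile-carrier geolocation behaviour before the alert is wired to an on-call rotation.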
Establish a culture of privacy by design
Whether your organisation chooses to hire additional cybersecurity experts from the industry or develop them internally through training, your company has to respect cybersecurity as a discipline for this programme to flourish. While we all acknowledge that external threats pose a great risk, remember that internal risk is a very real danger for every company.
Creating a culture that puts data privacy first, collecting only the information you need, disposing of data you no longer need, and following other best practices will go a long way towards making up for the lack of in-house resources. Remember: ultimately, cybersecurity is everyone's job.
John Hodges, Vice President of Product Strategy, AvePoint