As regulatory compliance pressures increase, CIOs must take a progressively integrated and holistic approach to information risk management.
The pace and scale of cyber-security threats continue to increase, endangering the reputations of even the most trusted organizations, which struggle to keep up with the speed and sophistication of global cyber-attacks.
PwC recently highlighted numerous cyber-security issues that should be of concern in today’s connected society and, according to the Ponemon Institute’s 2015 Cost of Data Breach Study, the average consolidated total cost of a data breach is $3.8 million. These findings demonstrate the importance of having a business process in place for cyber-security preparedness.
Organizations are also becoming increasingly dependent on cloud services, both internally and through third-party suppliers across multiple jurisdictions. While these services can be implemented quickly and easily, organizations need a clear understanding of where their information is stored and processed and how reliable the services are.
This means taking a progressively integrated and holistic approach to information risk management. By implementing strong information security measures before regulators demand them, the CIO is far more likely to stay ahead of regulatory mandates rather than react to them.
There is no way around data privacy laws and regulations: businesses must either comply or pay a stiff penalty. Few jurisdictions are alike in their privacy legislation or in their requirements for fraud and breach prevention. Traditional information protection methods may be difficult to apply, or useless, when data is stored or processed in the cloud. Unless you continuously monitor the rules, and put mechanisms in place to do so, you may be compromising both your data and your corporate responsibilities.
Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, organizations need to treat privacy as both a compliance issue and a business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and the consequent loss of customers after a privacy breach.
Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some impose no additional requirements; others have detailed ones. To determine which cross-border transfers a particular cloud-based system will involve, an organization needs to work with its cloud provider to establish where the information will be stored and processed, including any replication and backup locations.
Cyber-resilience recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves. Cyber-resilience is about ensuring the sustainability and success of an organization, even when subjected to the almost inevitable attack.
Organizations of all sizes need to make sure they are fully prepared to deal with attacks on their valuable data and reputations. The faster you respond to an incident, the better your outcome will be. Here are steps businesses should take to better prepare:
*Re-assess the risks to your organization and its information from the inside out
*Change your thinking about threats: “It couldn’t happen here” is not a great backup plan
*Revise cyber-security arrangements: Establish a cyber-resilience team and put a recovery plan in place
*Focus on the basics: People and technology
*Prepare for the future: Be ready to provide proactive support to business initiatives in order to protect your reputation and minimize brand damage
Safeguarding Your Data
Business leaders recognize the enormous benefits of cyberspace, and how the Internet and today’s growing use of connected devices greatly increase innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, many have difficulty weighing those rewards against the risks.
At a minimum, organizations must have a recognized baseline of security controls in place. One example of such guidance is the Information Security Forum (ISF) Standard of Good Practice (The Standard). The Standard is used by many global organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the cloud, insiders and espionage. As a result, The Standard helps ISF members stay at the leading edge of good practice in information security.
Risk Happens; Awareness Is Key
Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. If the data being moved is subject to privacy regulations, and the data centers are in different jurisdictions, this can trigger additional regulations or result in a potential compliance breach.
Managing information risk is critical if organizations are to deliver their strategies, initiatives and goals. Information risk management is therefore valuable only insofar as it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. An organization’s risk management activities, whether coordinated as an enterprise-wide program or at functional levels, must therefore include assessment of the risks to information that could compromise that success.
Four Actions for Better Preparation
Demand for cloud services continues to increase as the benefits of cloud services change the way organizations manage their data and use IT. Here are four actions that organizations can take to better prepare:
*Engage in cross-business, multi-stakeholder discussions to identify the organization’s cloud arrangements
*Understand clearly which legal jurisdictions govern your organization’s information
*Adapt existing policies and procedures to engage with the business
*Align the security function with the organization’s approach to risk management for cloud services
With increased legislation around data privacy, the rising threat of cyber-theft and the requirement to access your data when you need it, organizations need to know precisely how far they rely on cloud storage and computing. But remember: your privacy obligations do not change when information moves into the cloud. This means that most of an organization’s existing efforts to manage privacy and information risk can be applied to cloud-based systems with only minor modifications, once the complexity of the cloud arrangement is understood. That provides a low-cost starting point for managing cloud and privacy risk.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.