Cyber resilience is the new buzzword, but what does it really entail? The focus is not just on technology, which is merely a tool, but on creating an unbiased cyber risk management strategy that clearly identifies and prioritizes the cyber risks to your business assets.
Risks are often ignored, treated like a check-the-box item, or are incorrectly weighted due to human bias and lack of communication and proper assessment.
People are a primary cybersecurity vulnerability. People challenges may include inadequate funding from the C-suite, remote employees oversharing files and bypassing security, insider risk and data loss, misconfigurations and overworked IT staff, undertrained users, and vendors with supply chain risks.
People risks also encompass those targeting your organization, including rogue hacker teens leaking source code and sensitive data, or nation-state threat actors focused on espionage, IP theft, and disruption. These human risks play out in the news each week.
An effective security plan must start out with an assessment of the risks to your business assets including people vulnerabilities. The plan should also address potential biases, such as overestimating the user-friendliness of security tools, or overloading existing IT staff with an unmanageable pile of alerts and vulnerabilities.
Honest dialog between departments and employees at all levels will greatly help in illuminating risks, as will building “best practices” partnerships with other organizations’ security teams, the white hat hacker community, vendors, and your internal departments, and proactively interacting with government and regulatory authorities.
For example, the National Institute of Standards and Technology (NIST) is asking for feedback on its new guide that will address artificial intelligence (AI) bias, the “AI Risk Management Framework.”
The 2022 SANS Security Awareness Report from the SANS Institute discusses how to mature your cyber awareness training and states that security awareness training can’t be treated like an annual check-the-box compliance event. However, training doesn’t have to be complicated or expensive.
💡 Tip: Humanize cybersecurity by sharing your security team’s comedic side with funny podcasts or video skits on policies, phishing threats, and security best practices (check out the ones from StaySafeOnline.org).
Opening up communication and learning pathways must be paired with developing processes and methods to continuously assess and capture data on risks to business assets. Guides and automated tools can be a big help in assessing risk and monitoring your changing cyber landscape.
The U.S. Navy’s CIO Aaron Weiss collaborated with Scott Bischoff, the command information officer at the Naval Postgraduate School, to research how technology could be used to innovatively help Navy security staff. These cyber leaders emphasize that cybersecurity can’t have a checklist mentality – continuous monitoring and improvement is required.
Red team events a couple of times a year don’t cut it. Bischoff said: “I don’t want a snapshot. I want a movie throughout the year.”
Automation and artificial intelligence create efficiencies so humans stay focused on higher-level tasks and ever-evolving best practices.
The National Institute of Standards & Technology (NIST) NISTIR 8286 – Integrating Cybersecurity and Enterprise Risk Management guide states its goal as: “This document is intended to help improve communications (including risk information sharing) between and among cybersecurity professionals, high-level executives, and corporate officers at multiple levels.”
NIST’s guide outlines how to develop risk registers, which are interdepartmental communication reports about risks. These feed into a high-level risk profile, which according to NIST, is “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process…” that are then used by enterprise-level decision makers.
Risk assessment challenges outlined in NISTIR 8286 include:
- Insufficient asset information – “Keeping track of an organization’s computing assets, especially end-user devices and data, has always been a challenge.”
- Lack of consistency – “Most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways.”
- Bias – “A significant risk to the effectiveness of cybersecurity controls and mitigation actions is the knowledge, training, and experience of the officer(s) in charge of a risk or set of risks … Decisions are often made based on an individual’s instinct and knowledge of conventional wisdom and typical practices … It is important to look out for and mitigate instances of cognitive bias.”
- Evaluating the current-state risk profile – “Existing organizational practices and conditions (i.e., a current-state profile) should be evaluated to determine how they contribute to potential risk scenarios, as well as considering risk events that have already occurred in similar organizations.”
- Assessing impact – Three areas should be adequately evaluated for risk, including financial, reputation, and mission.
Goals within the guide include:
- Continuous improvement and communication – “A risk-aware culture should be looking for opportunities for improvement—reinforcing effective practices and adjusting to correct deficiencies. Figure 2 points out that communication takes place throughout the risk management life cycle.”
- Continuous risk monitoring – “Because cybersecurity risks and their impacts on other risks frequently change, enterprise risk conditions should be continually monitored to ensure that they remain within acceptable levels.” Table 4 – “Examples of Proactive Risk Management Activities” – is largely focused on communication activities from the leadership level down to the non-technical user level.
- Weigh potential ROI with risk – A SWOT analysis considers strengths and weaknesses as well as threats and opportunities. This can be a useful brainstorming exercise to reveal how a new project’s ROI may weigh against risk.
Cybersecurity risk assessment must include accurate identification of the organization’s assets and determine the potential threats to those assets.
However, per a recent article regarding Forrester’s Zero Trust research, continuous data discovery and classification for Zero Trust projects is a major challenge and causes project failures.
Understanding what risky employee file-handling behavior may have occurred in the past is difficult, as well as monitoring ongoing changes to your data estate of unstructured and structured data. For example, risks may include unencrypted password files, overshared and duplicated PII and business intelligence, over-retained legacy data, and misfiled PHI or PII.
Do you know what and where all your data is? Can you monitor changes to your data estate? Is there over-retained, misfiled, or unencrypted data that should be protected?
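As an added illustration of content-based data discovery (example code written for this article, not Anacomp’s D3 or any product’s logic), the scanner below inspects file contents for PII and plaintext credentials, flags files past an assumed retention limit, and groups byte-identical copies as duplicated data; the patterns, the seven-year limit and the sample files are all constructed assumptions.

```python
import hashlib, os, re, tempfile, time

# Assumed, illustrative content patterns and retention limit (not a product's rule set).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # PII: US Social Security number
    "credential": re.compile(r"(?i)\bpassword\s*[:=]"),  # plaintext password in a file
}
OVER_RETENTION_DAYS = 7 * 365  # assumed retention policy


def classify_file(path, now):
    """Return (sha256, risk tags) for one file, inspecting content rather than attributes."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="ignore")
    tags = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if now - os.path.getmtime(path) > OVER_RETENTION_DAYS * 86400:
        tags.append("over_retained")
    return hashlib.sha256(data).hexdigest(), tags


def scan_tree(root, now=None):
    """Walk a data estate; return {relative path: tags}, adding 'duplicate' for identical content."""
    now = now or time.time()
    findings, by_hash = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest, tags = classify_file(path, now)
            by_hash.setdefault(digest, []).append(rel)
            if tags:
                findings[rel] = tags
    for rels in by_hash.values():  # same bytes in two places = duplicated (possibly overshared) data
        if len(rels) > 1:
            for rel in rels:
                findings.setdefault(rel, []).append("duplicate")
    return findings


def build_sample_estate():
    """Constructed sample files with fake values so the scan runs offline; returns the temp root."""
    root = tempfile.mkdtemp()
    def put(name, text, age_days=0):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        stamp = time.time() - age_days * 86400
        os.utime(path, (stamp, stamp))  # backdate mtime to simulate legacy data
    put("hr_new_hire.txt", "Name: J. Doe, SSN 123-45-6789")
    put("share_copy_of_new_hire.txt", "Name: J. Doe, SSN 123-45-6789")
    put("it_legacy_creds.txt", "admin password: hunter2")
    put("archive_2010_report.txt", "Quarterly results, nothing sensitive", age_days=4000)
    return root
```

Running `scan_tree(build_sample_estate())` yields a per-file finding list that can feed a risk register entry per asset.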
True AI/ML data discovery allows organizations to get a single-pane view of the entire data estate and its risks by automating fast and accurate identification and monitoring of unstructured and structured data.
High ROI results from shrinking data breach vulnerability, saving IT staff from inefficient manual processes, and reducing storage costs from ROT (Redundant, Obsolete, Trivial) data. Clean up your data and then keep it protected with ongoing data discovery workflows.
You can see data discovery in action on your own data by scheduling a free test drive using Anacomp’s D3 AI/ML Data Discovery Solution. D3 is unique because it acts like an intelligent data risk search engine:
- Automate continuous data indexing, risk assessment, and monitoring on petabytes of both unstructured and structured data to manage over 950 file types
- Search and filter on actual file content, not just file attributes, to easily find hidden risks in file contents, such as PII
- Customize visualizations and workflows using user-friendly dashboards, risk filters, data tagging, metadata, and alerts
This article appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.
Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.