Ashish Thapar: With data breach, prevention is worth a pound of cure

Unless you make resiliency a priority, your data and reputation will remain at risk in a digitized world, says Ashish Thapar of Verizon Enterprise Solutions

Ashish Thapar, Jan 24th 2018

“We have been breached” are the four words dreaded by the C-suite of any company. These four words may not only represent a loss of money and/or data but also obliterate a company’s reputation and threaten its foundation in the eyes of its stakeholders.

In the event of a data breach, a company has to bear various costs. It starts with identifying and fixing the problem. On top of that, there can be claims from the victims to replace stolen assets (e.g. money or any monetizable asset) and, in extreme cases, to provide them with identity-theft protection. Yet, surprisingly, many companies survive the immediate financial impact, and sales figures often climb back to pre-breach levels.

Damage to your reputation could be irreparable


While consumers might forgive quite quickly, they don’t forget. Trust is hard to earn—and it’s even harder to win back as competitors lurk. To complicate matters, companies now have to deal with online news and social media, which often require a different set of skills. The reality is that, depending on the severity of the breach, companies may be associated with poor cybersecurity long after the criminals have moved on and business is back to normal.

Let’s assume that your sales recover to pre-breach levels. Customers may continue buying out of convenience, habit or familiarity. However, will they download the new mobile app, leave their credit card details, or sign up for that loyalty program? If customers choose not to share such information because of mistrust, it could seriously harm opportunities for growth.

Is prevention better than cure? The saying could not be more apt for companies adopting cyber security measures today. The following eight recommendations will help businesses build sustainable security controls that provide lasting protection from cyber-attacks:

• Implement effective and pragmatic cyber risk management controls: Every company is different, and so are the information it handles, the threats it faces and its risk appetite. Identifying the crown jewels, evaluating the threat landscape, prioritizing cyber security investments and measuring and maintaining the implemented controls go a long way towards bolstering an organization’s cyber defences. A better understanding of the complete costs helps you make wise decisions ahead of time and achieve a better return on your investments.

• Balance focus, effort and costs across the three tenets of information security spending: Prepare, Detect and Respond. Companies have historically focused only on the prepare and detect tenets. Incident response is now the next focus area, with more and more companies trying to identify shortcomings and enhance their preparedness to handle cyber incidents. Remember: “It is not a question of if, but when.”

• Invest in training of employees: Employees should know how to enhance, monitor and measure the effectiveness of security controls and, more importantly, how not to become easy targets for social engineers.

• Actionable and pragmatic intelligence is key: Receiving relevant and actionable intelligence is, in most cases, key to staying ahead of cyber criminals. This intelligence should be well integrated, easily consumable and actionable. Every company is different, and this intelligence can come from public sources, cloud-based sharing platforms, dark web research, internal monitoring and event correlation, and threat hunting exercises.

• Meet compliance standards: Payment Card Industry Data Security Standard (PCI DSS) compliance is necessary for companies handling card payments. Organizations that concentrate on the long-term effectiveness of their security controls have a big advantage over those that focus on short-term compliance.

• Make sure controls work together: The performance of each security control is interlinked. If there’s a problem at the top, it will affect the controls beneath it. All controls need to work together in an effective and sustainable way to protect your data. Consolidating security controls makes it easier for organizations to manage multiple sites, multiple platforms and multiple networks.

• Getting cyber insurance right: Organizations need to see cyber liability insurance as a standalone policy and as a way to manage unplanned expenses in the event of a breach. These expenses usually stem from forensic investigations, containment, remediation, and the recovery of business processes.

• Sharing is caring: Sharing data-breach information is vital not only in the fight against cybercrime but also in understanding how a breach can impact an organization’s reputation and operations. While there are no mandatory data breach notification laws in India, sharing data breach information across collaborative industry groups, ISACs and local CERTs remains one of the most effective ways to combat cybercrime.

As India creates its path to a digital future, an increasing number of governments, consumers and enterprises are spending more on ensuring a robust IT infrastructure for smart cities, smart vehicles, smart systems and a digital society. Companies are becoming more and more reliant on digitization, and so they need to work continuously to maintain effective risk management and strong cyber security controls while ensuring sustainable compliance and ultimately keeping the organization secure. Cybercriminals are constantly testing defences, hunting for hidden weak spots and new ways to get in. Unless you make resiliency a priority, your data and reputation will remain at risk.

The author is Managing Principal, APJ at Verizon Enterprise Solutions.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).