It’s no surprise that cyberattacks continue to increase in frequency and impact for enterprises across every industry. Recent research suggests the cost of cyberattacks for the average company is nearly $8 million per year.
All industries fall victim to cybercrime, but to different degrees. In the coming weeks, we will take you through five of the industries we encounter most when working with enterprises to secure their data, all of which appear on the Ponemon Institute’s list of top verticals falling victim to cyberattacks: aerospace, education, financial services, healthcare, and insurance. We will take you through the specific threats, nation- and industry-specific regulations, and cybersecurity use cases each of these verticals must address.
While there are specific compliance regulations by which companies must abide, it is important to understand that regulatory compliance is just the beginning of the journey to true cybersecurity. For example, we’ve seen countless healthcare organizations fall victim to massive data breaches even though they were found to be Health Insurance Portability and Accountability Act (HIPAA) compliant.
As you are reviewing your cybersecurity strategy, it’s important to walk before you run. Don’t just implement new technology for the sake of new technology. Patchwork security fixes are just that: patchwork. They don’t get to the heart of the problem, and you’ll constantly find yourself plugging an even bigger security hole.
First and foremost, you need to understand what’s critical to your business through a risk assessment. Only then can you put a plan in place that truly protects your data, detects any breach, and responds to threats rapidly.
A risk assessment isn’t an opportunity to play the blame game. It’s an audit of what you have today in order to plan for a more secure tomorrow. Ensure all line-of-business leaders participate in this assessment. This isn’t just an exercise for the security team; cybersecurity is everyone’s responsibility.
Here are five steps you can take that will get you on your way to proper risk assessment:
- Identify information assets. Consider the primary types of information your company handles, and make a priority list of what needs to be protected. This list should also reflect whatever region- or industry-specific compliance regulations you must address (e.g. HIPAA for healthcare and the Payment Card Industry Data Security Standard (PCI DSS) for financial services).
- Locate information assets. Identify and list where each item on the information asset list resides within your organization.
- Classify information assets. Assign a rating to your information asset list, so you can prioritize what’s most important to protect first.
- Conduct a threat modeling exercise. Rate the threats that top-rated information assets face. One option is to use Microsoft's STRIDE method (spoofing of identity, tampering with data, repudiation of transactions, information disclosure, denial of service, elevation of privilege).
- Finalize data and start planning. Now you have a rational and comprehensive ranking of threats to your organization. It includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable security plan will tackle the biggest risks first.
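The five steps above come together in a risk register: each asset carries where it lives (step 2) and a classification (step 3), each STRIDE threat against it carries a rating (step 4), and the final ranking (step 5) orders asset/threat pairs by classification times threat rating. The code below is an added illustration, not from US Cyber Vault; the scoring formula, the 1 to 5 scales, the extra weight for regulated data, and the inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six STRIDE threat categories named in the post.
STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information disclosure", "Denial of service", "Elevation of privilege")


@dataclass
class Asset:
    name: str                                  # step 1: what the information is
    location: str                              # step 2: where it resides
    classification: int                        # step 3: 1 (low) .. 5 (critical)
    regulations: Tuple[str, ...] = ()          # e.g. ("HIPAA",) or ("PCI DSS",)
    threats: Dict[str, int] = field(default_factory=dict)  # step 4: category -> rating 1..5


def risk_register(assets: List[Asset]) -> List[Tuple[int, str, str, str]]:
    """Step 5: rank every (asset, threat) pair by classification * threat rating.

    Assumed weighting: assets under a compliance regime gain one classification
    level (capped at 5), so regulated data never ranks below unregulated data of
    the same nominal importance. Returns rows of (score, asset, location, threat).
    """
    rows = []
    for a in assets:
        if not a.location:                      # step 2 must be complete before ranking
            raise ValueError(f"asset {a.name!r} has no recorded location")
        if not 1 <= a.classification <= 5:
            raise ValueError(f"asset {a.name!r} classification out of range")
        weight = min(5, a.classification + (1 if a.regulations else 0))
        for category, rating in a.threats.items():
            if category not in STRIDE:
                raise ValueError(f"unknown STRIDE category: {category!r}")
            rows.append((weight * rating, a.name, a.location, category))
    # Highest score first; ties broken by asset name, then threat category.
    return sorted(rows, key=lambda r: (-r[0], r[1], r[3]))


# Constructed inventory for a mixed healthcare/payments environment.
INVENTORY = [
    Asset("Patient records", "EHR database", 5, ("HIPAA",),
          {"Information disclosure": 4, "Tampering": 3}),
    Asset("Cardholder data", "Payment gateway", 4, ("PCI DSS",),
          {"Information disclosure": 5, "Spoofing": 3}),
    Asset("Marketing site", "Public web server", 2, (),
          {"Denial of service": 4, "Tampering": 2}),
]

if __name__ == "__main__":
    for score, asset, location, threat in risk_register(INVENTORY):
        print(f"{score:>3}  {asset:<16} {location:<18} {threat}")
```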
US Cyber Vault can be your trusted advisor to help you assess your existing security posture as well as create and implement a best-in-class strategy that aligns to your specific cybersecurity and budgetary needs. Starting with penetration testing and then either using Shield to protect your existing IT environment or Vault to move your data and applications into a secure cloud, our experienced team of intelligence agents will help you maximize security and efficiency in a true team environment with complete cooperation. Unlike many companies, US Cyber Vault will work with you, rather than with the goal of replacing you or downgrading your value within your organization.
Written by Rob LaMear, CEO, US Cyber Vault
Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community. Receive our next issue by signing up here.