Cybersecurity Management

Cybersecurity is directly tied to a company’s reputation. When an organization falls victim to an attack or incident because of a known security weakness, the consequence is a loss of confidence in that organization: the incident exposes the lack of attention or care shown by those responsible for protecting clients’ information and personal data.

Consumers are increasingly aware that their personal information is valuable and should be protected; failure by an organization to take adequate measures for such protection represents a breach of that trust, which is essential for establishing and maintaining business relationships.

In some cases, the reputational damage can even be considerably more significant than the economic damage since it affects the company’s commercial image and its potential to generate business relationships.

Thus, information security has become an essential element of any organization’s strategy, whether public or private, and that strategy must include control policies and procedures that ensure the integrity, access, and confidentiality of the information used in its activities.

The need for a phased process is therefore evident: one that identifies and assesses risks, improves security procedures, quantifies the cost of an eventual transfer of risk, and responds to attacks and other incidents that lead to the loss of information. Only a correct definition and implementation of this process will limit the technological, legal, regulatory, financial, and reputational impacts.

The identification and evaluation phase aims to map risks, analyze them and quantify their impacts. Main threats and vulnerabilities, the sources of the risks, the probability of their occurrence and the impact they may have on the business, as well as the priority actions to take, must be documented.

The next phase focuses on improving control mechanisms to limit the probability of occurrence and the impacts of previously identified risks. This work will culminate in a set of tools that will allow changes to management processes: a list of control mechanisms and objectives, a risk management plan (which includes accepting residual risks), and an implementation plan for the control mechanisms.

The third stage is the economic quantification of the impact of risks. A detailed analysis determines the financial consequences of a loss of information in the previously identified contexts, evaluating the losses in the extreme scenario of a total loss as well as the intermediate hypotheses that estimate maximum probable losses. The aim is to evaluate the cost of transferring a risk to the insurance market and, if necessary, to facilitate such transfer procedures.

The last step is to define the response process to detect, communicate, evaluate, and manage incidents. The results of this process should be used to improve and strengthen other change management plans, namely internal awareness and training of the organization’s employees. Internal training programs are essential to consolidate the organization’s awareness of cybersecurity and to mitigate the risk of that awareness breaking down.

The fact that companies often use external entities to provide IT services deserves special mention. These service providers have access to the company’s technological systems and are intimately familiar with its information management architectures and models. For this reason, the creation of security policies must pay special attention to relations with entities outside the organization. There is no point in having sophisticated security measures and control procedures if they are not respected by external entities with access to the company’s information systems.
