Every company concerned with protecting its systems and information must also be concerned with shortcomings in its cybersecurity risk management efforts. Some companies possess critical information such as confidential business and customer data which if compromised can lead to serious consequences including competitive disadvantage, tarnished corporate image, lost customers and loyalty, increased fraud costs, lawsuits, and penalties for violating regulations. Companies usually have good intentions when it comes to information security and consumer data privacy but fail to properly plan or execute the information protection plan due to concerns for initial costs, required efforts, and lack of resources.
Shortcomings in cybersecurity risk management can be attributed to the lack of information security risk awareness on the part of company executives and management who are sometimes blinded by short term gains. Some companies do not take information protection seriously because of the immediate costs associated with protecting confidential information. According to Henry Bagdasarian, “companies typically pay attention to cybersecurity when associated costs and efforts are tied to mandatory compliance with regulations, customer requirements or audits, and serious data breach incidents”. As such, executive management support for cybersecurity is usually limited to the bare minimum in order to comply with laws, keep customers happy, and maintain a responsible corporate image at the lowest costs possible.
When companies only consider the immediate impact of information protection, they fail to properly address the long term information protection risks including lost revenues, lawsuits, government or client scrutiny, impact to their industry, and costs of identity theft and fraud cases.
Impact of Data Security Regulations
Most of the time, information protection laws are introduced and forced upon businesses because companies fail to properly and collectively address the data protection risks to society and the damage inflicted upon others. But why do companies need government intervention to do the right thing? Isn’t proper protection of customer information a good business practice with long term benefits such as higher revenues due to customer loyalty and retention? Then why give the government an opportunity to introduce overlapping laws which will cost money to comply with anyhow? Why can’t industries proactively act in the best interest of everyone to address a business risk which is growing each day? System intrusions, data breaches, identity theft and fraud are growing business risks which should be properly addressed and which might require actions beyond the regulatory requirements, such as educating customers. Corporate cybersecurity risk management shortfalls may be ignored by the government for as long as they do not affect people or other businesses. Once this line is crossed, governments and their lawyers will react to protect consumers and affected parties.
Cybersecurity Risk Management Shortfalls
Shortcomings in cybersecurity risk management are many; however, companies which fail to identify as many of their shortfalls as possible, or which ignore their information security weaknesses, are more exposed to the consequences of unprotected information.
Below is a list of information protection shortfalls:
Low visibility of the cybersecurity function – In many organizations, the cybersecurity team reports to the Chief Information or Technology Officer without a direct line to the Board or a sub-committee of the Board, a reporting line which would avoid a conflict of interest and allow issues to be escalated quickly. The function must be centralized as much as possible from an oversight standpoint.
Lack of adequate executive management and Board support – The lack of management and Board support often results in the lack of organization-wide support for the cybersecurity function as the tone at the top determines the behavior of the rest of the organization.
Lack of periodic risk assessment and gap analysis – A frequent and adequate risk assessment is a precursor to security gap identification and remediation. Periodic risk assessment is necessary to identify, prioritize, and remediate security gaps.
Incomplete cybersecurity scope – Before risk assessments can be executed, the cybersecurity scope must be determined. For example, critical systems and data must be identified, and the cybersecurity scope must also include processes outside of the information systems. Not all companies can readily list their systems and vendors which handle various types of business or personal data.
Inadequate budgets for automated tools, expertise, gaps remediation, and staffing resources – To properly address cybersecurity risks, planning must include adequate budgets for advanced tools which deploy artificial intelligence, technical expertise, and adequate levels of cybersecurity staffing.
Unqualified or inadequate level of cybersecurity management and staff – We often hear about the lack of available qualified cybersecurity experts in the market. This shortfall, combined with budget deficits, leaves companies with no choice but to hire unqualified and less expensive employees or leave the vacant position open for a long time, which leads to shortcomings in cybersecurity risk management.
Lack of documented and communicated policies and procedures – Some companies either don’t have a full list of cybersecurity policies and procedures which are tied to best practices and global standards or do not update them regularly to reflect changes in the threat landscape. Once these cybersecurity policies and procedures are documented, they must be communicated to all appropriate parties to collectively help secure the systems and data.
Improperly designed or configured internal and system controls – Internal control is the foundation of risk management, and thus internal controls must be properly designed and configured within business operations and systems to ensure an adequate level of security across the enterprise.
Inadequate monitoring of external incidents and regulatory requirements – It is often said that knowledge is king, and therefore being aware of cyberattacks and how they occur is important for managing cybersecurity risks. Keeping track of industry standards and regulations is also important to avoid shortcomings in cybersecurity risk management.
Insufficient awareness of the risks and solutions – Organization-wide education regarding cybersecurity risks and best practices is critical to ensure continuous protection of systems and data. This includes employees, executives and management, customers, vendors and anyone else accessing the resources.
Unmanaged and blind transfer of controls to third parties – Many companies blindly trust their vendors and business partners to have adequate security and comply with best practices when they outsource their services. This is not a very good idea as the organization assumes the risks even if their vendors cause a data breach. It is wise to establish security SLAs with business partners and include an enforcement clause such as an audit.
Exclusion of cybersecurity from key business decisions and changes – Decisions made by various departments often have security implications which must be planned for and mitigated before exposing the organization to unnecessary risks. Such decisions include outsourcing, process re-engineering, acquisitions, and mergers. Many times, the cybersecurity teams are not aware of changes in their environment and therefore cannot assess or mitigate the risks on a timely basis.
Inappropriate access to confidential information and related systems – Access certification is a cybersecurity best practice which assesses and certifies access to systems and data periodically to determine the appropriateness of access to resources. The frequency of access audit and certification depends on the risk level of each system and data residing within the system. As this is a labor intensive effort, most companies delay or avoid this best practice.
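The access certification described above is usually done by comparing each account's current entitlements against a role baseline and checking when each entitlement was last certified, with the review interval tied to the risk level of the system. The following is an added example, not code from the article or from any product it mentions; the systems, roles, review intervals and sample entitlements are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: how often access to a system must be re-certified,
# by system risk tier. These intervals are illustrative, not from the article.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Constructed inventory: which risk tier each in-scope system falls into.
SYSTEM_RISK = {"erp": "high", "ad": "medium", "wiki": "low"}

# Constructed role baseline: the (system, permission) pairs a role is
# expected to hold. Anything outside this set is an exception to review.
ROLE_BASELINE = {
    "accounts_payable": {("erp", "ap_clerk")},
    "helpdesk": {("ad", "password_reset")},
}


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    system: str
    permission: str
    last_certified: date


def review_interval(system: str) -> timedelta:
    """Review interval for a system, derived from its risk tier."""
    return timedelta(days=REVIEW_INTERVAL_DAYS[SYSTEM_RISK[system]])


def is_overdue(e: Entitlement, today: date) -> bool:
    """True when the entitlement has not been certified within its interval."""
    return today - e.last_certified > review_interval(e.system)


def is_out_of_baseline(e: Entitlement) -> bool:
    """True when the entitlement is not part of the user's role baseline."""
    return (e.system, e.permission) not in ROLE_BASELINE.get(e.role, set())


def review_access(entitlements, today: date) -> dict:
    """Produce the two lists a certifier needs: overdue entitlements and
    entitlements that fall outside the role baseline. Each entry names the
    user, system and permission so the owner can approve or revoke it."""
    overdue = sorted(
        (e.user, e.system, e.permission)
        for e in entitlements if is_overdue(e, today)
    )
    exceptions = sorted(
        (e.user, e.system, e.permission)
        for e in entitlements if is_out_of_baseline(e)
    )
    return {"overdue": overdue, "exceptions": exceptions}


# Constructed sample data: four entitlements as of a fixed review date.
TODAY = date(2024, 6, 1)
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "accounts_payable", "erp", "ap_clerk", date(2024, 4, 15)),
    Entitlement("bob", "helpdesk", "erp", "ap_admin", date(2024, 1, 10)),
    Entitlement("carol", "helpdesk", "ad", "password_reset", date(2023, 11, 1)),
    Entitlement("dave", "accounts_payable", "wiki", "edit", date(2024, 1, 1)),
]

if __name__ == "__main__":
    report = review_access(SAMPLE_ENTITLEMENTS, TODAY)
    for kind, rows in report.items():
        print(kind)
        for user, system, permission in rows:
            print(f"  {user}: {system}/{permission}")
```

In the sample, bob's ERP admin permission is both overdue (the high-risk system requires a 90-day review) and outside the helpdesk baseline, so it surfaces in both lists; carol's access is in baseline but overdue for the medium-risk system, and dave's wiki access is within the 365-day window but was never part of the accounts payable role. Tying the interval to the system's risk tier is what keeps the labor-intensive part of certification focused on the systems where a stale entitlement matters most.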
Excessive collection, duplication, sharing, and retention of personal data – The excessive collection, retention, and sharing of personal data are collectively referred to as “Identity Obesity” by Henry Bagdasarian in his book titled Identity Diet, which suggests that most consumers and businesses are “identity obese” as they mishandle personal information. The identity theft protection tips proposed in the book were later adopted and included in the Certified Identity Protection Advisor (CIPA) certification study guide and exam.
Inconsistent and inadequate data destruction and disposal practices – Ignoring just-in-time data destruction adds additional cybersecurity risks. Since all confidential data must be protected, keeping unneeded data leads to unnecessary risk, cost and effort.
Poor data breach response and management – Finally, companies are very slow at detecting system breaches because they have not invested in state-of-the-art cybersecurity technologies. Also, most companies do not have an adequate breach response plan which addresses the resources and vendors needed when a data breach occurs.