If you think that your business isn’t likely to be the target of a cyberattack because your firm is too small to be a viable target for cyber criminals and cyber terrorists or think you’re not in a vulnerable industry, now is time to re-evaluate your stance.
At this time, defense and intelligence officials in the U.S. are bracing for the possibility that there may be an onslaught of cyberattacks after a U.S. airstrike last Friday killed Qasem Soleimani, a top Iranian military official.
In a terror alert after the Soleimani strike, the Department of Homeland Security warned of Iran’s long history in cybercrime and ability to target critical infrastructure.
Last week, a group claiming to be Iranian hackers defaced a federal government library website with a violent image depicting President Donald Trump.
In today’s geopolitical landscape, businesses of all types have legitimate reasons to be concerned about the possibility of cyber terrorism and state-sponsored cyberattacks. “Attacks from state-sponsored sources have significantly increased over the past few years for businesses,” said Jordan Mauriello, vice president of managed security at cybersecurity firm Criticalstart, in an email to CNBC.
In fact, U.S. companies have often been the targets of cyber terrorism. In the past few years, Iranian hackers carried out a series of attacks on the largest U.S. financial institutions including Bank of America and Citigroup. Las Vegas Sands Corp. was attacked in 2014 over owner Sheldon Adelson’s support for Israel and calls for attacks on Iran.
So, what can businesses do to make sure they don’t become collateral damage as geopolitical crises escalate? Here are a few key security measures to take, according to cybersecurity experts.
1. Purchase a cyber insurance policy
In our turbulent time, cyber insurance is no longer a luxury, it’s a must-have. Cyber insurance policies are designed specifically to cover intangible, non-physical loss caused by a cyber event, such as the loss of data, cyber extortion, and loss of business income.
According to Marsh, a large insurance broker and risk management firm, the share of their clients that have purchased cyber insurance has doubled from 2014 to 2018 — from 19 percent of total clients to 38 percent. Additionally, Marsh found that organizations today are also purchasing higher coverage amounts than in the past.
To get sufficient coverage, you need to understand your risk posture. And similar to other types of insurance, there are things you can do to lower your premium. Here’s a list of high level items you should consider when purchasing a cyber insurance policy (via CIO.com):
- Ask for retroactive coverage when first signing a contract. This is important because it takes an organization an average of 256 days to identify a cyberattack.
- Make sure to get coverage for claims resulting from vendor errors as well as your own.
- Make sure to include coverage for any loss of data.
- Make sure to clearly understand your policy’s coverage.
- Ask your insurer for a lower rate after an advanced penetration test is conducted and findings have been remediated.
2. Work on your compliance processes
Most organizations already have some security measures in place. However, it’s important to recognize that what you currently have may not be enough. Working through a thorough compliance process is a great way to uncover the gaps in your security program. In a very concentrated period of time you can uncover the biggest weaknesses in the design and execution of your control processes. Once you’ve refined controls to address these issues, your organization will have created a better (and more secure) product or service.
To gain greater peace-of-mind, security leaders should familiarize themselves with the common cybersecurity frameworks available today (e.g. SOC 2, NIST 800-53, ISO 27001) and adopt the controls that make sense for their particular organization.
Frameworks such as SOC 2 provide a detailed list of requirements each organization should have in place to protect their assets. For example, one good security measure is to make sure that access to key systems is granted only to those who must have access in order to do their job. SOC 2-CC5.1.4 states that the organization should “utilize role based access to ensure that access is restricted based on job function.”
Thus, it could be a good idea for an organization to implement a cybersecurity framework like SOC 2 in preparation for a formal audit. This type of preparation will force you to inventory your strengths and weaknesses. You will educate yourself on modern best practices and the exercise can serve as a springboard to put in place or refine deficient controls and processes.
3. Conduct risk assessments annually
You need to conduct risk assessments regularly to make sure your controls are effectively mitigating the key risks. Risk assessments are a key input for creating relevant controls.
If a risk is both impactful enough and likely enough to materialize, you implement new controls to mitigate those risks down to an acceptable level. In fact, cybersecurity frameworks such as SOC 2 specifically require organizations to have a process in place for risk management that is documented in their Risk Assessment Policy (SOC2-CC2.1.1). SOC2-CC2.1.2 states that organizations should perform risk assessments on an annual basis.
4. Continuously monitor your controls
Because cyber threats are ever-present, you should have a process in place to detect threats and close security gaps on a continuous basis. Don’t rely solely on external audits to show you the health of your security program. Instead, you should continuously monitor your controls and conduct tests to make sure your processes are working as designed. Ideally, these tests are automated as opposed to manual. This reduces the chance of human error leaving your assets vulnerable.
For example, forgetting to revoke access privileges to critical systems when an employee quits will leave your organization open to threats. But it’s easy to forget to remove a departing employees’ access to certain systems if you have to do it manually each time. From a security standpoint, it’s much better if you can automate this process.
5. Invest in security and compliance tools
Having the right set of tools is critical to managing the above steps efficiently. Hyperproof’s recent IT Compliance Best Practices Survey (which is set to be published on January 21, 2020) asked respondents to estimate the percentage of their compliance budget their organization planned to spend in each of the following categories: Compliance audits, outsourcing, technology, and staff.
We found that on average, organizations plan to spend more on technology (e.g., information security tools, privacy management applications, assisting in the day-to-day operations of compliance projects) than any other spending category.
| Spending Categories | Average Spending Per Category |
| Compliance Audits (attestations, enforcements, monitoring and forensics) | 26% |
| Outsourcing (consultants to address risks, etc. ) | 18% |
| Technology (information technology, Privacy Management technology, GDPR, tech to assist with day to day operations, etc.) | 30% |
| Staff (management and training programs) | 25% |
| Other, please specify | 1% |
This data was collected in November 2019
To create an effective cybersecurity tech stack (and avoid overspending on tools), it is important to make sure you are designing a tech stack that reflects your business risk profile. For instance, companies that have valuable intellectual property to protect may be more interested in breach and encryption and similar kinds of security mechanisms. On the other hand, those firms that offer online services need to focus much more on DDoS protection to ensure their online business is up and running at all times and their revenue isn’t impacted.
Picking cybersecurity tools generally means addressing these five key areas with differing degrees of focus (via Technuf):
- Physical Security, Including Identity Access Management and Role-Based Access Control
- Intrusion Prevention, Detection, and Mitigation
- Data Loss/Leakage Prevention
- Incidence Response
- Forensic, eDiscovery, and Litigation
These areas align with the five functions of the widely-accepted American National Institute of Standards and Technology’s (NIST) framework for managing cybersecurity risk (identify, detect, protect, respond, and recover from threats). Companies can use the NIST framework to gain a better understanding of what capabilities they need to have. They should ask themselves two key questions when crafting their security tech stack:
- What are my needs in each of these categories?
- How do I select the right products to address what I need?
Additionally, experts agree that when building your cybersecurity tech stack, a multi-layered approach is required. In Hyperproof’s 2020 IT Compliance Best Practices Survey, we found that organizations are interested in deploying variety of tools to create a layered stack:
What technology are you interested in evaluating/adopting in order to increase productivity, efficiency and reduce the cost of compliance and to improve your organization’s security posture and ability to protect consumer privacy?
| Technology categories | % of respondents |
| Compliance management solution (also known as GRC solution or an audit management solution) | 41% |
| Security Incident Event Management (SEIM) | 40% |
| Security orchestration automation management (SOAR) | 34% |
| Change management software to track and document authentication and controls in our IT system | 35% |
| Data loss prevention (DLP) technology (e.g. Digital Guardian, Symantec, Forcepoint) | 39% |
| Privacy management and compliance software (e.g. OneTrust, TrustArc) | 38% |
| Identity and access management/single sign-on (e.g. Okta) | 27% |
| Application security platform (e.g. Whitehat Security) | 23% |
| Email security solution (e.g. Mimecast, Proofpoint, Microsoft Office 365 ATP) | 30% |
| Vulnerability assessment solutions (e.g. Tenable, Qualys, Tripwire) | 24% |
| Whistleblowing solutions (also known as issue management solution, helplines, hotlines, case management solutions or compliance reporting solutions) | 16% |
| Other, please specify | 1% |
This data was collected in November 2019
Conclusion
At this time, it is critical that organizations see cybercrime as a serious and growing business risk. Building an effective cybersecurity culture within an organization should be a priority for all businesses in 2020. Businesses should put in place robust security controls, conduct regular risk assessments and audits, and continuously monitor their control environment for weaknesses. Further, recognize that it is simply not possible to completely eliminate all cyber risks. Organizations should be prepared to face the worst by purchasing adequate cyber insurance coverage well before a security incident occurs.
Monthly Newsletter
Get the Latest on Compliance Operations.
