Blog posts by Christopher Schuetze
Addressing cybersecurity within a company often happens only in response to an incident that impacts business operations. Such a cyber incident could be a data breach or the malicious disclosure of internal information to the public. Ideally, a company starts thinking about cybersecurity before it is forced to act by an incident. One way to prepare for a cyber incident is an internal or external benchmarking of the company's cybersecurity landscape.
What to expect from a benchmarking exercise
To ensure that a benchmarking exercise offers real value to the company, its expectations and outcomes should be clearly defined. An initial step should be to establish a standardized process that the company can repeat, so that improvements can be measured from one run to the next. Benchmarking should indicate whether the current environment is ready for a future cyber incident or not. Being ready means having an open architecture that uses standards and is extensible. But it is not sufficient for a company to look only at technological aspects; the benchmarking exercise should also provide deeper insight into organizational topics. Every assessment should show whether there are organizational gaps and help to create a roadmap to close them promptly.
Benchmarking should focus on technology and organization
From our experience, discussions between KuppingerCole representatives and the many relevant stakeholders within an organization improve the quality of the resulting benchmark. Stakeholders range from architects, managers, developers and (internal) customers up to the C-level, because they all have different perspectives on cybersecurity and different requirements that need to be reconciled. Bringing the varied stakeholders together means discussing the various areas of the company. Usually we use our 12 categories for that: 6 organizational aspects and 6 technological aspects.
Focusing on these areas ensures that cybersecurity is considered end to end, and that gaps within a single area or across multiple areas can be discovered.
Collect information, compare, and define concrete measures
Once the areas relevant to the benchmark are known, the next step is to collect the information. There are various documents and guidelines to be evaluated, but many interviews with teams and stakeholders must also be carried out. The best result is achieved with a set of good questions covering the various areas, answered by different people, whose answers can then be rated per category.
A graphical visualization as a spider graph gives an easy and fast overview of strengths and weaknesses. One goal of the benchmarking exercise is to create comparable results. The comparison can be made with peers, between maturity levels, or with earlier benchmarking results. Quality comparative data is quite difficult to generate internally, so external support is recommended.
Understand the result and define a roadmap
The spider graph and the documented benchmark give a good insight into the weaknesses of a company. In this example the company has weaknesses in Network Security, Application Security and Risk Management, so the next step should be to prioritize the open topics in those areas. The company should take a deeper look into what is missing and what needs to be improved, while also keeping future requirements in mind. Doing this allows the company to create both a general and a detailed roadmap for planning the next steps to improve its cybersecurity.
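As an added illustration (not code from the post and not KuppingerCole's methodology), the scoring step of such a benchmark in Python: stakeholder answers rated 0 to 4 are averaged per category, compared with peer data and the company's previous benchmark, and turned into a prioritized gap list, which is the input for the roadmap. The respondent roles, the peer and previous values, and every category name except the three the post mentions are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean

# Constructed questionnaire answers: (respondent, category, rating 0..4).
# Only Network Security, Application Security and Risk Management are named in
# the post; the other category names are placeholders for the remaining areas.
ANSWERS = [
    ("architect", "Network Security", 1), ("manager", "Network Security", 2),
    ("developer", "Application Security", 1), ("architect", "Application Security", 2),
    ("manager", "Risk Management", 1), ("c-level", "Risk Management", 2),
    ("architect", "Identity Management", 3), ("developer", "Identity Management", 4),
    ("manager", "Incident Response", 3), ("c-level", "Incident Response", 3),
]
# Constructed comparison data: the company's previous benchmark and its peer group.
PREVIOUS = {"Network Security": 1.0, "Application Security": 1.5, "Risk Management": 2.0,
            "Identity Management": 3.0, "Incident Response": 2.5}
PEERS = {"Network Security": 3.0, "Application Security": 3.0, "Risk Management": 3.0,
         "Identity Management": 3.0, "Incident Response": 3.0}


def category_scores(answers):
    """Average the stakeholder ratings per category; this is the spider-graph input."""
    by_cat = defaultdict(list)
    for _, category, rating in answers:
        if not 0 <= rating <= 4:
            raise ValueError(f"rating out of range for {category}: {rating}")
        by_cat[category].append(rating)
    return {cat: round(mean(ratings), 2) for cat, ratings in by_cat.items()}


def gaps(scores, peers, previous, threshold=0.5):
    """Categories at least `threshold` below peers, weakest first: (cat, score, gap, change)."""
    rows = []
    for cat, score in scores.items():
        gap = round(score - peers[cat], 2)
        if gap <= -threshold:
            rows.append((cat, score, gap, round(score - previous.get(cat, score), 2)))
    return sorted(rows, key=lambda r: (r[2], r[0]))


def roadmap(answers=ANSWERS, peers=PEERS, previous=PREVIOUS):
    """Turn the gap list into a prioritized list of categories to work on next."""
    return [cat for cat, *_ in gaps(category_scores(answers), peers, previous)]


if __name__ == "__main__":
    for row in gaps(category_scores(ANSWERS), PEERS, PREVIOUS):
        print("%-22s score %.2f  vs peers %+.2f  vs previous %+.2f" % row)
```

With the constructed data the three categories the post names come out as the priorities, and the change column shows whether each one has moved since the last benchmark.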
Benchmarking the cybersecurity landscape is a complex process, and it is difficult to define internally a metric against which you can compare yourself. If you want to benefit from the experience and knowledge of KuppingerCole, our methodology, and our comparative data, feel free to ask for assistance. We can support you!
Nowadays, it seems that no month goes by without a large cyber-attack on a company becoming public. Usually, these attacks affect not only the revenue of the attacked company but its reputation as well. Nevertheless, this is still a completely underestimated topic in some companies. In the United Kingdom, 43% of businesses experienced a cybersecurity breach in the past twelve months, according to the 2018 UK Cyber Security Breaches Survey. On the other hand, 74% say that cybersecurity is a high priority for them. So where is the gap, and why does it exist? The gap lies between the decision to prioritize cybersecurity and the reality of handling cyber incidents. It is critical to have a well-prepared plan, because cyber incidents will happen to you. Only 27% of UK businesses have a formal cyber incident management process. Does your company have one?
How do cyber-attacks affect your business?
To understand the need for a formal process and the potential threats, a company must be aware of the impact an incident could have. It could lead to damage to or loss of customers, or in the worst case to the insolvency of the whole company. In many publicly known data breaches, like those at Facebook or PlayStation Network, the companies needed significant time to recover. Some would say they still haven't recovered. The loss of brand image, reputation and trust can be enormous. To keep your company from experiencing such critical issues and to be able to handle incidents in a reasonable way, a good cyber incident plan must be implemented.
The characteristics of a good plan for cyber incidents
Such a plan should describe the processes, actions and steps that must be taken after a cyber incident. The first step is categorization, which is essential for handling an incident in a well-defined way. If an incident is identified, it must be clear who will be contacted to react to it. This person or team is then responsible for categorizing the incident and estimating its impact on the company.
The next step is to identify in detail which data has been compromised and what immediate actions can be taken to limit the damage. Subsequently, the plan must describe how to contact the staff needed and what they must do to prevent further harm and to recover. Responsibilities have to be allocated clearly to prevent a duplication of efforts when time is short. In a recent webinar, KuppingerCole Principal Analyst Martin Kuppinger made the point that IT teams responsible for cybersecurity should shift their focus from protection to recovery. While a lot of cybersecurity investment nowadays still goes into protection, this is no longer enough. “You need to be able to restart your business and critical services rapidly,” Martin explained.
Cyber-attacks are not an IT-only job
Apart from the necessary actions described above, which will be executed by IT and cybersecurity professionals, a process must be defined that lays out how corporate communications deals with an attack. In big companies there is an explicit top-down information chain. If a grave cyber-attack occurs, the Chief Communications Officer (CCO) has to be informed. Imagine the CCO, knowing nothing about the incident, being called by a journalist in the morning. This puts the company in a weak position where it loses control over crisis communication. Depending on the severity of the incident, a press release must be sent out and customers must be informed. It is always better when companies are confident and show the public that they care, instead of waiting until public pressure forces them to act.
Can companies deal with cybercrime all by themselves?
When it comes to personal user data being compromised, cyber-attacks can have legal consequences. Then it is wise to consult internal or external lawyers. External support from dedicated experts for specific kinds of cyber incidents is usually part of an action plan, too. To react as quickly as possible, a list of external experts categorized by topic should be created, containing contact persons and their availability.
Since cyber-attacks can never be entirely prevented, it is of utmost importance to have a plan and to know exactly how to react. This can prevent a lot of the mistakes that are often made once an incident has been identified. In the end, it can keep the company from losing customer confidence and revenue.
To understand and learn this process, to build the necessary awareness, and to know in detail how to deal with cybercrime, you can attend our Incident Response Boot Camp on November 12 in Berlin.