The growing sophistication of cyberthreats and the recent news that some of the world's largest data aggregators were hacked have likely alerted business and IT leaders to the importance of cybersecurity. However, October is a good month to evaluate data protection and network safeguards for another reason: It's National Cybersecurity Awareness Month.
This is a particularly special milestone for NCSAM, as it marks the 10th year that it has been officially recognized in the United States. The goal of the initiative is to raise awareness among organizations and consumers, and StaySafeOnline has separated this October into several different themes:
- October 1 - 6: Time to reflect on past advances in cybersecurity and take stock of current measures and practices
- October 7 - 13: Focus on the cybersecurity implications of mobile technology
- October 14 - 20: Understand the importance of developing effective education and awareness programs so that tomorrow's cybersecurity leaders are well equipped to handle the risks they will face
- October 21 - 27: Identify current cyberthreats and how to safeguard against them
- October 28 - 31: Address the implications that an increasingly connected world has on critical infrastructure
With the month just beginning, now is a good time to explore how organizations are currently handling IT security. Unfortunately, a report by PricewaterhouseCoopers from earlier this year has shown that the landscape is filled with overconfidence. Forty-two percent of survey respondents said they were information security "front runners," though the statistics suggest otherwise.
"The odds, however, are not in their favor," the report's authors wrote. "Too often - and for too many organizations - diminished budgets have resulted in degraded security programs. Risks are neither well understood nor properly addressed. The number of security incidents is on the rise."
It is also important to keep in mind that hope is not lost. If anything, these comments highlight the importance that a cybersecurity awareness month can have in improving business as well as consumer habits. This signals a need to conduct honest evaluations of business policies and implemented solutions. PwC identified several core attributes that are necessary for mitigating risk, including:
- A comprehensive and unified IT strategy surrounding cybersecurity
- Direct executive involvement, such as a chief information security officer (CISO)
- Annual evaluation of implemented security measures and practices
- An understanding of the past year's security events and what they mean for the business
Based on these pillars, PwC noted that only 8 percent of respondents could truly be called leaders in information security, suggesting that many organizations would benefit from a more thorough review of their own practices.
Assessing risk in supply chain management
One of the areas organizations may need to pay special attention to is the supply chain. The amount of data and diverse nature of business partners' security environments can make it difficult to fully assess risk. However, IT security gaps in the supply chain can have far-reaching ramifications. Supply Chain Management contributor and SureCloud CEO Richard Hibbert recently noted that the U.K.'s Information Commissioner's Office can fine organizations up to £500,000 (approximately $800,000) for failing to prevent a data breach.
The penalties can easily stack up, particularly for organizations that are subject to multiple regulations. Payment card brands, for example, can fine acquiring banks as much as $100,000 per month for ongoing PCI violations, and these costs are usually passed on to offending merchants.
One of the common issues in supply chain risk management is a lack of standardization. Assessors that do not have a unified standard by which to evaluate business partners cannot adequately determine whether there are problems that need to be addressed.
"The most common way to assess potential supplier risk is to issue questionnaires in spreadsheet format and distribute via email," Hibbert wrote. "Questions may relate to regulatory standards like ISO27001, the payment card industry data security standard (PCI DSS) as well as internal practices and requirements that are specific to each organisation. The absence of any universal standard for supplier assessment questionnaires makes the task of auditing suppliers extremely time-consuming and inefficient."
Furthermore, the number of manual processes involved in collecting questionnaire data from multiple partners can bog companies down in administrative duties. As Hibbert noted, this also makes it more difficult for auditors to determine every entity's compliance standing.
While Hibbert recommended a cloud-based approach, the key takeaway from his advice is the need for a centralized platform from which compliance requirements and IT security practices can be easily evaluated. Particularly for supply chains, B2B integration and managed file transfer solutions can provide additional value by ensuring that all partners' practices and implemented solutions are also able to meet industry demand.
With Cybersecurity Awareness Month kicking off, now is a perfect time to start these kinds of evaluations - not only to ensure complete visibility over operations but to implement solutions that enable that high degree of visibility.
Do you know if your business is secure? Check off the list: