A critical report from PricewaterhouseCoopers throws the spotlight back on companies that aren’t taking cyber threats seriously enough to do anything about them.The consultancy’s “ 2013 US State of Cybercrime Survey,” co-sponsored by the U.S. Secret Service, polled 500 executives and found that only 40 percent are able to determine the effectiveness of their companies’ security programs based on clear measures.“The survey results tell us that many organizational leaders do not know or appreciate what they are up against… and have made little headway in developing strategies to defend against both internal and external cyber-adversaries,” the report says.Okay, in-house counsel, here are five steps your company can take to change its leaky ways:1. Get the businesses in your supply chain on boardYour vendors and business partners—whether they are supplying components of your company’s IT infrastructure, or are facilitating the products and services you sell—may not have any cybersecurity practices in place. That means they can “increase cybercrime risks across any entity that partner or supplier touches,” the report says.PwC found that only 22 percent of respondents conduct incident response planning with third parties in their supply chain, and only 20 percent of respondents “evaluate the security of third parties more than once a year.”2. Identify your vulnerable assets—and who wants themIt’s hard to fend off threats to your company when you don’t know who they are or what they’re after. PwC defines threat awareness as “the ability to understand cyberthreat actors, capabilities, motivations, and objectives” – and says this should be a key starting point for developing your own cybersecurity strategy.Hackers and state-sponsored hackers aren’t the only ones targeting your company; trusted insiders know what corporate information is valuable, and they know where to find it. Still, 24 percent of respondents “who had suffered an insider attack did not know what the attack’s consequences were,” the report says, while 33 percent “had no formalized insider threat response plan.”Detecting and mitigating insider threats will require the legal department to collaborate with the company’s IT, information security, physical security, and HR departments.4. Read government security updates“A sensible approach to public-private partnerships should be a cornerstone of any cybersecurity strategy,” the report argues. But the survey indicates that companies aren’t taking advantage of the full range of threat intelligence available to them.While 71 percent of respondents said they monitor cybersecurity websites and email to keep up with trends, less than half (47 percent) say they use government websites and emails (other than the Department of Homeland Security), and only 24 percent said they get info about threats and vulnerabilities from DHS.The report cautions that security budgets should be set in line with business strategy, but it also notes that spending on information technology “does not appear to be keeping up with emerging threats.” Here are a couple examples of questions to ask:“Is [the company’s] current technology with a secure operating system and hardware, or did we choose the lowest cost alternative?”“Are the enterprise applications and their underlying databases current, or have we deferred maintenance and upgrades because they were highly customized, rendering the path to upgrade too costly to consider in our current economic client.”A browser or device that allows javascript is required to view this content.
Subscribe to Corporate Counsel
You must be signed in to comment on an articleSign In or Subscribe">
No comments:
Post a Comment