Wednesday, December 09, 2020

Cybersecurity: Seeking complex solutions to simple problems

I recently saw the movie "The Boy Who Harnessed the Wind" on Netflix. It made me think that solutions to complex, even existential, problems can be very simple. Those of us in the cybersecurity field tend to do the opposite: we view cybersecurity strictly from a technology viewpoint, forever searching for complex solutions and complex procedures to simple problems.

Take, for example, migration to the cloud. Before I undertook an in-depth study of a cloud platform, I was led to think of the cloud as something very complex that required very specialized skill sets. Frustrated with this mindset, I decided to study for the Amazon Web Services (AWS) Solutions Architect certification. As I went through the course, I found that working in the cloud was simpler than working in on-premise environments. A few clicks and you can have web servers and applications running. I remember spending days building web servers and getting applications to run on a bare-bones box that IT would hand over to me. Perhaps that hands-on experience made it easy to understand the cloud. It taught me the fundamentals and a tendency to seek simplicity even in the most complex situation.

Many of the vulnerabilities listed in the OWASP Top 10 have been there for many years, for example injection flaws and cross-site scripting. One possible explanation is that, rather than addressing the root cause, most security professionals and developers focus on complex coding approaches. I have designed applications at both the user-interaction level and the backend-processing level, focusing primarily on eliminating the root cause, and that has worked. Once you address or eliminate the root cause, complex coding becomes mere decoration that enhances the robustness of the application.
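The point above, illustrated as an added example that is not code from the original post: a blacklist filter (the "complex coding") rejects legitimate names and still leaves string concatenation in place, while a parameterized query and output encoding remove the root cause of injection and cross-site scripting respectively. The table, names and addresses are constructed for the demo.

```python
# Added example (not from the original post): contrasting a blacklist filter
# with root-cause fixes for the two OWASP issues named above, injection and
# cross-site scripting. All data below is constructed for the demonstration.
import html
import re
import sqlite3

# The "complex coding" approach: a growing list of tokens to reject.
BLACKLIST = re.compile(r"(--|;|'|\bor\b|\bunion\b)", re.IGNORECASE)


def filter_rejects(name):
    """True when the blacklist would block this input (legitimate or not)."""
    return bool(BLACKLIST.search(name))


def lookup_with_filter(conn, name):
    """Filter, then concatenate: rejects names such as O'Brien and still
    builds SQL from user data, so the root cause is untouched."""
    if filter_rejects(name):
        raise ValueError("input rejected by blacklist")
    cur = conn.execute("SELECT email FROM users WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]


def lookup_parameterized(conn, name):
    """Root-cause fix: the SQL text is fixed and the value is bound separately,
    so the database never interprets user input as SQL. No filter needed."""
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def render_greeting(name):
    """Root-cause fix for reflected XSS: encode for the HTML context at output
    time instead of guessing on input which characters are dangerous."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Ann O'Brien", "ann@example.test"), ("Bob", "bob@example.test")],
    )
    return conn
```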

Sunday, May 17, 2020

Cybersecurity as Value Add to business

Compared with past practice, every business has been adopting digital technology in how it does business. Now companies have responded to the coronavirus pandemic by moving as many processes as possible to digital formats. However, the pandemic merely accelerated the transformation of business processes into digital form, a movement that started decades ago. This process is digital transformation, and as a result new risks to the company arise. These new risks from digital transformation come in the form of cyber risk.

To combat cyber risk, companies should bolster their cyber security efforts. Cybersecurity is fundamental to the digital transformation because it ensures that the new business processes are safe from malicious attacks. Furthermore, the expectation from customers is that new, digital business processes are done safely and securely. 

Cybersecurity begins with a mindset: being mindful of your fiduciary responsibility towards your customers, their data, their information, their assets–all of which have been entrusted to you. Cybersecurity is not about tools and technology—tools and technology are the means to act on that mindset, just as securing your physical property begins with accepting the need to secure it and then using locks and security systems as the tools and technology to meet that objective.

Cybersecurity is not about technology; it is the fundamental capability of a business to be adaptive and resilient to changing business processes and an ever-changing threat landscape.

NIST Cybersecurity Framework to deliver on the value proposition

I have been studying the NIST Cybersecurity Framework and applying the framework to organizations. The goal is to help businesses incorporate cybersecurity into all aspects of their digital practices.

The framework is outcome driven and provides the activities an organization needs to perform to achieve those outcomes. Since the framework does not mandate how an organization must achieve those outcomes, it scales: a small organization with a low cybersecurity budget can approach the outcome in a way that is feasible for it.

Every business already has some set of security practices—for example, passwords on email accounts are ubiquitous. The key, however, is identifying the gaps between where the company is now (its current profile) and where it should be (its aspirational target profile). We work with businesses to develop a plan, or roadmap, to achieve their target profile, to ensure that cybersecurity is an integral part of all business practices, from workflow to external and internal communications, and that there is a corporate culture that accepts cybersecurity as a value-add business proposition.

All organizations have gaps in their cybersecurity practices. The goal is to identify those gaps by creating and comparing the current profiles with target profiles and to work iteratively to narrow those gaps.

Awareness Education - employees tend to be the weakest link

The threat landscape has evolved over time. In the past, hackers and criminals looked for vulnerabilities in systems and networks, and penetrated by attacking the systems directly. Now they prey on people and thereby gain access to the systems, because people are easier to target. Hackers first introduce malware into the system through phishing emails, gain control over the organization's assets, and then use ransomware to blackmail or extort payment. People are therefore the weakest link, falling easy prey to phishing, spear phishing and social engineering. Awareness education drives a culture in which employees become a deterrent to cyber-attacks, thereby making the organization cyber resilient.

Monday, January 27, 2020

Cyber Security Awareness Training

ebusinessmantra is excited to announce a new security awareness training service for our clients. Engaging employee security awareness training is an effective way to protect your organization from threats like phishing. 

Our new security awareness training solution will teach your employees how to detect and avoid malicious content through attention-grabbing training modules and realistic simulations. We have over 2000 training resources in different lengths, styles and languages to inspire a culture of security at your organization.

As your service provider, we'll handle all aspects of employee training — including implementation, management and reporting. This helps you:
  • Prevent data breaches and other security incidents.
  • Meet and track security awareness compliance requirements.
  • Save time and money with automated course delivery, management, and reporting.