A CISO's Perspective - The impact of a breach

Reputation and trust are vital assets for any business: they touch every aspect of the business, and once compromised they cannot be easily repaired.

Warren Buffett rightly said,

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you will do things differently."
With the massive increase in hacked and breached data, cybersecurity breaches have become a day-to-day struggle for organizations. I'm dating myself here, but I remember the primitive malware of the pre-2000 era; compared with today's most advanced attacks, which can compromise an entire network in just a few hours, attack sophistication has come a long way, and the potential repercussions of cyberattacks are significantly higher.

Looking at the major security breaches of the last five years, we see that the affected companies suffered not only financial loss, such as compliance fines, but also reputational damage: drops in stock price and profits, loss of customers, loss of sales, and a diminished ability to win back customers' trust. Once trust is lost, many customers leave and never return.

The impact of cyberattacks and breaches can be broadly categorized as financial, reputational, and legal, with reputational damage potentially being the number one risk.

Customers provide personal information such as names, email addresses, phone numbers, credit card numbers, health information, social security numbers, etc., which are high-value assets for both the enterprise and cybercriminals. A successful cyberattack can expose this data, and when that happens, customers feel betrayed and will most probably take their business elsewhere. Such a situation is devastating for any business.

In general, those who collect personal information are responsible for protecting it against unauthorized disclosure. Therefore, securing trust is critical to sustaining long-term value in businesses.

Best practices to manage reputational damage

Brand and reputation are inextricably connected to how an organization manages and mitigates its cyber risk. So, it is no surprise that cyber risk and reputational damage go hand in hand. Also, it is not a matter of "if" but "when" an organization will come under cyberattack. Thus, it is crucial to formulate cybersecurity strategies to spot the threat, mitigate the threat, and manage defenses before it is too late to recover.

But the truth is, it is impossible to prevent all cyberattacks. So, organizations need to take the following critical considerations into account to mitigate cyber risk.

Management support

Many organizations are unable to build the cyber-resilient infrastructure needed to maintain the trust of their customers. This may be because executive management is not aware of the real problems a cyber breach can cause. Yet executive management is ultimately responsible for ensuring security and for practicing due care and due diligence.

It is imperative to educate management about cyberattacks, the risk of a breach, the damage that a cyberattack or system outage can do to brand, reputation, and stock price, and the support the CISO requires to build a cyber-resilient environment.

Identify, classify, and harden assets

Determine the most valuable assets and their location; assess access criteria, the likelihood of compromise, and how an attack could propagate; and prioritize protection based on your organization's risk tolerance.

Apply stringent security controls to protect susceptible and critical assets, and design and execute a cybersecurity program that accounts for cyberattacks. Deploy a range of techniques to protect assets, such as zero-trust architecture, SDN and micro-segmentation, tokenization, encryption, identity and access management, etc.

Minimize human error

According to a study by IBM, 95% of cybersecurity breaches are caused by human error. If human error were somehow eliminated, 19 out of 20 cyber breaches might not have taken place at all.

Even the best security teams are likely to make mistakes and inadvertently weaken the organization's security. So, the organization needs to remove human error where possible, and otherwise minimize it, with automated solutions that are supported and executed across the enterprise.

  • Invest in breakthrough solutions: Apply defense-in-depth and invest in breakthrough technologies that can make a difference, such as AI-powered solutions (AI-driven IAM tools, SIEM with SOAR/XSOAR and UEBA integration, next-generation XDR/DLP/IDS/IPS, breach and attack simulation, etc.).

Reduce product clutter

Disorganized security solutions and loosely integrated products can pose a serious cybersecurity risk. As the network grows, organizations add more products to their security stack to improve their cyber posture and reduce the attack surface. As a result, the business environment becomes highly interlinked and cyberspace becomes increasingly complex to manage, which itself expands the attack surface.

Hence, it is high time for organizations to re-evaluate the cybersecurity strategy and reduce product clutter/complexity. 

Enhance the quality of service

As service quality is tightly coupled with reputation and brand value, the perceived quality of service and customer satisfaction significantly affect an organization's value, image, and reputation. Also, service quality directly affects the customer's attrition rate. 

Hence, high-quality service and customer satisfaction are indispensable components in preserving a company's reputation.

Maintain a secure supply chain

A secure supply chain ensures that all of the vendors in the chain are reliable, trustworthy, responsible, and accountable. For this,

  • Perform an independent third-party audit to provide an unbiased review and report on the different security controls, ensuring that vendors have validated and certified security policies and procedures in place.
  • Establish minimum security requirements for all acquisitions and mergers in the security policy. Also, review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services.

Test incident response plan regularly

Ensure that a robust incident response plan is in place to prepare for any possible breach or disruption. Practice, pressure-test, and verify the effectiveness of such a plan after it gets approved by management.

Create a security attitude and security culture

If people in an organization think that the security department alone is responsible for security, there is a problem. For sustainable security, it is crucial to instill the concept that security belongs to everyone. Change how employees feel about security, and ensure that everyone is held accountable when it comes to security.

Follow best security practices

The organization needs to ensure that the necessary security practices and policies are in place and are continuously assessed to evaluate the security posture.

Some security policies to implement are password and access control policy, remote access policy, firewall and IDS/IPS management, email security policy, patch management, acceptable use policy, etc.

Conduct red team testing, attack simulations, penetration testing, vulnerability assessments, threat intelligence and threat hunting, security audits, etc., to assess the overall cyber risk profile and identify the damage a cyberattack could cause.

Luigi LENGUITO

BforeAI PreCrime predictive technology augments cybersecurity to defend networks and brands - Predictive Attack Intelligence and Preemptive AntiFraud and Digital Risk Protection Services

3 years

Excellent write-up. Unfortunately many still delay investing in preventive measures, counting on detection and response to contain cyber attacks. The problem is some costs are unrecoverable, downtime, customer experience and brand reputation among others, even having a cybersec insurance will do no good. With more than 500K new domains created daily, of which 60%+ are for malicious intent, often for "single strike" use - the magnitude of cybercrime can't be underestimated. Limiting where human error/distractions can leave open doors is key. #predictiveintelligence #precrime
