An organization’s public image can be greatly affected by a negative headline. Imagine deciding which technology service providers the organization will use, and then one of the selected vendors is breached. Will the organization remain with that vendor, or will leadership and board members demand a change? Earlier this year, an entity that marketed itself on its “secure” transfers was breached, losing an unknown amount of data from thousands of affected systems. The person in charge of vendor management at an affected organization will likely begin searching immediately for other providers.
Stakeholders of every organization should evaluate the scenario of being breached and assess the impact of that breach being publicly broadcast. This is “reputational risk,” and it must be considered. Now ask, “Who does reputational risk belong to?” The answer: this, like every other risk the organization faces, belongs to management, the board, and any other key stakeholders. Assessing and evaluating plans to address the reputational damage of a breach is just one part of scenario testing, more commonly known as incident response tabletop exercises.
During these exercises, many things are happening. Training for the incident response team is one of the most important, as it is vital that the response team is “responding” and not “reacting.” Response team members must be fully aware of their primary and backup responsibilities should an incident or breach occur. They should be like well-trained firefighters when an alarm sounds at the station, grabbing gear and falling quickly into place to respond, because that is what firefighters do—respond, not react.
Tabletop exercises give department managers, leadership, IT, and any other key departments the opportunity to discuss and walk through recovery and remediation steps and to evaluate whether they will actually work as planned. They also give management the opportunity to voice its expectations, such as recovery time, and to assess whether staff are actually capable of meeting them.
As the news reflects almost daily, ransomware is an ongoing threat to every organization. Managers and owners of small to midsize institutions often feel they are not a target because of their size, but it has been shown that, more often than not, small to midsize organizations are targeted far more than larger companies.[1] Why is this happening? Because hackers know smaller organizations likely do not have the resources to properly secure their networks.
To help reduce the risk of a ransomware attack or other breach, management must begin with an information security risk assessment to identify threats. According to the National Institute of Standards and Technology (NIST), a threat is any circumstance or event with the potential to create loss. A threat can be a natural occurrence, a technology or physical failure, a person with intent to harm, or a person who unintentionally causes harm. Information about threats is available from public and private sources. Public sources include the news media, blogs, government publications and announcements, and various websites. Private sources include information security vendors and information-sharing organizations. Basically, NIST is saying that management must address risk, and this is done with a risk assessment.
A risk assessment, simply stated, is a prioritization of potential business disruptions based on their severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on their impact on the organization, its customers or clients, and their data. Once these potential disruptions are listed, controls should be identified to help reduce the risk. These controls form the heart of the organization’s information security policy. The analysis and the controls are the foundation of any information security program, and while there are many other steps, this is the first major one toward reducing the likelihood of a breach.
If you and your organization need help constructing a risk assessment and assistance with supporting security policies, please fill out the Contact Us form below or reach out to the IT Risk & Compliance team at Forvis Mazars.
- [1] “Small Businesses Are More Frequent Targets of Cyberattacks Than Larger Companies: New Report,” forbes.com, March 16, 2022.