Every day, we hear about new digital attacks wreaking havoc on individual companies (and, in some cases, even entire industries). Cyber criminals are increasingly sophisticated, and the impact a digital attack can have on an organization can be devastating.
As a business leader, it falls to you to make sure your company’s digital assets are protected 24/7. That’s true no matter what industry you’re in, what your product or service offerings are, how big your business is, or how many customers you serve.
My guess is that you know all this, though. You know that cybersecurity is crucial, you know that cyber attacks can have profound ramifications, and you know that it’s your job to try and stay one step ahead. What you may not know, though, is how to do that.
To get you started, let’s walk through some of the key concepts you must understand in order to protect your digital assets against cyber criminals. Each of these concepts—from taking an inventory of your assets to thinking through how you’ll respond to worst-case scenarios—are important in and of themselves. And, when combined together, they become extraordinarily powerful armor against anything an attacker might try.
#1: Know Thyself
The first step in creating any kind of ongoing, effective defense can be summed up in the 2,000-year-old idea of “know thyself.” Applied to a person, this concept alludes to a sense of introspection. It requires a degree of maturity and humility to understand exactly who you are—how you think, for example, or why you behave the way you do.
In the same way you must spend time in introspection in order to really understand who you are, you must be introspective about your organization in order to understand your digital space. What are all the assets on your network? What processes do you have in place to inventory those systems and applications? How often are they validated?
Truly knowing your digital space requires you to dig deep to answer these questions. It requires knowledge about who is scrutinizing your digital assets (outside of the owner of those assets), because there should be some level of independence in your process. And, it requires understanding how all these factors influence the risk your organization might be in.
#2: Go Beyond the Obvious
Answering all those questions is a good start. But what about beyond that? What about your brand? How about partnerships you have with other organizations that contractually represent you, but are outside of your direct control?
Taking an inventory of your digital assets helps you think through your digital space from an attack-vector perspective and a threat profile perspective. However, you need to go beyond the obvious and think through how you might be attacked in the cyber realm in less-traditional ways.
To start, think through your reputation in cybersecurity. How are you being represented? What partnerships do you have with vendors? How are those vendors behaving? Does that behavior reflect your corporate culture? How about your position and your brand?
The point here is that protecting your digital assets—and, ultimately, your organization—on a 24/7 basis will require you to go far beyond the classic security operations center. You can’t just monitor your assets; you also need to monitor your social media and keep an eye on what people are saying about your brand.
#3: Work Through Attack Scenarios
If this sounds like a lot, it is. But unless you know and monitor every aspect of your digital space, you’ll never be truly safe. You need to think about legal ramifications, marketing ramifications, and brand ramifications if an attack happens. Bottom line, in today’s world, you can spend years building your company’s reputation, and it can be ruined in a matter of moments.
To mitigate this risk, build teams who think through attack scenarios, both traditional and non-traditional. This will help you prepare for what you would do in a worst-case scenario. For example, what would you do if someone launched a disinformation campaign saying you did something unethical in some part of the world?
These kinds of attacks are more common than you might think—so if it happens to you, how will you respond? When do you engage with your executives? When do you get the board involved? What happens when media outlets start to get involved? Who should speak to them, and have those people been trained in how to talk to the media?
Don’t stop there, of course. A big part of your crisis management team exercise is looking at classic attacks, too. Same thing here: what would you do if there was a terrorist attack or a ransomware attack? The idea is to keep going and try to come up with a plan for all the curve balls that might get thrown at you.
#4: Listen for the Uncomfortable Pauses
If you aren’t sure how to get started, then my suggestion is to start by bringing your team together and brainstorming. Read through the news and then talk about how you could respond if something you read about happens to your company.
It comes down to asking yourselves the tough questions. Where are the uncomfortable pauses, when you and your team don’t know the answers to the questions? What are the unpleasant things that keep you awake at night, hoping that they never happen? Bring those things up and out into the open, then spend time teasing out answers until you have a solid response plan.
I like to think of this as the opposite of “slippery slope” thinking. Slippery slope thinking is when you take one step in one direction, and suddenly you have a bunch of problems. This kind of preparation, on the other hand, is great thinking. In other words, this is where the dose makes the poison.
You can manage that dose and thereby avoid the poison by getting clear on your strengths, weaknesses, and opportunities. You can work through potential threats, your organization’s risk tolerance, and your team’s ability to think quickly and respond. Addressing those uncomfortable pauses will help you balance discipline and execution with creative improvisation, which is the key to keeping your digital assets protected.
Build Organizational Resilience
Taking the time to identify all of your digital assets, then thinking about how you would respond to potential threats to them, is the foundation of protecting those assets on a constant basis. Engaging in these exercises regularly (every three to six months) helps you build organizational resilience, and it helps you prepare for problems you haven’t encountered before.
Every team in your organization should engage in these exercises. Multidisciplinary teams that include people from marketing, legal, security, technology, and compliance, for example, are better equipped to come up with a holistic solution to an attack. Together, they can create a playbook for how to respond to each scenario, and the playbook can include who is accountable for each piece.
Of course, there are organizations who specialize in crisis management. They help you think through real-life scenarios they’ve encountered that you may not have thought about. As your organization gets larger and more mature, it may be worth hiring a specialist like this to help you. But, remember, this problem doesn’t just impact large organizations. So start preparing now, so you’re ready to respond when the next attack comes.
—
For more advice on how to protect your company’s digital assets, you can find Cyber War…and Peace on Amazon.
Nick Shevelyov is a specialist in cybersecurity, information technology, data privacy, and risk management with experience in multiple industries—from an engineering to executive and board advisory level. See his LinkedIn profile for career history. A guest speaker at a variety of industry events, Nick has an undergraduate degree in economics, an executive MBA, and CISSP, CIPP, and CISM industry certifications.
