Senior Consultant, Information Security Services, United States
Recently, a cyber attack group turned heads across the industrial world. Instead of simply attacking a company with ransomware, the outfit reportedly notified the SEC that the victim had failed to report the incident in a timely fashion. With news headlines focusing a lot of attention on the SEC tightening its discipline, this tactic was clever, timely, and damaging.
In addition to revealing a new way in which attackers can bring companies to their knees, this event also reiterated the need not just for cybersecurity best practices to help prevent attacks, but also for cybersecurity insurance to help cover incidents that go beyond the control of the victimized organization. These days, cybersecurity incidents need to be confronted with a pincer movement rather than concentration on a single tactic: on one side is prevention, and on the other side is protection.
Depending on which industry you are in, there are plenty of cybersecurity standards and frameworks to use to help protect your organization. Among these are:
- ISO 27001, an international standard for information security management systems
- HIPAA, which has facets pertaining to cybersecurity in the healthcare industry
- NIST SP 800-171, which defense contractors in many cases need to adhere to
You can also use the NIST Cybersecurity Framework (NIST CSF) to establish a baseline of cybersecurity best practices and an incident response plan.
Whether or not there are mandatory guidelines in your industry at this time, it is a good idea to invest the time and training in a layer of defense. It is clear that cyber attackers are out there and are able to infiltrate companies large or small. While not every attack will be successfully prevented, using preventative best practices can at least allow for a faster recovery and less damage overall.
Working on preventing a cyber event does not, by itself, assist in the recovery effort should an incident occur. Think of cybersecurity insurance as the armor that protects your company while you battle to build your defenses. As has been discussed previously on this website, there are numerous benefits to investing in cybersecurity insurance. The primary advantage, however, is that it adds a layer of support and coverage that can serve an organization while it is working to strengthen its cybersecurity ecosystem.
There is one final reason to invest in cybersecurity insurance while working on prevention: the two tactics are no longer mutually exclusive. Many cybersecurity insurance application forms require numerous controls that align closely with standards like the NIST CSF and even ISO 27001. Working closely with an outside consultant can help you accomplish both prevention and coverage goals simultaneously. By meeting the insurance company's requirements in order to obtain coverage, your organization could also, without much additional work, achieve ISO certification or compliance with a standard like NIST SP 800-171.
Companies are coming to terms with the fact that regardless of size, cybersecurity threats are becoming more sophisticated and harder to prevent. By focusing on prevention together with coverage, the impact of an attack can be limited and recovery can be achieved faster and more effectively.
Contact us if you would like to review your organization’s current cybersecurity ecosystem to see what would be the best next step for your cyber protection.