The Network GRC Blog
Risks in the Ether
March 28 2012
Jimmy Lin, VP, Product Management & Corporate Development, The Network
We’ve all seen and heard about “cyber attacks,” companies getting their data systems hacked into or individuals knowingly or unwittingly compromising data security. It’s a real problem that companies must consider in their business plans and activities, from their social media policies to training on protecting a company’s assets to what needs to happen should a data breach occur.
Effectively managing risk in the age of cyber threats is not only a vital part of today’s corporate landscape – it’s also the name of a new white paper from Deloitte. “Risk Intelligent governance in the age of cyber threats” talks about how companies must look at data security from a risk management perspective, in terms of what Deloitte calls “risk intelligence maturity.”
Risks from social media are wide and varied. From an inside-out view, you want to make sure your employees don’t knowingly leak information or disparage your company via a social media outlet. From the outside-in, you also need to apply security measures to prevent loss due to social-engineered cyber attacks by building a strong culture and training on what to look for in social engineered threats.
As the white paper says, “It’s not who gets in but what gets out.” Having a strong cyber security posture that works to prevent unauthorized access isn’t enough anymore. You must also acknowledge that through other methods, such as social engineering, the wrong people can come to have “authorized” access to your data. Your code of conduct, policies and training can help your employees to be on the lookout for signs of unauthorized access as well as attempts to gain “allowed” access to their personal information.
To get to Stage 3 (“Top-down”) on Deloitte’s Cyber Threat Risk Management Maturity scale, tone from the top is essential to communicating the importance of protection via your people. It’s not just relying on technology and processes—your employees and partners have to take an active role as well. Reaching this mid-point on the scale also requires a standardized level of metrics (such as reporting and analytics) and monitoring.
The Risk Ownership section (the functional level) for Stage 3 prescribes consistent and effective enterprise-wide training and communication to all employees. Here, integrated training with policy dissemination gives employees effective examples of social-engineered attacks while describing acceptable use of company and non-company owned technology and software.
Cyber security is more important now than ever before, and something that compliance officers and IT security folks alike must address.