When a data breach or other form of cyber attack occurs, many organizations (including nonprofits and social enterprises) have difficulty moving from detecting a threat to responding before that threat disrupts the business. But minimizing that time can be critical, and as my conversation with Joe Rogalski of eSentire reveals, there are many strategies that nonprofits and social enterprise organizations can execute to minimize those threats that go beyond mere prevention.
To paraphrase Joe Rogalski's statements in his Cyber Security Chicago presentation around Minimizing The Detection to Recovery Time Frame, "Prevention is futile unless it's tied to detection and response capability."
As part of the service it offers to midsized clients, eSentire provides monitoring, detection, and response to cyber attacks on various organizations, including a small number of nonprofits and professional associations. Actively watching and monitoring networks, eSentire looks for events and endpoints that lie outside the norm. (Joe Rogalski referred to a "dirty dozen" of potential cyber attack incidents, which include malware attacks, lost or stolen devices, and internal & external data extrusion.) According to Joe Rogalski, many cyber attacks happen in the context of a "perfect storm" of conditions...
...And these conditions can result in disrupting an organization's business processes. Upon experiencing a cyber attack, an organization's response moves from shock and denial to depression and anger. Then arises a period of "blamestorming" and scapegoating, which is then followed by administrative issues like insurance claims and litigation. With more organizations being the target of cyber attacks (an estimated five to seven cyber attacks occur every day), it is imperative that organizations adopt consistent policies and procedures to ensure a relatively smooth response after such an attack.
The other reason for adopting a consistent response policy is that cyber attacks can have a negative financial impact on an organization. A compromised user account, for example, can result in a $750 loss for a company. Compromise an organization's business system, and that impact rises to $25,000. An all-out data breach on a mid-sized company can result in a $122,000 loss. (You can find impact data on specific fields as well as general information via eSentire's Resource page.) Businesses could experience a total loss of approximately $500,000 as a result of a coordinated cyberattack. But as stated previously, prevention alone will not suffice.
But how can organizations minimize the risk, and ensure a relatively smooth transition from detection to response? During our conversation, Joe Rogalski outlined some basic principles and strategies that any organization can adopt:
- Executives must understand the importance of privacy and cybersecurity in their organization, as organizational leadership plays a key role in driving these policies (and may potentially be liable when a breach occurs);
- Conducting regular risk assessments and tabletop scenarios to determine and articulate what strategies are needed (and what will occur through inaction);
- Software patch management is also critical, as keeping software and network tools updated can often assist organizations in recovery from data breaches; and
- For nonprofits and social enterprise organizations, data breaches and other cyber attacks can have an adverse impact not only on their financial status but also on their reputation.
We will conclude our coverage of Cyber Security Chicago with a more global discussion of cybersecurity issues with Colin McKinty of BAE Systems. Please feel free to join the conversation on our Facebook page or in the section below. If you want to e-mail me directly, please use my contact form.
And see you tomorrow!