Pratum Blog

Image of Pratum's vCISO Jeff Hudgens with overlaid quote

If you could put a CISO on your team for one week, where would they set your cybersecurity priorities? Pratum’s Jeff Hudgens gave his answer on a recent cybersecurity panel hosted by Iowa’s Secretary of State. Jeff, an experienced cybersecurity pro now serving clients as a Pratum vCISO, framed the advice he gives clients into two categories:

  • 4 first steps for setting your information security strategy
  • 5 areas to guide your cybersecurity priorities

4 First Steps in Cybersecurity Strategy

If Jeff were starting his own company today, he’d start setting cybersecurity priorities with these four fundamental steps:

1. Develop A Committed Mindset

Too often, Jeff sees organizations fumble the follow-through on their public statements about cybersecurity. Social engineering training provides a common example. “Leadership sets the tone,” Jeff says. “The C-suite can’t be exempt from testing or skip the training.”

Leaders also must commit to taking security frameworks seriously, which means choosing the framework that actually fits your business. “Controls are there because they’re right for your business, not just because they’re something you do to simply check a box. Make sure the controls you select are reasonable for what you do.”

2. Understand ALL of Your Assets

“Most people focus conversations around data, which is a key piece. But think about the systems the data is on.” Jeff frequently hears clients talking about protecting their data, but they balk at spending money to update the 8-year-old servers the data sits on. “You’re kind of stuck on what you can do with that,” Jeff says, “and you’ll introduce vulnerabilities around that.”

Staff time represents another asset to manage carefully. Jeff points to the example of a CIO who is personally making changes in Active Directory, which means the CIO ISN’T thinking about strategic direction. It makes business sense to invest in some entry-level help to free up leaders to lead the organization.

3. Let Your Actual Risks Drive Your Investments

“You have a limited budget for IT and security,” Jeff says. “If you’re not doing risk assessments and keeping a risk register, then you’re not using facts to drive your program and where you put your effort.” Make sure your program for identifying and ranking risks is driving your decisions.

4. Focus on Progress, Not Perfection

Set manageable goals. “I see a lot of organizations try to pack five years worth of work into a year and a half, and that just stresses the team,” Jeff says. He recommends turning a large portfolio of risks into ranked priorities that you can tackle and cross off the list. “Let’s just move the ball down the field rather than trying to score a touchdown.”

How to Set Cybersecurity Priorities

With the right first steps, you can turn to five areas that Jeff recommends as a focus for your limited resources.

1. Assess and Measure Risks

Start with a comprehensive information security risk assessment, which forms the cornerstone for your entire security program. During a risk assessment, an experienced consultant takes a deep dive into every corner of your information security approach, including written policies, software updates, employee habits and more.

Along with that risk assessment (which many companies conduct annually in order to keep up with changes in the organization), be sure to include ongoing vulnerability scanning and recurring pen tests in your plan. “Many people don’t put vuln scans and pen tests in the budget,” Jeff says. “But they provide some of the best returns on investment.” Vuln scanning provides automated recon that spots known vulnerabilities in your system. In a pen test, an ethical hacker acts like a threat actor and tests your defenses. Whether the test goes after your internal or external infrastructure, Jeff says you’ll get the most actionable information possible about your security posture.

He also recommends creating key metrics for measuring performance and potential risks over time, providing important benchmarks of your progress. (That kind of data is critical to securing ongoing budget for these tests.)

2. Develop High-Quality Policies and Plans

Many organizations lack written information security policies. And many policies are written in ways that are unenforceable. Jeff advises dedicating real thought to these key documents. “Think carefully about your policies. Make sure you cover what you want to cover. Make sure they’re actionable, but keep them reasonable and don’t let them get draconian.”

Jeff puts an especially heavy emphasis on developing a thorough incident response plan. “If I were focusing on one key piece, it would be an incident response plan.” A recent IBM study showed that companies that keep a written incident response plan and test it regularly reduced the cost of a data breach by an average of 55%.

3. Implement End-User Awareness and Training

Improving every employee’s security awareness clearly pays off, considering that about 80% of all data breaches involve some kind of social engineering. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work. Jeff emphasizes that organizational leaders should stop thinking of end users as the weak link in security programs and start enlisting them as frontline defenders.

4. Invest in Alerting and Monitoring

“If you can’t see it happening in your system, you can’t fix it,” Jeff says. That’s why he considers a monitoring solution such as SIEM essential—and a next-gen protection platform such as managed XDR even better. IBM’s study showed that organizations that had security AI and automation in place spend 80% less handling a breach.

5. Set Up Third-Party Vendor Management

Supply chain attacks have been growing exponentially for months. In attacks like the famous Kaseya breach of 2021, hackers slip malware into a supplier’s system, then let it quickly cascade out to all of their partners. And Jeff notes that small businesses shouldn’t count on their obscurity to protect them. Hackers often use small companies as their entry point into the larger companies that they serve through the supply chain.

To learn how Jeff or another Pratum vCISO can help set up your specific cybersecurity strategy, visit our vCISO service page.

Image: IBM Cost of a Data Breach Report 2021, covering 500+ data breaches studied worldwide

IBM recently released the 2021 Cost of a Data Breach Report, its annual deep dive into data breach costs, as reported by 500+ companies worldwide.

The report delivers a goldmine of data, but the numbers are so big that you could be tempted to ignore them. At $4 million-and-change, the global average data breach cost doesn’t translate well if your entire annual revenue is a fraction of that number. But the report offers a lot more than worldwide averages skewed by enterprise-level breaches. To help you find real-world ways to reduce data breach costs, we combed the data for underlying causes that point to top takeaways for organizations of any size.

Read on for our top insights from the 17th version of Big Blue’s much-anticipated yearly benchmark.

Top Trends in Data Breach Costs

  • Breaches got 10% more expensive this year – That’s the largest cost jump in the last seven years of IBM studies. But that doesn’t mean everyone suffers equally when hackers strike. As described below in the list of best practices, several widely recommended cybersecurity tools make an enormous difference. For example, organizations using advanced security such as artificial intelligence and zero-trust policies saw dramatically lower costs.
  • Ransomware attacks will cost you the most (even without the ransom) – It’s not just frequency that makes ransomware so concerning. When these attacks happen, their tab runs 9% more than other data breaches, without even counting the cost of a ransom. In fact, an actual ransom payment (which we don’t recommend paying) is usually one of the cheaper line items in the cost of an attack. Make sure your ransomware defense plan is up to par.
  • Lost business devastates your bottom line – In the breakdown of a breach’s total cost, 38% comes from factors such as losing customers, enduring system downtime and acquiring new customers to replace those who lost faith in you. That’s more than the straightforward cost of detection and escalation (29% of the total). And the impact of lost business will haunt you for months, and possibly even years, to come. So when you’re considering the ROI of a cybersecurity investment, the analysis should include far more than the simple cost of restoring data.
  • Customer information is the costliest loss – Many companies think mostly in terms of losing their intellectual property, which is undoubtedly damaging. But, on average, it costs you more when hackers get access to PII (personally identifiable information), with a price of $180 per record. Depending on your organization’s size and industry, breached PII could require you to make costly public notifications to everyone involved.

Notable Risk Factors

  • Remote workers increase exposure – You’ve been hearing since the pandemic began that a remote workforce greatly expands your attack surface and puts your data onto innumerable non-company devices. This year’s report has the data to back that up. Companies that had more than 50% of their employees working remotely took almost two months longer to identify and contain breaches. And breaches cost significantly more to fix when remote workers were involved.
  • Smaller organizations still have big risks – Twenty-five percent of the companies in the study had fewer than 1,000 employees. The total cost of a breach for those organizations was $2.98 million, up from $2.35 million last year.
  • Hackers lurk in your system a long time – It now takes an average of 212 days to identify a breach and another 75 to contain it. That cycle is a full week longer than in last year’s study. Translation: If you discover a breach in mid-October, it means, on average, that the hackers have been in your system since January 1.

How You Can Be More Secure

  • Protect those credentials – Compromised credentials (your username/password falling into the hands of a malicious actor) accounted for 20% of all breaches. That points to training your team better on spotting phishing attempts, not sharing login credentials with others, etc.
  • Use AI and security automation – Because hackers usually get months to explore your system before you spot them, there’s a clear need for next-gen detection and response tools such as managed XDR, which leverage AI and machine learning to spot and shut down suspicious activity far more quickly. IBM’s study found that organizations that had security AI and automation in place spend 80% less handling a breach. That makes AI/automation deployment the single most effective tool for cutting costs in this year’s survey.
  • Incident response plans pay off—significantly – Organizations with a written incident response plan and a process for regularly testing it reduced the cost of a breach by an average of 55%. This blog explains how to get started on your IR plan.
  • Zero-trust architecture works – Only 35% of the organizations in the study have deployed zero-trust in any form. But those with mature zero-trust implementations dropped their breach costs by 42%. Even an early stage zero-trust rollout cut costs by 13%.

If you’re ready to explore how the solutions identified here can protect your data—and your bottom line—contact Pratum today for a free consultation.

Whether you’re answering a steady stream of cybersecurity questions or asking your own suppliers to answer them, these documents have probably become a significant part of your job in the last year. The recent flood of cyber attacks has motivated most organizations to elevate third-party risk management to a top priority in 2021.

But even if the concept just appeared on many radar screens, it’s not a new issue. Every business of the past had to decide whether critical partners (from those supplying raw materials to those delivering finished goods) could reliably fulfill their contracts and protect what was entrusted to them. But the challenge has grown massively more complex with increasing integration and sharing of critical data. Government regulations raise the bar even more with breach notification laws and other rules that can make a vendor’s security problem a legal liability for everyone in the chain.

So proactive companies are quickly spinning up ways to get proof that every partner handles data securely. At this year’s Secure Iowa Conference, Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association reviewed the latest best practices in this quickly developing area. This post highlights top takeaways from her talk.

Julie Gaiaschi, CEO & Co-Founder, Third Party Risk Association

Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 14 years of technology and information security risk experience, with the last 10 years specializing in third party risk. In her role as CEO, she provides strategic direction for the non-profit, whose mission is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs.

Prior to co-founding the TPRA, Julie consulted on third party risk for a large bank. She also developed and led a large health payer organization’s Third Party Security program. There, she established and executed the third party risk assessment process, which included integration into the Procurement process. Prior to her role as the leader over Third Party Security, Julie was a Senior IT Auditor.

Forces Driving Change in Third-Party Risk Management

Julie highlighted several areas demanding fresh thinking about managing risk:

  • Increasingly complex threats – Everyone knows breaches are up dramatically this year, and many of the attacks are coming through third parties via software supply chain attacks such as the Kaseya breach in July 2021. That means your vendors’ security policies are, to a large extent, becoming your problem to manage.
  • Expanded reliance on third parties – It’s tempting to think that sending your data to a cloud vendor ensures someone else will take care of security for you. But Julie notes that, “Your cloud partner may provide the controls, but it’s up to you to turn those controls on properly.” Many businesses are also seeing increased exposure from heavy use of e-commerce shopping carts and payment processing.
  • New momentum for digital transformation projects – New tools such as smart predictive analysis, AI, and business process reengineering all enhance operations, but they also present a fresh set of risks to manage.
  • Additional regulatory scrutiny – State and federal laws continue to ramp up requirements for managing security and reporting breaches.

Best Practices to Remember

To effectively keep up with these changes, Julie recommends a third-party risk management program built on these five elements:

Third Party Risk Management Program Elements

As she walked through each of these core areas, Julie provided the following tips:

  • Look for hidden contracts at your company – Compiling a list of your existing contracts can be a tall order, especially since there are probably many you won’t even think of. Julie says, “When you go through the contract review stage, you may realize you have people in your organization that are clicking buttons as they do their work, which means they are often entering into contracts and don’t even know it.”
  • Visit your vendors – When you’re reviewing the security posture of key suppliers, take time to go see them. On-site visits provide essential insight into how your vendors are actually implementing what they wrote on paper. Plus, personal visits build relationships that will make your partners more inclined to spend time providing detailed answers to your questions in the future.
  • Get a voice in the contract review process – “You need a seat at the table with the team that drafts and reviews contracts,” Julie says. “You need to know the kinds of controls that need to be put into contracts, and you can suggest the kinds of alternative controls you can use if they don’t agree to your terms.” Someone with an eye for risk management can also help write contracts that include triggers related to changes in a vendor’s situation. If a supplier makes a big change like adding an offshore location, changing owners, changing data handling systems, etc., your contract may need to specify adjustments.
  • Join the business continuity/disaster response team – Your organization’s plans for recovering from data disasters have to account for your third-party relationships. Make a point of building relationships with the BC/DR crowd so that you can have a say in what goes into the plans.
  • Check the exact scope of reports you receive – Reports from SOC 2 auditors and penetration testers provide valuable insight into a system’s policies and defenses. But the reports help you only if they cover the areas you’re interested in. Read the scoping information carefully before agreeing that these reports will be sufficient.
  • Don’t overlook disengagement – Unless you want to be held hostage in a contract, you should be planning how to minimize the impact if it makes business sense to part ways with a given partner. Your disengagement plan should address issues such as ensuring all your data is returned or destroyed—and that you can validate that vendors did what they claimed.
  • Show leadership why your work matters – While the value you’re adding each week may be obvious to you, it probably isn’t to leaders who haven’t given this area much thought in the past. “If you’re starting this effort from scratch, you need metrics and reporting that show the value you’re adding,” Julie says. “Make sure they’re appropriate to the audience you’re talking to, whether those are executives, board members or a steering committee.”

You can download a copy of Julie’s full presentation here. You’ll get details such as 13 essential inherent risk questions to ask your vendors.

If you need help reviewing your third-party risk or handling questions from your customers, contact Pratum for a free consultation.