As organizations assess whether their information security program will overcome the 2020 threat landscape, we often hear a lot of confusion and frustration about frameworks modifying their requirements, the cost of audits rising, the cost of pen tests rising, scopes getting larger, and testing being more difficult. There’s a reason for this – the threats are advancing. Your data and systems need more protection than they did in 2019 or 2018. When pricing, scope, or frequency of testing increases, here’s what we’re really asking you: Don’t you want more protection in 2020 than you had in 2019?
Annual Checklist for Your Information Security Program
What are you going to do about the threats coming in 2020? How are you going to modify your information security and cybersecurity efforts to adapt to new requirements? Here are a few areas to consider as we head into a new year.
Risk Assessment
When was the last time you performed a risk assessment? Do you have your next one scheduled? A formal risk assessment should be conducted every year, and again after any significant change in your organization. A risk assessment is a proactive way for organizations to identify and evaluate organizational risk, getting ahead of the threats for 2020.
Incident Response Plan
IBM reports that organizations whose incident response teams extensively test their incident response plan save an average of $1.23 million when a data breach does occur. Testing is crucial to the success of an incident response plan and can be done through tabletop exercises or simulations. Have you tested your incident response plan within the last year?
Business Continuity Plan
Just like incident response plans, business continuity plans must be tested to ensure they actually work. There’s no telling how extreme a disaster will be, so practicing different scenarios on a regular basis should be a top priority each year – especially if you operate in areas prone to natural disasters.
Policy Review and Acknowledgement
Because of the number of policies your organization must maintain and their importance not only day-to-day but also during an audit, your policies and employee handbook should be reviewed and updated annually. After those updates, you should require employee acknowledgement to ensure that all changes are communicated to your personnel.
Security Awareness Training
It’s hard to admit, but employees are the weakest link when it comes to information security and privacy – no matter what department they are in or how high they are on the org chart. How will you hold them accountable if you don’t require annual security awareness training? At a minimum, this training should cover what they encounter on a day-to-day basis: weak passwords, what a phishing email looks like, social engineering examples, and physical security policies.
Security Automation Tools
According to IBM, organizations that do not use security automation tools experienced data breach costs 95% higher, on average, than organizations that do. What security automation tools would be a valuable investment for your organization? With all the new technology available to identify and contain an attack, it’s worth a conversation about which tools could be valuable for your organization.
Penetration Testing
Do you need to change what type of pen testing you receive, how frequently you do it, or who performs the testing? Do your compliance obligations require a more frequent pen testing schedule? Investing in pen testing is one way to show clients, prospects, and competitors that you are willing to take every step necessary to safeguard the data that has been entrusted to you. At KirkpatrickPrice, we offer seven different types of advanced pen tests as well as code review and social engineering.
Information Security or Privacy Audits
Do any of your upcoming deals rely on a SOC 2 report? Have you taken on new clients that require HIPAA compliance from you? Are your competitors going through privacy audits? These are all things to consider as you plan how your information security program needs to adapt. The benefit of using our Online Audit Manager is that it can gauge how much crossover there is between specific audits so you know how much additional effort a second, third, or fourth audit would require from your team.
The global average cost of a data breach in 2019 landed at $3.9 million, with an average breach size of 25,575 records. In 2020, we expect to see that cost rise just as it has year after year. Do you want to fall victim to the financial and reputational damage caused by new threats, hackers, malicious insiders, and internal weaknesses this year? Performing an annual risk assessment, updating and testing your incident response and business continuity plans, reviewing your policies, requiring security awareness training, and determining which tools, pen tests, and audits you need will help defend your organization. Let’s work together to create the best information security program for your organization.