Building a House of Bricks: How to Build the Strongest Cyber Security Program

by James L. Ervin Jr.
April 28, 2015
in Risk

In the children’s story “The Three Little Pigs,” the Big Bad Wolf tried a frontal assault by blowing the first two pigs’ houses down. By the end of the story, the pigs had come together and, through the preparation and effort of the third pig in building a house of bricks, taken refuge in the brick house and withstood the Wolf’s attack. In today’s world of a global economy, e-commerce, and technology-driven business, the Big Bad Wolf will not knock on the front door. Instead, the Big Bad Wolf sits at home in its den using a computer to hack the data network and steal customer information, bank accounts, social security numbers, and money. A brick house in today’s business environment is a strong and robust cybersecurity program. From direct deposits and online shopping to phishing and identity theft, the benefits and risks of increasing reliance on electronics and technology add another layer of compliance that businesses, ownership, management, and industries must not only recognize but immediately integrate and sustain for continued success and survival. This is why cybersecurity programs are necessary and invaluable to any company’s success and survival.

Cybersecurity is no longer a concern for just financial institutions, government agencies, or multi-national conglomerates. Any business that uses technology and electronics to engage with its customers and enter the marketplace is subject to attack. Every day, thousands of companies, big and small and across market and industry sectors, are besieged by cybercriminals. By being proactive, committed, and vested in cybersecurity, a company, regardless of size, market, or industry, can prepare, implement, and sustain best practices, policies, and procedures that will help it defend against cyberattacks. Although the list is not exhaustive, and priorities can change depending on risk and exposure, three primary areas a company can start with are active monitoring and assessments, implementation of the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity (CS) Framework, and employee training.

While this article does not cover the full breadth and depth of the elements necessary for a substantive program for addressing and managing cybersecurity risks, the first area that is vital to a cybersecurity program is monitoring and risk assessment. The success of any cybersecurity program can be measured by the risk assessments it performs on an ongoing and active basis. Monitoring and risk assessments should not be limited to the most critical areas of a company; rather, they should be comprehensive, expansive, and used to identify and quantify risk in real-world settings and scenarios. A solid and strong cybersecurity program will have monitoring and risk assessments that cover all systems, sub-systems, devices, assets, and the workforce to determine what vulnerabilities are present. This tool is important for any business because it leads to the discovery and analysis of cybersecurity weaknesses. Further, through monitoring and risk assessments, an organization can evaluate and emphasize the potential consequences it faces. This adds a further layer of mitigation and protection against a potential cybersecurity attack.

The second critical area for addressing cybersecurity is following and implementing the NIST CS Framework. The CS Framework is the result of a February 2013 Executive Order signed by President Obama titled “Improving Critical Infrastructure Cybersecurity,” as well as a nearly year-long effort involving input from thousands of security professionals from the public and private sectors. See Federal Register, Executive Order 13636—Improving Critical Infrastructure Cybersecurity, February 19, 2013 (EO 13636). The CS Framework comprises a risk-based compilation of guidelines that can help organizations, public and private, big and small, identify, implement, and improve cybersecurity practices, and create a common language for internal and external communication of cybersecurity issues. As EO 13636 states, “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Through the creation of the CS Framework, a set of industry standards and best practices has been created. However, these standards and practices are not static. The CS Framework is designed to evolve and adapt to changes and developments in cybersecurity threats, technology, processes, and advances.

Applying the CS Framework to a business places the responsibility on the business to lead and guide cybersecurity activities and risk management as part of its compliance practices and risk management processes. The CS Framework consists of three parts: (1) the CS Framework Core; (2) the CS Framework Profile; and (3) the CS Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references common across critical infrastructure sectors, and provides detailed guidance for developing individual organizational Profiles. The use of CS Framework Profiles helps a business align its cybersecurity activities with its business requirements, risk tolerances, and resources. The CS Framework Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. Pursuant to EO 13636, a business’s CS Framework must include a methodology to protect individual privacy and civil liberties as part of its overall program.

Once the CS Framework is established, its core Functions are five-fold: (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover. These five functions establish what a CS Framework must and should be doing and achieving. It is important to note, however, that the five functions are not static; rather, they are the pathway to continued compliance, implementation of best practices, and an ongoing culture focused on cybersecurity.

For any business, the ability to identify cybersecurity risks is imperative to proper and effective use of the CS Framework. An organization must identify not only risks, but also its own business processes, market and industry changes, resources (e.g., economic, human capital), and organizational commitment (e.g., culture). The protect function mandates the development and implementation of appropriate safeguards to ensure delivery of critical infrastructure services. By protecting itself, a business gains the ability to minimize, withstand, and contain the impact of potential cybersecurity attacks, breaches, and other cybercrimes. The detect function requires the development and implementation of appropriate, ongoing processes, procedures, and internal controls that identify an event in a timely manner. The detect function is not simply about a major event; rather, attention is given to anomalies, glitches, and minor events as well as significant breaches. The respond function can mean the difference of millions of dollars in lost data, information, and assets, as well as the simple survival of the business. A company must develop and implement appropriate response procedures and protocols in order to address a cybersecurity event. The recover function requires the development and implementation of actions to maintain plans for continued operation and restoration of any services that may have been impaired, interrupted, or affected by a cybersecurity event. A proper recovery achieves a return to normal operations as soon as possible, which means not merely being functional, but returning to where the business was prior to the event. These five functions are the goals of an effective cybersecurity program.

Whether it is knowing which emails to open, which websites to avoid, or which documents are appropriate to download, employees have to make daily and often time-critical decisions that directly impact the company. As a result, employee training is crucial for a company to address and implement its cybersecurity program. While it is not an easy task, a delicate balance must be struck between creating a secure environment and permitting employees a level of freedom and responsibility to perform their jobs. Employees must understand their importance to an effective cybersecurity program and to the company’s overall security. Therefore, employees must know what to look for, how to respond, and how to stay aware of potential risks. Ongoing training can help keep employees on top of the types of threats the company may be facing and the red flags they can look for throughout their day-to-day activities. Training should include all levels of an organization, including, but not limited to, ownership, executives, managers, employees, and agents or third-party representatives. All parts of a company’s workforce (top to bottom) must participate in and continue training.

With a consumer base increasingly reliant upon technology to aid in its acquisition of goods or services, whether financial, retail, or industrial, it is incumbent upon companies that use technology to interact with their customers, or simply to conduct business, to commit to implementing and sustaining cybersecurity policies, procedures, and best practices. Moreover, addressing the constant threat of cyber liability from data breaches, identity theft, or other cybercrimes must be a top priority of any business, owner, executive, manager, and employee. Without an active cybersecurity program, the Big Bad Wolf will not have to huff and puff; it can simply push a button and blow your house down.

About the author: James L. Ervin, Jr. is a Partner at Roetzel & Andress, where he focuses his practice on regulatory enforcement, white-collar criminal defense, business litigation and public law. Much of his legal work is centered on the Foreign Corrupt Practices Act, the False Claims Act, the UK Bribery Act and other anti-corruption laws both in the United States and abroad. Mr. Ervin has worked with clients to develop, train and implement policies, procedures and protocols related to corporate compliance practices and has also represented numerous clients in federal and state healthcare and fraud related matters. Mr. Ervin earned his law degree from Capital University Law School and his undergraduate degree from The University of Arizona. He can be reached at jervin@ralaw.com or 614-723-2081.