As mentioned in the first installment of this blog series, cyber risk management has become a mission-critical activity for the long-term viability of any organization. It should be driven by leadership and involve every technology user. But building and implementing a cybersecurity risk management plan is often challenging for non-technical executives. To help, in our last post we identified five common, proven workplace safety culture strategies that most organizations are already familiar with and can apply to their cybersecurity risk management plan. Here are four more proven best practices.
1. Workplace Safety Culture Strategy: Near-miss Investigations
Best-in-class risk and safety management efforts include an analysis of all near-miss incidents. If an employee was almost hit by a falling object, that incident should be investigated as thoroughly as if the employee had actually been injured. This uncovers the root cause and lets corrective actions be taken. The lesson learned should then be shared company-wide so that a repeat incident is avoided BEFORE it results in a large loss.
Cybersecurity Risk Management Plan: Ongoing Preventive Cybersecurity Awareness Efforts
With the increasing number of cybersecurity threats, most businesses have already experienced some type of event that could have resulted in a cybersecurity failure: a phishing email that was reported rather than clicked, a suspicious wire-transfer request that was questioned, a misdirected attachment that was caught before it left the building. In some cases a cyber-savvy employee was the hero; in others, it was pure luck that a major failure was avoided. Treat these near misses the way a safety program treats a dropped tool: record them, find out why the control almost failed, and share the lessons learned with your employees. That sharing helps them develop a heightened awareness and an understanding of how to protect the organization from cyber incidents during their daily activities.
2. Workplace Safety Culture Strategy: Post-Incident Investigation
When an injury or accident does occur, a root-cause incident investigation should be conducted that analyzes the chain of events. It often uncovers several issues that cumulatively caused the accident. With this information in hand, you can prevent the incident from recurring by implementing corrective actions for every contributing factor, not just the most visible one.
Cybersecurity Risk Management Plan: Incident Response Planning – Lessons Learned
Every organization should have a documented Incident Response Plan (IRP) that provides guidance during a privacy event or cyber incident. I highly recommend developing your IRP in close coordination with legal counsel experienced in cybersecurity, data and privacy laws and regulations. A good plan typically includes a section dedicated to Lessons Learned, as well as the other critical elements: incident response team roles and responsibilities, detection, incident assessment, communications strategy, and recovery.
The Lessons Learned section helps the organization look back at an incident and determine what happened, how it happened, how the organization was impacted, and what could be done to prevent a similar incident. As with a safety investigation, the goal is to find the contributing factors, not to assign blame; a lessons-learned review that people fear will be used against them produces incomplete answers. Each corrective action should have an owner and a due date so it is actually tracked to completion. Share the information gathered post-incident and the resulting corrective actions with leadership, and discuss these cases during your regular employee cybersecurity awareness trainings. Case studies of actual incidents can even be included in the organization's IRP as playbooks to help the organization respond quickly to similar events in the future.
3. Workplace Safety Culture Strategy: Create a Safety Committee
An effective safety committee allows input from stakeholders at all levels of the company, including vendors and subcontractors. These meetings are an opportunity to gather feedback and implement preventive measures. An effective committee also improves communication and the understanding of expectations. As needed, sub-committees can be formed to work on specific projects (e.g., ergonomics, fleet safety).
Cybersecurity Risk Management Plan: Identify Cyber Champions
Cyber champions are individuals from each business unit who help spread and reinforce the organization's cyber risk management philosophy from the bottom up. They can be the same people serving on the cybersecurity policy development team or different individuals serving as an extension of that team. Cyber champions should be included in cyber risk management briefings and should meet as a group on a regular basis. Their responsibilities should be clearly defined, and everyone in the organization should know who serves in this role, so that a near miss or a suspicious email has an obvious, approachable person to report it to.
4. Workplace Safety Culture Strategy: Site Surveys/Audits
The old adage "Trust, but verify" is appropriate here. Site surveys and audits allow you to verify that the processes you have in place are actually being followed and are effective. As you identify weaknesses, you can implement corrective actions.
Cybersecurity Risk Management Plan: Cyber Risk Review, Assessments and Vulnerability Scanning
An important step in improving a cybersecurity risk management plan is to identify the essential technology and digital assets that need to be protected, and the business implications if a critical asset is exposed, damaged or disrupted. As part of this step, most organizations should conduct:
- A high-level risk review, which helps key stakeholders begin to build a cyber risk profile for the organization and focus on the possible business impacts.
- Cyber risk assessments, which take a deeper and more thorough dive into the cyber risk management capabilities and exposures of an organization to help identify possible weaknesses and provide more complete information about where improvements should be made.
- Vulnerability scans, which automate the search for known weaknesses in technology (missing patches, insecure configurations, exposed services) before a malicious actor finds them. A scan is only as useful as the follow-up: the findings need to be prioritized, assigned and re-scanned to confirm they were fixed, and scanners do not catch flaws in business processes or custom application logic, which is what the deeper assessments are for.
These reviews, assessments, and scans should be conducted on a regular basis to help your organization improve its cyber risk management activities. Many of these practices are becoming more common because they are required by regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500), the Payment Card Industry Data Security Standard (PCI DSS), and others.
If you need any assistance with building and implementing a cybersecurity risk management plan, contact jnapp@psafinancial.com. For questions related to employee safety, contact spomponi@psafinancial.com.