Environmentally friendly. Sustainability. When you hear these words, you start thinking about how they impact oceans, landscapes, and temperatures.
“But wait, I’m a totally clean business. I use solar energy and recycle. What does this have to do with information security?”
Everything. The data you collect and use during daily business operations creates a data environment that mirrors the physical environment. You’re thinking about environment in terms of the physical, now you need to apply that approach to the digital.
Every day, information leaks create “data dumps,” i.e. login and password information leaks on the dark web, that can contaminate your data environment. Protecting yourself, and lowering your cybersecurity insurance premiums means using a security-first compliance approach to create a sustainable security environment.
Two recent studies expose the disconnect between environmental and cybersecurity sustainability. 87% of millennials are willing to adjust purchasing decisions based on a company’s environmental sustainability practices. Meanwhile, another study explains that 51% of millennials suffered photo and data loss from their smartphones while 18% do not use a password to protect their devices. Moreover, the number of passwords used in the workplace keeps increasing, and cyber hygiene remains a problem.
The solution to protecting data lies in creating a sustainable cybersecurity environment, paralleling the environmental sustainability movement, to continuously protect information.
Environmental sustainability focuses on economic, social, and environmental development. By keeping resources from being depleted, we can continue to feed ourselves and expand businesses responsibly.
Sustainable cybersecurity mirrors that in the digital environment. You need to think about your entire data environment the same way you think about the physical environment.
You’re using a recyclable water bottle to prevent non-biodegradable plastics from contaminating landfills. In the same way, you want to protect your data environment from malware, ransomware, and hacker database contamination. Published in 2016, the University of Illinois Law Review article “Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks” explains the important role continuous cybersecurity monitoring plays in creating sustainable cybersecurity. The article argues that, in the same way rivers become unusable from overfishing, an attacker pollutes a data environment by depleting limited bandwidth, whether through spam messages, a distributed denial-of-service (DDoS) attack, or phishing.
In other words, maintaining a sustainable environment - physical and digital - requires leadership proactively monitoring the environment to ensure that resources remain accessible.
Sustainability is expensive. Although increasingly affordable, electric cars still average a higher list price than conventional cars. Although they are considered to have a better overall lifecycle cost efficiency, the initial capital outlay means fewer people buy them. Cybersecurity has the same problem.
Protecting your data environment can be expensive. Creating a continuous monitoring strategy for information security means hiring employees to maintain your vision. Most small and mid-sized businesses struggle to find qualified cybersecurity professionals to protect their data. In fact, the United States currently faces a cybersecurity skills gap crisis. With too few professionals, demand far outpaces supply, which makes hiring skilled cybersecurity professionals expensive. This skills gap prices most small and mid-sized businesses out of finding the right people to protect their data.
However, just like with hybrid cars, you need to think about the life cycle of your continuous monitoring strategy. More and more small and mid-sized businesses risk being breached. You might feel as though hackers would target large businesses because they control a vast amount of data. Unfortunately, while large businesses may make the news more often, small-to-medium sized businesses appeal to malicious actors precisely because they don’t have the money to strengthen their cybersecurity posture.
Small- and mid-sized businesses lose an average of $120,000 per cyber incident. When a small-to-medium sized business experiences a data breach, the continuing costs that occur after the breach can lead to bankruptcy.
In short, the life cycle of a sustainable security program ultimately saves money, similar to buying a hybrid car, despite the initial capital outlay.
A security-first compliance approach begins by focusing on securing your data and then reviewing what additional controls you need to ensure compliance. Using this approach, you’re working towards continuous monitoring, compliance, and audit over your environment to protect data, document that protection, and prove it meets the requirements established in standards and regulations.
For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) focuses on reviewing the risks to your data environment and then suggests controls. The NIST continuous monitoring requirement means you need to be aware of new vulnerabilities, such as ransomware variants or previously unknown vulnerabilities affecting your systems, networks, and software, also called “zero-day” attacks.
More importantly, however, security-first’s continuous monitoring approach allows you to create a corporate culture focused on sustainable security. As hackers continue to evolve their attack methods, you need insight into how to maintain a secure data environment. IT monitoring software gives you, as the leader, insight into security weaknesses and control over protecting your data assets. To enable a sustainable security strategy, you need to deploy continuous monitoring tools that provide insight into the threats facing your information environment. For small- and mid-sized enterprises, automation provides a sustainable security solution.
Environmental protection provides another analogy here as well. In the 1980s, insurance companies found themselves liable for cleanup costs associated with a variety of environmental regulations. From underground water tables to big spills to asbestos, the insurance community struggled to set premiums for many companies. While large companies posed a clear risk, small companies posed a hidden risk. Zero-tolerance regulatory requirements created a strict liability standard where all companies linked to the physical site were 100% liable and had to negotiate amongst themselves to determine the proportion of their liability. Today’s data regulations mimic this zero-tolerance approach. Your entire supply chain, both upstream and downstream, is responsible for a data leak.
But just like with environmental hazards, insurance companies know that larger organizations like credit card companies and healthcare insurance providers have the resources to protect data. Those firms have the resources to enforce a continuous monitoring policy, and historical data exists to help define their potential risk.
Small- and mid-sized businesses do not have the same easy-to-define profile. You’re doing your best to protect your data environment. Your data is just as important to hackers, but your resources are limited. In fact, many small-to-medium sized businesses may think their firewall or encryption protects them but lack the insight needed to maintain secure networks as the corporate technical architecture evolves. Daily, multiple alerts suggest new software or system updates necessary to protect your information, yet triaging the most important ones can become overwhelming. Insurance companies don’t know how to evaluate that risk appropriately, since human error, often the cause of a data breach, is not easily quantifiable.
With the appropriate security-first automation enabling continuous cybersecurity monitoring, you can prove your controls work, even if you can’t afford to hire a cybersecurity professional.
At Zeguro, we value transparency. We know that you are balancing an overwhelming number of tasks and may not have the resources necessary to create a stand-alone cybersecurity department. We also know that corporate responsibility is important to you and your customers. With a sustainable security program underscored by a security-first compliance approach, you can conserve your resources rather than deplete them.
To truly automate your cybersecurity monitoring, check out our risk management platform or contact us at Zeguro to learn more.