As more hacks, more attacks, more disruption, and more uncertainty take hold of the world, the emerging strategic weapon known as Governance, Risk Management, and Compliance (GRC) is becoming helpful for the good guys. Today, cybersecurity challenges are growing cloudier and more complex by the hour. Simple brute force attacks against individuals and small businesses are increasingly being replaced by sophisticated, financially-oriented ploys targeted at larger companies and organizations. It’s hardly news anymore that hackers have turned to ever more creative cyber attacks targeted against governments, national infrastructures, and even political outcomes. But what you may not know is exactly how GRC is morphing into a strategic weapon to assist in this process, and how it is slated to become a security must.
GRC refers to an organization’s structured approach to governance, risk management, and compliance. Its premise is that if an organization plans carefully enough, works systematically to mitigate risk, and ensures organizational compliance with defined procedures, its exposure to attack should be greatly minimized.
A well-designed GRC strategy has organizational impacts far beyond cybersecurity, but IT departments are increasingly viewing GRC as an important cornerstone of their security efforts. A London-hosted GRC Summit held in mid-November, 2018, focused on the benefits of GRC in the ongoing battle for cybersecurity. Check out these key takeaways:
Cybersecurity: no longer just for IT
The first and most important takeaway is that now, more than ever, it’s absolutely vital for all organizations to clearly recognize cyber attacks as an ongoing and critical threat to their success—and even their existence. Cyber hacks have long since passed the level of irritating nuisances and have now cost individuals their livelihoods, companies tens of millions of dollars, and nations fair and honest elections. Given the potential impact, cyber hacking is no longer simply a nuisance to be handed off to IT, but a strategic issue that must be addressed as an enterprise-wide priority from the top down. It’s no longer viable to view cybersecurity as an annoying add-on, deployed on an ad hoc basis in response to specific threats.
The basic tenets of GRC—making a plan, assessing and mitigating risks, and ensuring compliance—must be constantly and intelligently applied throughout organizations to create both the cybersecurity mindset and infrastructure necessary to confront today’s increasingly costly threats.
If it’s connected, it’s hackable
The second major takeaway is that the depth and breadth of targets are expanding at a breathtaking pace. Originally, victims were mostly business and home computers. But today, due to the incredible growth of internet-connected (IoT) devices, the range of vulnerable entry points is growing exponentially as more and more conveniences appear in our lives. These products and services include everything from smartphones, point-of-sale terminals, and ATMs to “smart home” devices like Amazon Echo, doorbells, thermostat controllers, and security cameras. And don’t forget routers, which were targeted earlier this year by Russian agents.
Hackers have attacked public utilities, commercial and military satellites, GPS systems, and even movie producers they don’t like, such as when in 2014 North Korean hackers attacked the network of Sony Films, successfully preventing the release of a film that depicted the assassination of North Korean leader Kim Jong Un. If it’s connected, it’s hackable, making the need for ever-tightening integration of cybersecurity and GRC even more critical in the ongoing battle to defeat cyber terrorism.
Hackers: no longer just misdirected loners and their friends
A final takeaway from the conference is the importance of adapting cybersecurity measures in GRC plans to the changing nature of cyber attackers. Digital crime is morphing from attacks by individuals and small “cyber gangs” to attacks by professional, highly organized criminal organizations and state-sponsored groups such as North Korean, Chinese, and Russian-backed hacking gangs. New avenues of attack are influencing entire nations, and in turn, global politics and economics by spreading false news with targeted disinformation campaigns.
State-sponsored hackers are attacking with increasingly creative and sophisticated weapons. For example, Russian agents recently hacked a Norwegian GPS system to demonstrate displeasure with a NATO-sponsored war game exercise. And it’s suspected that a Chinese-sponsored attack stole secret plans for a U.S. supersonic anti-ship missile among other military hardware designs.
The truth is, these threats will only continue to grow over time. But don’t give up hope. For every new form of attack, the good guys are fighting back, creating effective new methods to not only block, but to search out and defeat threats. Fortunately, GRC is emerging as an increasingly powerful new strategic weapon in this ongoing battle.