As businesses become increasingly digital, the threat of cybersecurity breaches grows.
Companies like Aetna are changing their corporate mindset to include cybersecurity as a business risk, much like the threat of lawsuits or fluctuating currency rates. Cybersecurity has traditionally been treated as an IT problem that must be solved rather than an ongoing risk, according to the Wall Street Journal.
Hartford, Conn.-based Aetna's CISO Jim Routh makes a habit of checking the cybersecurity threats facing the company once per day and evaluating how those threats have changed. He observes changes in Aetna's ecosystem, translates those changes into a daily risk score and provides that score to company executives, according to the report.
Mr. Routh meets with his team every day and discusses new security threats and how Aetna can meet the challenge, maintaining the records on a simple spreadsheet of company security controls. For example, one category on the spreadsheet is called Inside Out Controls, which documents controls for data leaving the company along with behavioral information on Internet use, mobile apps, Secure File Transfer Protocol and email. There are dozens of these controls on Aetna's spreadsheet, according to the report.
After news of major attacks against other companies, Mr. Routh evaluates all the remediation packets he has underway to see if any need prioritization. Most companies do risk evaluations on a quarterly basis, with some doing it monthly; Mr. Routh said he was not aware of any other companies doing it daily, according to the report.
Not every company has the staff or resources to do an evaluation every day, Mr. Routh said. Most of Aetna's security controls have to do with good maintenance, but those basics do not address emerging technology and new threats. Companies should look at the basics of cybersecurity more frequently, such as deploying intrusion prevention systems, antivirus software and firewalls, he said.