Buying a risky or vulnerable company is avoidable, and what you don't know can hurt you. Even with insurance or financial indemnification, cybersecurity breaches represent significant capital investment and brand risk. Cyber-related compliance requirements are often poorly understood, difficult to detect, introduce reputational risk, and cost time lost with outside auditors.
Incident Response (IR) is the way your team reacts to an occasion of data insecurity. In the least ambiguous sense, an "incident" is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
One of the more difficult and time-consuming projects in info-sec is data classification. It’s especially difficult if you’re on a budget - which every company is. When an organization is fairly new to the security and risk driven mindset and must prioritize their efforts to achieve the most bang for their buck; Data Classification is often near the bottom of the list.
Before a company starts down the path of information security, there’s often a looming feeling that something isn’t right and that the steps to fix it will take effort. I liken it to a messy room that they’ve simply closed the door on, so they can try to forget there is a mess to clean up. Every time they walk by the room, they feel a twinge of embarrassment or a spark of motivation to tackle the problem; however, that emotion lessons every time they walk by until the feeling evaporates. Now the messy room has been “normalized.”
If you’re in the Department of Defense supply chain, you’ve become familiar with DFARS and the corresponding NIST SP 800-171 r1 over the last few years. It is a list of 110 controls that you need to be compliant with in order to continue supplying certain contracts.