What Department Owns the Digital Risk Monitoring Program?

A digital risk monitoring program (DRM) is a new concept in the security and risk world. Digital risk monitoring is the process of monitoring social media and digital channels for security threats and business risks such as social engineering, external fraud, data loss, insider threat and reputation-based attacks.

Forrester recently published the Digital Risk Monitoring Wave report, naming ZeroFox a Leader and Top-Ranked in Strategy. Get your complimentary copy here.

Forrester analyst Nick Hayes, in the Digital Risk Monitoring, Wave Q3 2016 report, outlines three broad categories of digital risk. Categories include:

• Physical; including violence, insider threats, threats against people, threats against infrastructure
• Cyber; including phishing, malware, data loss
• Brand; including impersonations, slander and scams

ZeroFox breaks out a fourth category as well; risks to revenue. In this category, we consider piracy, counterfeit goods, financial scams targeting customers, etc. Risks, of course, can overlap. Compliance is one such risk than can have consequences for both revenue and brand.

Do I Need a Digital Risk Monitoring Program?

The short answer? Yes.

Almost every modern organization is at risk on digital channels, regardless of whether or not you own accounts related to your brand on each channel. In fact, brands that are inactive on social media and digital channels are easier to exploit: they don’t have a genuine presence to compete against and the attacker can rest assured that no one from the organization will find out what they are doing. Small and medium sized businesses are targeted for the same reasons.

Certain industries, however, have different types of risk with varying consequences. A few examples:

• Phishing and other cyber attacks: FinServe, Technology, Healthcare, Media, Retail, any company with sensitive data
• Customer scams: Technology (fake customer support), Media, Retail (fake coupons), FinServe (financial scams)
• Piracy: Media
• Counterfeit goods: Retail, Technology
• Compliance violations: Any highly-regulated industry, including FinServe, Law, and Healthcare
• Account hijacking: Highly active accounts, or accounts with large number of followers (Media, news outlets, celebrities, executives, VIPs)
• Physical threats: Large organizations, organizations who host or cover events (Media), controversial companies, companies with large amounts of sensitive data (Healthcare, FinServe)

Organizations' needs vary greatly based on their size, industry and the nature of their business. When DRM customers were asked what a digital risk monitoring program is to them and what are the most pressing issues, respondents listed “Monitor for brand and reputational and digital risk,” “Take down impersonating or fraudulent social accounts, apps, websites, etc,” and “Monitor for cyber risks” as the three most important capabilities for a DRM solution.

Who Owns a Digital Risk Monitoring Program?

Digital risks affect a variety of departments across the organization. Because the use cases vary as well, there is a wide scope of potential stakeholders in a digital risk monitoring program.

As such, the most successful digital risk departments that ZeroFox interacts with do a phenomenal job of getting the right stakeholders to the table. In almost every case, this involves infosec, risk and marketing, and, depending on the industry and use case, fraud, corporate security, compliance, and legal. The department running the digital risk monitoring program is general security and risk, although a team like fraud can be highly involved in the right circumstances.

These teams are sometimes amalgamated from existing people and departments. However, the most successful digital risk monitoring program will be led by a dedicated Digital Risk Officer. The Digital Risk Officer might be a one person show or they may boast a team of 50+ employees. It all depends on the priorities of the organization.

Any department can initiate or own a digital risk monitoring program. We have marketing customers who have seen risks and taken a proactive step at remediating them before they become a full fledge security concern. We have corporate security clients working with legal teams to protect executives from physical risk and compliance violations. We have security teams who bring marketing to the table to discuss security. We have fraud teams at FinServe organizations that take the charge, identifying scams & fraudulent activity. The work they do has spillover benefits for all others involved, including information security, marketing and corporate security.

The main point is this: a digital risk monitoring program is both mission-critical and difficult to do effectively. Depending on the industry and size of the company, the digital risk monitoring program will consider different use cases and involve different stakeholders.

So what matters most to your organization? What risks have you already seen? What risks are you missing as you read this? The very fact that you’re reading this post means you’re considering a digital risk monitoring program at your organization. The time has never been better to initiate the conversation and start protecting your business.

ZeroFox Digital Risk Monitoring Program Best Practices:

• Create a digital risk task force that spans departments. Either create a full FTE to manage the program or tap a security or risk executive.
• Map the digital landscape and identify top assets in need of protections and potential vulnerabilities
• Investigate risks impacting your organization and triage potential threats
• Invest in an automated DRM solution, like ZeroFox
• Meet regularly, we recommend to our customers at least once per week, and track key metrics around risk and reassess priorities and initiatives
• Educate employees on how to stay safe and compliance on social media and digital channels.

To learn more about digital risk monitoring or establishing a digital risk monitoring program at your organization, reach out a ZeroFox expert or get a demo or our product.