[BreachExchange] Why Cybersecurity Should Be Every Company's Priority
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Mar 8 21:17:34 EST 2016
http://www.dailybusinessreview.com/id=1202751650247/Why-Cybersecurity-Should-Be-Every-Companys-Priority?slreturn=20160208164515
Corporations get no rest when it comes to electronic data breach incidents.
In 2014, Russian hackers stole millions of credit card numbers and
customers' personal information from Target Corp. Months later, another
company suffered public embarrassment after the theft and release of
confidential files and employee data. Then last year, a major corporation
faced a record fine after contractors accessed and stole the company's
customer list.
Though the breaches were different, the realities should raise alarms with
any company's chief information officer, CEO and board of directors. One
data breach incident was a long-threatened attack against which the company
apparently had done little to prepare for. At Target, information
technology workers reportedly ignored warnings from the malware detection
software installed to identify and thwart precisely the vulnerability that
led to the data theft.
Reputations were sullied. Investors were riled. Corporate executives and
boards of directors were left to answer hard questions. In some cases, such
breaches result in multimillion-dollar fines.
Whether through maliciousness or apathy, the actions of a few harmed entire
companies.
It's a common refrain among cybersecurity professionals. Two types of
corporate computer networks are used in the market today: Those that have
been compromised, and those that will be. How your company prepares today
for threats or attacks tomorrow could help determine how well the company
survives the event.
To-Do List
What can your company do to improve enterprise risk management, prevent
network breaches or data theft, and stem possible fallout?
• Recognize the ramifications beyond the actual breach. One data security
breach or theft of customer data or proprietary information can cause
widespread damage to a company's reputation and valuation. Some even can be
irreparable. Try telling a client that its confidential data fell into
unknown hands; or millions of customers that they should watch their credit
card statements for fraudulent transactions; or scared investors not to
dump the company stock — or sue the company board for negligence. With this
backdrop, imagine being the CIO or CEO facing down that angry board. The
imperative to bolster data security becomes clear.
• Create a culture of ownership. Preventing a network breach often has
little to do with data security itself, and more to do with the culture a
company imbues across the enterprise. It's not enough to have the best
anti-virus or malware detection software in place. The organization must
have an ethos of data security — a belief that data protection is
everybody's job. This can range from telling co-workers not to jot — or
share with others — their network passwords on sticky notes hung beside the
monitor, or reminding them to log out of the network when the day is done
(after all, how well do you know the after-hours janitorial crew?).
Besides, if the company has a data breach, employees' own data — Social
Security and driver's license numbers, and addresses, for example — is just
as enticing to criminals as the employer's secrets.
• Create a crisis plan. If your company experienced a data breach today,
how would you respond – especially when panic clouds thinking? From
tackling the breach itself, to managing the customer, media or investor
calls that may come when word gets out, having a crisis plan in place can
create a map to be followed. The plan should outline tasks, individuals
responsible for executing them, and professionals to be called in for
support — including law enforcement or legal teams to help mitigate the
fallout.
• Collaborate with your professionals. Beyond network security software
running round-the-clock, IT staff should work closely with IT vendors to
add a human layer to this web of protection — reportedly what Target failed
to follow up on. Once an attack is spotted, teams will identify and
neutralize the threat and dispatch legal and forensic experts to help track
down the culprit. Meanwhile, media relations and investor relations teams
will handle outside calls.
Preventing data threats often is a matter of corporate tone set from the
C-suite and flowing out to every employee, from the administrative offices
to the warehouse or the call center. Moreover, cybersecurity cannot be
viewed internally as some project subject to annual review. It's a 24/7
endeavor — a constant battle that's only as valuable as a company's
network, customers, stock price and reputation.
Put a price on that, and then you'll realize how important data security
has to be for your company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160308/bb2fd639/attachment.html>
More information about the BreachExchange
mailing list