[BreachExchange] Information security is not IT’s job

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 1 14:59:43 EDT 2018


http://www.nhbr.com/June-22-2018/Information-security-is-not-ITs-job/

As a business leader, there are three words you do not want to hear: “We’ve
been breached.”

History shows that most breaches are reported to the breached business by
the impacted individuals or by law enforcement. This is a terrifying
statement, but this is reality. How would you know that you’ve been
breached? You wouldn’t want to find out from your client, law enforcement,
the IRS, a regulating body or the actual hacker.

If you’re a business leader, then you’re responsible for the protection of
sensitive data in your organization. Do you know where your data lives? Is
it in e-mail? Are there copies all over your network? Do many employees
have access to the same sensitive data? Paper records everywhere? Do you
have strong credentials and account controls in place? Can your network be
accessed from anywhere by any device? These are all important questions to
address.

Do you have an information security program in place that includes the
proper technical and administrative controls? Are your network perimeter and
internal environment being properly monitored and protected 24x7?

So here you are, a small business owner. You’re a victim of a data breach,
and you’re responsible for client information that is now in the hands of
hackers. Assembled around the table is your incident response team. You’re
the one being grilled with questions about what exactly happened. It could
be your attorney, cyber insurance provider, third-party incident response
experts, forensics team, law enforcement, etc. They want the facts ASAP so
they can contain the situation, support your defense strategy and satisfy
any reporting requirements.

Your first response is, “I thought IT was handling that.”

Your wide-eyed IT resource is nervously explaining something about only
having basic anti-virus software and a firewall in place. Questions about
monitoring, logging, training, security layers and administrative controls
are getting blank looks in return, and you know that you don’t have the
right answers. You quickly realize that there’s a technical chasm here that
you don’t understand. How did you get here? To start, you likely placed an
unfair burden on your IT resource. Let’s look at the difference:

Primary focus of the typical IT professional: Stability, availability and
efficiency of your technical environment to support your business. Response
services required to support your employees. Most likely some systems
administration, systems engineering and network engineering. Potentially
support for line of business applications. Basic data security measures
probably exist in the form of anti-virus, a firewall and basic system
patching. This is a high-level list.

Primary focus of the typical information security professional: Putting
your business in a defensible position via the construction of an
information security program. This includes reducing risk for your
organization by building in-depth technical and administrative defenses.
That focus includes internal and external vulnerability management, data
flow protections, information security awareness training and testing,
account management based on role-based access, log generation and
monitoring, and technical compliance management, including the creation and
implementation of policies and procedures that align with your business
requirements. This is also a high-level list.

Would you visit a personal injury lawyer for an immigration law issue? They
both are attorneys. Would you talk to your investment advisor when you know
that you need a CPA that specializes in forensic accounting? They both have
accounting degrees. Would you see your cardiologist for severe knee pain?
OK, I’ve made my point.

Without an information security program in place, you most likely won’t
know about a security incident until it’s too late and a breach has taken
place. What would it mean if your business experienced a data breach?
Fines? Regulatory penalties? Downtime? Loss of customers, business volume
and revenue? Unplanned recovery costs in time and fees? Diminished
reputation and trust? Decreased competitive ability and opportunity
reduction?

If you think “IT is taking care of that,” take a critical look and have an
honest conversation with your IT professional or provider. Reduce risk to
your organization and put your business in a defensible position by working
with an information security specialist who will work with you to implement
an information security program for your business.