If you were to ask a management-level executive about his organization’s biggest threats to information security, you’d probably hear terms like phishing, malware, and insider threats.
However, if you asked an information security executive for her opinion, she’d likely tell you that the greatest threat is management thinking it’s immune to these breaches. This means that often, critical safety protocols aren’t in place and, when that inevitable threat does occur, organizations lose money — often a lot of it.
According to the Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy, 43 percent of companies experienced some type of breach in 2014. Of the companies surveyed, only 3 percent reviewed their data breach response plans each quarter.
These attacks are increasing in frequency and in the level of damage they can inflict. In the bring-your-own-device frontier of technology with digital data storage and employees working remotely, hackers are operating like it’s the Wild West. Information security experts caution against taking an isolationist approach to deflecting breaches. Never assume your castle walls are impenetrable. Rather, accept that it can happen to you, and take sensible steps to mitigate the damage that can be done.
Start With an Assessment of Your Information Security Controls
Are you covered as deeply or as extensively as you believe you are? Would an independent party be able to break your employees’ passwords, solicit a staff member for critical information, or entice someone into downloading malicious files? Even if you’re certain it can’t happen in your company, put your beliefs to the test. A third-party audit of your systems can validate that belief or instruct you on where your weaknesses are. Little inefficiencies can be eradicated. If controls are being circumvented, an external audit can educate you on how to correct this.
Next, begin differentiating between IT and security in your company. Security is not an IT issue; it’s an organizationwide issue. Until you make this mental shift regarding who is responsible for your security, you’ll fail to give it the credence it deserves. Your IT department can’t put all its resources toward the daily upkeep and maintenance of basic systems, such as staffing a help desk, doling out laptops to new staff members, and harnessing new software to make your website accessible on mobile platforms, and still be able to make security a top priority. With more than 90 percent of all data stored digitally these days, “security” needs to be its own department.
When it comes to your data’s security, don’t over-rely on monitoring software. Too many executives think that, because they installed an off-the-shelf product that promises to stop data breaches, they’re safe. You can’t protect your organization just by flipping on a switch. Having software that can alert you to an intrusion is great; however, that software can only do what people have taught it to do. This is why a layered approach of people, processes, and technology is the best defense. Last year a large chain store suffered a million-dollar breach. The company thought it had the security in place. But when the hackers got in and progressed through the system, the trip wires or controls that should have limited the overall exposure didn’t work. If processes are weak and people fail, then the technology doesn’t matter. If you want to protect the hard-earned profits and people at your company, it takes a common-sense approach. Have an independent party audit your controls, and place a greater emphasis on how your organization looks at its security. Everyone needs to be defensive, not just the IT team. Create a culture where your administrative, physical, and technical layers can work in collaboration. Realize that it can happen to you, but taking the right steps means you dramatically limit how exposed your company is to the wrong people.