In light of so many prominent businesses being breached, is there any business owner out there who still believes his/her business is secure and will not be hacked? If so, can I interest you in a bridge in Brooklyn?
Which statement sounds more believable?
- The companies breached had very poor security and didn’t really put the time, money and effort into securing their data.
- Despite the money, time, and effort these companies expended (and in some cases, the implementation of very sophisticated security), they still were breached.
I am going to put my money on the latter. With that said, claiming your security is better than the other guy’s and that you will not be breached is pretty arrogant, right? In reality, you have probably already been breached and don’t even know it. In that case, you might think, “If I have been breached, don’t even know it, and have not seen an impact, then why should I care?” Because you are one breach or one lost identity away from a lawsuit that may completely crush your company, that’s why! On average, a data breach costs a small business $8700, according to the U.S. Small Business Administration.
Why do security vendors continue to advertise that their product is the best, the silver bullet for security, and claim — as in the PC Matic® commercial — that they will keep you secure? Because companies continue to believe vendors and buy their products. Now, a lot of these products are very good and very necessary, but let’s face it — there is no silver bullet when it comes to security. If there were some piece of software, hardware, or technique that would keep everything secure, then certainly all of these companies, especially JP Morgan, would have used it.
Cyber security is a risk management issue. Let me say that again. Cyber security is a risk management issue. IT is part of the overall risk and must be managed, but the assessment of risk, recognition of risk, and management of the risk must come from the top — the leadership, the CEO. If your company is breached, do you, as the CEO, believe for one minute the lawsuits will name the IT department or the IT company you hired? Do you believe that the customers will point fingers at IT, or that shareholders or the board will ask for an explanation from the IT department? No, no, and no. Cyber security is a risk that must be assessed and managed from the top. Delegating the responsibility to those who work for you is not an acceptable form of risk management.
I considered providing tips about which products to use or which good techniques to implement. However, too many companies have fallen into a set-and-forget mentality when it comes to security and rely exclusively on one or more pieces of software or techniques. Security is a process that must be monitored and managed. The best thing that an owner or leader of a company can do is understand the company. In order to truly protect your data, have the answers to these questions:
- How does data flow across your organization?
- Do you understand what data you have, where it is, how it is protected, and how hackers try to get to it?
- Can you articulate the steps your company took to protect the data if asked by customers, media, or a court?
Your primary response should not be, “I hired an IT company to protect my data,” or “Ask my IT department.” If you were asked for the company earnings from last year or the projected earnings for this year, you likely could provide a quick and accurate answer. The same should apply to how you are protecting customers’ personal information.
A few years ago, a business owner could claim ignorance when it came to cyber security and protecting data. Those days are gone. It is now your fiduciary responsibility to protect the company and the sensitive data you hold. So, turn the organization upside down and start asking questions:
- How does data flow?
- Where does it enter and exit?
- Who has access to it?
- How is it secured?
- What vendors have access to your data?
- What is their level of security?
- Have they ever had a security audit?
- Is data in the cloud? If yes, how secure is it?
- Do you know who has access to your network?
- Does your system keep an access log that records who is on the network and when?
- Do employees take data home or on the road?
- What will you do if you find out tomorrow your company has suffered a breach?
- Who do you call?
- How do you react?
- What do you tell employees, customers, media?
- How will you handle a lawsuit?
These are just a few of the questions that must be asked and answered. Start asking now. Don’t get blindsided.