News about businesses getting breached is reported on a daily basis. It might be due to breach-notification laws, but the reality is that breaches happen either way, and it seems organizations are still quite unprepared.

One incident that stood out quite a bit last week was the attack on three of the major medical device makers in the U.S.  Out of all the industries that need to step up their game, the healthcare industry is surely on top of the list.  The sensitive information they hold is so important to patients, and unfortunately, of great value to hackers because it gives these data thieves access to personal information that can lead to medical identity theft (and more).

Another incident showing just how unprepared enterprises are when it comes to their security is the recent Target breach. Their costs for the breach will be over $2 billion U.S. dollars, and you thought investing in security was expensive!

There is an obvious problem if the “big” companies, with the money to invest, are getting hacked to such a degree.  Ultimately, it seems business executives and decision makers are still underestimating the necessary requirements for businesses to maintain an effective security posture.  How is this possible?  Well, there are a couple of reasons that come to mind.

Executives think their security is in good standing because:

  • They invest in security technology and think “we’re done!”

  • They meet compliance and think “fines avoided!”

  • They implemented passwords, told personnel not to share them or write them down and to change them regularly, and think “that’s all set!”

The problem with these great first steps to business data security is:

  • Technology isn’t enough if you’re not continuously monitoring your vulnerabilities.

  • Compliance and fines are not the only problem (the genius hackers, hello?), nor are they an overall security plan (they are actually only a piece of the pie).

  • Personnel will write passwords down anyway, and may lose devices or be victims of theft.

Security professionals probably already know all this; some have even battled with their co-workers about writing down passwords or with their bosses about needing to implement more than just the compliance and technology requirements. But the bosses think “we’re fine!”

Hopefully business executives and security decision makers will wake up before a breach happens to their enterprise. And even if this awakening is a result of the heightened news coverage of breach incidents (no one wants the bad publicity), better now than never.

What do you think is the biggest challenge your enterprise faces in taking the next steps to ensure a holistic information security plan?
