Breach incidents are in the news weekly.  Some of the breaches are pretty serious, like the recent OPM breach; others a bit less so, like the breach of the password manager LastPass.  Either way, organizations and executives are on high alert (or at least, they should be).  Beyond a clear awareness of the value data holds, there are deeper lessons C-level executives can take from the incidents they see in the news every day to help them improve their security posture.

Information security is not a one-stop destination.  As much as you might wish there were a silver bullet to stop intruders, there is not.  CIOs need to communicate this notion to the CEO and the board.  If a communication disconnect is still ongoing within your enterprise, this is the first obstacle you need to overcome.  If it is not addressed, the following tips will be of little use to your organization.

When you take a look at the OPM breach, it is clear that the right security measures were not in place.  To keep an eye on your vulnerabilities you need to set up an ongoing monitoring system.  Without eyes on your network and on the physical surroundings of your organization, you can’t spot a hole or a broken link in your security.

Your security software programs are not enough to secure your data.  LastPass is a perfect example of what can happen when you rely on one program, in this case a password management system, to keep sensitive information safe.  The desire to keep everything important in one place, for organizational and control purposes, is natural given limited manpower and resources; however, that makes the storage area for those passwords and data a target (and your asset most exposed to risk).

In addition to having the right people with a high level of security expertise on deck, you need an incident response plan in place.  The first 24 to 48 hours of a breach investigation are the most crucial.  Without a plan that allows you to act immediately, your expert security professionals may lose the chance to reduce the extent of the breach’s damage (in which case your company risks more than just bad press).

Hiring a temporary CSO or CIO can be an affordable solution, but if you’re serious about security it will only ever be a temporary one.  Your long-term solution should include having a strong IT security team and making risk management part of your business process.  If you don’t have the necessary resources for a high-level team to ensure your organization’s security posture, your next option is partnering with a risk management company: one who not only ensures you have a holistic security posture set up across your organization, but whom you can also call on a moment’s notice to assist you in that crucial time-frame of a potential breach or spotted vulnerability.

Ending up like Sony might not seem like that big of a deal, but are you willing to take that risk?  Also, are you so sure that your company could make it out of a post-breach situation that will take years to resolve between lawsuits, security fixes to your posture, and board members changing (after all, the CEO and CIO are held accountable once a breach occurs; and as we saw with Target, theirs were gone shortly after the breach)?  Not to mention the customers and business you will lose in the immediate aftermath and until you can regain public trust.

Some of the news coverage on security makes it seem like the media wants to sensationalize breaches, and that businesses in the industry are trying to get you to spend money on their next security product or service.  While some might have that objective, this doesn’t make breaches any less serious, nor your data any less valuable.  It all comes down to how important your business and customers are to you.

Ensuring your risk management posture is where it needs to be to face security threats isn’t something you should take lightly.  An assessment or security consultation doesn’t take up much of your time, and ultimately it’s an action you should want to take if you want to have some idea of how prepared you are in case someone is already trying to get hold of your sensitive data.

Hackers are always hard at work; are you?  Is your security ready?

Photo courtesy of Tashatuvango