Year after year it becomes clearer how valuable sensitive data, an organization’s network and systems, and remote access to and control of devices are to hackers. The move to a connected online world has made businesses of all types targets. This is why information security and risk management are so important, but right now the good guys are losing. How do we know this?

For starters, medical records can be worth up to 20 times more than credit card numbers, and when we look at breaches, even those not directed at healthcare providers, such as the Sony hack, we see that as soon as attackers find health data they are ready to steal it. In addition to medical data, medical devices themselves are also a target.

Just last week, the FDA issued a warning over potential cybersecurity vulnerabilities in the Hospira Symbiq Infusion System. The FDA report indicated that independent research and Hospira itself had confirmed that the medical device could be accessed remotely through a hospital’s network. This means that an unauthorized user could take control of the Hospira Symbiq Infusion System and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.

The automobile industry has problems of its own. This was brought to the industry’s attention when two white hat hackers sitting on a living room couch used a laptop computer to take control of a Jeep from afar over the Internet. The IoT is no less worrying in the number of ways hackers could create havoc, not to mention the energy sector and SCADA systems. Anything that works over a network and can be reached remotely is a target.

The obstacles to advancing information security and risk management across the enterprise vary in nature. On one side are the CEO and the executives that lead organizations, who place their confidence in the IT team and the security measures it is taking to protect data. On the other is the CIO, who often seems unable to communicate the risks and security challenges the organization faces in a way that helps those higher up understand the imminent threats at hand.

This lack of understanding, and the inaction on security that follows from it, needs to stop, not only for the success of a company, but also for the safety of consumers and people at large. A checklist of the problems organizations need to overcome can point executives and security pros in the right direction:

  • Stop thinking your security posture is perfect as is; information security is not a destination, it’s a process, and one that takes continuous work.
  • Stop limiting your resources to security tools only. Risk management involves technology, people, policies and operations.
  • CIOs: stop communicating security risks in a way that the CEO doesn’t understand.
  • CEOs: make room for your CIO to talk about risk management to the C-suite and board. Listen and ask questions when the message isn’t clear.
  • Cooperation across the entire organization on the status of your information security posture needs to take place on a regular basis.
  • Establish a risk management culture across your enterprise to diminish insider threats and help employees understand security in a way they can apply throughout their workday.
  • Always remember that hackers are studying your security plan. They know about your compliance requirements; they scout your network and systems for vulnerabilities; they are enticed to attempt penetrating an organization that claims to be impenetrable.
  • Reallocate your budget so that a holistic information security program is what your organization strives for, because at the end of the day, you get what you pay for.
  • Stop thinking of information security as an expense; it’s an investment, one that will increase your ROI immediately and that will keep people and your business assets safe.
  • If you don’t want to value information security for the protective qualities it brings to your business, value it for the monetary savings it brings. A breach is far more expensive to your business than a holistic information security posture will ever be.

Throughout our years of experience in the information security industry we have seen the dangers of bad security and why hackers continue to win the battle. Industry reports by the Ponemon Institute and other reliable research institutions show where information security is lacking within organizations. Bringing risk management to healthcare providers, financial institutions and other types of business entities enables those businesses to grow while keeping their company, and the people that depend on them, safe. Don’t let hackers get the best of you.

Are you ready to start changing the status quo of information security? When you are, here’s a seven-step guide to start the process: The 7 Deadly Sins of Information Security.

Photo courtesy of buttet