Have you seen the headlines lately? Target breached, Niemen Marcus breached, and along with them were Sears, the states of Utah and South Carolina, credit unions, credit bureaus, the Pentagon, Lockheed-Martin, RSA, other government agencies, and the list goes on and on. So, if you think your security is good enough to keep your company from being breached, well, I have a bridge I want to sell you!
Best advice: heed the words of Robert Mueller, former Director of the FBI, when he said, speaking at the RSA conference in 2012, “There are two types of companies, those that have been breached and those that will be breached.”
You could possibly fall into the category of about 73% of CEOs who believe their security is good. But, as a recent Wired magazine article entitled “Cyber Security Risk: Perception vs. Reality in Corporate America,” reveals, much of this is lack of knowledge and what is called “optimism bias.”
Trust me, there is no single piece of software, hardware, security standard, or procedure that will protect your company, and if anyone tries to tell you differently, run away quickly. There is NO silver bullet for security!
Now, before you get depressed and decide to do something rash, there is a light at the end of the tunnel. There are three things you can do to lower the risk of a breach, reduce and even possibly eliminate your potential liability, and protect your company’s reputation when a breach does occur: assess risk, implement policies, and train the workforce. And, most importantly, make sure you, as the head honcho, can articulate what you did to secure your organization.
Assess risk.
You must understand the risks to your company and the information you collect, process, and store. The only way to do this is to understand the flow of data across your organization and how it is secured, whether being collected, in transit, in storage, or being pushed out the door.
Implement the policy.
Write and implement the policies necessary to explain how information is secured and how that security is implemented. Address compliance requirements and inform employees of their responsibilities.
Train the workforce.
Train your employees on cybersecurity awareness annually, and implement a program that reminds employees at least once or twice a month of the importance of protecting information.
Cybersecurity, which has become a risk management function, is no longer an IT function or exercise. Instead, it’s one for the company leadership. Yes, you, the CEO, and other officers.
If your company suffers a breach and you cannot explain what you did to secure information, your liability goes through the roof. The response, “I don’t know, ask our IT guys or ask the IT company we hired,” won’t cut it.
As the leadership in the company, you have a responsibility to protect the company financially. Hackers are looking for money and information they can sell. Your shareholders, employees, and customers are all expecting you to do the best you can to protect their personal information. When you fail at this, YOU look bad—not the IT department or the IT company you have hired. YOU!
When a breach occurs, and trust me it will, you want to sound like this:
“As a company, we did X, Y, and Z to ensure all sensitive information was secured. We have policies that we have implemented. All employees have read and signed and are intimately aware of those policies. Additionally, we conduct monthly training to keep employees abreast of the latest threats, changes to policies, and how to keep information secure.”
In this statement, you sound like you are in control, understand the security of your company, and are taking control of the situation. Now, take action and implement. Not sure what to do? Then hire someone who does—not someone who wants to sell you software, hardware, or managed services, but someone who can walk you through the process.
Related Resources
Recorded Webinar: Why Your Company Should Have a Risk Management Program
Related Courses
Cyber Security Compliance & Mobility Course (CSCMC)
Managing Risk in Information Systems
CISM Prep Course
Cybersecurity Foundations