The pressure is on for CIOs and company board members alike, as large-scale cyber security breaches continue to hound big-time corporations. Hackers are taking the world by storm, acting on their agenda, and targeting vulnerabilities.
On December 23 last year, Ukraine fell prey to an overall blackout, which caused an electric company Prykarpattyaoblenergo to lose 30 substations, inflicting great distress to people in return. A malware, also called “Killdisk,” was reportedly used by hackers to erase critical files.
Meanwhile, in other parts of the world, board members are facing lawsuits in the aftermath of gargantuan cyber security breaches since security breakdowns are automatically considered a failure to fulfill fiduciary obligations.
This, more than ever, stresses a CIO’s duty to communicate a cyber security strategy to board members and enable them to understand how cybersecurity failures can impact the business.
Measures such as scheduled security assessments by IT infrastructure services and internal IT teams should be in place. Results should be reviewed regularly by the CIO with board members so they can discuss necessary actions to safeguard their company from cybersecurity risks.
Given the current situation, cyber security defense appears to be a fight against a major crime, and CIOs should be at the front line of the battle by understanding cybersecurity, as well as doing the best they can to prevent personal liability.
The Most Common Security Vulnerabilities in Every Organization
A critical area in the job of a CIO is to be fully aware of all vulnerabilities in every business process of their organization, including resources that may not be obvious targets at first.
Unfortunately there are still some areas that can be overlooked because most often, companies tend to assume that hackers will go after assets that have direct access to viable data. Keep in mind that they will exploit every vulnerability there is, even if it will take them a few more steps to reach their target. Here are the most common vulnerabilities that are still being used.
Unsecured Mobile Data
Employees, customers, contractors, and systems are all connected like never before across a multitude of devices, platforms and technologies.
As this connection fosters insight, these sprawling and overlapping networks pose daunting security challenges. What poses a significant threat are mobile devices issued by companies to employees which they take with them almost everywhere.
To safeguard this threat, businesses must invest in technology to secure devices within a network environment, as well as train their workforce to use work-connected smartphones and tablets responsibly.
Setting up remote wipe capabilities and turning on the “find my device” GPS feature on each smartphone and tablet ensures businesses that if a piece of equipment is misplaced, its data will remain safe from prying eyes.
Transferring Legal Documents
Companies are required to produce documents requested by a second party during a process known as discovery.
Alarmingly, this process or collection and exchange of documents lacks security measures. Companies fail to safeguard their legal documents, throwing it around without due encryption which makes it susceptible to prying eyes and cyber criminals.
One way to patch up this hole is to centralize document collection and dissemination. A security portal like Logikull automates the process of discovery, which in turn, protects legal documents and streamlines the entire process.
When a business doesn’t patch a system, especially when it operates within an on-site server infrastructure or one that is cloud-based, it can become vulnerable to a security breach. Server operating systems should be set to automatically grab the latest security patches from Microsoft.
In addition to server safety, businesses should ensure that each piece of software they use is regularly being patched, particularly if the software is used to transmit sensitive customer data. CIOs should actively research threats and work to protect a business’s servers against them.
External Hard Drives
Plenty of businesses are unaware of the benefits of cloud technology, failing to replace external hard drives. The problem with these devices is that they may contain sensitive data about a business’s clients.
It’s important for businesses to confiscate any external drives and make sure they’re both password protected and encrypted or, better yet, replaced with a cloud-based alternative.
Employees are still the biggest threat to a business’s systems—using weak passwords, telecommuting to work, leaving passwords exposed on desks.
Employee education should be a top priority among CIOs to encourage them to do their share of work in fighting cybercrime. This includes educating them on the importance of avoiding clicking on suspicious links in the email.
Employees should also be trained to safeguard customer information by sending items securely and entering information directly into the computer instead of writing it down on a piece of paper.
Cybersecurity Measures for 2016
Is a strong IT security even possible in the age of hyper-connectivity? Yes, but it takes a whole lot of change in fundamentals and processes. It is alarming, however, that efforts are not made by most companies to counter cybercrime.
For instance, a 2015 study reflects that only 40 percent of large companies, including many in the Fortune 500, don’t take the necessary measures to secure the mobile apps they build for customers. The same study reveals that 67 percent of companies allow employees to download non-vetted apps on their work devices.
The fact remains, there’s no getting around securing an enterprise involves commitment and vigilance. What’s more, changing a culture is hard. Then again, the task at hand is important. Strong security is the cost of staying in business, and achieving it is within reach.
These 15 essential security practices will greatly help a CIO achieve security intelligence.
1. Accept the inevitable. Your security will be compromised. So, plan for it.
Organizations that take a strategic approach to cybersecurity spending can build a more efficient cyber security practice, one that advances the ability to detect and quickly respond to incidents that are all but inevitable.
2. Foster a Culture of Risk-Awareness
Every single person can turn into a gateway for the enterprise, whether it’s from clicking a sketchy attachment, plugging in the wrong USB stick, or failing to install a security patch on a tablet.
The effort thus to create a secure enterprise must involve everyone. Building a risk-aware culture means defining the risks and goals, and educating all users by spreading the word.
3. Assess Incidents and Take Action
It is likely that two security incidents taking place are similar, so analyze parallels to see if they are related. This is impossible without the security intelligence needed to link them.
An important pattern—one that could indicate a potential incident—may go unnoticed. A company-wide effort to implement intelligent and cognitive analytics and automated response capabilities is essential.
Creating an automated and unified system will enable an enterprise to monitor its operations—and respond quickly as well.
4. Build a Layered Security
For example, using both strong firewalls and software that deal exclusively with monitoring data within the network.
Threat indicators can be buried very deep as tiny signals in vast data volumes, but they are worth investigating because they can provide the crucial information for cyber threats that already reside within the network.
5. Safeguard Your Workplace
Each connected device, whether it’s a laptop or a smart refrigerator, provides a potential opening for malicious attacks. The settings on each device must not be left up to individuals or autonomous groups. They must all be subject to centralized management and policy enforcement.
6. Unify and Control Network Access
Like urban crime, policing would be easier if every vehicle in a city carried a unique radio tag and traveled only along a handful of thoroughfares, each of them lined with sensors. The same holds true for data.
Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.
7. Use a Cloud-backed Security
Cloud computing offers a lot of benefits through economies of scale. That said, it can come with some risk.
If an enterprise is migrating certain IT services to a public cloud data center, it will be in close quarters with lots of others—possibly including scam artists. In that sense, a cloud is like a hotel in which a certain percentage of the customers have bubonic plague.
To thrive in this environment, guests must have the tools and procedures to isolate themselves from others and monitor possible threats. In addition, as more and more employees use third-party cloud-based apps to share and access information, the enterprise needs visibility and control to protect its data.
8. Educate and Test Employees
Protocols for cyber breaches need to be clearly communicated to all employees. Organizations should carry out simulated cyber attack scenarios to uncover new vulnerabilities.
9. Consider Cybercrime Measures for All Projects
Consider cyber theft and cyber security a risk and proactive measure for all projects. Build it into your project management processes and methodology. Educate your PMO director and project managers on the importance of risk management and cyber security.
10. Hire a CISO
A Chief Information Security Officer is essential for any corporation. The main responsibility of an IT team is to ensure that systems are up and running, so security often takes a back seat to business continuity. A CISO will ensure that a strong cybersecurity strategy will be consistently implemented and maintained in the company.
Pay attention to cybercrime and cybersecurity now, and invest to build your security organization. It may mean the difference between survival and disposal.