A cyber attack Scrooged Christmas. Treat security as a process – not as a product!
In reading articles about the resent Christmas cyber attacks, the authors’ key take away is that global companies are extremely vulnerable to cyber-attacks and data losses. Guess what, so too are the small and medium size businesses. Every business, healthcare service, government agency and educational institution is vulnerable since they all use many of the same technology components. So who’s to blame
These last few weeks I have been asking the questions: “Who do you think should be held accountable for all the cyber breaches: the Merchants or the Technology companies?” The responses have been most enlightening. Some blame the business owners, others the IT managers, some the technology companies, and some say all the above.
The three realities are:
- Computer networks leak like a sieve.
- Privacy laws hold business owners liable for protecting customer’s information.
- The high costs of implementing security is not a defense.
- A cyber attack will happen to your business
Pointing fingers does no good since there are so many places and ways to steal data. It can be sophisticated cyber espionage from foreign governments to an employee falling for a social engineering attack. It can be physical or electronic theft. It can be from having no “data security policy” to a policy that is too cumbersome. The hard reality is that no matter what you do you may still be a data beach victim. So plan accordingly to mitigate the damage.
Here are some recommendations to help against a successful cyber attack :
- Technology companies need to certify that their products meet the required industry security standards through independent labs.
- Business owners and IT managers should only purchase products with industry recognized security certificates.
- Important and sensitive data needs to be encrypted and isolated from the rest of the network.
- Users must be fully authenticated before granting access past the firewall and again before granting access to sensitive data.
- Business owners can no longer sit back and tell IT they won’t pay for more security products. It is common for owners to say, “I can pay now, or maybe pay later. So I’d rather save money and pay later.” The problem is that payment later is many times more expensive.
- IT managers need to perform annual network security risk assessments. Use independent security specialist.
- Employees need to be educated on security risks and common attacks; and they need to know what to do if something seems suspicious.
- All the privacy laws are against business owners. So, you have better put security at the top of every board meetings.
Way too often security is implemented as an afterthought. More and more security patches are required as new vulnerabilities are identified. It’s now time to turn the cyber attack paradigm around. New products, business plans, employee orientation, etc. has to start from a point of security.
Remember, security is very cheap & easy to implement poorly; but very, very expensive to recover from after a cyber attack.