"I'm the CEO - my CFO and IT guys have it covered." "I'm the CFO - my IT department takes care of that." "I'm the CIO - it's my responsibility and I have it covered." Sound familiar?
That's how many management teams at small to medium sized businesses think, until the unthinkable happens. Unfortunately, the unthinkable is happening more frequently in the world we live in. If you haven't guessed it yet, I am referring to the protection of your company's and your clients' electronic information and systems which are vital to the ongoing success and survivability of a business.
Your business may be impacted sooner than you anticipate, as instances of cybertheft are increasing rapidly. Cyberthieves are growing in number because of the many recent publicized successes of data theft and the relatively easy access on the internet to the tools needed to commit cybercrimes. Keep in mind that these cyberthieves could include one of your current or former employees, a key competitor in your industry, a nation-state hacker from any country around the world, or an organized group of hackers. The motivation of each of these groups can vary, but the vast majority are looking to make easy money by stealing and selling your business information, holding that information for ransom or leveraging it to perpetrate further theft.
You may ask, "What can I do about it? I've done as much as possible." If that's your thought process, you probably should reconsider. As an analogy, you may recall hearing about the days when homeowners felt safe leaving their doors open all day and all night. Or you might be lucky enough to have experienced those relatively carefree days. Today, you would be considered foolish if you left your house doors open and didn't expect someone to come in and take your valued possessions. So there's a very real possibility that you are unknowingly "leaving the doors wide open" to your business information. In the same way that you lock your doors and maybe install a home alarm, there are certain precautions that you should take to reduce the risk of cybertheft by the growing number of cyberthieves.
Precautions to take
1. As a company owner, CEO, CFO, or other non-IT senior business manager, you should meet with your CIO on a regular basis and take co-ownership of information security. Spend the time that is needed to gain an understanding of cybersecurity risks, and the potential solutions and costs associated with protecting your company's and your clients' critical information.
2. As the CIO or head of the IT department, be sure to engage the company's owners and non-IT senior managers to help them gain a better understanding of your current information security risks and the costs of mitigation. Consider implementing a "risk register" to sufficiently capture, assess and rank risks, and develop agreed-upon risk treatment plans.
3. You may have spent significant dollars on the latest technology (firewalls, IPS/IDS, anti-malware, DLP, etc.), but all of that technology requires people to properly operate, maintain and monitor your systems. Every company is at risk if it doesn't have a layer of manual controls over the technology environment to:
A. Monitor and respond to system alerts
B. Keep IT devices (servers, desktops, laptops, routers, firewalls, etc.) configured according to best practices
C. Review user access to applications, data and IT assets periodically, and remove access that is no longer needed so that people keep only the privileges their current role requires
D. Follow a formal process for testing and approving changes to system hardware or software
E. Scan systems for vulnerabilities on a regular schedule, and remediate the findings from those scans and from penetration testing
F. Make sure that software and data are backed up as intended by management, and periodically perform restore testing to confirm the backups can actually be recovered
Mike Becker is a partner at FGMK and leads the company's risk & controls practice.