August 24, 2016 | Security and Risk | John Worrall
Last year Katherine Archuleta, director of the federal Office of Personnel Management, resigned in the wake of a breach exposing personal information of an estimated 20 million people, and in July 2016 Democratic National Committee Chairwoman Rep. Debbie Wasserman Schultz resigned following the leak of internal e-mails. In the private sector, cyber security failures have cost many executive leaders their jobs. They are not alone, as noted in this CSO article that explores the fates of other executives post-breach. A high-profile data breach can be a career-ending event for those in charge.
Organizations invest in cyber security technology, but too often they do not follow through with basic cyber security hygiene to address known or likely risks. More than a year after the OPM breach became public, a Government Accountability Office report concluded that the agency still needed to improve controls on critical information systems. The most recent Data Breach Investigations Report from Verizon found that the top 10 known vulnerabilities accounted for 85 percent of successful exploits studied. In the case of the DNC breach, numerous reports suggest that committee officials failed to heed advice from consultants to improve network security.
These breaches happen because leaders fail to prioritize cyber security and truly make it a part of organizational culture.
Pay attention to the basics
Very often it is small things left undone that facilitate breaches. Organizations invest in a variety of tools to help protect, monitor and analyze activity on networks. But you can’t forget to execute on the fundamentals. If you do, you leave a crack open for an attacker to enter.
Fundamentals include keeping security patches and software versions up-to-date, implementing and enforcing least-privilege access policies, using strong authentication as needed, and listening to auditors and consultants. Merely storing log data is not good security. Analyzing the data to identify and halt threats is better. If auditors identify security shortfalls, address them. Otherwise, your organization is exposed.
Institutionalizing security within your organization will add value to your investments in technology and human resources. This is easier said than done, of course. Seemingly simple chores such as patching and updating software can be time-consuming and resource-intensive because of the need to thoroughly test changes. Effective policies require careful planning and broad buy-in from executives and others. Getting the resources needed to do the basics takes commitment at the highest levels of your organization.
Making the business case for cyber security
It is easy to appreciate the value of cyber security in the wake of an incident. It is much more valuable to make the business case for proactive cyber security. Here are a few points decision makers in your organization should keep in mind:
- Your organization is a target. Your systems contain sensitive information about your plans and activities, and about your customers, employees and partners. You are part of an extensive business chain that includes suppliers and customers, and even one weakness in this complex system can be exploited.
- Breaches have consequences. They are not merely an inconvenience. Victims incur direct expenses of detecting and responding to incidents and repairing damage, as well as the costs of downtime, damage to brand reputation and the threat to the jobs of those held accountable.
- Cyber security is a full-time concern. Protecting your information resources is not a project, a one-time expense or a check-off for regulatory compliance. It is an ongoing program that requires the continuous attention not only of IT and security staff, but also of decision-makers and C-level executives.
The stakes for cyber security are high and the competition is tough. A winning hand must include not only the right technology, but also a commitment to keeping your organization and its resources secure.