The recent breach of Sony Pictures provides additional evidence of the importance of IT security and shows that no organization is safe.

The Sony hackers penetrated the company’s email systems, accessed sensitive employee data and put several as-yet-unreleased films on the Internet. The number of recent high-profile, high-impact breaches is causing information security professionals to question the effectiveness of current tools and techniques.

U.S. consumer cyber attacks in 2013 came at a price of $38 billion. Hackers today have become more focused and patient, learning new ways to infiltrate networks.

And while employees have ready access to company information, a lack of training often leaves them unable to detect and prevent breaches.

That means a cyber attack at your company is no longer a question of if, but when. The conversation in information security circles is shifting from avoiding a cyber attack to what to do when the attack occurs.

Sony, Target, Home Depot and J.P. Morgan Chase are only some of the companies that have recently been in the headlines due to cyber attacks. But there are countless other small- to mid-sized businesses that will become targets of attacks if they haven’t been already.

The Human Element

Without a doubt, people are the weakest link in the security chain. While businesses have done an excellent job in the last decade of improving the process and technology aspects of IT security, they’ve fallen short in training their own employees to defend and protect their company information.

The fallible nature of humans demands that companies train their employees on these matters. Employees must be motivated to think about and understand the security risks and consequences associated with their actions.

How can you train people to be more aware? Many of the recent breaches occurred as a result of a single person unwittingly installing malware on a computer that was then used as a gateway inside a company network.

The goal of an effective information security program should be to raise awareness enterprise-wide. Consistency is key. Repeating a few simple tips over an extended period of time will help raise awareness.

Preparing for a Data Security Breach

The most significant cost reductions for organizations come from having a strong security posture and an incident response plan.

Start by having that plan in place to ensure appropriate action if security is breached. An effective plan will address preventative controls, timely detection of potential problems and rapid response to data security breaches.

The key components include:

• Incident Response Team – Build the team and make sure they know their roles.

• Data Classification – Base your response strategy on the type of data compromised by the breach.

• Communications Plan – Have your plan and procedures in place.

• Training – Don’t skimp on training the team.

• Testing – Test everything and then test it again.

It is critical that an organization be aware of the new risks and new ways to address them, allocating time regularly to exploring new threats and new controls. We will always be vulnerable, but how we prepare can help ease the pain when an attack hits.

David Barton is a managing director at UHY Advisors in Atlanta, and leads the internal audit, risk and compliance practice. Reach him at dbarton@uhy-us.com and follow him on Twitter at @ITcontrolsfreak.