Summertime is fast approaching, and with it comes the inevitable barrage of articles about getting into beach season shape. Six weeks to the better you! Twenty days to a beach body! Ten killer exercises for ripped abs! With that as inspiration, here is the first of six articles collectively intended to get your company’s cybersecurity in fighting trim. Each article will give you one task to accomplish as a condition precedent to moving on to the next one. Let’s get started.
Part 1: The threat is real … so commit
By this time, everyone has seen the headlines about the large-scale data breaches at Target, Home Depot, J.P. Morgan Chase and Sony, and the fallout that each of those companies continues to face. Nevertheless, one of the most common questions we get from companies is this: “We’re not a retail store or a bank. We don’t have credit card numbers or social security numbers. So who would aim at us? Why do we have to worry about cybersecurity?”
What this view represents is a fundamental misunderstanding of what cybersecurity is all about. Cybersecurity threats exist in every kind of industry that uses computer networks and across all sizes and types of organizations. If you can name an industry, you can find an example of a significant breach of systems. Let’s try it: Health care? Anthem and 80 million customer records. Retail? The aforementioned Target and Home Depot, and Neiman Marcus’s 350,000 records. Telecommunications? AT&T and 280,000 records. Financial services? Chase’s 76 million records. Energy? Stolen proprietary records from Exxon and Shell. Government? The White House; the Postal Service; and South Carolina, “the mother of all data breaches.” Education? School districts in Missouri, Texas, Long Island, Utah, Seattle and New Jersey. Utilities? Central Hudson and 300,000 records. Defense? Lockheed Martin and others. Get the idea?
Cyberattacks span every industry because there are many different sources for this kind of activity, acting for many different reasons. In other words, just because an organization lacks credit card numbers or bank account numbers does not mean that it is not a viable target for cyberattacks. Criminal organizations may be after proprietary information, trade secrets and other sensitive data—which are the lifeblood of virtually every company. Activist groups may commit cyberattacks to make some type of political statement. Other countries may be exploiting cybersecurity vulnerabilities for political motives, like the destructive attack on Sony, for example, or attacks on other U.S. corporations that are designed solely to cripple networks. There are cyber espionage incidents against critical infrastructure designed to undermine the underpinnings of day-to-day functionality. And don’t forget the internal risks that every organization faces, like cyber intrusions or data theft by disgruntled employees—for example, the former Coca Cola employee who caused the breach of 74,000 records by stealing one or more laptop computers.
External efforts to compromise your systems are also not the only risk that you need to be thinking about. Employee mistakes—whether negligent or made in good faith—also create significant cybersecurity risks. For example, it is estimated that 68 percent of data breaches in the health care industry arise from device loss or theft. The risk exists wherever employees are equipped with mobile devices like cell phones, tablets or laptop computers … or even when sensitive information is stored on CDs and then lost in the mail. Because we all value convenience over privacy, we tend to create security risks without intending to do so, like by sharing too much information on social media or reusing passwords on multiple different websites.
So why are we telling you all of this? Because the very first step is to make sure that your organization is committed to cybersecurity. Identifying the threats and the likelihood of harm will arm you with the information that you need to convince your board of directors, your CEO and other members of your management team that your organization needs to take cybersecurity threats seriously. Having just one person in your company who understands the threat is not enough, because you are going to need to take up some management time and deploy some resources that would otherwise be earmarked for other purposes. It is all too easy in an organization of any size to defer costs for projects that do not provide instantly tangible results. But much like it is second nature to lock your door when you leave your house or lock your car when you park it in the parking lot, cybersecurity has become something that also needs to be ingrained in every operation.
So much like the beginning of a workout program, your first task is to take the “fit test.” Answer these four questions:
- Do we have private information that makes our company unique?
- Do we keep the information on a network?
- What would happen to us if this information is compromised?
- Do we know what to do if the information is compromised?
Your answers should tell you very quickly whether you need to start thinking about crafting, implementing or modifying your cybersecurity program—and should get you ready for the more intense parts of the workout to follow.