It could be banks, universities, business-outsourcing firms, a giant internet portal/search engine (remember what happened to Yahoo!?), or even political campaign headquarters. None of these entities are safe from data breaches or information security breaches from hackers. Companies must always remain a step ahead of any possible attempts to breach information security.
Your company is just a medium-sized enterprise, but you’re already managing data and personal information from thousands of clients. Your IT team is still relatively small. At a recent meeting, the executive leadership team mandated that the company must now take immediate steps to prevent data breaches. The idea of hiring a chief information security officer, or CISO, has been floated. Are there other steps you need to take to avoid cybersecurity violations?
Here are a few ideas to consider:
A Brief Background of Data Breaches and Cybersecurity
There was Yahoo!, of course, back in 2013 and 2014. It was said that all three billion user accounts fell prey to a hacker attack, reportedly with ties to the Russian government.
But it wasn’t this breach, or others like it, that made you and everyone else in the company worry about becoming a victim of unscrupulous hackers. Dave Winder, writing for Forbes, warns that your routine cyber-hacker is lazy. He said that they rely merely on running online scripts that might casually penetrate unprotected databases, and many of these attacks happen regularly without ever making the front page of the newspapers.
Protecting Your Data
Hiring a CISO is a step in the right direction. But everyone in the organization, especially members of the leadership, must provide a clear mandate of the CISO’s responsibility. Part of the CISO’s task is to set policies that govern information and data protection. Recent laws passed in many countries, like the EU’s General Data Protection Regulation (GDPR), carry stiff penalties for the company. A similar law in the Philippines can send a CEO to jail. So here’s a list of things to consider:
- It starts with people. Yes, implementing those high-end anti-virus and malware detectors is part of the solution. But training people and curbing their “unsafe” behavior will prevent data breaches. Yahoo happened because one employee was baited and unmindfully clicked a link that sent data from three billion accounts into the hands of hackers. One report indicates that 93% of attacks happen because of human error. Locking down USB ports and disallowing the use of personal external devices like thumb drives will be annoying to some employees; that is why they need to be trained.
- Vendor compliance. Some projects require third-party vendors. Do not allow them access to information that is unnecessary or not aligned to the task they should be accomplishing.
- Post-attack plan. You need a plan to prevent attacks from happening. But you must also have a plan in place to mitigate the situation after an attack occurs. Did you give away information (a name, address, or email of your customer) because of the attack? Do not delay the communication to the customer. Check what the law says. Data breaches also have to be reported to the proper government authorities within a prescribed period.
Encryption protocols, hard-to-crack passwords, and multi-factor authentication are some of the things that should govern your company’s cybersecurity. Your CISO must lead, and be vigilant in training people to adhere to policies.