No business is impervious to hackers as Sony and eBay can attest, but basic knowledge can help
The massive Sony security breach and the many other well-publicized cyber attacks in 2014 demonstrate the shortcomings in corporate security governance and accountability. If companies are to better protect their assets, customers, employees, intellectual property, suppliers, and business partners, they need to proactively protect corporate and personal data.
The fact that so many breaches occur so often is a testament to the failure of many executives to satisfy their corporate fiduciary responsibilities. Small business owners and IT executives must re-examine their security policies, procedures and technology and take all reasonable steps to minimize corporate exposures.
2014 was another year in which failed security policies and procedures made headlines throughout the year. Sad to say, the major breaches occurred at major corporations that most people expected to have strong protection mechanisms in place.
Unfortunately, an analysis of the flaws that enabled the breaches shows that most of them could have been prevented. Some fixes require additional investments in technology but most of them do not.
Below is a checklist that executives can use to evaluate their current state, perform a gap analysis, and then develop plans for taking corrective actions.
The user-facing processes and policies that should be analyzed are as follows:
- Security awareness – all employees need to be aware of their information security responsibilities and treat them as a key part of their jobs. It is important for executives to remind staff of this responsibility at least annually.
- Clean desk policy – this policy needs to be enforced because many people cannot recall all of their passwords and tend to post them on the office walls, leave them in the open on their desks, or put them in unlocked top drawers.
- Passwords – this is another old standby. Executives should reevaluate password length, numeric and special character usage, duration, 2-factor authentication, and other elements to ensure strong authentication security. It may require some additional tools to compel compliance, but if it prevents one breach, it pays for itself. Password reset policies need to be established that prevent help desk staff from giving access to pushy people who pretend to be employees in order to get in through the back door.
- BYOD and non-business use exposure – non-company devices and non-business use of client devices increase the risk exposure. Employees and others with access to corporate networks, applications and data need to be given guidelines on device usage and warned about the risks associated with accessing certain applications and Web sites. Mobile device management (MDM) tools are available to assist in this effort, as are Web site blacklists that can stop certain sites from being accessed.
- The HR component (new hires, consultants, termination, and job changes) – potential new hires and consultants need vetting before being hired. While that goes without saying, it seems many companies fail to do so adequately, as demonstrated by the number of falsified resumes that come to light. Consultants and non-employees need to be re-authorized at least every six months so that their accounts do not stay active longer than necessary.
When an individual is terminated, the access rights need to be cut off immediately – before the individual can get back into systems and destroy, steal, or tamper with data. Access rights should be tied to particular jobs and when an individual changes jobs, his access rights need to be adjusted to allow for only those applications and data relevant to the new position.
- Monitoring and reporting – the best way to ensure compliance is to measure and monitor all aspects of security and report the status to corporate management monthly.
Technology also plays a key role in breach protection.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.