Cybersecurity refers to the collection of technologies, processes and practices designed to protect networks, computers, programs and data from attack. The security of these networks has always been a number-one concern for IT and something that traditionally rolls up to the CTO. More and more, though, the need for a C-level role responsible for security, separate from the technology umbrella, is making news. An interesting article I came across while putting this post together talks about how retail giant Target’s “lack of a CISO” was the root cause for the system breach in 2013, costing the company $252 million.
The risks have changed, and the way we approach the security of our businesses has not quite kept up, in my opinion.
What’s at risk? Remember the “I love you” worm, circa 2000 – probably one of the most damaging worms ever. “I love you” infected millions of computers worldwide within a few hours of being released. In September of that year, Jonathan James was charged and jailed, becoming the first juvenile to serve jail time for hacking. This attack wreaked havoc – it cost about $15 billion to remove the worm and did billions of dollars in damage – all for what could be equated to the new age of graffiti at the time. For all of the damage it did, it was just that, damage. There was no IP theft, just widespread damage that crippled mail systems worldwide and infected over fifty million computers in just 10 days. It was a prank. A really, really successful one and a big problem for IT security professionals everywhere – CEOs all over paid very close attention!
Now, hackers are in it for different reasons. Jonathan James was just a kid and didn’t do it for the money. The hacking “industry” today is responsible for $445 billion a year in trade theft, according to Bloomberg, and that number is growing. For reference, Coca-Cola is a $46 billion company. The 2016 PwC 19th Annual Global CEO Survey says that 61% of CEOs cite cybersecurity as a major concern on both the corporate and national level. Cybersecurity is definitely not just IT’s responsibility anymore!
Everything and everyone is online these days. Employers are encouraging BYOD and employees are getting access to valuable, confidential, and highly sensitive company intellectual property on their personal devices. How that data is being accessed by those employees needs to be a CEO problem. This is a business and process problem – not an IT problem. People think that because it is online or on their device that they own it. There are lots of technologies to detect and protect against hackers and attacks, but business processes need to be in place (best practices and codes of conduct) so that employees know the boundaries. Employees need to understand the consequences of breaching these codes and businesses need to understand that without these codes and processes, hackers and attackers could be willingly and unknowingly coming from within.
Emerging security technologies (network security, security intelligence, analytics and tracking, content management, document security), coupled with well-communicated corporate policy on file sharing and access to confidential and sensitive information, are a company’s best defense today against data breach and loss of intellectual property. Tackle security from the inside out and from the top of the business down!