When the topic of cybersecurity comes up at your organization, I’m guessing your executives immediately look to the CIO – yourself included. After all, when you’re talking about data, about information access and about the technology needed to keep both safe from unwanted activities, you assume IT has it covered. And your organization isn’t the only one operating under this assumption – far from it.
According to a report by Kroll and Compliance Week, three-quarters of Compliance Officers have no involvement in managing cybersecurity risk. Plus, 44 percent of respondents revealed that their Chief Compliance Officer is only given responsibility for privacy compliance and breach disclosure after a security incident has taken place and plays zero part in addressing the risks beforehand.
Here’s the problem with that approach: many breaches are preventable. According to the 2013 Verizon “Data Breach Investigations Report,” 78 percent of initial intrusions are rated as “low difficulty.” Now, don’t get me wrong: hackers are extremely crafty and are scheming new tactics as I write this. But part of the reason they are able to get their hands on data that isn’t theirs is because organizations simply aren’t prepared.
The blasé “it will never happen to us” mentality still runs rampant, making companies all the more vulnerable to cyber attacks. This is surprising, considering that you don’t have to look far for frightening examples of mammoth data exploitations. Just weeks ago, we all heard about the largest known data breach to date, with a Russian crime ring stealing 1.2 billion usernames and passwords from 420,000 websites. If that doesn’t scare companies straight, I don’t know what will.
However, keeping malicious attacks at bay can feel much like swimming upstream, particularly with the onslaught of mobile devices and the movement to the cloud. According to Cisco’s Global Mobile Data Traffic Forecast, there are almost as many mobile devices (seven billion) on the planet as there are humans. That is a scary thought, since most of those devices lack proper security, and mobile malware grew at a startling rate of 614 percent from 2012 to 2013.
Many companies find themselves either scrambling to secure employees’ mobile devices or resisting the BYOD movement for fear of a security breach. In fact, a McKinsey & Company survey (“The Rising Strategic Risks of Cyberattacks”) found that 70 percent of respondents had delayed the adoption of public cloud computing by a year or more due to security concerns, and 40 percent said such concerns delayed enterprise-mobility capabilities by a year or more.
Rather than holding your organization back from reaping the rewards that mobile and cloud computing have to offer, why not take robust measures to eliminate any weak links, protect your company from cyber risks and ensure your compliance standings aren’t impacted? Here are six places to start:
- Don’t trust anyone: Just because you choose to partner with a seemingly trustworthy, well-known name doesn’t mean they are doing what’s required to keep your data safe. The 2014 Anti-Bribery and Corruption Benchmarking Report found that only 43 percent of organizations monitor compliance once a third-party relationship has started. Push IT for details on partnership SLAs, encryption levels, DLP integration and other security capabilities.
- Maintain complete cloud control: Find out exactly where your data will be stored and consider a private cloud deployment to maximize data security. Check out my previous article, “Be a Control Freak When it Comes to Your Enterprise Content” for recommendations on a Compliance Officer’s role when choosing a cloud solution.
- Put a stake in the ground: You want to make sure that IT carefully manages how employees access and share information. Your company should endorse one mobile file-sharing and collaboration solution for use enterprise-wide. If you don’t, employees could turn to consumer-class file sharing solutions and you lose control over how files are distributed and who has access – a breach in waiting.
- Make sure what’s lost isn’t found: Every 3.5 seconds someone in the U.S. loses a cell phone. Even if a lost smartphone or tablet does not hold confidential data, it might have apps or cached credentials that make it easy for criminals to hack into your organization’s network. Devices will inevitably get lost along the way, so it’s critical to have remote wiping capabilities to make sure that sensitive data doesn’t get into the wrong hands.
- Get serious about authentication: You want to give the right users access to the right information at the right time while keeping unauthorized individuals out. For any solutions that touch your confidential data, look for straightforward LDAP/multi-LDAP and AD integration, support for single sign-on and the ability to easily establish and reset password policies.
- Tell employees you’re watching: You’re likely already conducting internal security audits, so why not share the results with your staff? Communicate anonymized details of who’s accessing what information, when and from where, so users know that you’re paying close attention.
Significant cloud and mobile benefits are there for the taking, but you first need to team up with IT to keep your company’s data safe from unwanted eyes. While no one can predict where the next cyber attack will strike, you can do your part to make sure your organization doesn’t become the next breach headline.