The recent data breach at US credit reporting firm Equifax provides a valuable lesson.
In a massive breach, attackers accessed systems and exposed personal information on more than 145 million Americans. It has since been revealed that the vulnerability exploited in the attack was known months before the breach actually occurred.
So, why weren’t steps taken to prevent this disaster well before it actually happened?
Under-investment in information security, or simple inaction, is a serious matter with the potential for disastrous results. Implications can include:
- Reputational damage – imagine customers not only ceasing to do further business with your organisation, but also taking legal action. If customers are not confident that their private information is secure and protected, can you continue to operate? How would you rebuild your credibility?
- C-level careers – accountability rests here. Over the last few months the senior management structure at Equifax has been decimated. Imagine losing your CIO and CSO (Chief Security Officer) “effective immediately”, only to be followed two weeks later by the resignation of your CEO.
- Legal action – imagine spending months, possibly years, in the courts, defending your organisation. The resources required would impact everyday operations and there may be significant fines imposed, further impacting revenues.
- Forced audits – accommodating an external party or parties to conduct a full review of your technology and processes would also impact the current team and productivity.
This is about basic risk management. Today, all organisations operate in a changing information security environment. Therefore, risk management is critical and time is precious.
Act now to minimise your risk by taking the following steps:
- Acknowledge the risk and advise your leadership group that the risk of a data breach does exist. There may be a known risk (identified by an auditor or your own team) such as a lack of user education, an out-of-date technical solution (e.g. a system which requires patching), or a gap that requires the implementation of a software solution.
- Ask, and then answer, the question: do you have all the required policies and procedures in place and effectively implemented? For example, you might identify that the Appropriate Use Policy needs updating for all computer users, or that IT requires a clear and up-to-date procedure for Special Access Rights to be developed and implemented.
- Action a good solution, including documentation and education from a professional services company, and have that provider start the work as soon as possible.
Effective adoption of policies and procedures requires well-written documents supported by executive sponsorship. Getting this work done can be a challenge for IT departments, as not all technical departments have people with strong technical writing skills. We have seen highly skilled infrastructure experts invest significant hours, valiantly trying to progress the writing of documentation. The work then stops and starts, and the information becomes out of date. The task, which can be sizable, also takes time and focus away from other priorities.
In addition, many organisations have in recent times reduced their workforce to focus on core business activities, whether selling products or providing services. They now often do not have the people resources to deliver this type of work.
To ensure you mitigate your security risks, consider partnering with expert professional service providers who will work with your leadership team to clearly define and drive strong adoption of policies. Executive sponsorship is easier to obtain, and approvals are more smoothly managed, if documentation is well written and structured.
When compared with addressing all of the implications of a breach after it has occurred, action and investment now will certainly result in savings of time and budget. It will also minimise risk and may avoid privacy breaches impacting your customers or clients, reputational damage to your organisation, job losses and the associated costs.
Don’t wait until a breach has occurred – begin a conversation today on the ways your organisation can reduce risk and protect your information.