Data security breaches damage companies. Occasionally, they even ruin them. With compliance regulations chasing far behind the inciting event, it’s up to your chief information officer (CIO) to protect the security and privacy of your company’s data, and more notably, your customers’.
But while hackers make splashy headlines in the papers and are portrayed as ingenious villains in feature films, the source of their information in the majority of cases is far more mundane: insufficient employee training and awareness of threats. In fact, in a recent survey conducted by Ernst & Young, 56% of all the CIOs interviewed identified “employee unawareness” as the primary threat to data security and privacy.
These breaches are routinely caused by the simplest of errors: a laptop forgotten at a restaurant, a password on a post-it note, an employee innocently responding to an email that claims to be verifying a user name and password, or a password that isn’t routinely changed. The list can sometimes feel endless, and as a result, it can be difficult to know where to start.
At Peak 10, information security is essential to our business, so we have devised some core principles that we thought we’d share.
- Establish an Information Security Policy. If you don’t have one, this should be your first and top priority. It should be a Board of Directors-level effort to ensure comprehensiveness. Identify what you are trying to protect, review all possible solutions, and research industry regulations for compliance and best practices before making decisions. For example, the strictness with which Peak 10 enforces our own policy affects every security measure we employ, from firewalls, passwords, access, monitoring and encryption to our background checks for employment.
- Develop Procedures and Implement Controls – And Live By Them. Even the basics must be addressed, reviewed and monitored to ensure all employees adhere to the rules, all the time. That includes minimum password lengths and maximum password age.
- Hire Only Trained and Certified Information Security Professionals. Information security is a separate role from others in IT. It requires hefty training and multiple certifications. Only by hiring professionals with those certifications can you amply protect your facilities, customer data and company data.
- Commit Yourself to Ongoing Employee Training. An uninformed employee is a terrible risk. Many hacks start with social engineering – getting your employees to do something by either threatening them or offering rewards. The awareness you raise among your employees today will only help to heighten their awareness and caution tomorrow.
- Schedule and Maintain Regular Risk Assessments. The biggest challenge for many mid-sized businesses is in strict maintenance of policies. Routinely study the latest trends in security threats. Raise awareness of them. Devise and implement controls. Train your people how to respond.
- Pay Special Attention to Data Privacy Requirements When Outsourcing. Determine what your data privacy requirements are and be sure to ask the relevant questions of a potential provider to ensure they can meet them.
Data security may arguably be the most challenging responsibility a CIO has because it’s akin to herding cats. Data is constantly going out, more is coming in, and each exchange exposes the company to threats, from careless insiders as well as surreptitious hackers. Identifying your limits and adopting a set of best practices can prove a useful and routine resource.
Ernst & Young GM Limited, “The DNA of the CIO: Opening the door to the C-suite,” © 2014.