CEOs: Don’t set up your IT department to fail
Protecting your organization, its reputation and its confidential data is imperative
Before your eyes start to glaze over, think about this statistic: we create more data every two days than we created in the timespan between the dawn of civilization and 2003.
Client records. Trade secrets. Location metadata entwined in every photo you take with your smartphone. Employee security credentials. Your tweets. The office photocopier. The chat log from your Words With Friends games. Essentially, anything we do online (and sometimes, offline) has a record stored on a server somewhere. Those records can be incredibly valuable to the right person. And it’s your responsibility to make sure the data important to you and your company is secure.
The business of stealing data
“Information Security” is about protecting your valuable data, wherever it lives. The task of protecting it digitally is known as “cybersecurity.” Who wants the data? Enterprising thieves and the digital version of arsonists, known as hackers, who profit from selling your data and your clients’ data to people who want it (or who destroy or leak it just for fun). They may be unscrupulous competitors, dark web entrepreneurs, mischief-makers, or others with the skills and motivation to steal information that belongs to you or your customers.
The cost of having data stolen
Businesses across the Granite State are losing money to cybercriminals. Whether through phishing, connected devices, ransomware (like the recent WannaCry virus that held data hostage for ransom at thousands of companies) or through the negative public relations that follow any type of data breach (such as the recent Equifax breach, which will have long-term and far-reaching negative consequences for the company), recovering from an InfoSec failure is difficult and expensive. You could face legal repercussions, hefty fines, stolen money and hits to your reputation.
It’s happening in New Hampshire
New Hampshire businesses aren’t just vulnerable. They’re being hacked now. At Mainstay Technologies, we’ve discovered hackers in New Hampshire businesses’ servers and found executives’ passwords on the dark web. We’ve discovered firewalls set up with default passwords and administrative users with extremely easily hacked passwords. (Tip: Password123 and TomBrady12 are not secure passwords!) We’ve uncovered technical control and staff vulnerabilities that would allow attackers to easily gain control of businesses here in our state.
Why this is happening
When Mainstay gets called in to perform incident response after a business has been hacked, we nearly always discover a lack of intentional focus on information security, and an assumption that security is “fine” and that the information technology (IT) folks handle security. IT and Information Security are not synonymous, and thinking so is a sure sign that your business might be at risk. Every business needs to think about its data, where it comes from, what’s sensitive, who can access it, where it’s stored, where it goes and whether it is properly protected – in both its offline and digital states. A firewall and antivirus aren’t enough anymore. Not even close to enough. Technology is proliferating rapidly, and every touchpoint, from a card swipe to mobile browsing, creates a potential security risk you must address proactively.
What’s the solution?
Think about how medieval castles secured their valuables – surrounded by walls, a moat, and layers of protection. With guards, processes, training protocols, and checkpoints. They were intentional about analyzing threats and building in layers of defenses. That is how we need to think about Information Security (including cybersecurity) in the 21st century. Online, offline, people, processes, and technology must work together to protect the organization – and clearly that can’t be solely the responsibility of the IT department/professional! InfoSec can be complex and hard, but it is always crucial. Our recommendation to business leaders is to recognize the world they live in and actively take part in intentional risk management for cyber threats.
If you’ve been on the receiving end of an attack, I empathize - it’s a terrible feeling. You feel exposed, vulnerable, and overwhelmed with how to keep it from happening again. For the rest of us, it’s time to wake up and address this proactively before it happens to us. It doesn’t have to be expensive – even with zero budget, you can increase security measurably by changing passwords and training staff!
To fellow business leaders
This is important. If you don’t know what your firm is proactively doing to protect client and company data, send this article to your colleagues. Educate yourself; identify partners or stakeholders that can help, and begin tackling the risk head-on, just as you would do with any other business threat.
Ryan Barton is CEO of Mainstay Technologies, an IT and information security company that serves businesses across Northern New England.