Information security is not IT’s job
Expecting your IT professional to handle cybersecurity is like seeing a cardiologist for severe knee pain
As a business leader, there are three words you do not want to hear: “We’ve been breached.”
History shows that most breached businesses learn of the breach not on their own but from the impacted individuals or from law enforcement. This is a terrifying statement, but it is reality. How would you know that you’ve been breached? You wouldn’t want to find out from your client, law enforcement, the IRS, a regulating body or the actual hacker.
If you’re a business leader, then you’re responsible for the protection of sensitive data in your organization. Do you know where your data lives? Is it in e-mail? Are there copies all over your network? Do many employees have access to the same sensitive data? Paper records everywhere? Do you have strong credentials and account controls in place? Can your network be accessed from anywhere by any device? These are all important questions to address.
Do you have an information security program in place that includes the proper technical and administrative controls? Is your network perimeter and internal environment being properly monitored and protected 24×7?
So here you are, a small business owner. You’re a victim of a data breach, and you’re responsible for client information that is now in the hands of hackers. Assembled around the table is your incident response team. You’re the one being grilled with questions about what exactly happened. It could be your attorney, cyber insurance provider, third-party incident response experts, forensics team, law enforcement, etc. They want the facts ASAP so they can contain the situation, support your defense strategy and satisfy any reporting requirements.
Your first response is, “I thought IT was handling that.”
Your wide-eyed IT resource is nervously explaining something about only having basic anti-virus software and a firewall in place. Questions about monitoring, logging, training, security layers and administrative controls are getting blank looks in return, and you know that you don’t have the right answers. You quickly realize that there’s a technical chasm here that you don’t understand. How did you get here? To start, you likely placed an unfair burden on your IT resource. Let’s look at the difference:
Primary focus of the typical IT professional: Stability, availability and efficiency of your technical environment to support your business. Response services required to support your employees. Most likely some systems administration, systems engineering and network engineering. Potentially support for line-of-business applications. Basic data security measures probably exist in the form of anti-virus software, a firewall and basic system patching. This is a high-level list.
Primary focus of the typical information security professional: Putting your business in a defensible position by constructing an information security program. This includes reducing risk for your organization by building in-depth technical and administrative defenses. The focus includes internal and external vulnerability management, data flow protections, information security awareness training and testing, account management based on role-based access, log generation and monitoring, and technical compliance management that includes the creation and implementation of policies and procedures aligned with your business requirements. This is also a high-level list.
Would you visit a personal injury lawyer for an immigration law issue? They both are attorneys. Would you talk to your investment advisor when you know that you need a CPA that specializes in forensic accounting? They both have accounting degrees. Would you see your cardiologist for severe knee pain? OK, I’ve made my point.
Without an information security program in place, you most likely won’t know about a security incident until it’s too late and a breach has taken place. What would it mean if your business experienced a data breach? Fines? Regulatory penalties? Downtime? Loss of customers, business volume and revenue? Unplanned recovery costs in time and fees? Diminished reputation and trust? Decreased competitive ability and opportunity reduction?
If you think “IT is taking care of that,” take a critical look and have an honest conversation with your IT professional or provider. Reduce risk to your organization and put your business in a defensible position by working with an information security specialist who will work with you to implement an information security program for your business.
Jason Golden is chief information security officer at Mainstay Technologies, Belmont and Manchester.