October is National Cyber Security Awareness Month, but with the constant drum beat of headline-grabbing data breaches, I could argue at this point that every month is National Cyber Security Awareness Month. Equifax and the U.S. Securities and Exchange Commission (SEC) are the latest big organizations to fall victim to cyber criminals. My colleagues recently shared insights into the Equifax hack because the ramifications of breaches like these ripple through the entire business, consumer and regulatory ecosystem. We are constantly monitoring these attacks so that we can stay ahead of the criminals.
One of the many downsides of the daily breach headlines is that we’re becoming numb to their dire consequences. “Yet another breach,” readers have started to say to themselves as they move on to the next headline.
Cyber Vulnerability Goes Deep
The cyber security awareness we’d like to focus on this year is the depth of the problem. Businesses that are approaching cyber security in a comprehensive way dedicate extensive resources on a daily basis to keep their data and intellectual property safe.
Why? According to the Identity Theft Resource Center, there have been more than 1,000 data breaches and more than 160 million sensitive personal records exposed this year to date. Businesses that haven’t experienced a breach yet know that it’s not a matter of if but when they become a target.
In other words, the Equifaxes and SECs of the world get hacked and make huge headlines. But the reality is that your local Municipal Hospital in Any Town, USA and your corner bakery are also vulnerable to breaches. They might not make news in USA Today, but the consequences for them are equally devastating.
No business, large or small, is safe. And with digital transformation – businesses are increasingly using IoT, adopting the cloud, and incorporating SaaS applications – come ever-expanding responsibilities in cyber security.
The Every-Day View of Cyber Security
With these persistent threats, the problem can seem daunting. But as with any big challenge, you can break down enterprise security into manageable components that work together to mitigate the risk.
Here are some basics that enterprises are using to approach cyber security:
-They train their employees. Employees are often the weakest link in a business’s security strategy. Our annual Data Threat Reports, for which we survey IT decision makers globally, consistently identify insiders as their biggest threat to their businesses’ cyber security plans. The headline news confirms this, as many of the breaches we see can be traced back to compromised user credentials. Part of the answer here is to provide clear, concrete training to employees across the organization so that they know just how important a role they play in the protection of their organization’s data.
-They empower a Chief Information Security Officer. Simply put, there's no way for a business's cyber security plan to be successful if the responsibility is dispersed. The Chief Information Security Officer (CISO) bridges the divide that has historically existed between Information Technology (IT) and the business's decision makers. I shared thoughts earlier this year on the board room's increasing concern over data breaches. The CISO is a great start in allaying those concerns. But even smaller organizations need a point person for security – otherwise no one will be in a position to make crucial – and potentially business-saving – decisions.
-They master the regulatory and compliance landscape – and probably write their own policies. Data-privacy and security compliance is fractured, to say the least. Businesses might have to conform to industry-specific regulations – like the financial industry’s Payment Card Industry Data Security Standard (PCI DSS) or the U.S. health care industry’s HIPAA laws, to name just a couple. There might be data-sovereignty requirements, as well.
It’s a dizzying outlook. The businesses that master data-privacy and security compliance often write their own policies that go beyond mandated standards, anticipating needs specific to their business model. This approach pays off, especially when it comes to the staggering penalties for non-compliance.
-They use encryption in a comprehensive security strategy. Naturally we believe that encryption plays a critical role in a complete data-security strategy because it the surest way to secure data at rest, data in use and data in motion. But we also partner with the best of the best in the industry and are part of key alliances to acknowledge that data security is a complex issue with a range of key players. To us, that’s what National Cyber Security Awareness Month is about. What is the full picture of cyber security as it stands today? Who is doing what? Where does the conversation need to go? Businesses looking to create a superior cyber security strategy have a similar point of view.
Tune into our social media channels and blog throughout National Cyber Security Awareness Month.