I’m here to deliver bad news: Your company is going to get hacked.
From Yahoo! to HBO to Equifax, the global scene over the past 12 months alone has been littered with instances of poor corporate security.
Unfortunately, there are generally two prevailing schools of thought when it comes to cyberthreats: “it’s never going to happen to me” and “it’s going to happen no matter what, so why bother doing anything?”
While the first answer reflects pure denial, the second is a form of security nihilism that can be incredibly dangerous. Every time I get into the car, I know I might get into a car accident and the other person will leave the scene of the accident, and for that very reason I buy car insurance and buckle my seat belt.
Similarly, there are steps you and your organization can take to mitigate the impact of a security breach.
1. Make security a priority. The first and most important job of a CEO is to set the priorities for the organization. If you have never talked about security, you can bet it’s not being perceived as a top priority. Hiring the right people, such as a chief security officer, is important, but as a baseline there should be someone on your team who is tasked with security and given a platform to talk to your leadership team about it.
2. Know your industry’s standards. While it’s unlikely that you will know the details of security best practices, you should know that these standards affect your organization: ISO 27000 is a set of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). For Personally Identifiable Information (PII), the Massachusetts Data Protection Law governs information that can be used to distinguish an individual’s identity (name, SSN, date and place of birth, mother’s maiden name, etc.). The people who are charged with keeping your company secure must be familiar with these standards and have some experience implementing them.
3. Understand where your risks are. There are a number of in-depth analyses that can be done to determine the ROI of securing your systems, but you can assess any potential hack based on four general levels of risk:
   1. Public domain: Disclosure would cause no harm.
   2. Restricted: Disclosure would cause minor embarrassment or minor operational inconvenience.
   3. Confidential: Disclosure would have a significant short-term impact on operational or tactical objectives.
   4. Secret: Disclosure would have a serious impact on long-term strategic objectives or put the survival of the organization at risk.
For example, the recent Equifax breach that exposed the personal data of 143 million people would be classified as secret. While the CEO of Equifax was not the one who should have personally secured that data, he bears ultimate responsibility for selecting the person who should have overseen the activity and for making security an ongoing corporate priority.
Any CEO knows that change is constant. Navigating the world of corporate security is much like driving in busy traffic: You should drive carefully, but no amount of driver’s ed can guarantee you won’t get into an accident. With driving, we are taught to buckle up and keep our cars insured, reducing the personal and financial repercussions of an accident. Good security is much the same. You are going to be hacked, but you can – and should – take steps to mitigate the damage.