What CEOs Can Learn From the Sony Cyberattack

2. Insufficient physical access controls. Hackers and thieves with ready access to company offices can easily steal equipment containing access codes and passwords.

3. Poor third-party security:

• The cloud. There are many stories of private data and photographs downloaded from insecure public and private clouds. Also, unintentional “leakage” of data from one customer to another has been documented.


• Systems development, maintenance, testing and operations. Third-party contractors usually require access to company computers. Plus, sensitive data in the hands of third-party contractors is always a risk. Third-party security controls that are at least as strong as those for employees must be contractually established. A restricted-development environment, as well as additional monitoring, may also be necessary.

• Infrastructure. Outside infrastructure providers must be governed by strong security controls.

• Facilities. Third-party contractors who maintain your facilities (building personnel, cleaning people, etc.) must also be governed by strong security controls.

4. Insufficient business-partner access controls. In today’s integrated supply chain, business partners are connected electronically and pass forecast-to-order-to-cash data back and forth, over the wire, to company systems. Malware can easily be inserted in these transmissions. Companies must ensure that business partners maintain the same (or stronger) levels of security control and they must continually monitor data inputs.

5. Weak employee onboarding (vetting) and termination processes. Stopping the problem at the door is critical. Personnel with checkered backgrounds must not be allowed access to the computer systems. The access and information possessed by exiting employees must be revoked immediately.

6. Poor personnel training and awareness. Employees, contractors and other personnel, especially new hires, must attend frequent awareness and training sessions so that they are constantly reminded of their risk-mitigation obligations. All must be advised of new hacking techniques as they emerge.

7. Poor equipment disposal processes. When disposed of, computers and mobile devices must be electronically “wiped clean” of all data, access and security codes. This is especially challenging in BYOD (bring your own device) environments.