A recent article had the headline, “Cybercrime market sells servers for as little as $6 to launch attacks.” The article stated that “criminals are selling access to more than 70,000 compromised servers that would allow a buyer built-in capability to carry out widespread attacks.” It informed us that not only are the “bad guys” winning, but they have implemented operational excellence strategies in doing so.
How do executives and business owners react to media reports such as this? Do they think “I could be next” or “I’m glad we are secure and it’s not us”? The truth is that nobody is immune from being targeted and attacked. As that reality hits home to business owners, we see more and more of them vetting their business partners and asking tough questions regarding their security control activities. Businesses can no longer do nothing.
This past January, the State of California’s Attorney General came out with a mandate that every company in the state is required to protect consumer information at a reasonable due care level. It won’t be long before other states follow suit. Your company should be prepared and create a security plan for how they will secure their data and what they will do to mitigate the damage to the company should a compromise occur.
The first and most important step in developing a security plan is to define what the biggest risks to you and/or your industry are. A great resource for this is Verizon’s “Annual Data Breach Investigations Report,” which is freely downloadable. This report investigates a sampling of security breaches over the past year and tells the reader what the “bad guys” are doing. It should be used as part of a company’s risk assessment to help define some of the threats that need to be addressed. A few of the statistics included in the 2016 report:
- No locale, industry or organization is bulletproof when it comes to the compromise of data.
- 89% of security breaches had a financial or espionage motive.
- 63% of confirmed data breaches involved weak, default or stolen passwords.
- 97% of breaches featuring use of stolen credentials used legitimate 3rd party partner access to complete the hacking action.
- New vulnerabilities come out every day.
The second step in developing a security plan is to decide how you will protect yourself from the risks you defined in step one. There are many security frameworks that document best practices, policies and procedures for mitigating security risks, and they can guide your decisions about how to protect yourself from each one. Some FREE valuable frameworks to consider include:
- National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- Center for Internet Security (CIS) Critical Security Controls for effective Cyber Defense Version 6
These frameworks can be overwhelming in length and approach. Staying focused on the top priority risks defined in step one above will help keep you on track. Remember that a business can’t do everything to protect itself from security risks, but it can’t do nothing either.
Reports of security breaches occur on a daily basis, and no company wants to see their name in the headlines as a result. Are you prepared in the event that it happens to you? A security plan will help to mitigate some of the risks and protect your assets, and can also prepare you for what must happen in the event an incident does occur.
If you don’t currently have a security plan, the professionals in Olsen Thielen’s Technology Guidance for Executives practice area can help. Contact Lisa Dunnigan, MCTS, at 651-483-4521 for more information.