7 Policy Changes to Prevent Corporate Breaches
OR...Head-In-The-Sand Is NOT A Security Posture
Home Depot and Target could not prevent corporate breaches, losing almost 100 million credit card records because of failed cybersecurity policy. To this day, some people refuse to use their cards in either store. The loss of trust is palpable, and insurance reimbursements, remediation, firings, and apologies can’t atone for it.
Every day, new exploits and breaches are reported. IT staff live in constant fear of the breach that will end their careers. Policy has left many IT departments, CIOs, and consumers shaking their heads. Business leaders can and should treat policy as a living document, changing with constant threats.
Here are seven key policy changes to help your business stay ahead of cybercriminals.
Brighter Days Ahead
Corporate IT employees are typically not content with the same job roles over time. The best way to keep Help Desk employees happy is to let them dream of a promotion path that could someday lead to the CIO’s desk. Not everyone is mentally equipped for that position, nor does everyone really want it, but having options keeps the troops engaged and the secure machine running smoothly. An idle mind is the devil’s playground.
Let IT Hire IT
Human Resources may play an integral role in the hiring process, but they should never decide which resumes warrant moving to the next phase of recruiting. Far too many resumes are exaggerated, especially in IT. A quick questionnaire or phone conversation will eliminate most paper tigers. Tightening up the posted job requirement will also narrow the responses. Be sure to give special attention to security certifications and training. Simply listing all current technologies or vendor products not only casts too wide a net but provides outsiders a blueprint of your internal IT systems.
Fight Fire with Fire
Some have reported offers of $1 Million to provide a single file from Fortune 500 companies. This could be snapshots of SalesForce data downloaded by an administrator, or an employee list, or detailed customer info, or the security schedule and procedures. $1 Million for a Fortune 500 company isn’t much. But how much would it cost to lose any of that information if it led to a data breach or loss of market share to competitors? To fight that temptation, offer everyone, not just executives and IT staff, annual bonuses or special events for following security regulations that prevent breaches. Money is a wonderful motivator. So are free hot dogs.
Keep them Honest
Standard hiring practices include background, drug, and credit checks on incoming employees. Background and credit checks should accompany random, regular drug tests. Things change, and those in a financial crisis are statistically more likely to listen to financial offers from the outside. Policy must dictate that all IT employees have some security training and certification. Certification is maintained through continuous learning and testing, which means a budget for training and travel. This is most important for contractors. Administrative privileges over sensitive data are removed if IT staff or contractors cannot maintain the requirements. This is how the military and government handle access to classified information. Is your data less important?
Know Your Audience
You didn’t hire your staff this morning from the Office Depot parking lot to work for just today. Regardless of business trends, staff is not infinitely replaceable. The unemployment rate means nothing when you cannot find qualified and willing staff. Sure, corporations of all sizes have unproductive elements. But they show up. And while the level may not be optimal, it is consistent and measurable. You don’t need to applaud mediocrity, but you should at least acknowledge their continued presence, regardless of the reason. It’s not loyalty, but it can be. Everyone in the company is in this together. You must train everyone from the mailroom to the boardroom to recognize and avoid cybersecurity threats at work and at home.
Focus on Security
Start at the top. Top management must come forward and acknowledge that, yes, cybersecurity is difficult and less productive, but “we take the security of our data and employees seriously at ABC Corp.” Security isn’t just for guards or IT. Security isn’t lip service to pass compliance, and technology alone cannot help. You must have the correct combination of Policy, Education, and Technology to activate every employee as a security monitor. Start by showing leadership’s commitment. No exceptions. Hire a Chief Information Security Officer (CISO). You cannot afford to NOT hire someone whose sole purpose is to focus on cybersecurity. You cannot add it as a task to the CIO, CTO, or VP. Consider contracting a vetted, referenced expert. Constant vigilance is required from the outhouse to the penthouse.
Change the Culture
No more sticky notes on monitors. Train all employees regularly. Implement phishing campaigns and provide additional training where needed. Ask an outside security consultant to scan the enterprise regularly and offer suggestions. New exploits appear daily. IT cannot be expected to shoulder the load alone. After all, the company is everyone employed, and a threat to the company is a threat to each individual.
It doesn’t matter what your industry is – butcher, baker, ball bearing maker – threat actors exploit vulnerabilities. Head-in-the-sand is not a security posture. Show that security is there for safety, not to ensure employee productivity. There are no chains attaching people to desks. If employees have poor attitudes toward security, that’s leadership’s fault. But you can change that.
Home Depot didn’t learn from Target’s mistake. You have hundreds, if not thousands, of examples of what NOT to do. Will you learn the hard way?