The data breach at Equifax that was revealed in September affected up to 143 million consumers. It is considered one of the worst such breaches ever, based on the sensitivity of the data that was stolen.
In the two months since then, data breaches have been reported at the US Securities and Exchange Commission, Whole Foods Market, Hyatt Hotels, and Deloitte. Ironically, Deloitte was ranked as the number-one security consulting company in the world this year by revenue, according to Gartner.
As far as I’m concerned, there’s never a bad time to talk about the importance of IT security and compliance, and now might be a better time than ever.
Needless to say, ensuring IT security is a lot more challenging in recent years with the dramatic rise in the use of mobile devices, employee-owned hardware, third-party apps, and cloud-based data storage.
In this post we’ll look at some of the biggest current threats to your organization’s IT security, focusing on the challenges brought by the trend toward the decentralization of IT operations.
From the business continuity perspective, we divide IT security issues into five categories. I’ll talk about each below.
1. Your employees
Studies have found that some employees would give away their password to their company’s computer network for as little as five dollars. The key to making sure your employees are helping keep your organization safe rather than exposing it to danger is hiring the right people and training them properly. And make sure that the training you do extends all the way down to the very lowest squares on your org chart. Too often I see lower-level workers left out of the training they need to help you protect your company.
2. Your employees’ personal devices
I see more and more that companies are allowing employees to bring their own devices to the office and use them for work. This includes laptops, cell phones, and tablets, as well as the desktops they might use when working at home. I’ve noticed three things about this trend. First, it’s great from the point of view of business efficiency and flexibility. Second, it’s here to stay. Third, the increase in the use of employee-owned devices creates a lot of new challenges from the security point of view. In the old days of centralized computer resources, a company’s IT was like a castle with one big gate that needed guarding. In the new world of employees working on their own phones and computers, the castle has developed a thousand gates, each of which is a potential point of vulnerability to the company.
3. Your cloud service
I have noticed something funny when it comes to the cloud: People tend to assume that the cloud is security nirvana. They assume that the people running their cloud service are highly compliant and that because the cloud company might be bigger than their own organization, it must therefore be more secure. None of these things is true. The cloud is just another data center, just another piece of technology. You should vet your cloud company just like you would any other third-party provider. Think: “people,” “process,” and “technology.” You should vet your cloud company for all three. Are the cloud company’s employees in the US or offshore? What type of training do they receive? Is the company compliant with the regulations and requirements that you need to be compliant with? The warning “Caveat emptor” applies just as much to the cloud as it does to terrestrial transactions.
4. Your third-party apps
The vulnerabilities of the third-party apps your company uses are basically the same as those of your cloud service. Beyond that, the rise in the use of third-party apps presents some very interesting issues. The availability of dependable, high-performing third-party apps to do things like store and process information, handle customers, and handle phone calls and messaging is truly amazing. But when the business depends on the app, the business is only as secure as the app.
Another thing I see is business units going around their IT departments to sign up with third-party apps. (IT departments tend to be conservative and focused on defense; the business units tend to be aggressive and focused on playing offense.) The trouble arises when there’s a problem with the app and the business unit asks their IT department to help iron it out. If the IT department was not in on the original decision to use the app, they might be less than eager to help untangle its problems. Ideally, your IT department should be committed to helping your business units bring home the bacon, and your business units should be sympathetic to IT’s responsibility for defending the company.
5. Your compliance standards
Here we are talking about such standards as PCI (for credit cards), HIPAA (for medical information), and HITECH (for health information technology). If your company has to meet the standard, then any system or device you do business on has to meet the standard. I’ve noticed that when it comes to IT compliance standards, a lot of people are satisfied with doing the minimum. But I find that when you do that, you’re always playing catch-up. Standards often change, and usually they get more stringent. I advise my clients to stay ahead of the game by doing their best to fully comply.
What are some steps you can take to reap the benefits of the new world of decentralized computing while minimizing the risks? Here are a few:
- Subscribe to the standards you are obliged to meet.
- Keep tabs on the providers of your cloud services and third-party apps. If you see in the news that one of your providers is having problems, you will have a head start on finding an alternative.
- Make sure your cloud service and third-party app providers have a SOC 1 (System and Organization Controls) report. And since the thoroughness of an audit depends on the person doing it, validate the report. Look at the areas that are critical to you (for example, physical security, disaster recovery, or information protection). If you’re not comfortable with the responses you receive in those areas, ask for more information or additional documentation.
Consider BCMMetrics™ Business Continuity Management Tools
The software tools developed by BCMMetrics can help you ensure that your organization is IT compliant. Our cloud-based solutions facilitate compliance across your business continuity program and include tools to help with:
- Evaluating standards compliance. Compliance Confidence (C2) makes it simple to assess your program’s level of compliance against key industry standards. It also gives you a “FICO-like” score that helps identify areas for improvement.
- Conducting BIAs. BIA On-Demand (BIAOD) gives you all the right questions to ask for every BIA interview. It also organizes the data to provide insights and makes it easy to share with your team.
- Assessing your program’s residual risk. Residual Risk (R2) quantitatively identifies where pockets of residual risk exist and helps you evaluate how to handle them.
We also offer eight hours of free consulting in the first year to help with each tool to make sure you’re getting everything you want out of it. Our tools are intuitive, secure, and get the job done. If that’s what you’re looking for in a business continuity management system, schedule a free demo of our software today.