Jan 29 2014, 11:50pm CST | by Forbes
Many American executives are out of touch with their IT department, putting them at risk for security issues and data loss. When surveyed by PricewaterhouseCoopers, more than 9,300 high-ranking executives gave answers that were often vastly different from what officials found.
The survey was conducted in 2012 in a cooperative effort between the US Secret Service, the FBI, and Carnegie-Mellon’s software engineering institute. While executives were polled in 128 different countries, most of the respondents were located either in America or Europe. Overall, there were discrepencies in almost every category between what respondents believed and what was true. For instance, more than 42 percent of those questioned stated that they considered their organizations front-runners in the area of IT security. However, when compared to requirements set by the group coordinating the survey, only 8 percent qualified as true leaders.
These differences are notable because, as the survey revealed, corporations are putting less resources into IT security, with spending on training and in-house IT security expertise down. While the number of breach instances were down during the period this survey covered, the recent security breaches at major retailers show that attacks often happen when businesses least expect it.
Whether your business is a massive corporation or an SMB that outsources its IT security to a cloud services provider, it’s important that you remain aware of your business’s IT security operations at all times. If PricewaterhouseCoopers quizzed you this year about your company’s security procedures, how would your answers measure up?
IT security is an important issue to busineses today. There are several measures you can take to boost your awareness of your IT department’s activities, while also reducing your chance of a disastrous security breach.
Have Written Policies
Every organization should have a set of written security policies in place that extend beyond the IT department. Department heads across the organization should be on board with these policies, passing them down to every team member. These policies should reviewed on an annual basis to address any new issues that have arisen as technology within the organization has changed.
In cases where storage and data recovery processes are outsourced to a third party, written policies are more important, not less. Your contract with the vendor should cover your individual needs, but you should also have in-house policies regarding password security, restricted access to crucial systems, and personal devices on the network. You should also check with your cloud services provider on any third-party services they use.
Set Server-Level Restrictions
High-level executives have the power to request certain restrictrictions that can be set at the server level. When a business’s leadership works side by side with IT staff, policies can be put in place that force certain security measures. When users change passwords every 90 days, for instance, they can be required to choose a strong password , consisting of a combination of a certain number of letters, numbers, and special characters. For mobile device users, your server administrators can set up a policy that remotely wipes a smartphone or tablet that has been stolen or misplaced.
Since many security breaches occur at the hands of an organization’s own employees, fully trusting employees is a mistake. Internal security risks are often unintentional, caused by human error. When measures are put in place to protect an organization against these mistakes, a business can dramatically reduce its risks.
Executives may be at an even greater risk than they realize. As the ultimate overseer of a business, CEOs and presidents are often the go-to people when something goes wrong. “I didn’t know” isn’t considered a valid defense, since business owners are expected to know the day-to-day activities of each of their departments.
When a HIPAA breach occurs, responsibility now extends to the Chief Executive, as well as any business associate contractors and subcontractors involved. Even in instances where government regulations aren’t at play, business leaders are often the parties who must answer questions when something goes wrong.
Of course, the ultimate danger to any business that has a data breach is that business’s survival. According to Symantec , the avereage cost of a data breach is $7.2 million, averaging out to $214 per compromised record. After a data breach, a business often experiences a loss of trust from its valued customers, with many of those customers potentially never returning. A company the size of Target may be able to recover due to a long, positive track record, but a smaller business with a shorter history may have to shut its doors completely.
Have a Disaster Recovery Policy
In addition to protecting against data breaches, businesses should also consider the impact of a disaster. Whether a company faces threats from hurricanes, tornadoes, earthquakes, floods, fires, or a combination of any of the above, no building is 100 percent safe. Servers should be backed up regularly with data stored off site in a secure, disaster-protected facility. The disaster recovery plan should outline a contingency plan, as well, in the event a business’s office is uninhabitable for several weeks. Will employees be able to work from home? Is there an alternate location where temporary operations can be set up?
Like other written IT policies, the disaster recovery plan should be revisited on an annual basis. Some businesses bring in an outside consultant to help with creating and maintaining the plan, bringing years of expertise as well as an objective party into the process. For businesses interested in tackling the task on their own, the Small Business Administration provides a step-by-step guide that can help.
While hiring the right IT security professionals is vital, simply putting experts in place and stepping away isn’t sufficient for today’s volatile technology environment. Executives must work closely with technology experts to ensure the best interests of the business are being represented. When both sides work together to craft written policies, these policies not only ensure they’re working together, but they’ll also provide a document that can be passed on to employees, contractors, and investors.
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.
blog comments powered by Disqus
News | Business | Labor | Law | Electronic commerce | Security | Computer security | Password | Computer network security | National security | Crime prevention | Management | Disaster recovery | Data privacy | Privacy law | Health Insurance Portability and Accountability Act | Information Risk Management | Business continuity planning