Making Sure Cyber Criminals Can't Hack It
Online security vet provides corporate tips for staying safe online
3/11/2013 12:01:00 AM Eastern
The White House's regulatory regimes of cybersecurity best practices won’t kick in for a year or more, and even then they will be voluntary—two eyeroll realities made that much more disturbing when one considers that a year is an eternity in
In the meantime, cyber hackers continue to have a field day, highlighted by reports that China has been on a break-in binge across a range of companies that include news outlets (charges that China denies).
Congress will hold numerous hearings—including one last week. But those wheels grind slow too, and the short-term question remains: What should company technology chiefs at Internet service providers and others be doing to keep from becoming tomorrow’s hacking headline?
Harriett Pearson, a partner with international law firm Hogan Lovells and former IBM chief privacy officer, provides these useful cybersecurity tips that go beyond “Make sure to trash emails from the Sudan that begin, ‘Hello, My Dear.’”
Understand the threats that are specific to your business. Every organization is different. Each has its own risk profile, based on the type of assets handled, the locations in which the business operates and other factors. To protect itself, a company needs to know the likely sources of risk—Is it criminals? State-sponsored actors? Political activists? Disgruntled employees? Careless employees managing data and IT haphazardly?—and prioritize its actions.
Form a team. Security is a team sport. It’s not just the CIO or the IT security director’s job. It’s the COO and CFO who must be convinced to fund and support risk mitigation initiatives. It’s the chief legal officer who can help guide the assessment of legal and reputational risks and advise on smart ways to document the company’s efforts so they stand up to scrutiny. And it’s the human resources and communications leaders who can help educate employees and strengthen corporate culture to value security.
Prepare to respond. No security program is perfect; incidents will happen. The key to handling them well is preparation, the kind that can prevent an incident from turning into a crisis. Make sure people know to whom to report an incident; rehearse your response if possible. At least know the lawyer and technical experts you will involve if something unusual is detected.
Watch over your vendors. The weakest link is sometimes outside of your own shop. Pay the most attention to your vendors who handle important data or operations, and for them require certain demonstrations of security competence. Write requirements into contracts.
Document your program. Let’s say something happens. When you are asked what you did to prevent it, have a thoughtful answer that is backed up by a written description of your efforts to identify threats and defend against them.