I’m probably already in your network, and you don’t even know it
March 12, 2014
Can I get in your network? You betcha I can. As a matter of fact, there’s a good chance I’m already there. Now, here’s the really fun part: you let me in.
Your biggest risk for exposing your network to malicious activity comes from those most important to your network: your employees, your subcontractors and anyone else you trust or need enough to hand them the credentials required to perform their duties, credentials that can also be used to take down your network. Having fun so far?
Oh, I don’t mean any of these fine folks will do this because they want to do you and your organization harm. Mostly, it’ll happen because of some kind of big “oops” – the kind of oops that comes with sincere apologies and crestfallen faces, with a side order of a few million dollars in remediation costs and legal fees at your expense.
The $61 Million Question
Maybe you heard this cautionary tale? During the peak of holiday shopping late last year, a retail giant was hit by the largest-ever retail data breach. Reportedly, hackers broke in through a vendor’s stolen network credentials and used malware to expose the debit/credit card accounts of 40 million customers. That little incident came with a $61 million price tag to the company in the last quarter of 2013 – along with a side order of a scandalous marketing and public relations nightmare. And what happened to the information security team that made this possible? After the CIO resigned last week, I suspect that they’re probably at a business networking luncheon with the BP oil spill guy.
In any case, that cost was $1.50 per customer, just in the first round of accounting, and the tally’s not over. So you can be sure the CEO and CFO are reevaluating the budget requests from the CISO this year. I can assure you that the CISO’s budget was significantly less than the $100,000,000 cost of lost sales, evaluation, remediation and public relations they now have to incur. I’ve heard very smart information security professionals suggest “you can pay me a little today to prevent a breach or you can call me after a breach and pay me 100x more.” It’s your choice.
But What’s That Got to Do with You?
If you think a problem of this magnitude is out of your reach, think again. You might not care about customer credit card data because you don’t have any. However, if you’ve got a network, you’ve got something to protect. And someone else wants what you have. Therefore, to increase the security of your network, your first question is as follows:
What information or data would damage your business, your reputation or your ability to transact business if your competitors or the public at large had access to it? In other words, what is important to protect in your enterprise?
There is information within your network that is absolutely central to your organization. Every organization has personally identifiable information (PII) that could include:
- Contact Data
- Contract Data
- Performance Data
- Employee Data
No matter what kind of organization you operate, this is the kind of information that you absolutely want to protect. It is critical to the ongoing survival of your business.
If you take security for granted and let just anyone into your network, you are putting all sorts of troublesome scenarios into play. And that’s no fun at all. To protect your data and your network, here are three things to consider:
- Business Processes – Your network and information security processes need to be integrated into every aspect of your business.
- Change Control – What happens when an individual makes a change to a record? Maintaining control of this process will reduce risks that come from, for example, adding or deleting users or even from sharing password credentials by those who need to “make a quick change.” Do you have a system of approvals and a way of monitoring these changes? If not, you may have been secure yesterday, but today…eh, maybe not so much.
- Objective Perspective – Engage an objective, professional, experienced, credentialed third party to do an annual health check of your information security program and environment.
There’s nothing fun about network breaches. They aren’t cheap either. But there’s a lot you can do to protect yourself and your network from the inevitable attempts at hacking. Prepare now to prevent data breaches.