President Obama addressed cyber security issues in his 2015 State of the Union Address Tuesday night, urging Congress to “finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft and protect our children’s information.” While many companies are now beginning to understand how real these threats are, most are still ill-prepared to defend against them.
If your company is like many, the C-suite may be feeling okay about the security of its computer network based on deployment of a prevention strategy including anti-virus software, a firewall and perhaps other precautions.
If so, leadership should reconsider. Even with the best prevention measures in place, intruders can still find their way into your network. And once they are there, they often have plenty of time to create damaging data breaches.
Consider this statistic: in security incidents reported in 2013, intruders posing a persistent threat were able to reside on compromised networks for a median of 229 days before detection. And two-thirds of those breaches were not even discovered by the companies themselves; they were reported by third parties, such as customers.
If you need evidence of the impact of a long-undetected data breach, just recall the intrusion into Target’s system. The theft of massive amounts of credit card data cost the company millions of dollars and significant damage to its reputation. It also cost Target’s CEO his job.
At many companies, intrusions are more damaging than they need to be because of a failure to implement a multi-pronged security strategy that not only features prevention but also includes comprehensive detection measures and a robust response plan.
Here’s a more detailed look at some elements of a multi-pronged approach:
While no prevention strategy can expect to achieve 100 percent success, you can raise your company’s batting average by going beyond the basics of anti-virus software and a firewall. Among the measures to consider:
Tighter controls on access to the network. Require stronger passwords, but don’t rely on that alone. Introduce dual authentication, which means that another factor in addition to a password is required for access, such as a fingerprint, the answer to a secret question or a code generated by a “token,” which is a small portable device.
Consider increasing the sensitivity of spam filters. One of the most common ways intruders find entry into a network is by enticing a user to click on a bad link in an email. While spam filters probably won’t catch everything, increasing their sensitivity can reduce the volume of suspect emails.
Make sure your software has been developed with security in mind. This especially goes for programs that may have been written in-house.
Consistently apply security patches. These are often regularly produced by the vendors of software you run.
Educate users about safe computing. Enlist them to be more security-conscious when using a company computer system and/or handling sensitive data.
Deploy intrusion monitoring technology. Make sure it includes a threat intelligence feature to reduce the number of false positives.
Monitor what is happening on your network. All sorts of logs are generated by the various components of your network, and these can provide signals of intrusive activity. Centralize your log reporting and review it regularly.
Use NetFlow software. This tool allows you to monitor the volume of communication between various components of your network. Unusual volumes or categories of traffic can be an indicator of trouble.
Conduct penetration testing. Engage a third party to try to hack into your system. Weaknesses may be identified.
Generate regular reports for leadership. C-suite support clearly is necessary for a consistently strong security program. One of the best ways to generate that support is with metrics about intrusion attempts that demonstrate an ongoing threat.
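To make the flow-monitoring measure above concrete, here is an added example (not part of the original article) that compares each conversation's current hourly byte count against its own history and flags both volume spikes and conversations never seen before. The flow records, addresses, field layout and thresholds are constructed assumptions, not the export format of any particular product.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries (not real traffic): hour,src,dst,dst_port,bytes
FLOWS = """\
0,10.0.1.15,10.0.2.20,443,120000
1,10.0.1.15,10.0.2.20,443,135000
2,10.0.1.15,10.0.2.20,443,110000
3,10.0.1.15,10.0.2.20,443,128000
4,10.0.1.15,10.0.2.20,443,9800000
0,10.0.1.30,10.0.2.21,5432,40000
1,10.0.1.30,10.0.2.21,5432,42000
2,10.0.1.30,10.0.2.21,5432,39000
3,10.0.1.30,10.0.2.21,5432,41000
4,10.0.1.30,10.0.2.21,5432,40500
4,10.0.1.30,10.0.1.15,445,65000
"""

def hourly_volumes(text):
    """Sum bytes per (src, dst, port) conversation for each hour."""
    vol = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        hour, src, dst, port, nbytes = line.split(",")
        vol[(src, dst, int(port))][int(hour)] += int(nbytes)
    return vol

def find_anomalies(text, current_hour, k=6.0, min_history=3):
    """Flag conversations that are new or far above their own baseline."""
    alerts = []
    for conv, hours in sorted(hourly_volumes(text).items()):
        now = hours.get(current_hour, 0)
        history = [b for h, b in hours.items() if h < current_hour]
        if now == 0:
            continue  # nothing sent this hour, nothing to judge
        if len(history) < min_history:
            # Too little history to baseline: treat as a new kind of traffic.
            alerts.append((conv, "new-conversation", now))
            continue
        med = statistics.median(history)
        # Median absolute deviation, floored so a flat baseline is not over-sensitive.
        mad = max(statistics.median([abs(b - med) for b in history]), 0.05 * med)
        if now > med + k * mad:
            alerts.append((conv, "volume-spike", now))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(FLOWS, current_hour=4):
        print(alert)
```
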
Create a response plan and update it regularly. Define how to evaluate the threat posed by an intrusion and specify responses.
Involve your legal and communications folks. If you fall victim to a significant data breach, you may need to take quick legal action. And how will you minimize damage to your company’s reputation? It is vital to have a strong communications plan that identifies information about the breach needed by various stakeholder groups.
Get to know relevant local law enforcement officials. The FBI and state and local police agencies can be invaluable sources of information and support. It’s best not to have to meet them for the first time when a breach occurs.
While it’s true that an ounce of prevention can be worth a pound of cure, that ounce alone is not enough when it comes to securing your data. A robust approach that also includes detection and response is what you need.
Jason Riddle is a practice leader in Security and Risk Services at LBMC, the largest regional accounting and financial services family of companies based in Tennessee. Contact him at email@example.com or 615/690-1984. LBMC’s Security and Risk Services practice provides a wide range of services, including Compliance and IT Security Services, to organizations of all sizes, without geographic restriction.
As featured in TSCPA.