Written by Malcolm Newdick, Managing Director.
Companies are naturally reluctant to admit security failures that might have jeopardised their customers’ security.
We know of an accountancy firm that was recently caught by Cryptolocker. One of their staff members mistakenly fell for a phishing e-mail and introduced Cryptolocker on to their network. All affected data had to be removed and good data restored from backup, a process that took days to complete. Costs to their business included direct IT costs for the recovery, lost productivity from their staff and loss of goodwill with their clients. And, of course, the cost of the additional security they put in place after the event.
The ‘Panama’ papers
The release of vast amounts of confidential data from Mossack Fonseca is a lesson for all of us. While we might sit back and gloat at their embarrassment and the consequences of all the revelations, we should also take stock of our own risks. What impact could there be on our businesses if a disgruntled employee decided to release all of our HR and client data?
Think about the potential scenarios in your business. Are you certain that no ex-employee still has access to your office network? Could someone still have the password to edit your web site if they wanted? Could they still order goods from one of your suppliers? How would you know?
What about current employees? How many could copy finance or client data? Could you detect that they had done so?
The lessons for the CIO
As CIO you can never achieve 100% security. You have to balance security and utility; there is no point being 100% secure if your business can’t function.
What you can do is put in place layers of security:
- Make sure your HR processes are good and guarantee security – eg ex-employees are blocked from all systems within hours of leaving, not days or weeks.
- Educate your users in IT security. Build it into their induction and hold refresher sessions on the latest threats.
- Belt and braces – anti-virus software on its own isn’t enough. For example, control the devices that can connect to your network, limit where remote users can connect from (do you really have any staff members who need access from Mongolia?). Make sure you use multi-factor authentication so your security doesn’t depend on a single password.
- Educate yourself! Security is a fast-changing landscape and you must keep up in a changing world. Make sure your own education is in your IT budget.
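One way to answer the "how would you know?" question for the offboarding and remote-access points above, written for this page as an added example (it is not the author's or any firm's own tooling): it reconciles a constructed HR leavers list with a constructed directory snapshot and a few constructed remote-access log lines, flagging leavers whose accounts are still enabled, logins after a leaving date, and logins from countries outside an allowlist. The sample data, the `timestamp user country` log layout, the country allowlist and the one-day grace period are all assumptions.

```python
"""Offboarding and remote-access audit over constructed sample data.

Three checks a CIO can run routinely:
  1. leavers whose accounts are still enabled days after their last day,
  2. authentication events by a leaver after that last day,
  3. remote logins from countries where no staff member should be.
"""
from datetime import date, datetime
from typing import Dict, List

# Constructed HR leavers list (not from the original post): username -> last working day.
LEAVERS: Dict[str, date] = {
    "jsmith": date(2016, 4, 1),
    "apatel": date(2016, 3, 15),
}

# Constructed directory snapshot: username -> account enabled?
ACCOUNTS: Dict[str, bool] = {
    "jsmith": True,    # left, but nobody disabled the account
    "apatel": False,   # correctly disabled on leaving
    "mjones": True,    # current member of staff
}

# Constructed remote-access log, one event per line: "timestamp user country".
LOG_LINES = """
2016-04-03T08:15:00 jsmith GB
2016-04-04T22:40:00 jsmith MN
2016-04-05T09:02:00 mjones GB
2016-04-05T11:30:00 mjones FR
"""

# Assumed allowlist of countries staff legitimately connect from.
ALLOWED_COUNTRIES = {"GB", "FR"}


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log layout into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user, "country": country})
    return events


def stale_accounts(leavers: Dict[str, date], accounts: Dict[str, bool],
                   as_of: date, max_days: int = 1) -> List[str]:
    """Leavers whose account is still enabled more than max_days after leaving."""
    return sorted(user for user, left in leavers.items()
                  if accounts.get(user, False) and (as_of - left).days > max_days)


def logins_after_leaving(events: List[dict], leavers: Dict[str, date]) -> List[str]:
    """Authentication events dated after the user's last working day."""
    findings = []
    for e in events:
        left = leavers.get(e["user"])
        if left is not None and e["time"].date() > left:
            findings.append(f'{e["user"]} logged in at {e["time"].isoformat()} '
                            f'after leaving on {left.isoformat()}')
    return findings


def logins_from_unexpected_countries(events: List[dict], allowed: set) -> List[str]:
    """Remote logins from outside the allowlist (the 'Mongolia' check)."""
    return [f'{e["user"]} from {e["country"]} at {e["time"].isoformat()}'
            for e in events if e["country"] not in allowed]


def run_audit(as_of_iso: str = "2016-04-06") -> dict:
    """Run all three checks against the constructed data as of a given date."""
    as_of = date.fromisoformat(as_of_iso)
    events = parse_log(LOG_LINES)
    return {
        "stale_accounts": stale_accounts(LEAVERS, ACCOUNTS, as_of),
        "post_leaving_logins": logins_after_leaving(events, LEAVERS),
        "unexpected_countries": logins_from_unexpected_countries(events, ALLOWED_COUNTRIES),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

In practice the leavers list comes from the HR system, the account snapshot from the directory, and the events from the VPN or identity provider logs; the value of the exercise is that the three sources are compared on a schedule rather than only when something goes wrong.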
The role of the CIO
The CIO is no longer just the IT guru who delivers the complicated stuff. Now the CIO carries the can for their enterprise’s security. That is a major additional responsibility.
If you were the CIO of a decade ago, how would you have reacted if your boss added to your job description the responsibility for building security, telephone security, and global staff protection? With the advent of mobile working and 24×7 round-the-globe remote access, this is essentially what has happened. And quite rightly, because the traditional security team doesn’t even understand the problem.
That’s not an extra ball in your court, it’s a hand grenade lying there…