What should a conscientious business owner/CEO know about cyber security and cyber hygiene?
Among all the other pressing issues CEOs deal with day to day, the physical and IT security posture of their company has recently shifted to the top. Increasingly, the assets and goodwill their company has accumulated over time are at risk from cyber thieves, not to speak of the protection of the employee's digital world.
Regardless of their line of business, and whether the company is a basic brick-and-mortar operation or a sophisticated technical enterprise, the bad guys are aligned against you. For years IT security was a subset of the IT department, and a red-headed stepchild at that. Budgeting for security was a line item buried in the IT budget, and often red-lined in favor of that snazzy new CRM system for the sales department, or a new MRP roll-out for production. There was no clear ROI for investing in protection for digital assets, so the minimum expenditure was deemed 'good enough'. It is always hard to spend on 'what-if?' scenarios.
Then several high-profile breaches made the news: Target, TJ Maxx, the Social Security Administration. Closer to home, Equifax, which holds sensitive credit and personal data on hundreds of millions of us, without our consent. Suddenly, security was more important. But how to approach the matter, and where to start? First, define corporate responsibility and that of the employees and stakeholders.
It can be posited that individual cyber health and that of the enterprise are intertwined. Thousands or millions can be spent on securing corporate databases, facilities, and online access, only to have a key individual compromised and the security perimeter breached. It is of value to approach security as a benefit not only to the organization, but to the employee/stakeholder as well. Like it or not, corporate and personal digital assets have been mingled since the first 'BYOD' (Bring Your Own Device) craze more than a decade ago.
Here are some guidelines for basic personal/corporate security implementations that will provide a first line of defense:
Password Management: Nearly all breaches that make the news are the result of a trusted employee's credentials being compromised. Many times, this is the result of a poor and often reused password. Ironically, simple passwords and constant reuse are the result of corporate policies that make logins frustrating to the end users. If security is screwed down tight, folks (most often executives) get angry and look for ways to circumvent controls. A well-implemented password management platform will ensure that passwords are strong, secure, and easy to use for the individual. Audit and reporting are built in, and compliance becomes a natural and easy part of the puzzle.
Virtual Private Networks: As we begin to move outside our homes to interact once again, the dangers of conducting business on public networks resume. For years, corporations have used Virtual Private Networks (VPNs) to connect remote branch offices and mobile workers to corporate network resources. Site-to-site VPNs were somewhat cumbersome, and individuals needed client software on every device they used to secure the connection over the public internet. Today, there are inexpensive and comprehensive VPN platforms that protect sensitive data traffic, location information, and personal/corporate information from prying eyes. Use of a VPN helps keep malware off user devices and out of corporate networks.
Endpoint Protection: Speaking of malware, a solid, centrally managed endpoint protection software system is a must for keeping both corporate and personal devices protected from viruses, takeovers, and buried ransomware. Not only does this software secure the device, it helps IT operations manage far-flung assets and provides audit and reporting services. Often, this can be provided to employees as well as to contractors, vendors, and suppliers, as a benefit to the company and to the individual alike.
Secure WiFi: While the company cannot control where the employee connects while traveling or at home, the WiFi deployment at company locations can be secured and devices attaching to the network can be scanned, isolated, and quarantined if suspicious software or activity is detected. This is a service that can be administered in house or by an outside service provider.
Education: Often IT security training is relegated to a quick lecture from someone in IT as part of the onboarding process, and a paragraph in the inch-thick Employee Manual. Studies have shown that organizations that conduct brief but regular employee awareness and hands-on security training suffer far fewer security issues. Again, the instruction addresses both corporate policy and individual protections. Often this training is best delivered by outside resources that provide not only current and relevant content, but also professional staff who know how to communicate the message in multiple ways.
While not comprehensive, these are a few of the steps an organization can take with direction from the executive office. It behooves an involved CEO and board to be aware of not only the threat landscape, but basic blocking and tackling measures to address the threat. Skilled operators inside or outside the organization should shoulder the load of defining, deploying and managing the security measures defined above. As a part of the fiduciary responsibility of serving the organization, the C-suite should identify and provide the proper budget for this level of protection.
ABOUT THE AUTHOR
Dave Casey is CEO of Calvus Consulting LLC, which provides both C-suite and boards of directors guidance in the areas of cloud migration, cyber security posture, and digital transformation. Casey has a 20+ year record of building technology companies, and experience in both SME as well as enterprise IT organizations.