Warning: ignoring data security can seriously undermine your financial position
Information security issues are a Board's responsibility
The average number of days a hacker has access to your network before being discovered is estimated at 267 days (A1). As a senior officer of the company you need to appreciate that the hacker is generally not there to disrupt, but rather is fishing for key information flowing in and out of the business that could be financially rewarding to them.
Any financial reward they gain will be a loss to your shareholders, customers and business partners. The Sony attack is still very fresh in everyone's mind, but seriously, there are so many instances of hackers profiting from poorly protected corporate systems that one wonders just what is discussed around the board table on "how are we placed when it comes to the risk of being hacked?".
Of course there is the line - "we are hiring a Chief Information Security Officer" or "we are updating our Security Policy to ensure that we are well protected" - REALLY?
6 key security related questions to ask IT about
I suggest that these six security related questions need to be answered before tackling the re-write of your Security Policy.
- When was our IT infrastructure last reviewed from a data security perspective? By whom? And, more to the point, how rigorous was the review?
- The obvious discussion points here are how objective the review was and whether the people conducting it were independent and experienced.
- Is our company using encrypted data transmission for all critical and financially sensitive information, and is that information held in an encrypted database?
- Are we protected during our B2B message transmission as well as in our data storage repositories?
- Do our systems Administrator/Support personnel have access to this critical and financially sensitive information?
- What is our exposure to data loss from within the organization?
- How technically competent in the area of data security and protection are our IT people?
- Should we be considering employing a senior security specialist to provide guidance and support to the executive and the board?
- What is the current budget? What level of protection does this afford?
- What levels of insurance for data loss does the company currently hold? Given that the average cost in the US of a data loss incident is $5.5 million, is the current policy adequate? What specifically does the insurance cover? Does it cover business interruption and ongoing loss of revenue based on a worst-case scenario? Does it include recovery, or the cost of non-recovery?
So, armed with the answers from the information security checklist, write a security policy that covers the positive steps from 1 to 6. This should include:
- Where and what information is stored on which servers.
- Plans for recovery from any attack and for handling the publicity surrounding leaked data
- How to mitigate the effects of an incident
- The firm's responsibility to clients
- A process for risk assessment and continual upgrading
- A mapping of the firm's technology resources
How aware are you of the potential risks your organisation is exposed to? If your organisation has been hacked would you want to sweep it under the carpet or share the experience so that others don't fall into the trap? Your comments appreciated.
Looking for a solution that is designed to protect your critical data during transmission as well as in storage?