Luck isn’t a Cyber Security Strategy
Today is St. Patrick’s Day, a day that conjures up images of leprechauns and four-leaf clovers, which legend says can bring good fortune to those who find them. So today might be a good day to ask yourself this question: Are you relying on the luck of the Irish to keep your organization safe from cyber-attacks?
Survey after survey indicates that many organizations are doing just that, meaning they’re not being sufficiently proactive in taking steps that need to be taken to prevent successful attacks on their systems. “The Global State of Information Security Survey 2014” by Price Waterhouse Coopers, to cite just one example, found that only 24% of companies have their security programs assessed by an objective third party. Only about 47% said they periodically perform risk assessments.
This raises serious questions about the state of cyber security at many companies. How can the 53% of companies that fail to periodically perform risk assessments know what vulnerabilities exist in their systems? And if these organizations are unaware of their cyber security vulnerabilities, how can they expect to protect their systems from attackers? It’s also troubling that more than 75% of companies say they have not reached out to a third-party to have their security programs assessed. Without a truly objective third party assessment, an organization cannot determine if their security strategies are adequately protecting their systems from attackers or securing sensitive data from theft.
If you aren’t performing periodic risk assessments, you’re at risk of seeing your company in tomorrow’s headlines. The health insurance company Anthem learned first-hand what it’s like to see its name in the paper for all the wrong reasons after it suffered a security breach that resulted in the theft of the Social Security numbers and other information belonging to roughly 80 million people. Now Anthem’s customers are at risk of identity theft, which has forced the company to provide them with two years’ worth of free identity theft monitoring, no doubt at great expense. Anthem is also facing a potential fine of $1.5 million from the Department of Health and Human Services, not to mention the damage to its reputation that will likely result from having sensitive information belonging to millions of customers stolen. Anthem is hardly alone; companies such as Target and JPMorgan Chase have also experienced the financial and reputational damage caused by successful cyber-attacks.
Although it’s not possible to implement every cyber security measure available in the hopes of safeguarding against cyber-attacks, you should at least perform risk assessments and have third parties help review your security strategies to ensure that you are aware of the vulnerabilities that exist in your systems. Other security controls need to be implemented as needed, but risk assessments and security strategy reviews can help serve as a foundation for ensuring that your systems and the data they store are adequately protected. Don’t rely on luck to preserve your finances and reputation. Protect your sensitive data from malicious hackers.