The #1 Threat To Security

The #1 Threat To Security

It happens in a variety of ways.

A conscientious employee has trouble remembering her password. So she keeps it on a post-it note located under her keyboard.

The marketing manager, who’s been with the company for more than a decade, has new ideas to bring in more clients. But he can’t do his job effectively with the old systems in place. The new app he found works perfectly; he has his entire sales team download it and use it every day.

Even the executive team isn’t immune. They listen to the message IT brings to the table. They issue letters and emails with their names at the bottom. But consequences for when the worst happens rarely materialize.

IT managers today have a difficult job. On one hand, they offer flexibility to ensure business gets done. On the other, they must create an environment that not only prevents existing threats from happening, but also to anticipate future threats that may occur. They know threats are very real. They also know where the biggest problems exist:

  • Vulnerable applications are used every day, in every department
  • Security patches are often out of date or not downloaded at all
  • Encryption isn’t used in appropriate places
  • Passwords are weak and vulnerable
  • Employees simply aren’t aware of the threats around them

Yes, even though the news is filled with stories about hackers infiltrating company systems and wrecking havoc throughout, a company’s largest threat continues to be from within. And there is only one way to decrease the risk; enforce stricter policies from bottom to top.

Employees Are The Weakest Link

People never intend to jeopardize their company’s security. People are simply creatures of habit and want to do their jobs the easiest way possible. They don’t want to forget passwords, so they stick with the familiar and store them in easy to find places. They ignore emails and updates about threats and risks, especially when they don’t understand the steps they’ll have to take.

Mid-Level Managers Focus On Results

Mid-level managers have jobs to perform and quotas to meet. They have to produce quality work on time and on budget every day. And if a new program or app makes that job easier, so be it. It can be frustrating to wait for IT to give their approval. And if their teams are using their own smartphones or tablets anyway, why should they worry about getting approval before downloading and using it? Shadow IT is a real problem and can open up unlimited vulnerabilities with a company’s data. It may take an uncompromising stance to stop shadow IT in its tracks, but it’s the best way to keep information safe.

C-Level Managers Must Set The Tone

C-level management hires a team for their experience and expertise. And when push comes to shove, they must support everything they do. For IT security to be effective, a company’s policies must be outlined and defined. When rules are broken, consequences must be faced. That means C-level must be behind it, support it, and enforce it.

For IT to be effective, it takes the entire team. From development to enforcement, it requires positive action to not only get the job done, but to do so securely. There are no exceptions. If you let your guard down even one time, that’s all a hacker needs.

Do Your Policies and Procedures Really Promote Better Security?

Do Your Policies and Procedures Really Promote Better Security?

When was the last time you made changes to your security policy? When was the last time you considered how the procedures impact your business?

According to a survey conducted last year, 43 percent of businesses dealt with some type of data breach at some point during the previous twelve months. And with the number of threats out there in the world increasing every day, that number won’t shrink any time soon.

A security policy won’t prevent a data breach. But having strong policies and procedures in place will ensure that employees better understand how to prevent breaches, and what to do if one takes place.

While not having a policy in place is reckless, not reviewing it and updating it in a world that is constantly changing can be hazardous too. Security should always be evolving. If you are looking for ways to improve your security policy, consider these basic points.

Simplify

We’ve all been involved with organizations that choose to define every last detail. Even the simplest of concepts is written out and defined in binders of information. Yet keep in mind that the more content there is within your security policy, the less likely it will be read by the masses within your organization. Time is a commodity we have little of. A binder (or two or three) may satisfy a security audit, but it won’t do much to improve security within your business.

Relevancy

Does your security policy truly match the way your employees work? In many cases, the ones that write a security policy don’t take into account the way employees do their jobs. Today’s employees use their own devices on a day to day basis. Departments choose programs based on needs to get things done. Cloud computing is at an all-time high, with more moving to cloud based services all the time. If your policy assumes anything lower than what is actually occurring within the organization, your data can be at risk.

Automate

Employees are more likely to adhere to policies when they become repetitious and automated by nature. If an email automatically flows through a central policy engine before being released to determine if it needs encryption, for example, you take the human factor out of the process.

Find your biggest threats

Many security policies clearly define how to handle external threats. Yet in many cases your biggest threat is no further than the office next door. No matter how many times an employee changes their password, or what apps they have installed on their smartphones, if an employee wants to do damage, they know where vulnerabilities lie and how to move around them quickly and efficiently.

Most IT professionals will list employees not following procedures as one of their biggest threats. Yet in many cases, they aren’t providing the proper policies and training to change the situation.

Policies need to be created with the way employees work. Clear training should then be provided to give employees a better understanding of expectations. It’s not something that occurs once when an employee is hired on, especially in this fast-changing world. Technology has a short shelf life; to not recognize it and train accordingly on a regular basis is to increase your internal risks.

Any policy written without review two years ago or longer probably has significant holes in the process. If you haven’t reviewed your policy, or trained your employees accordingly in that time frame, your internal threats are very real.

Coping With Shadow IT

It starts simply enough. An employee has a problem. He needs to get work done. So he bypasses his company’s technology because it’s old, outdated, inefficient, clumsy. Just to login and use it takes time he doesn’t have.

And besides, there’s an easier way.

All the tools he really needs are right in the palm of his hand. And thanks to cloud providers like Salesforce and file sharing sites like Dropbox, he can easily complete the work he needs to do in record time.

Of course, he would never admit to doing this with the IT department. But the IT department would have to be blind not to know. Yes, today’s business environment is the online version of the Wild West. And Shadow IT is establishing the rules of the land.

Today’s Shadow IT is growing bigger than ever, thanks to the exponential growth of quality consumer applications in the cloud such as file sharing apps, social media, and collaboration tools.

The IT department can ignore it. The IT department can even issue rules against it. But today’s employees are clever, smart, efficient. If they can’t do what needs to be done, they will find another way. And that creates a mess within the organization.

Few would think twice about opening up Dropbox, saving a file, and sending it off to their peers and staff for sharing. It’s how you get work done in today’s world. But what about the risk that presents the company?

  • Is proprietary data at risk?
  • Is personal identification information at risk?
  • What is the risk of theft?

And all they want to do is transfer a file.

What’s a CIO to do?

Reduce Evaluation Times

Listen to the people in your organization. One of the biggest complaints we hear is about technology requests. The review process for new tools simply takes too long. The IT department puts the request on the back burner, considering it a low priority, or it spends far too much time in the evaluation process. If a request is made, the solution will be found. The only question is will the answer come from you.

Implement Faster

Even after a new technical solution gets the green light, it can sometimes take weeks, even months to implement. A lot of questions may need to be answered: how is it budgeted, who will implement? Which is why newer and faster processes for fast-tracking approved technologies must occur.

Anticipate and Embrace 

The world is speeding up, and it will never slow down. You can’t exist with what works today; you must anticipate where we’ll be tomorrow. If you’re not evaluating new technology, looking for the faster, better, more efficient way to do things, the people in your company are. Up to 40 percent of all IT spending today occurs outside of the IT department. That means people in management, marketing, even finance are learning what it means to be more efficient, and they are looking for better ways to achieve it. With or without your help. Anticipating needs early and establishing processes that work will save you time and headache in the long run.

Become an Enforcer

Shadow IT can hurt a company. It’s up to the CIO to control it. If rules are broken, it’s up to you to gain control. While you may find the best solution is to create new internal policies, in some cases it may be the employee who is wrong. Don’t relinquish control. Create clearer policies, more efficient systems. Reinforce how the process works, and let people know what is not tolerated when it comes to projects that sidestep IT.

Why Hackers Want Health Care Data Most Of All

Why Hackers Want Health Care Data Most Of All

Who can forget some of the biggest cyber security breaches of our time?

During the holiday season of 2013, criminal hackers potentially gained access to 40 million Target customer credit cards.

Sony has suffered not one, but two major cybersecurity breaches where hackers erased data from systems, stole pre-release movies, and compromised people’s private information.

Even the IRS has had its share of problems with security, where stolen information was used to file fraudulent tax returns and collect more than $50 million in refunds before the problem was spotted.

Identity theft and stolen credit card information are something at the forefront of many people’s minds. It’s reported on so frequently, it’s become a natural place for worry. But increasingly there is a new focus for cybercriminals, and they can do far more damage with what they find.

Buried deep inside health records is a wealth of information. Names, date of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, even claims information are available and waiting for potential hackers. And while financial data becomes worthless the second a customer realizes fraud has occurred and cancels a card or closes an account, health care records have a much longer life.

Social security numbers are not easily cancelled. Medical and prescription records are permanent. Which means it is growing into one of the largest markets for potential fraud. And it’s already happening.

Excellus has stated as many as 10 million records have been compromised during a recent attack. Over 80 million records were compromised by a recent Anthem security breach.

When criminals gain access to financial information, they typically want fast access to cash. With health records, they approach it in different ways. Most criminals are selling health care data to be used to access to free medical care. They use it to buy and sell addictive prescriptions. They use it to gain access to medical treatments they may not have been entitled to in other circumstances.

And what’s scariest of all is that criminals don’t have to act fast for potential rewards. Because medical data can’t be cancelled or changed, they merely wait until the most opportune moment to strike and use it to gain access to what they want most.

While retailers may have made the big news in the past for their security compromises, the coming years will be filled with headlines showing breached health care providers and the risks that brings to the general population. Health care providers and consumers as a whole simply are not prepared for the level of threats that are coming their way.

Are you?