Data Security & Privacy

Basic Guidelines Every Company Should Consider to Combat Cyber-Threats

The unauthorized release of mission-critical data presents a multitude of problems for victimized companies, but there are several steps a business can take to mitigate the risk of data loss and the collateral damage that follows. Speaking at Georgetown University, U.S. Deputy Attorney General James Cole itemized some best practices for businesses to follow (it bears repeating, even if obvious):

  1. Prevention through Technology. While technology alone will not prevent an unauthorized release of data, a strong system of network firewalls, both at the perimeter and between internal segments, adds further “gates” that an intruder has to get through. In the areas of the IT infrastructure where the more sensitive data is stored, a more robust protection plan should be in place. A few blog posts ago, I mentioned the analogy of a “Maginot Line” – the takeaway from the Maginot analogy is that the core of a protective shell needs to be just as strong as its outer layer.
  2. Education. Regular training seminars for employees and associated third parties (i.e. contractors, vendors, etc.), with an emphasis on the latest cyber-security threats, trends, and preventative measures, are a core tenet of any data governance program. Mr. Cole’s comments at Georgetown University were limited to “employees,” and I added an emphasis on “associated third parties,” because many data leaks occur as a result of careless vendor and contractor management by the hiring company (i.e. see the Booz Allen Hamilton/Snowden data leak case, etc.). Hackers will try various social engineering techniques (e.g. spear-phishing, redirecting websites, etc.) to gain entry into a desired company’s network.
  3. Passwords. Multiple-layer passwords, while annoying, are a better solution than the alternative – losing trade secrets and valuable intellectual property.
  4. Sharing. This suggested best practice is a tough one for most companies. On the one hand, businesses do not want to be perceived as inhibiting, or covering up, a data breach investigation. However, as stories of government agencies accessing various corporate databases become more frequent in the mainstream media, many companies risk a public relations nightmare over the “integrity” of their data handling practices. With that said, a data-sharing partnership between the public/private sector and government agencies, like the FBI, allows for better dissemination of threat alerts and advisories.
  5. Government Assistance. Those famous 8 words – “I’m from the government, I’m here to help” – are not exactly comforting for companies, in light of the recent disclosures by Mr. Edward Snowden, but, in its defense, the government has collected and shared hundreds of thousands of indicators of malicious activity from around the world. Access to such information is potentially valuable to businesses looking to thwart cyber-attacks.
  6. Baseline Standards. The National Institute of Standards and Technology (“NIST”) is a government organization that works with the private sector to help establish a comprehensive framework for owners and operators of critical infrastructure to identify and manage risks posed by cyber-threats. For companies looking to define a framework for designing their own data governance program, this is a good place to start.
  7. Disaster Preparedness. One thing is certain when a data breach occurs: most executives and employees will feel like the proverbial deer in headlights. To prevent this, a company should run regular disaster preparedness exercises. Such exercises help companies determine, for example, what kinds of filters to employ in the face of a DDoS attack; how to implement mechanisms to shut down access to important sectors of their computer systems; procedures to change passwords and access controls; and provisions to preserve all critical data so that the company’s business operation can continue if the data has been destroyed.
  8. Financial Obligations. As a business executive (regardless of whether the firm is publicly traded or private), always keep in mind the fiduciary obligations to the stakeholders. The perceptions and impressions made on that group, and on the general public at large, may critically affect the long-term economic viability of the organization. At the end of the day, the sole obligation of any corporate executive is to maximize profits and exceed shareholder expectations. Does having a deficient cyber-security program meet that maxim?
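Items 1 and 7 above stay at the level of principle, so here is what the “inner gate” around a sensitive data store looks like in practice. This is an added example written for this post, not something from Mr. Cole’s remarks or from any particular company: a host-level nftables ruleset for a database server holding sensitive records. The subnets, the bastion address, the interface name and the assumption that the database listens on TCP port 5432 are all constructed for illustration; adjust them to your own environment.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): a host-level ruleset for a server
# that stores sensitive data. Addresses, ports and names are constructed assumptions.
flush ruleset

table inet sensitive_tier {
    # Assumed subnets: only the application tier may reach the database port,
    # and only a bastion host may reach SSH. Nothing else on the internal
    # network is trusted just because it is "inside".
    set app_tier {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }
    }
    set bastion {
        type ipv4_addr
        elements = { 10.1.0.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established connections are always accepted.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Per-source rate limit on new connections: one flooding address
        # (the DDoS case from the disaster-preparedness item) cannot exhaust
        # the host, and the counter shows how often the limit fired.
        ct state new meter flood { ip saddr limit rate over 50/second } counter drop

        # Database port (assumed PostgreSQL on 5432): application tier only.
        ip saddr @app_tier tcp dport 5432 ct state new accept

        # Administrative SSH: bastion host only.
        ip saddr @bastion tcp dport 22 ct state new accept

        # Everything else is logged (rate-limited so logging itself cannot be
        # flooded) and dropped; those log lines are the signal that the inner
        # gate is being tested and belong in your monitoring.
        limit rate 5/minute log prefix "sensitive_tier drop: " counter
        counter drop
    }

    # This host never routes traffic for others.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and review the result with `nft list ruleset`. The point of the design is the default-drop policy on the inner host: the perimeter firewall may fail or be bypassed, but a contractor’s laptop or a compromised workstation on some other internal subnet still cannot open a connection to the database, and every attempt to do so leaves a log line behind.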
