As Gregg Steinhafel steps down as chairman and CEO of Target, we’re witnessing more than just an act of contrition for one of the largest and most costly data breaches — ever. We’re witnessing the evolution of data breaches, and IT security in general, as a corner office concern.
For today’s CEO, being the victim of criminal hackers is no longer just a source of embarrassment. Now, being hacked often carries legal ramifications and can even cost you your job. Here are a few tips for those of you who’d like to stay in the corner office.
Accept IT security as your responsibility
The CEO has always had broad responsibility for the overall health and growth of his or her organization. Historically, CEOs were clearly responsible for and focused on bottom-line issues such as sales and marketing, manufacturing, and getting product out the door and into customers’ hands.
In the new electronic age, CEOs are increasingly responsible for security, too, if they aren’t already. Security has become a bottom-line issue. Customers will stop buying from companies if they don’t feel safe doing so. And Wall Street will clobber a public company that loses the trust — and business — of its customers.
Assess the risks
Job number one is to perform a thorough risk assessment for the organization overall. From the IT perspective, you need to know where you are vulnerable, both inside and outside your firewall. You may not have control over your customers’ use of Internet Explorer, but you can certainly fast-track Heartbleed remediation. Risk and vulnerability assessments, as well as penetration testing by trusted third-party firms, are now as important as product R&D and customer acquisition.
Beyond hardware and software, there’s another potential threat inside the corporate firewall that you need to assess — disgruntled employees and other insiders. Many high-profile breaches include some degree of internal, malicious activity perpetrated by employees or contractors who worked for the company either before or during the time of the theft.
Yes, you may want to redouble your background checks and beef up other personnel security measures. But you may also want to rethink your data access policies. Specifically, you might reconsider the policies that define who in your company has access to your corporate and customer data. Now is probably a good time to separate these two data classes, giving only the most-trusted employees access to customer data on an as-needed basis. Apply those access restrictions across the board.
After conducting your various risk and vulnerability assessments, it’s time to bolster the weak areas you discovered. One of the best ways to shore up security is to monitor and record all sessions concerning customer data and other high-value assets that are the hackers’ targets of choice.
For instance, session recording capabilities can capture entire privileged sessions on sensitive resources in a log file or on video. The files can then be archived and reviewed for anomalies or during a forensic audit, revealing every keystroke, mouse click, and action performed by an employee, technician, partner, contractor, or other user during a given session.
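One way to put the two preceding ideas into practice, separating customer data from corporate data and reviewing recorded privileged sessions against that policy, is shown below. This is an added example, not code from the original article or from any session-recording product; the user names, resource names, approval windows and the one-JSON-record-per-session log format are all constructed for illustration.

```python
"""Added example: review recorded privileged-session logs against an
access policy that separates corporate data from customer data.

Not code from the original article; the log format, the policy table and
the user names are all constructed (hypothetical) for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed access policy: who may open sessions on customer-data systems,
# and only inside an approved, time-boxed ("as-needed") window (UTC).
CUSTOMER_DATA_ACCESS = {
    "alice": ("2014-05-05T08:00:00Z", "2014-05-05T18:00:00Z"),
}

# Constructed classification of resources into the two data classes.
RESOURCE_CLASS = {
    "crm-db-01": "customer",
    "payments-db-02": "customer",
    "erp-app-03": "corporate",
    "wiki-04": "corporate",
}

# Constructed session-recorder output: one JSON record per recorded session.
SAMPLE_LOG = """
{"session": "s1", "user": "alice", "resource": "crm-db-01", "start": "2014-05-05T09:12:00Z", "actions": 143}
{"session": "s2", "user": "bob", "resource": "erp-app-03", "start": "2014-05-05T09:30:00Z", "actions": 27}
{"session": "s3", "user": "bob", "resource": "payments-db-02", "start": "2014-05-05T10:05:00Z", "actions": 12}
{"session": "s4", "user": "alice", "resource": "crm-db-01", "start": "2014-05-05T23:40:00Z", "actions": 9}
{"session": "s5", "user": "contractor7", "resource": "wiki-04", "start": "2014-05-05T11:00:00Z", "actions": 4}
"""


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log_text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def review_session(session):
    """Return a finding string if the session violates the customer-data policy, else None."""
    cls = RESOURCE_CLASS.get(session["resource"], "unknown")
    if cls == "unknown":
        # An unclassified resource is itself a gap in the data-separation policy.
        return "unclassified resource %s" % session["resource"]
    if cls != "customer":
        return None  # corporate data is not subject to the as-needed restriction here
    window = CUSTOMER_DATA_ACCESS.get(session["user"])
    if window is None:
        return "user %s not approved for customer data" % session["user"]
    start = _ts(session["start"])
    if not (_ts(window[0]) <= start <= _ts(window[1])):
        return "user %s accessed customer data outside approved window" % session["user"]
    return None


def review_log(log_text):
    """Run every recorded session through the policy; return [(session_id, finding)]."""
    findings = []
    for session in parse_sessions(log_text):
        finding = review_session(session)
        if finding:
            findings.append((session["session"], finding))
    return findings


if __name__ == "__main__":
    for session_id, finding in review_log(SAMPLE_LOG):
        print(session_id, finding)
```

Run against the constructed log, the review flags session s3 (a user with no customer-data approval on a payments database) and session s4 (an approved user, but outside the approved window); the corporate-data sessions pass. The same loop works over a real recorder's export once the policy tables are populated from your actual access decisions.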
Limit controls to a limited number of people
Then, limit the span of control, and the access it confers, to the areas where vulnerabilities exist.
In the world of IT security, hackers are constantly looking for novel ways to compromise new and old systems alike. CEOs (note: not just CIOs), in turn, must stay vigilant and react swiftly to potential threats and to actual breaches.