Part 1: The Basics
Disclaimer: I am a crazy person. I read over 50 articles before I wrote this (WHO DOES THAT) and I’m not even sure how I got so sucked in. In short, information security is a big deal right now – and there are tons of ways to combat cybersecurity risks. Tons. Bad news for my eyeballs, but good news for you, because it means that there are so many ways to protect your organization. Trust me – if you don’t find one new piece of advice in here, I will be very surprised – and sad.
Earlier this semester I had an amazing IT class on information security. I’m going to go ahead and give a shout out to my IT professor Dave Chatterjee, because I’m about to shamelessly plunder the information from his class for this post, in addition to all the articles I mentioned above.
First, some stats.
Startling Statistics: Information Security and Data Breaches
From research by Professor Chatterjee:
- 60% of all attacks are caused or aided by disgruntled employees
- 90% of companies will experience some sort of a data breach this year
From Time Magazine:
- New York institutions alone faced 900 data breaches last year, costing a reported $1.37 billion
- One-third of New Yorkers were data breach victims in 2013
Highlights from the 2014 OTA Breach Report:
- 89% of breaches and data loss incidents could have been prevented
- 740 million records disclosed
- 31% of incidents were due to insider threats or mistakes
- 21% of the incidents were the result of physical loss (PCs, drives, notebooks, paper documents, etc.)
- 40% of the top breaches recorded to-date occurred in 2013
- 76% of breaches were the result of weak or stolen account credentials
You have to admit, the class was timely. With P.F. Chang’s recently reported data breach, not to mention last year’s high-profile data breaches at Living Social, Target, Neiman Marcus, Michael’s stores, and now potentially Home Depot, information security is a hot topic. Time even wrote a cover story on it – “World War Zero: How Hackers Fight to Steal Your Secrets.”
What should be an even hotter topic is that businesses don’t get hacked more often, considering the sheer volume of attacks they face. Or perhaps they do get hacked more often, and they just don’t know about it. Last year, 3,000 companies didn’t even know they’d been attacked until the government informed them of their victim status.
That’s pretty terrifying from a personal information security standpoint – I would hope the companies harboring my personal information would at least be aware if their information, and therefore my information, was compromised.
According to Vice, 2013 was the worst year for data breaches. They may be speaking from personal experience – they were hacked just a few weeks ago, and in November of 2013 they were reportedly hacked by the Syrian Electronic Army. (To their credit, Vice seems to be taking their own advice: they were well prepared for the attack, passwords were encrypted, making them virtually useless for the hackers, and the vulnerability was patched almost immediately.)
Vice interviewed two members of the Online Trust Alliance (OTA), which recently published the 2014 Data Protection & Breach Readiness Guide (one of the primary sources I consulted for this series). I found these two quotations from the Vice interviews particularly insightful:
“Being compliant is not good enough…” This phrase in particular struck a chord with me, as I feel like the compliance officer’s role is expanding exponentially. We often emphasize that training can’t be once and done, awareness programs need more than a poster, Codes of Conduct need to be more than scripted legalese booklets… Nothing is “good enough” without ongoing input from the compliance team.
That’s bad news for resource-strapped compliance teams. It gets worse:
That’s unacceptable. If there’s one thing I’ve gotten out of my IT class thus far it’s that IT can’t do everything alone. Compliance can’t either. It’s time to buddy up and share the load. While the Kroll report implies that perhaps compliance officers aren’t comfortable or familiar with the more technical aspects of cyber security, there are plenty of other pieces that the compliance officer can get involved with including information security training.
Join us next week for Part 2 of this series!
For More Information About Information Security Training, Check Out These Resources:
- Blog: 4 Cases Where Security Awareness Training Could Have Saved The Day
- Blog: From Russia With Love: ‘Do svidaniya’ Peace Of Mind, Hello Information Security Training
- Blog: Information Security Training Can Even Save Your Grandparents
ON DEMAND WEBINAR | Cybersecurity 2014: The Impact on Global Companies
Download “Cybersecurity 2014: The Impact on Global Companies,” featuring Lisa Sotto, Partner and Chair of the Privacy and Security Practice for Hunton & Williams. Lisa will discuss the state of cybersecurity in 2014. You will learn cybersecurity best practices, the current state of data privacy legislation, and what to do in the event of a data breach.