CYBER SECURITY: C-SUITE RESPONSIBILITY
By JIM KENDALL
This material originally appeared as one of Jim’s Daily Herald columns
You know the situation has worsened when George Vroustouris talks about social engineering and the need for C-suite leadership to combat what has morphed from certainly serious, but by comparison relatively straightforward, identity theft into cyber security issues.
A similar message comes from Drew Kelly, who talks of “a proliferation of people with an attitude to do bad things” and a willingness to focus on mid-size and small businesses “because they are seen as softer targets.”
Kelly is in insurance, a vice president at Chicago broker Alexander J. Wayne & Associates Inc. Vroustouris is principal at Undo Identity Theft Inc., Schaumburg. His cyber issues are somewhat broader.
Insurance coverage can help mitigate the expense of a breach, and Kelly notes that some carriers will provide forensic and related support. “The biggest expense,” he says, “is the cost of notification” – the letters businesses whose data have been accessed are required to send to customers whose information might have been affected.
The ultimate cost of the required letter, Kelly says, easily can be $10-$20 each.
Do your company’s math. If the math says insurance, Kelly cautions, “Understand what you’re buying before you purchase coverage.”
Along with the disruption a breach brings, cost is one reason Vroustouris says cyber security is an issue that should be elevated to the top of a business. His thinking:
* Cyber criminals linger once they’ve breached a site, Vroustouris says. “It’s no longer crash and dash. They’re looking to see who (in the breached business) has access to information.”
That’s a pretty decent opening example of social engineering. Norton, part of Mountain View, CA-based Symantec Corp., defines social engineering as “a way that cybercriminals use human-to-human interaction in order to get the user to divulge sensitive information.”
Social engineering can be effective. Vroustouris notes, for example, that the 2013 Target data breach had its beginning when a third-party vendor, not Target, was breached.
* The days when security meant showing a badge to the company guard are long gone and, in a sense, the guard has been replaced by IT. Although the words aren’t always in the job description, the practical effect is that “Everybody has a role in security,” Vroustouris says. Businesses need to “improve their defenses, change their culture (and) fight back.”
* With vulnerable data including employee personal information, customer information, vendor data and such intellectual property as formulas and other key processes, the security issue should move to the C-level, Vroustouris says.
Led by the business owner/CEO, the initial top-level meeting, Vroustouris says, should begin with a discussion of “the new reality that (our company) is vulnerable because we have data.” Asking team members to share examples of data breaches they know about should bring a good discussion of the business’ investment – what it is now and what it should be – in cyber security.
© 2017 Kendall Communications Inc. Follow Jim Kendall on LinkedIn and Twitter. Write him at Jim@kendallcom.com. Listen to Jim’s Business Owners’ Pod Talk at www.kendallcom.com/podcast.