It turns out that 2017 was a brutal year for data breaches. No one can forget the Equifax disaster, which exposed the sensitive information of more than 140 million people to criminals around the world. There was also the exposure of personal data on nearly 200 million American voters, left in a publicly readable cloud storage bucket by Deep Root Analytics, a data firm working for the Republican National Committee. And don't forget Uber, whose executives paid the attackers $100,000 to delete stolen data on some 57 million riders and drivers, then kept the incident quiet for about a year. That one was not ransomware at all, but a straightforward theft of data from Uber's cloud storage.
Indeed, the more we scrutinize the state of digital security in large enterprises, the more we see that it doesn't really exist, at least not at the level it should. Successful attacks on Kaspersky Lab, SVR Tracking, Whole Foods, and even the U.S. Central Intelligence Agency (CIA) should be enough to prove the point. The effects of these breaches on big-fish organizations have been so powerful that they have forced leadership to stop blaming IT departments and finally assume a degree of responsibility.
Governments have also noticed this trend and have started holding corporate enterprises accountable for their own cyber-preparedness through stiffer regulations and compliance laws. For example, the New York State Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) requires a senior officer or the board of each covered company to certify in writing, every year, that the organization complies with it.
These regulations exist to hold higher-ups personally accountable for their cybersecurity decisions, essentially forcing them to sit up and take notice of the new digital landscape. A government contractor whose breach reveals that its security assurances were false can also face liability under the False Claims Act. Corporate leaders must now answer for day-to-day security concerns as well as for IT support, training, and preparedness.
Executives need to focus on more than preventing attacks; they must also be equipped to handle the fallout of a successful one. The Equifax breach, and the failure of its executives to handle it properly, made this a painful reality for the industry. Equifax discovered the intrusion at the end of July 2017 and did not disclose it to the public or its stakeholders until early September, roughly six weeks later, which is what real negligence looks like. While the Social Security numbers and credit card details of consumers swirled around the internet like confetti at a giant hacking convention, several Equifax executives quietly sold shares in the days after the discovery, before anyone outside the company was told.
Organizations today need more than an IT department; they need a larger body responsible for digital preparedness. Beyond raising awareness, that body should create a response plan tailored to the realities of an actual attack: what happens while it is underway, in the hours afterwards, and in the days that follow. It must map out the chain of command and establish clear communication channels and timelines for an incident. Setting explicit criteria for when stakeholders, the public, and the authorities are notified is critical. It will also need to coordinate with a third-party security firm to investigate the intrusion and make sure the same weakness cannot be exploited again.
In addition to establishing a proper incident response plan, executives need to develop their own security practices and personal habits. And while they educate employees on the importance of digital security, they must put supporting controls in place so that everyone is actually doing their part to maintain a defensive posture.
Understanding past exploits is useful, but higher-ups must also prepare for attacks that have not yet been identified, which is arguably the biggest threat. Spear phishing, and in particular the variant known as business email compromise (BEC) or CEO fraud, has been especially effective because it tricks employees into corresponding directly with the criminals. Posing as top executives, the attackers persuade workers to share industry secrets and passwords, and even to wire them money. Although this may sound simple and easy to spot, many employees who believed they were following instructions from their "boss" did exactly as they were told.
Simple controls can blunt these attacks: multi-factor authentication, so that a phished password alone is not enough, and a mandatory out-of-band confirmation step, such as a phone call to a known number or a second approver, before any payment or credential request from an "executive" is acted on. Executives can further reduce impersonation and spear phishing by communicating closely with employees and making it clear that a verification step is expected, not an insult. Education is the best practice here. Instead of delegating security matters entirely to IT staff, executives need to get down in the trenches and help their organization prepare proactively for what lies ahead. If they don't, the aftermath is on them.
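The impersonation pattern described in the two paragraphs above leaves fingerprints in mail headers that a mail gateway or help desk can check mechanically. The following is an added example, not code from the original article or from any named vendor: a small heuristic scanner that flags a known executive's display name paired with an outside address, a lookalike sender domain, a Reply-To that diverges from the sender, and payment or urgency language. The organization domain, executive roster, and the three sample messages are constructed for this example.

```python
"""Heuristic checks for executive-impersonation (BEC) e-mail headers.

Added illustration; the domain, executive roster and sample messages are
hypothetical, constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # hypothetical organisation domain
EXECUTIVES = {                                   # hypothetical executive roster
    "jane doe": "jane.doe@example.com",
    "bob lee": "bob.lee@example.com",
}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|gift cards?|w-2)\b", re.I)


def _normalize_domain(domain):
    """Collapse common look-alike substitutions (0/o, 1/l, rn/m, vv/w)."""
    return (domain.lower()
            .replace("0", "o").replace("1", "l")
            .replace("rn", "m").replace("vv", "w"))


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. A trusted executive's name on an address that is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        findings.append(f"display-name spoof: '{display}' but address is {addr}")

    # 2. Sender domain that only looks like ours after character substitution.
    if from_domain != ORG_DOMAIN and _normalize_domain(from_domain) == _normalize_domain(ORG_DOMAIN):
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Replies silently redirected to a different domain than the sender.
    if reply_addr and reply_addr.lower().rpartition("@")[2] != from_domain:
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 4. Only when something above fired: money/urgency wording raises priority
    #    and is the cue to demand out-of-band confirmation before acting.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if findings and PAYMENT_WORDS.search(msg.get("Subject", "") + " " + text):
        findings.append("payment/urgency language present; require out-of-band confirmation")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@gmail-mail.net>
Reply-To: Jane Doe <ceo.urgent@protonmail.com>
To: ap@example.com
Subject: Urgent wire transfer

I need you to wire $48,000 to the vendor below today. Don't call, I'm in a meeting.
"""

LOOKALIKE = """\
From: Bob Lee <bob.lee@examp1e.com>
To: ap@example.com
Subject: Invoice

Please pay the attached invoice before end of day.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Urgent wire transfer

The board approved the transfer; finance has the signed form.
"""


def scan_samples():
    """Run the heuristics over the constructed samples; returns name -> findings."""
    return {name: assess(raw) for name, raw in
            (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE))}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, "->", found or "no findings")
```

The checks are deliberately cheap so they can run at the gateway on every message; the finding that matters most operationally is the last one, because it is the trigger for the human confirmation step the text recommends rather than a reason to silently drop mail.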