HOW ENTERPRISE CAN MINIMIZE SECURITY BREACHES

Cybercrime attacks on America’s institutions continue to rock the country, and the problem continues to grow in magnitude as evidenced by the massive data breach of 143 million records that was recently reported by Equifax. “The sophistication and verve of these attacks spans both the Public and Private sectors”, says Sam Chughtai. “Consider this: in the last 2 years, a data breach of 123 million records was reported by the US Government’s Office of Personnel Management, and a data breach of 1 billion records was recently reported by Yahoo” (all statistics courtesy of USA Today Research).

Unfortunately, the problem isn’t limited to the theft of personnel records. “Ransomware and phishing attacks are growing in number, with a predilection for targeting such critical sectors as healthcare and the financial industry”, says Eric Abbott. “Further, consider the impact of HIPAA penalties on the targeted healthcare organization, notwithstanding the damage to their reputation”, says Abbott. Additionally, new concerns are being raised about targeted attacks on any IP-enabled infrastructure, such as the power grid, and about the ability to recover quickly from such attacks. Says Chughtai, “we are at a crossroads that fundamentally requires a close and thoughtful examination of current IT governance models in order to herald disruptive reforms needed to break and mitigate this continuous cycle of damage to our valued institutions”.

“The process begins with effective IT leadership governance to avoid overconfidence and over-reliance on technology”, say Abbott and Chughtai. Simply put: “the old model of solely relying on internal IT security practices is no longer sufficient”, says Abbott. As Chughtai adds: “it can kill companies overnight when attacks occur”.

Instead, the new approach starts with creating a governance program founded upon two core principles. First, the role of a Chief Security Officer is essential to orchestrate and govern policy and procedures for the organization. Says Chughtai, “without an executive leader to set and enforce organizational policy, random chance favors the cybercriminal”. Second, a holistic systems approach to cybersecurity is essential. This entails entering into performance-based service level agreements (SLAs) with external specialty providers offering services ranging from third-party scanning to data analytics, the latter of which can identify unusual system, network and data-flow behaviors. In this way, the risk is apportioned and shared, allowing for specialization and shared industry learning, much as the highly successful anti-malware and antivirus vendors have found.

“We need to bring the same level of discipline in cyber security reporting to the Board of Directors and Senior Leadership of a company, much like how Accounting and Finance behave”, say Abbott and Chughtai. “It starts with an in-house internal audit and attestation, followed by an external audit and attestation under the SLA terms agreement”.

In this way, a strong security posture can be built by a dedicated internal security team collaborating with the external vendor. Moreover, using a different external vendor for monthly security audits will serve as an additional checkpoint. Says Chughtai, “unfortunately, this is not the standard practice in the industry”, adding that “the impact on the reputation of companies that don’t adhere to these principles cannot be sustained in the long run”.

A successful approach to Cybersecurity begins with a well-defined strategy for effective governance practices. Cascadia Pacific and National Aerospace Corporation stand ready to be your partner in protecting your vital digital assets.

Robert Whittemore

4Site Strategy Finance & Leadership

7 years

“We need to bring the same level of discipline in cyber security reporting to Board of Directors and Senior Leadership of a company, much like how Accounting and Finance behave” ~Sam C. #CyberIntel
