What keeps CIOs awake at night?
DARRIN SALT
Keeping your company safe from security breaches is right at the top of every CIO’s priority list and being hacked or having your systems compromised can be an extremely challenging and even distressing situation for any high-level IT executive.
You only have to look at last year’s cyber-attack on Uber where 57 million customer and driver records were stolen to understand why the threat of security breaches keeps CIOs awake at night.
The reality today is that the rapidly changing landscape of cyber security often doesn’t afford CIOs enough time to regularly road test their security strategies before they scale them up. There is also so much else to occupy their attention on a day to day basis but IT security bosses still need to do absolutely everything they can to properly protect against cyber threats.
Here’s our look at some of the most important areas of focus for CIOs hoping to rest a little easier while defending their businesses against cyber threats of all kinds.
Patching
It’s been made abundantly clear in recent months (if it wasn’t already) that patching is an essential activity if you’re aiming to keep your IT infrastructure and your sensitive company data safe and sound.
You may remember the NHS hitting the headlines recently after being struck down by a ransomware attack that could’ve been prevented by proper patching. Not long after that very high profile NHS attack the credit report company Experian found itself in a similar position and for similar reasons. In Experian’s case, problems were identified and then six months down the road they still hadn’t been patched and the company ran into serious problems after being targeted by cyber attackers.
From the point of view of enterprise IT security today, anything that hasn’t been patched, secured or replaced, or that can’t be patched, is a vulnerability that urgently needs addressing.
Pen testing
One of the tests that every business should be doing to ensure they are properly protected is pen testing (penetration testing).
If you haven’t come across this before, it’s essentially where you get an expert in IT security to try and hack into your system. They don’t actually hack your system, of course; they are a trusted third party and they have your permission to attempt their incursions. The idea is that you give them just enough information to attempt to get into your system, and how much success they have goes a long way towards highlighting how secure or vulnerable your systems really are.
It’s very important though to use a third party for this kind of exercise rather than someone from your internal IT team because it makes the process a whole lot more worthwhile. The third party tester will start off with far less knowledge of your business and IT systems so they’ll approach a simulated hack from the same starting point as a potential real-world attacker.
Detection
Very often hackers can get into an IT system and look around for several weeks before doing any damage, attempting any fraudulent activity or trying to steal any data. The hackers don’t know the system and they are using this time to become more familiar with it. Therefore, if you have effective detection methods in place then you should be able to identify that you’ve been compromised and shut down the threat before it has the chance to do any real damage.
The aim for CIOs and IT managers is to stop cyber-attacks from breaching their systems in the first place but if that isn’t possible then the next best thing is to offset the potential damage that could be done. In many ways, how you respond to an attack and a data breach is actually every bit as important as how you were attempting to protect your systems beforehand.
Transparency in these scenarios is vitally important. One action that should certainly be taken if your company falls victim to a data breach is to notify the Information Commissioner’s Office. You should also make clear to anyone affected if your data breach involves sensitive information such as medical records, bank account details or credit card information. Disclosure will become even more critical when the General Data Protection Regulation (GDPR) comes into force in May 2018.
For large businesses that transparency can mean communicating with tens of thousands of people but it has to be done to avoid further reputational damage. Uber, for example, had to contact 57 million people to let them know their information had been taken after its security setup was breached badly in 2017.
BYOD
A very widespread phenomenon to emerge over the past decade or so within businesses worldwide is what’s referred to as BYOD or ‘bring your own devices’, meaning situations in which individual members of a given workforce use their personal devices to carry out work-related tasks. This happens a lot today but it can be a real problem for CIOs who consider the use of these external devices as threats to their overall IT systems. If you’re responsible for IT security at your company then the use of personal devices for professional communications needs to be monitored very carefully and restricted where necessary.
Even if you are not implementing a BYOD policy, consider the risks of staff plugging in USB devices, even if it is just to charge them. If they need data exchange, make sure you have software in place to scan USB devices before access is granted. If your teams don’t need USB data exchange, consider disabling the ports or providing “charge only” cables.
Education
Education is key to good IT security because not every potential problem can be prevented through the use of smart technologies or by locking down your networks to the greatest extent.
A majority (52%) of all threats have a human element to them. A good example is what’s called social engineering, whereby individuals are effectively duped into handing over access to sensitive data. Education can prevent these problems and lots of other security issues as well because it helps employees understand more about how IT security works and encourages them to get into good habits.
To build on education, it’s important for CIOs to instigate testing programmes involving fake phishing emails. These kinds of tests can give IT managers potentially very valuable insights into how easily fooled members of their workforce really are and how lax they are when it comes to data security issues.
Doing all that can be done
It simply is not possible for a CIO of any organisation to be 100% confident in their policies and protections. The reality is that even the biggest and organisations in the world can sometimes find themselves somehow on the end of a devastating cyber-attack.
From a CIO’s perspective the aim should be to keep making progress and to do all that can be done to ensure complete security and to have methods in place to deal as well as possible with any breaches that do arise. It’s only by doing so that CIOs will give themselves any chance of sleeping soundly and not worrying so much about where their next cyber-attack is coming from.
ABOUT ME
I am the Managing Director and owner of the SCA Group, a managed IT solutions provider.
SCA provides a wide range of IT services to SMEs, entrepreneurs and large organisations. Our focus is on helping our clients to manage their technology smoothly so it supports and doesn’t interfere with the day-to-day running of their businesses.
From our West London offices and datacentre, we deliver and administer a wide range of services and provide expert assistance to every client using the technology and systems we supply.
We understand that businesses today need their technology investments not just to deliver value for money but to proactively drive competitiveness and SCA make that ambition a reality for our clients.