Categories
Computer & Network Security|Information Security

IT and the C-Suite: 3 Tips for Communication

Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare: a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of how they ran operations. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.

A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication?

Communication Between C-Suite Executives and IT

There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity, while only 69% of C-level executives agree. Executives also disagreed with IT on which data to protect first: they prioritized protecting employee data, while IT prioritized financial data.

If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.

3 Tips for Communication Between IT and the C-Suite

The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.

Tip #1: Don’t Use Industry Lingo

IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.

Tip #2: Make Substantial Recommendations

While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.

Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach

Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.

Conclusion

I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been just as applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that stands the test of time:

Bonus Tip #4: Get an Outside Perspective

IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.

At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.

We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.


Simple Cyber Security Tips for your Business

If you’ve ever had someone break into your home or even your car, you know the feeling of vulnerability and fears that accompany that experience. The fear and uncertainty can linger for months and even years.

Now imagine a break-in at your business that jeopardizes everything you have worked so hard to build. But this intruder is invisible, and there is no chance that the neighbors will see something suspicious and call the police. Someone in a distant coffee shop in another country can steal your bank account information, private employee data, and information about your clients. Security cameras and motion detectors are useless in detecting this kind of intruder. What does the aftermath look like? In the best-case scenario, you will spend a LOT of time and money cleaning up the situation and making things right. With a little luck, you might be able to get everything running normally again. In the worst-case scenario, you lose a significant amount of money, you are sued by employees and/or clients for not securing their information properly, and the devastation leads to your business not being able to recover.

According to Homeland Security, 44% of small businesses reported being a victim of a cyber-attack, with an average cost of approximately $9,000 per attack. Protecting your business from cyber threats has become a top priority, and it takes everyone in your company, from top leadership to the newest employee, working together to keep your business safe. Here are a few tips from Homeland Security your company can apply.

SIMPLE TIPS FOR EMPLOYEES

  • When in doubt, throw it out. Stop and think before you open attachments or click links in emails. Links in emails, instant messages, and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, it’s best to delete it.
  • Implement a backup plan. Make electronic and physical back-ups or copies of all your important work. Data can be lost in many ways including computer malfunctions, malware, theft, viruses, and accidental deletion. Your backup plan should include offsite storage.
  • Guard your devices. In order to prevent theft and unauthorized access, never leave your laptop or mobile device unattended in a public place and lock your devices when they are not in use.
  • Secure your accounts. Use passwords that are at least eight characters long and a mix of letters, numbers, and characters. Do not share any of your usernames or passwords with anyone. Create a unique password for each site that you visit. When available, turn on stronger authentication for an added layer of security, beyond the password.
  • Report anything suspicious. If you experience any unusual problems with your computer or device, report it to your IT Department.

SIMPLE TIPS FOR THE BUSINESS OWNER

  • Equip your organization’s computers with antivirus software and antispyware. This software should be updated regularly.
  • Secure your Internet connection with a firewall, encrypt information, and hide your Wi-Fi network.
  • Establish security practices and policies to protect sensitive information.
  • Require employees to use strong passwords and to change them often.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication where possible.
  • Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

In a perfect world, every employee would work their hardest to keep your network safe and secure. Since we don’t live in a perfect world, let this post help you determine next steps. Businesses often think they can’t afford outside help…until it’s too late.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.


Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and Javascript.

Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common anymore, but the Java application is a different matter. Java has a long history of exploited vulnerabilities, and its updates have historically been released late. Even more painful is that users have to manually watch for and install those updates unless they chose the “check for updates periodically” option during the original Java install. And even then, they’re required to manually download a patch file and run it. And we all know how diligent users are about that sort of thing…

Javascript is something else altogether. It’s integrated into the browser, and although there have been security issues with it in the past, updates come in the form of operating system updates which are usually controlled by Windows Update settings or corporate patch agents.

SecurIT360’s recommendations for this sort of thing always follow the “least privilege” concept: if you don’t need it, turn it off. Just like every other piece of unused software, we recommend uninstalling Java unless it’s actually being used. We’re not singling out Java; this is our recommendation for every piece of software and application on the market. If your users really need Java to do their work, though, then make sure Java is configured to periodically check for updates and patches. On top of that, run regular security scans to confirm which version of Java is installed on each machine and update old versions when you find them.
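The “confirm which version of Java is installed” step above, as an added example that is not SecurIT360’s tooling: a small Python inventory check that normalises both the legacy `1.8.0_291` and the modern `11.0.12` version formats and flags hosts below a baseline. The `host,version` inventory format, the sample hosts and the baseline are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory, one "host,java_version" line per machine.
# The format is an assumption, not the output of any particular scanner.
SAMPLE_INVENTORY = """\
ws-01,1.8.0_291
ws-02,11.0.12
ws-03,1.7.0_80
ws-04,17.0.2
ws-05,not installed
"""

# Legacy Java 8 and earlier report "1.8.0_291"; Java 9+ report "11.0.12".
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")
_MODERN = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise a Java version string to (major, minor, update).

    Returns None when the string is not a recognisable Java version.
    """
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        # "1.8.0_291" -> (8, 0, 291): the leading "1." is the old naming scheme.
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = _MODERN.match(text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    return None


def flag_outdated(inventory: str, minimum: Tuple[int, int, int]) -> Dict[str, List[str]]:
    """Sort hosts into 'ok', 'outdated' and 'unknown' against a baseline version."""
    result: Dict[str, List[str]] = {"ok": [], "outdated": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition(",")
        version = parse_java_version(raw)
        if version is None:
            result["unknown"].append(host)   # needs a manual look
        elif version < minimum:
            result["outdated"].append(host)  # below the patch baseline
        else:
            result["ok"].append(host)
    return result
```

Hosts in the `unknown` bucket (no parsable version) deserve the same follow-up as outdated ones, since a scan that cannot read the version cannot vouch for it.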

Java is a fantastic program but needs careful handling to prevent it from becoming a security issue for your organization. Keep an eye on it.