Presenting to the board of directors is an opportunity for CIOs to shine. Waters Corporation CIO Brook Colangelo shares best practices to help you succeed.
4 data security measures CIOs should take now
Hodges-Mace CTO Kevin Andrews on how to better protect your organization from breaches
After a data breach, your company will feel the implications for years to come. Attacks often come from unexpected directions, but CIOs and CISOs can prioritize steps to protect sensitive data, according to Kevin Andrews, CTO of employee benefits service company Hodges-Mace. “The biggest misconception is that it’s going to happen to someone else,” he says. To better protect your own organization, he recommends these steps:
1. Prepare for attacks from seemingly authenticated sources
“There is a misconception where people think since they have a firewall, that will protect their information and it’s encrypted and secure externally,” Andrews says. “The reality is most attacks are orchestrated through a compromised valid user within the network. This means that data is accessed with credentials obtained through spear phishing or a socially engineered hack, getting through the firewalls by impersonating an authenticated user.”
[ How secure are your containers? See our related article, What Clarence Birdseye can teach us about container security. ]
You can lessen the chances of these and other attacks by observing data security best practices at every level of the organization, he adds. “It’s important to make sure you have proper audits and controls, such as patch management, penetration testing, and vulnerability scans on a regular basis.”
2. Treat all data as sensitive
Should you take special steps to secure particularly sensitive data, such as personally identifiable information? No, Andrews says. “You are better off securing the entire data set. Segmented secure/non-secure data is risky due to the potential lack of communication within the organization,” he explains.
“The breadth of organizations makes it difficult to communicate the determined segmentation throughout because there are many touch points inside most organizations including vendors, partners, customers, etc.," he says. "This leaves a high degree of vulnerability and the potential of someone distributing insecure data.”
3. Educate users on data security
Your organization’s users can make or break data security, Andrews says. “It is important to build awareness around security vulnerabilities, and it is important to outline the role that each individual plays in securing company or personal data.”
It’s never too early to deliver the data-security message, he adds. “The process starts at point-of-hire through educational programs and best practices and should be continued through the exit process. It is very important to reinforce best practices and provide real-life scenarios or role-play for employees so they can become better prepared for potential threats.”
4. Budget enough to do data security well
It’s important to have the right resources and budget to maintain and secure all your data, Andrews says. “Make sure you are leveraging third-party experts to help in the audit and testing of security protocols. CIOs should not skimp on security budgets. They should also ensure executive leadership is on board with the potential liabilities and risk.”