IT Security: If It’s Not A Board-Level Topic, Your Business Is At Risk

The most widely publicized data breach of 2014 was the attack on Sony Pictures Entertainment. The attackers infiltrated the studio's network and leaked executives' emails, which contained details of film projects that had not yet been made public. By the time 2014 came to a close, approximately 1,500 breaches worldwide had exposed nearly 1 billion records in total, according to The Wall Street Journal.

IT security will remain a high-priority topic given the breaches occurring across every line of business. Board-level strategies are a must, and processes and procedures need to be implemented to protect the company's reputation and reduce its regulatory risk. Here are some crucial information security tips:

Increase Vendor Risk Management

As organizations become more reliant on vendors, vendor risk management is one area the Board should keep strengthening. High-level points to address when analyzing vendor-related IT security risks include:

    • Identify and classify critical third-party arrangements
    • Maintain accountability of vendor risk management practices
    • Determine inherent risks and mitigation strategy
    • Establish vendor risk management policies, procedures and standards
    • Develop guidelines, tools and templates
    • Implement key controls to comply with an organization’s policies
    • Perform periodic audits and testing to ensure compliance with contractual requirements

Protect Your Cloud Computing

Many organizations are moving to cloud-based solutions, and procuring and managing cloud services well is widely regarded as a prerequisite for making big data cost effective. Managing those services, however, is often a weak spot: organizations struggle to confirm that the security and privacy controls protecting their data in the cloud are actually effective. Responsibilities for specific, required data privacy controls must be clearly divided between the cloud service provider and the cloud service customer, and there must be ongoing monitoring and audits of cloud services along with metrics that indicate the levels of integrity, confidentiality and availability of the data.

Ensure Data Privacy

Data is one of an organization's most important assets, so Board-level awareness across business lines should extend to proactively protecting its sensitive data. To start, classify data according to its sensitivity and establish where the sensitive data is located, how it is used and how it is stored. Based on that classification, organizations can then apply IT security best practices and standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the HIPAA Privacy and Security Rules to ensure sufficient controls are applied to protect the data.
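As an added illustration of the classification step described above (example code written for this page, not from the original article): a small Python scanner that looks for two kinds of sensitive data in constructed sample records, assigns each record a classification level, notes which standard governs it, and applies one control that follows from the classification (truncated display, which PCI DSS permits for a card number). The record contents and paths, the classification names, the regex patterns and the Luhn filter are all assumptions for the demonstration; a real discovery tool needs many more detectors and an inventory of the data stores it scans.

```python
import re
from dataclasses import dataclass

# Constructed sample records: the names, paths, card number and SSN are
# made up. 4111 1111 1111 1111 is a common test PAN that passes the Luhn
# check; 1234567890123456 looks like a PAN but fails it.
SAMPLE_RECORDS = [
    ("crm/customers.csv", "Jane Doe, card 4111-1111-1111-1111, exp 12/26"),
    ("hr/onboarding.txt", "New hire SSN 123-45-6789, start 2015-03-01"),
    ("marketing/draft.txt", "Spring campaign launches Monday, 20% off"),
    ("support/ticket-42.txt", "Customer quoted order id 1234567890123456"),
]

# 13 to 19 digits, optionally separated by spaces or dashes (assumed pattern).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in its dashed form (assumed pattern).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Classification levels, lowest to highest (assumed scheme for the example).
LEVEL_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most
    digit runs that merely look like a PAN (order ids, ticket numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # what was found
    regime: str    # which standard drives the required controls
    level: str     # classification implied by the finding
    span: tuple    # (start, end) offsets in the record text


def find_sensitive(text: str) -> list:
    """Return the sensitive-data findings in one record."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", "PCI DSS", "RESTRICTED", m.span()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(
            "SSN", "privacy regulation (HIPAA where it is health data)",
            "CONFIDENTIAL", m.span()))
    return findings


def classify(text: str) -> str:
    """Highest level implied by any finding; unreviewed data defaults to
    INTERNAL rather than PUBLIC."""
    findings = find_sensitive(text)
    if not findings:
        return "INTERNAL"
    return max((f.level for f in findings), key=LEVEL_RANK.__getitem__)


def mask(text: str, findings: list) -> str:
    """Replace each finding with asterisks plus its last four digits, the
    truncated display form that PCI DSS allows for a PAN."""
    out = text
    # Replace from the right so earlier offsets stay valid.
    for f in sorted(findings, key=lambda f: f.span[0], reverse=True):
        start, end = f.span
        digits = re.sub(r"\D", "", text[start:end])
        out = out[:start] + "*" * (len(digits) - 4) + digits[-4:] + out[end:]
    return out


def inventory(records) -> list:
    """Build the 'where is our sensitive data' inventory: one row per record
    with its source, level, governing regimes and a display-safe version."""
    rows = []
    for source, text in records:
        findings = find_sensitive(text)
        rows.append({
            "source": source,
            "level": classify(text),
            "regimes": sorted({f.regime for f in findings}),
            "display": mask(text, findings),
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS):
        print(f"{row['level']:<12} {row['source']:<24} {row['display']}")
```

The Luhn filter matters in practice: without it, every sixteen-digit order or ticket number is flagged as cardholder data and the inventory becomes noise that nobody reads. Conversely, anything the scanner does not recognise is left at INTERNAL, not PUBLIC, so an unknown data type never silently drops out of scope.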

Secure Mobile Technology

As today's businesses continue to grow and expand to locations worldwide, the Board should take a proactive approach and carefully plan an effective mobile implementation strategy. More and more organizations are adopting mobile app best practices that improve accessibility. Before any mobile technology is selected, a formal risk assessment should be performed to determine the risks associated with it, and an enterprise policy defining acceptable use of the technology should be established. Beyond those considerations, strong security controls need to be built into the solution at the early stages of the system development life cycle. These measures reduce security risk while enabling the organization's mobility objectives.

In conclusion, data breaches expose vital data and can significantly damage an organization's reputation. It is time to raise information security to the Board level: discuss strategies, assess organizational changes, and take preventive measures to strengthen the IT security posture.