It has been interesting to read about malware called “NotCompatible” because it particularly targets Android mobile phones. Lookout, a mobile security company that has been tracking the malware for two years, estimates between four million and 4.5 million Americans’ phones have been infected by the malware this year.


Attackers first infect legitimate websites with malicious code. Then, when victims visit the site from their mobile phone, they unintentionally download the code in what is commonly called a “drive-by download.”


Cyber-security experts say the intention of the attackers is to infect as many smartphones as possible, and then turn them into a so-called botnet which is a network of infected devices the attackers may use remotely for malicious purposes. The business problem is that if employees then use those phones at work, they again unintentionally introduce an opportunity for hackers to gain access to company networks.


The rise of NotCompatible and other ploys means that the reality is data breaches are now a matter of when they will occur, not if, writes consultant Adam Epstein of Third Creek Advisors in a recent BusinessWeek article. If Fortune 50 companies with nine-digit annual cyber-security budgets can’t prevent breaches, neither can small or mid-size companies, he writes.


Epstein goes on to dispel some other cyber-security myths in the article, including that executives don’t need to worry about cyber-security because the company’s IT department has it under control. Unfortunately, cyber-security is only partially an IT issue because it’s also a matter of corporate culture, employee training and physical security, Epstein writes. The result is executives also need to worry about disgruntled employees and the supply chain, not to mention small companies that have been recently acquired, he explains.


Another commonly held belief is that cyber-theft is about credit cards. Cyber-thieves have disparate goals that may include semi-benign mayhem, espionage, misappropriation or terrorism, Epstein writes. Credit card information is certainly a target, but other targets may include personal info, intellectual property, strategy memos, customer lists and other nonpublic information.


The situation may even be worse. In the manufacturing industry, cyber-theft targets may include designs, specifications, or research and development information, writes David Barton, managing director of UHY Advisors, in an article that ran on IndustryWeek today.


If the question isn’t if a cyberattack will occur but when will it occur, it makes sense then to prepare for such an attack. With that in mind, it’s critical for manufacturing businesses to have a data breach preparedness plan in place, Barton writes.


The starting point in planning for cyber-attacks is to implement an incident response plan (IRP) to ensure appropriate action if security is breached, Barton writes. An effective IRP will address preventative controls, timely detection of potential problems and rapid response to data security breaches, he explains.


The key components of a well-defined IRP begin with creating an incident response team composed of selected individuals from departments that will be involved when a data security breach occurs, such as executive management, information technology, human resources, public relations, legal, and operations, Barton explains. Data classification—such as “public/non-classified,” “internal use only” and “confidential”—is another critical component because it takes into account the type of data compromised by the breach when the team determines the appropriate response efforts and activities.


Another key step is to make sure appropriate training is in place. Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur, Barton writes. IRT members should be well versed in how to appropriately evaluate, respond and manage security incidents, he explains.


What position has your company taken regarding cyber-attacks? Does it have a plan, or team, in place in case such an attack occurs?