Recent news illustrates that cyber security, or insufficient cyber security, is always a concern. More importantly, cyber security strategies and incident response processes should be continuously reviewed.
First, as if Equifax wasn’t already reeling under pressure from a massive data breach which exposed the information of 143 million Americans, the credit-reporting agency now reports it also had a security breach earlier this year that involved a different part of the company. The earlier breach involved TALX, Equifax’s human resources and payroll service. Equifax reports that there is no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.
Secondly, the Securities and Exchange Commission (SEC), the federal agency responsible for both ensuring that markets function as they should and protecting investors, has announced it was hacked and the intruders may have used the nonpublic information they obtained to profit illegally. According to the SEC, the breach was discovered last year but the possibility of illicit trading wasn’t uncovered until last month. The agency didn’t explain why the hack itself wasn’t revealed sooner, or which individuals or companies may have been impacted.
The disclosure comes two months after the Government Accountability Office issued a critical report about the cyber security measures employed by the SEC, citing a number of deficiencies in “the effectiveness of SEC’s controls for protecting the confidentiality, integrity, and availability of its information systems.” GAO also issued 26 recommendations which it said would make SEC systems more secure.
With both of those cyber security breaches in mind—well, actually three breaches if you count the Equifax breaches separately—I was interested to read a reminder that CIOs and IT leaders, of course, must frequently evaluate the technologies and resources the company uses to ensure they have the right defenses in place to anticipate, respond to and resolve possible cyber threats. However, they also need to continually explain to all employees that everyone is responsible for maintaining the company’s cyber security, and, secondly, to explain the roles all employees can take in strengthening it.
Craig Williams, chief information officer of network strategy and technology provider Ciena, recently explained how companies can improve cyber security in an article on Forbes. He listed several strategies, but a few in particular caught my attention. The first is to institute awareness programs to ensure that—as a result of continuous training—employees can alert the cyber security team about things that look suspicious. That training must teach employees about cyber attacks, social engineering and phishing, and be delivered through multiple mechanisms, such as email updates, blog posts, posters and online training, Williams wrote.
Secondly, it’s vital to ensure the company’s incident management process can be followed for cyber security events. The only real difference to consider is the escalation path and whom to involve during an event. Williams notes that security events can be highly sensitive, so executives may need to be selective about whom to involve—or not involve—depending on the issue. As always, it’s critical that the company tests the process periodically.
Finally, it’s imperative that the CEO and other C-suite executives are advocates and participants in cyber security issues and discussions. Williams suggests asking executives to talk about security in their “All Hands” employee meetings, to send out an email about a particular security topic or to blog about cyber security in the company newsletter because when senior executives discuss concerns, it helps convey the matter’s weight. He also includes an anecdote about a senior executive who dressed up as a fisherman at an employee meeting and spent time talking about the importance of cyber security, explaining that phishing was no joke. As Williams relays, the message drove the point home.
I’d like to ask your thoughts on involving senior executives, and C-level executives in particular, as cyber security advocates. Does that happen where you work? What about your company’s key suppliers and partners?