There is nothing more important to any business, no matter the industry, than data: client data, proprietary data, and the data that is used every day to service clients and meet objectives.
CEOs, more than anyone else, understand this. Yet the security of this data rarely makes it onto a CEO’s list of priorities, because it is too often considered a purely technology issue. The following are things every CEO must know about IT security that may put it into better perspective.
1. IT Security Is A Business Issue
Think of all the data your business runs on: the client projects, the billing information, the research and development your teams have been working on to edge out the competition. How is that data being protected? What is being protected? What happens if a breach takes place? If you do not have answers to these questions now, speak with your IT team and talk about network protection, policies, disaster recovery plans and the metrics by which it is all being measured. Get a good understanding of what is being protected and how it is being protected, and ensure the technology policies and processes are in line with the business.
2. Neglecting It Has A Cost Associated
There is no question that the lack of IT security will have a definitive impact on the bottom line. When there is a data loss, there will be labor costs for getting the data back in place, whether through manual entry or any other type of data recovery. Additionally, there may well be hardware replacement costs. Not to mention, the inability to manage the day-to-day tasks of billing, client work or just about anything else is costly in and of itself; while the data and systems are being recovered, the staff will still be getting paid as they wait to be able to do their jobs again.
3. Your Company Has Many Opportunities For Data Loss
The more diverse your network is, the more opportunities for data loss there are, and the more the complexity of your security should be considered. For example, if your network includes not only the in-house servers for file management but also cloud servers, mobile devices, virtual desktops and cloud applications, there are vulnerabilities that come with each aspect. Few are aware that data loss can be permanent with cloud applications, because they feel that the service providers provide the protection. But providers do not protect against disgruntled or careless employees who click the “Delete” button. Those records are considered to be deliberately deleted and are therefore no longer kept for retrieval. Have your IT team provide you with a detailed report of your network, virtual and on premise, including cloud applications in use, with the vulnerabilities and security solutions for each aspect.
4. Compliance Does Not Mean Security
For companies that are expected to meet certain security regulations, including HIPAA or the PCI Data Security Standard (PCI DSS), it must be understood that complying with those regulations does not mean protecting your network. The regulations were devised to ensure that your clients’ private data remains private, but they do nothing to protect or ensure the security of the rest of your business. While you may be in compliance with regulations as they are written, they will not go far enough to protect your entire network, especially if it is much more complex than just internal servers and a firewall. In 2009, Heartland Payment Systems experienced a major data breach while being in compliance with PCI DSS; it was suspected that hackers may have targeted servers deemed not as important to the business. If your business is required to be in compliance with certain regulations, be sure to do so, but in addition to your overall security plan, not as the entirety of it.
5. Security and Productivity Are Not Mutually Exclusive
The ability to access data remotely has not only increased the level of productivity CEOs have seen in their employees, but also added complexities to securing the data. The number and types of devices that access corporate data can vary greatly, and an executive decision needs to be made on what types of data are allowed to be accessed remotely and how. In light of the fact that one out of ten Android apps is affected by malware, making those decisions is more critical than ever. With employees bringing their personal devices onto the company’s network, the vulnerabilities are even greater. In an effort to bring order to what may be a wholly unmanaged landscape of devices accessing a vast array of data, bring your IT team together, discuss the types of data, access and devices required for your employees to be productive, and build security policies around that.
6. Not All Hackers Are The Same
If your idea of a hacker is some nameless, faceless, tech-savvy individual who is more of an idea than a threat, you have to re-evaluate that. The fact is hackers are very real, and your data is extremely valuable to them. But the type of data they are after will vary from hacker to hacker, and the type of hacking they do will also differ. The black market has a price for credit card information, email addresses and financial information of all sorts, as well as corporate information your competitors will find valuable. Some hackers will target you as a part of a larger group, where the payoff will be whatever data they can gather, while others will focus on you specifically for your corporate data, paid off by competitors known and unknown. All of them will exploit known and common vulnerabilities, betting they exist on your network.
7. Data Security Is Not Just A Question Of Technology
Company culture is an important aspect of the job of the CEO. Cultivating one that includes data security will do more than any firewall and malware protection software put together. IT security is not just a matter of the right hardware and software being put in place, but policies and processes as well. When the entire staff is made well aware of what these are and how they work to protect the business, managing IT security becomes substantially easier. Whatever your culture is at the moment, find a way to incorporate security into it in a way that makes the most sense for your business. In the end, data security should be seen as an important part of your company’s mission.