Forty million credit cards … 70 million client records … $148 million cost.
That was the impact of Target’s 2013 security breach.
Then, how about 4.5 million names, addresses, Social Security numbers, birth dates and telephone numbers.
That was the number of patient records stolen in the recent Community Health Systems (CHS) breach, an attack that hits closer to home, both geographically and psychologically, for many Middle Tennessee business leaders. Since the CHS breach involved permanent information that cannot easily be changed — unlike a credit card, for example, which can be cancelled and replaced — the long-term ramifications of this violation are potentially severe.
Don’t let your business become the next cyber breach headline.
Traditional approaches aren’t sufficient for today’s cyber security landscape and changing compliance requirements. We’ve talked in this column before about how the biggest headache that’s driving companies’ interest in IT security right now is dealing with compliance issues like HIPPA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) or SOX (Sarbanes-Oxley Act). Compliance standards are lengthy, confusing and full of technical jargon.
Achieving compliance also isn’t a one-and-done scenario. It’s something organizations have to work at every day to keep up with evolving technology. It’s no wonder business leaders are breaking out the aspirin. If you have data that falls under compliance standards like HIPPA, PCI and SOX, where you have to demonstrate that you control access to that data, traditional IT security protocols are costly, complex and take too long to deploy.
All is not lost, though. Even small and mid-sized businesses can put forth every effort to protect their clients’ data. Your organization’s defense against today’s modern threats should include five steps.
- Assess your network: A key problem area for many small and mid-size businesses is a lack of knowledge. Many business leaders simply don’t have a complete inventory of their IT resources and critical data. Take, for example, the CHS attack, which according to TrustedSec, an information security consulting company, leveraged the “Heartbleed” bug — which widely hit in the news back in April — and gained user credentials from an unpatched Juniper Network that was connected to the CHS network. From there, the credentials were used to login to CHS’ virtual private network. While we’ll likely never know whether or not CHS knew about the unpatched Juniper device, the health care company’s first step would have been to assess its network and create an inventory of its assets, installed software and any potential vulnerabilities and active threats.
- Find threats: Your threat detection system needs to extend well beyond prevention-only security tools such as firewalls and anti-virus software, and identify known malicious entities, compromised systems, potentially insecure behaviors and unpatched software. If you need to comply with PCI, HIPAA or Sarbanes-Oxley, this is also where you need to measure, manage and report on compliance.
- Respond to incidents: Small and mid-size business leaders often lack the specialized staff or security training needed to respond to IT security incidents as they occur. Whether you keep expertise in-house, or partner with an IT firm, when a breach occurs you need to analyze the threat, respond quickly and conduct a thorough investigation.
- Learn from others: Don’t operate your IT defenses in a bubble — find a systemized way to stay on top of everything from the latest threat gracing the headlines to time-tested security controls. When you learn something new, leverage and share that information with your peers.
- Adjust and improve your security system: Even the best data security systems are not perfect. There will always be cracks that hackers can slip through, and once they have the keys to the kingdom the volumes of data they’re able to extract are extraordinary. While this may sound extremely discouraging at first read, it’s really just a byproduct of all the amazing advances your organization gets to take advantage of every day because of technology. To continue to take advantage of these advances without being breached by a hacker, you need to treat your defense system as a living process that you continually adjust and improve.
This post originally appeared in The Tennessean.