By Eric Brown, CIO, NCI Building Systems, Inc.
Here are a few rules of thumb:
1) You get more spam and viruses at work than at home;
2) Your corporate network password has been 5 lowercase letters for the last five years; and
3) You occasionally view marketing thumb drives on your laptop from Chinese and Russian vendors.
These are exaggerations for most firms, but the concept still applies – regular investments in cybersecurity are as essential today as stone walls were to a medieval city.
And just like fortified cities, your cyber defenses should be in layers. “Must haves” are all the usual suspects such as strong passwords, intrusion detection and segregated duties; additional layers, the “nice to haves,” range from biometric identification to statistical analysis of traffic patterns and outlier behavior.
The media and cybersecurity blogs often focus on standards (such as PCI for credit cards) and general good practices.
The key to success for your company is to build security around your highest-risk assets, whether physical or intangible (such as customer trust). Practically, this means starting with “good enough” base security and adding defenses specific to your risk profile. Examples of industry-specific key assets to protect: oil and gas exploration firms’ proprietary seismic data; manufacturers’ programmable logic controllers; and medical organizations’ patient data.
The Forbes article below, which lists lessons learned from Target’s most recent data breach, emphasizes the need to invest in cybersecurity defenses, as well as a practical customer response strategy. Think of these lessons learned as layers of defense, some baseline/off the shelf and others specific to your company’s relationship to its customers.
Bottom line: Spend enough money for a strong cybersecurity baseline, then use value-at-risk to invest in additional layers where it matters.