With this latest in a string of highly publicized data breaches over the past 24 months – at Target (tgt), eBay (ebay), Home Depot (hd), JP Morgan Chase (jpm), and others – business executives and corporate directors must confront to two truths: first, every company relies on information technology and the Internet; second, no corporate leader should be excused for failing to have in place programs to prevent and remediate cyber threats – whether stolen data, corrupted information, compromised identities, or worse.
The question is, how can executives, particularly those without technical background, know what to do? They don’t have to look hard for answers, because information technologists actually know a lot about how companies should protect themselves. Basic “cyber hygiene,” including one approach known by many security experts as Critical Security Controls, will thwart most attacks.
Last year, Jim Lewis from the Center for Strategic and International Studies identified four measures that stop more than 80% of all known attacks. They include: taking inventory of hardware; taking inventory of software; limiting administrative permissions; and automating network monitoring. These measures were also endorsed by Peter W. Singer, co-author of Cybersecurity and Cyber War, and Tom Wheeler, chairman of the Federal Communications Commission.
They’re basic steps — equivalent to brushing your teeth, flossing, and visiting the dentist twice a year. They allow an enterprise to know what’s connected to its networks and what’s running on those networks. They highlight the importance of knowing who has the ability to bypass, override, or change a network’s security settings, and they give organizations up-to-date and measurable information on the state of repair that the networks are in. When things go amiss, enterprises can, with the aid of these controls, move rapidly to respond. Many of the breaches we’ve seen recently could have been avoided with proper cyber hygiene.
Which raises the question: if they are so effective, why haven’t we seen more firms adopt them? Because until recently, the government viewed large data breaches as a problem for the nation’s intelligence community to deal with, while businesses treated intrusions as a nuisance or a cost of doing business.
Some experts criticize basic hygiene as not being comprehensive enough, insisting instead that literally hundreds of measures be included in any company’s cyber security strategy. Others argue that there is no “one size fits all” solution; that every organization must have its own remedy – an argument akin to saying that every car needs its own unique seatbelt system, and that every driver is responsible for finding, configuring and installing it.
To be sure, just as wearing seat belts won’t save you from all accidents or keeping your teeth clean won’t save you from all cavities, basic hygiene won’t stop every cyber attack. But it does represent the most important set of things to do first to limit and reduce the chances.
Every executive and board director should ask the following questions:
- Do we know what’s connected to our company’s systems and networks?
- Do we know what’s running, or trying to run on our systems and networks?
- Do we limit and manage the number of people who have the administrative privileges to change, bypass, or override our IT security settings?
- Do we have in place continuous automated processes backed by security technologies that will allow us to prevent most breaches, rapidly detect all that do succeed, and minimize damage to our business and customers?
- How would we demonstrate this to ourselves and to others?
Indeed, many corporate business and security leaders have begun to focus on basic security hygiene – a move that may help explain why their companies are not showing up in the breach headlines. Over the long term, companies that succeed financially always seem to focus on the basics of business first – and keeping customers’ data safe is one of the most important business basics.
Accepting this responsibility will distinguish market leaders going forward. If leaders fail to do so, there really is no excuse.
Jane Holl Lute is president and CEO of the Council on Cybersecurity. Lute served as Deputy Secretary of Homeland Security from 2009 to 2013.