We've assigned the #1 spot on our 2013 list to a seemingly dated topic, rather than a new risk: compliance with government and industry-specific regulations. What's new is additional enforcement, making non-compliance potentially more expensive. The fallout of compliance failures also correlates directly with the second-largest risk factor in this list, instant exposure. The media spotlight, enabled by social media and mobile devices, can rapidly amplify any financial, health, education, or personal data breaches. In fact, the ability to respond quickly and properly marks the theme for all of the items on our 2013 list.
1. Compliance: It is a relentless battle for companies to comply with regulatory requirements. Regulations such as the Health Insurance Portability and Accountability Act, Gramm–Leach–Bliley Act, and Sarbanes-Oxley have been in place for several years now, and some companies have grown complacent. When these regulations first appeared, companies set policies and procedures to meet them. Today, your company may have new personnel, systems, or business operations. Are you still compliant? New legislation is giving some regulators more authority, increasing potential fines and sanctions for violations. Make it an annual tradition to revisit these regulations and check your compliance.
2. Instant exposure to the world: A data leak is bad enough. News stories about your company's problems add insult to injury. Sites like Wikileaks use networks of hackers to obtain information and release it to the public. First, is your data secure? Second, does your company have a plan should a leak occur? The best plan is prevention, but if you run into a media storm, have your media response and social media policies and procedures ready.
3. Improved social engineering attacks: Your employees may be leaving the online "door" to your company unlocked. People often provide personal information in their social media profiles (addresses, birthdays, places of employment, hobbies, pets' names) that commonly comprise the answers to security prompts for password changes. Hackers can access an unsecured social media profile, then unlock passwords to bank accounts, credit cards, and employees' accounts on company systems. This practice—hackers taking advantage of people's natural tendencies—has come to be known as "social engineering." Educate your employees about online risks, and ask them to secure their accounts by removing personal details.
4. Smart phones, tablets, and other mobile devices: By their nature, mobile devices are easily stolen or lost. Your company needs to protect its data on every device that holds it. Employer-owned devices are more secure than employee-owned devices because the company can configure and enforce security settings centrally. If you don't have an IT security policy for all the mobile devices that connect to your company's systems, write one this year.
5. Cloud computing and application service providers: Maintaining your own systems and business applications is costly and time-consuming. Many companies are moving to the "cloud" and outsourcing application hosting and system maintenance to third-party providers. If you do this, find out how the provider accesses the cloud, what controls are in place, and whether connections to the provider are secure. If the Internet goes down, could it take your business offline? Is the connection encrypted? Perform due diligence on third-party vendors, and develop a back-up plan for accessing your data.
6. Logging: Are your systems configured to log security events, such as unauthorized network access attempts (either internally or externally), locked-out accounts, password failures, and other auditable events? If not configured correctly, logs can be unwieldy to review, reducing the chance they'll be reviewed daily. Systems are available to help aggregate logs and identify threats, and Managed Security Services (MSS) vendors can help monitor your system's perimeter for attempts to access your company's information.
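The review the logging item calls for (failed passwords, lockouts, access attempts) can be automated even without a log aggregation product. The script below is an added example, not part of the original article or any vendor's tool: it parses a handful of constructed, syslog-style authentication lines (the format of the lockout line is an assumption, modelled loosely on a PAM tally message) and raises three kinds of alert: a source that fails past a threshold, an account that was locked out, and a successful login that immediately followed several failures from the same source. Thresholds are parameters, not recommendations.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example; not taken from a real system.
SAMPLE_LOG = """\
Jan 14 08:01:12 fileserver sshd[2201]: Failed password for alice from 10.0.0.5 port 51012 ssh2
Jan 14 08:01:15 fileserver sshd[2201]: Failed password for alice from 10.0.0.5 port 51013 ssh2
Jan 14 08:01:19 fileserver sshd[2201]: Failed password for alice from 10.0.0.5 port 51014 ssh2
Jan 14 08:01:25 fileserver sshd[2201]: Accepted password for alice from 10.0.0.5 port 51015 ssh2
Jan 14 08:02:02 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 14 08:02:03 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 14 08:02:04 fileserver sshd[2210]: Failed password for invalid user root from 203.0.113.7 port 40003 ssh2
Jan 14 08:02:05 fileserver sshd[2210]: Failed password for invalid user root from 203.0.113.7 port 40004 ssh2
Jan 14 08:02:06 fileserver sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Jan 14 08:03:40 fileserver pam_lockout[2250]: user bob (1002) tally 5, deny 5, locked out
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
# Assumed lockout message format for this example.
LOCKOUT_RE = re.compile(r"user (?P<user>\S+) .*locked out")


def parse_events(log_text):
    """Turn raw log lines into (kind, user, src) tuples; lines we don't recognise are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m["user"], m["src"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m["user"], m["src"]))
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            events.append(("lockout", m["user"], None))
    return events


def summarize(events):
    """Daily-review style counts: failures per source, failures per account, and lockouts."""
    return {
        "failures_by_source": Counter(src for kind, _, src in events if kind == "failed"),
        "failures_by_user": Counter(user for kind, user, _ in events if kind == "failed"),
        "lockouts": [user for kind, user, _ in events if kind == "lockout"],
    }


def find_alerts(events, fail_threshold=5, success_after=3):
    """Return (alert_kind, subject) pairs worth a human look."""
    alerts = []
    streak = defaultdict(int)  # (user, src) -> failures since the last success from that pair
    for kind, user, src in events:
        if kind == "failed":
            streak[(user, src)] += 1
        elif kind == "accepted":
            # A success right after a run of failures may be a guessed password; it may
            # also be a user fumbling a new password, so it is an alert, not a verdict.
            if streak.pop((user, src), 0) >= success_after:
                alerts.append(("success_after_failures", f"{user}@{src}"))
        elif kind == "lockout":
            alerts.append(("lockout", user))
    per_source = Counter(src for kind, _, src in events if kind == "failed")
    for src, n in per_source.items():
        if n >= fail_threshold:
            alerts.append(("brute_force_source", src))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for key, value in summarize(evts).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    for alert in find_alerts(evts):
        print("ALERT:", *alert)
```

Run as a script it prints the summary and alerts for the embedded sample; pointed at a real log file it needs only the regexes adjusted to that system's message formats. The same structure (parse, count, threshold) is what a log aggregation or MSS product does at scale, so a small script like this is a useful way to decide which events are worth forwarding to such a service.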
7. Patching and system updates: Do you upgrade or "patch" your systems as soon as you know there's a problem? Many public websites post details about system and application vulnerabilities with the aim of educating legitimate users, but hackers use the same information as a roadmap for network access. You can greatly reduce the risk of unauthorized network access by putting a patch management program in place.
8. Internet protocol version 6 (IPv6): Internet protocol (IP) addresses have served us well for years, but, like phone numbers, we are running out of them. The old IP system (IPv4) is being replaced by IPv6, which provides longer IP addresses and more addressing options. IPv6 needs to be configured correctly to be secure. Educate IT personnel on IPv6 now to prepare for the transition.
9. Incident response: A breakout of malware on an internal network can wreak havoc in a short period of time. Be sure your company has an "Incident Response" policy and procedure guide. Identify and train the personnel who may need to respond quickly.
10. Passwords: IT security experts debate what defines a good password. Some say the more complicated the password requirements are, the more likely it is to be compromised because employees are more likely to write it down. Nonetheless, passwords are still the first line of defense in protecting systems and applications. Companies should maintain strong password requirements, but due to hackers' increasingly advanced tools for cracking passwords, you may want to consider dual-authentication procedures for access to secure systems. RSA tokens and text message verification provide your systems with another layer of security.
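The "another layer" the passwords item describes is a second factor checked alongside the password. The code below is an added example, not from the original article or any token vendor: it implements the open time-based one-time password standard (TOTP, RFC 6238, built on HOTP, RFC 4226), which is the same idea as a hardware token or a texted code, namely a short code that changes every 30 seconds and is derived from a shared secret. It stores a salted, iterated password hash, accepts codes from the adjacent time steps to tolerate clock drift, and refuses a code that has already been used. The account, password, and secret are constructed for the example; the secret is the published RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time step whose code matched, or None. Accepts +/- `window` steps of drift."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def make_user(password: str, totp_secret: bytes) -> dict:
    """Store a salted PBKDF2 hash rather than the password, plus the token secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret, "last_step": -1}


def check_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def authenticate(users: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a previously used code is rejected even if it is still valid."""
    record = users.get(username)
    if record is None:
        return False
    pw_ok = check_password(record, password)          # evaluate both factors before deciding
    step = verify_totp(record["totp_secret"], code, unix_time)
    if not pw_ok or step is None:
        return False
    if step <= record["last_step"]:
        return False                                   # replay of a code already accepted
    record["last_step"] = step
    return True


# Constructed account for the example; the secret is the RFC 6238 test-vector key.
USERS = {"alice": make_user("correct horse battery staple", b"12345678901234567890")}

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)   # what alice's token would display
    print("code now:", code)
    print("login:", authenticate(USERS, "alice", "correct horse battery staple", code, now))
    print("replay:", authenticate(USERS, "alice", "correct horse battery staple", code, now))
```

Two design points carry over to any second-factor deployment, whichever product supplies the codes: compare codes and hashes with a constant-time comparison, and record the last accepted time step per account so that a code intercepted in transit cannot be reused within its validity window. Text-message delivery adds the risk that the phone number itself is taken over, which a time-based token does not share.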