■ How would the organization’s reputation survive a breach? The answer to this question may largely depend on the very nature of the business. For example, organizations holding vast amounts of personal information would be particularly vulnerable. Consider the 2017 breach at Equifax, a credit rating organization, where the breach struck at the primary focus of the business.
The degree of risk an organization is willing to accept will largely dictate the key steps it must take to defend itself. There are both human and technological considerations at play.
In looking at risk, the first thing to do – the first line of defence – is to start fostering a culture of cyber safety in the organization. This means employees should be well educated in safe practices and be aware of the methods hackers use to infiltrate a system. In addition, the culture of your organization should encourage fellow workers to look out for each other’s safe behaviour. By the same token, any unsafe practices should be called out.
Attackers are usually after user names and passwords, so employees must be familiar with any situation that could expose them. What kind of situation? It might be the use of unsecured networks, sharing credentials with fellow employees or storing information on removable storage drives.
Another avenue exploited by hackers is social engineering, which is growing with the proliferation of personal data. Potential attackers will follow a user’s social media sites and activities to gain insight into the individual’s personal profile. Pet names, preferences and lifestyle details are all things that help intruders answer security questions. It is of paramount importance that employees are aware of these dangers.
The second line of defence involves technology. A number of security providers offer technological solutions to enhance security. However, knowing how much to spend is the key consideration. The solution is to evaluate each security technology and determine which one provides the most value. The criteria outlined earlier to evaluate risk will help. Creating a strong cybersecurity foundation means – at the very minimum – investing in the basics, such as security intelligence, while continuously innovating to stay ahead of the hackers and continually improving processes to make them more secure.
The final defence is to test the organization’s system. This involves undertaking extreme pressure testing on all entry points to the system. It is not sufficient to test only compliance with the organization’s policies. Testing is a dynamic and continuous process that will identify vulnerabilities and allow organizations to outwit and outpace the attackers.
So, how much will all this cost? A good guideline is to work backwards: estimate the cost of a data breach, then put a value on the time it takes to rectify the damage. Then, multiply the total cost by the likely probability of this happening in any given year. Such an exercise will provide a benchmark which the organization should revise each and every year, based on the experience gained.
It can’t be stressed enough that addressing cyberattacks is a continuous learning process; it never stops. The degree to which employees embrace the learning as part of the organization’s culture will drastically reduce an organization’s exposure to cyberattacks.
Bill Ross is the founder of Vercerta.
26 ❚ AUGUST 2018 ❚ HR PROFESSIONAL