Six months after Target experienced the largest known cybersecurity breach in U.S. history, the statistics are still a sobering reminder of the impact.
Forty million credit and debit card numbers stolen. Seventy million records—including names, addresses and emails—also stolen. A 46 percent drop in profits in the fourth quarter of 2013.
News of other companies that have had sensitive customer data stolen in the past year, including Nieman Marcus, Schucks, Raley’s and Harbor Freight, should also alarm us.
There were more than 1,300 confirmed data breaches and more than 63,400 security incidents reported just last year, according to the 2014 Data Breach Investigation Report released by Verizon Wireless.
But when it comes to cybersecurity, many senior leadership teams aren’t doing enough to sound the alarms, former FBI deputy director and principal of PricewaterhouseCooper’s Advisory Forensics Services practice Sean Joyce told Compliance Week in a recent interview.
“It’s a 21st century risk that a lot of companies have not really come to grips with,” Joyce said.
Senior leaders expect their infrastructure to be secure, but too often, they take that security for granted. Traditionally, much of the actual work of containing and warding off threats has fallen to the information technology department, but cybersecurity is really a risk management and compliance issue.
The Chief Compliance Officer or Chief Risk Officer’s expertise in managing threats to the company brings an important perspective to cybersecurity matters. Here are four ways your CCO or CRO should contribute to cybersecurity.
Educating Employees
While cybersecurity should be a top priority for every company, the average employee sees frequent password changes and firewalls as hindrances to doing their jobs. This leads employees to look for ways to circumvent important security protections. Employees need to have a thorough understanding of not only the rules, but the reasons behind them. Your CCO or CRO can be instrumental in communicating the real threats of cyber-attacks in a language they can comprehend. They need to know how to spot a phishing scam, how to detect spyware and why certain websites are blocked in the workplace.
Consider what every individual needs to know about protecting his or her online identity and data at home, and then apply that to the workplace. Employees will be more likely to pay attention if you present information that can be useful to them in both their personal and professional lives.
Defending Against Data Breaches
The IT department may be more involved in implementing and monitoring the actual programs that ward off data breaches, but compliance executives should regularly review them to ensure they meet regulatory standards.
That includes examining how well your programs adhere to the National Institute of Standards and Technology’s framework for managing compliance risks.
Regardless of whether your company operates within a critical infrastructure sector where these standards are required, they are the authoritative voice on what you can do to protect your business.
They include guidance on the five core functions of any cyber-security program, which are:
- Identifying your risks
- Protecting your assets
- Detecting intrusions
- Responding to attacks
- Recovering after an attack
The standards and guidelines will continue to evolve over time, so it’s imperative to have someone who is keeping up with the changes.
Managing Cybersecurity of Third Party Vendors
Hackers have found that the quickest way to get to a company’s classified information is often through third-party channels. Businesses can implement internal controls and monitor their own networks, but that only goes so far. It’s much more difficult to gauge the security of a vendor managing your data, which can put your company at a significant risk if someone isn’t doing due diligence.
Compliance and risk management leaders have a responsibility to work with the IT department to vet new vendors and provide ongoing monitoring. This has even led to the rise of third-party security companies such as InfoArmor, which provides companies with real-time security reports about their vendors.
Calling in the Experts
One of the most important duties of any compliance professional is recognizing when the scope of a particular task falls outside his or her area of expertise. If a gap exists, your CCO must determine how to fill it. This could mean hiring an outside firm once a year to audit your cybersecurity programs or records management to ensure you are in compliance. It may also involve hiring compliance officers with information security expertise.
High-profile hacking events in recent years have put cybersecurity professionals in high demand. There are more job openings than job seekers, and that gap is expected to grow.
Recruiting compliance officers with that specific skill set can be a challenge, but it’s easier when you know where to look and what questions to ask. To learn more about how to evaluate compliance candidates, download our guide, “5 Essential Questions to Ask Compliance Officers.”
Connect with a legal recruiting advisor
* indicates required fields
