Cybersecurity threats are relentless. In January 2018, the Spectre and Meltdown computer chip flaws exposed security weaknesses in the very foundations of computing infrastructure. (I've synopsized what follows from a recent article in the WSJ.)
During the past few years, companies have amassed mountains of data about hack attempts but still have slim knowledge of how much danger they really face. One reason is that there are no widely accepted metrics for measuring the health of a company's defenses, so security specialists have to devise metrics that make sense for their own company and that are comprehensible to executives and boards of directors. Microsoft Corporation ranks its top enterprise-information risks on a scale of 1 to 15 so that the board has a coherent view of the security team's priorities. A risk such as a gap in the company's supply chain can move up that scale between board meetings if the security team learns that attackers can exploit a vendor's technology. Companies can also use data from security rating firms to benchmark themselves against industry averages.

Those data should be read alongside two other measures: 1 – the percentage of the company's software that is on the latest available version, and 2 – how quickly a significant intrusion is detected, where the expectation is that the time from compromise to detection and containment should keep shrinking from one reporting period to the next.

One of the biggest threats is steadily becoming clearer: employees logging into corporate systems remotely, sometimes from their own devices. (I should also mention that it is wise to keep consumer apps such as Facebook, Twitter and LinkedIn off company computers: their accounts are frequent targets for phishing and credential theft, and they widen the attack surface of a machine that also holds company data.) To limit what a compromised employee account can reach, companies are starting to grant access only to the specific sections of data a person needs, rather than to the entire network. This makes very good sense – we have long been too liberal in how open our systems are.
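The two measures above are easy to state but only useful if they are computed the same way every quarter. The following is an added example, not code from the article or from any company it mentions, showing one way to derive both numbers from a small inventory of installed software and a list of past incidents. All host names, product names, versions and timestamps are constructed for the example; the functions `patch_currency`, `lagging_hosts`, `detection_times_hours` and `is_diminishing` are my own.

```python
"""Added example (not from the article): computing two board-level security
metrics, patch currency and time-to-detect, from constructed sample data."""
from datetime import datetime


def parse_version(version: str) -> tuple:
    """Turn '1.24.0' into (1, 24, 0) so that versions compare numerically.

    Comparing the raw strings would rank '1.9' above '1.10', which is wrong.
    """
    return tuple(int(part) for part in version.split("."))


def patch_currency(inventory, latest) -> float:
    """Fraction of installed software instances that are on the newest version.

    inventory: iterable of (host, product, installed_version)
    latest:    mapping product -> newest available version
    """
    total = current = 0
    for _host, product, installed in inventory:
        total += 1
        if parse_version(installed) >= parse_version(latest[product]):
            current += 1
    return current / total if total else 0.0


def lagging_hosts(inventory, latest) -> list:
    """Hosts running at least one product below the latest available version."""
    return sorted({
        host for host, product, installed in inventory
        if parse_version(installed) < parse_version(latest[product])
    })


def detection_times_hours(incidents) -> list:
    """Hours from first compromise to detection for each incident.

    incidents: list of (first_compromise_iso, detected_iso), oldest first.
    """
    hours = []
    for first_compromise, detected in incidents:
        delta = datetime.fromisoformat(detected) - datetime.fromisoformat(first_compromise)
        hours.append(delta.total_seconds() / 3600)
    return hours


def is_diminishing(values) -> bool:
    """True when every value is strictly smaller than the one before it."""
    return all(later < earlier for earlier, later in zip(values, values[1:]))


# Constructed sample data (hypothetical hosts, products, versions and dates).
INVENTORY = [
    ("web-01", "nginx", "1.24.0"),
    ("web-02", "nginx", "1.22.1"),
    ("db-01", "postgres", "15.4"),
    ("db-01", "openssh", "9.3"),
    ("jump-01", "openssh", "9.4"),
    ("web-01", "openssh", "9.4"),
]
LATEST = {"nginx": "1.24.0", "postgres": "15.4", "openssh": "9.4"}
INCIDENTS = [
    ("2018-02-03T08:00:00", "2018-02-10T08:00:00"),
    ("2018-05-14T22:30:00", "2018-05-17T10:30:00"),
    ("2018-09-01T00:00:00", "2018-09-02T06:00:00"),
]


def board_summary(inventory=INVENTORY, latest=LATEST, incidents=INCIDENTS) -> dict:
    """The two numbers a board would see, plus the hosts that drag the first one down."""
    times = detection_times_hours(incidents)
    return {
        "patch_currency_percent": round(100 * patch_currency(inventory, latest), 1),
        "lagging_hosts": lagging_hosts(inventory, latest),
        "detection_hours": times,
        "detection_time_improving": is_diminishing(times),
    }


if __name__ == "__main__":
    print(board_summary())
```

On the sample data this reports 66.7% patch currency with `db-01` and `web-02` lagging, and detection times of 168, 60 and 30 hours, so the trend is improving. The version parser is the part worth keeping: an inventory that compares version strings lexically will quietly count hosts as current when they are not.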
Even the federal government has serious difficulties here, particularly with contractors who often have access to large swaths of data and sometimes misuse that access. As noted above, it is often a vendor's vulnerabilities that open the security gaps a company must close, so how far to trust business partners has recently become a serious concern. Finally, for those beginning to look closely at cybersecurity, boards of directors are starting to tie cybersecurity safeguards and assurances to the compensation top executives receive: if a breach results from inadequate safeguards, the CEO may be fired or see his pay cut sharply. That is only as it should be. CEOs, even those who are not technologically competent themselves, should be about the business of hiring people who are to protect the company's systems. A company's data systems are the most important assets it has in today's environment of fast-moving decisions and actions.