Time to Take Security Seriously
Cybersecurity experts have been warning for a long time of vulnerabilities in private and public computer systems. However, it is only in the past few years that numerous publicized breaches have exposed the full magnitude of the problem. Here are some of the top hacks of 2016:
- User names and passwords for 500 million accounts were stolen from Yahoo.
- Data about 1.5 million Verizon Enterprise customers was stolen and placed for sale online.
- Tax information for 724,000 people was exposed by an IRS breach previously reported as affecting 114,000.
- Russian hackers gained control of the support portal for Oracle’s MICROS point-of-sale systems. MICROS has point-of-sale terminals (card readers) at 330,000 retail sites worldwide.
- Russian hackers also broke into the email system of the Democratic Party, maintaining access for about a year.
The last item has been in the news these past few weeks, since the release of the stolen emails had an impact on the presidential elections. It is worth noting that the email system was not well secured. This situation is common because cybersecurity has not been a priority in most organizations, as it has been seen as a secondary role within IT.
But organizations are now totally dependent on computers and the networks they run on. It is difficult to imagine a company today that is able, as it would have been a few years ago, to operate for an extended period of time without computers. Information system security is now best seen as a fiduciary duty, of concern all the way up to the board of directors. For example, since 2011, the SEC has required that cybersecurity issues be reported to investors. More importantly, it is bringing charges when proper practices are not followed and a data breach occurs.
A significant data breach can cost more than money. It can also damage the reputation of a company. On the other hand, a reputation for strong security can be a competitive advantage in a world where both customers and investors are increasingly tuned in to the problem.
Cybersecurity is now important enough that some companies have created a new role, that of Chief Information Security Officer. The management structure of companies is varied, and there is probably more than one way to organize cybersecurity efforts. One thing that we know for sure is that it can no longer be relegated to some obscure corner of the IT department. There is too much at stake.