Top Cyber-Risk Issues -- Takeaways from the National Center of Cybersecurity Excellence Speaker Series
Mary Hildebrand, CIPP/US/E/AIGP
Global Privacy, Cybersecurity and Intellectual Property Attorney • Authority on Data Privacy & Cybersecurity + IAPP Certified for AI Governance
Published May 22, 2017
I recently had the good fortune of participating in an excellent Speaker Series sponsored by the National Center of Cybersecurity Excellence (NCCoE)*. Our program, which included representatives from industry, the technology sector and trade associations, focused on Cyber-Risk in the Hospitality Industry. While we covered a broad range of cybersecurity issues unique to the hospitality sector, the top three are relevant across all industries:
- Think outside the “Pure Tech” Box: Ensuring cybersecurity across your organization often means looking beyond the technology systems that collect and process critical data to the entire infrastructure you – and many others – rely on every day. Attacks on industrial control systems are on the rise. In a hotel or similar facility, that infrastructure includes physical security systems, key technical and work facilities, and the computerized environmental controls that regulate heating, air conditioning and the electricity that quite literally powers your entire enterprise. Because these control systems are increasingly networked, they belong in your asset inventory and should be segmented from the systems that handle guest and payment data. Losing control of them, even temporarily, is definitely not good for business.
- Vendors can be your Achilles Heel: Vendors may be the “weak link” in an otherwise tight cybersecurity program. Engaged to provide a wide array of products and services, vendors are often permitted access to physical locations, technology systems and reams of critical data (which may be removed from your premises for purposes of providing the products/services). Quite simply, they may control key parts of your business and, as far as your customers are concerned, they are you! Yet many businesses pay scant heed to screening the cybersecurity practices of potential vendors, or limit the inquiry to a single regulatory regime (e.g., HIPAA) or geographic area (e.g., a company that conducts business with EU residents neglects to take the GDPR or other EU data protection laws into account when vetting a vendor). There is no doubt that you are responsible for your vendors – and their data breaches – so make sure they are up to your cybersecurity standards, and that your contracts require them to stay there and to notify you promptly when something goes wrong.
- Don’t Delay Training: In the day-to-day press of business, it’s all too easy to reschedule cybersecurity training sessions. This may be especially true when your business is expanding so new hires are a common occurrence, or you rely on temporary or seasonal staff. Nonetheless, these individuals will often be deployed immediately, with training to be provided “when things settle down.” There are simply no short-cuts on this one – train your personnel on a regular basis and do not let new hires work unsupervised until the process is complete.
These are a few quick items that I hope will spark thought regarding ways to help your organization strengthen its security and better protect the business against network intrusion, data breach, fraud loss, and damage to reputation.
*NCCoE, part of the National Institute of Standards and Technology (NIST), is a public-private partnership that provides practical cybersecurity solutions for specific industries and cross-sector technology challenges. Check it out at https://nccoe.nist.gov/.