This article is by George Westerman, a research scientist in the MIT Sloan School of Management’s Center for Digital Business. He is co-author of IT Risk: Turning Business Threats Into Competitive Advantage.
A few years ago I was working with a small consulting firm, and one of our up-and-coming salespeople left for a competitor. No big deal. It happens. But several months later, the management team noticed a disturbing trend. The company kept losing bids for new business to this very same competitor. It had happened four times in a row when we finally realized that we’d forgotten to turn off the former employee’s network access. He had been logging into our network, stealing our information, and then undercutting us.
The fact is, if you’re in business, you’re a target. If you’re on the Internet, you’re already under attack. Companies today face what’s known as an advanced persistent threat, a category of cybercrime that involves Internet-enabled espionage directed at corporate and political targets. Hackers are not just nerdy teenage kids fooling around in their basements; they are sophisticated criminals trained to identify and exploit Internet vulnerabilities. Hackers try to make money any way they can. They look for information on your accounts and finances. They look for information about your employees and your customers—Social Security numbers, addresses, credit cards, and other personally identifiable information. They try to use you as a tunnel into the systems of your suppliers and customers.
First, train employees on IT risk. People who are risk-aware do fewer risky things. They do not need to know every threat or technical detail, but they should know the basics. Teach them how hackers operate: Explain how hackers constantly run scripts across the Internet to find unprotected computers and then use toolkits to launch massive attacks on those weaknesses. Teach them how to recognize scams and phishing schemes—emails or phone calls from purportedly trustworthy groups that try to get access to your credit cards and financial accounts. Use vivid examples so they get it. In 2011, for instance, Condé Nast received an email that appeared to have been sent by its printer, requesting that payment be sent to a different account. The magazine publisher lost nearly $8 million before learning that its printer had never changed its banking information and hadn’t received any of the money.
Second, create clear and simple company policies regarding technology. Make sure your employees understand how and when they’re allowed to use personal devices on company networks. Make sure any changes to the network are reported or automatically logged. I once consulted for a semiconductor firm that, naturally, had very strong Internet security and a powerful firewall. However, one of its engineers added a Wi-Fi card to his desktop computer so he could access the network from other parts of the building. Unfortunately, this Wi-Fi card also allowed hackers to access the network from the parking lot.
Third, put somebody in charge of security. Big companies have armies of security specialists who work full-time on these issues and protect their company’s information. Obviously this is harder to pull off when you’re a smaller company without vast resources. But even small companies must give someone clear responsibility for security.