We sat down with Provident Bank’s very own Information Security Officer, Nathan Horn-Mitchem, this week and discussed his world-view when it comes to security, his take on the recent rash of cyber attacks, and the single most important thing business owners should know about protecting their most prized possession—their data.
Don’t let his youthful smile and geek-chic glasses fool you: Horn-Mitchem is the real deal. He has worked in the Information Security Industry for more than a decade. His most notable stints before joining Provident include Johnson & Johnson, Accenture, and consulting positions for Goldman Sachs and Deutsche Bank. He holds a CISSP (Certified Information Security Systems Professional) certification.
Most importantly, his message is too crucial to ignore.
Nathan Horn-Mitchem: I think about it this way. Your data is your company. It doesn’t matter what industry you’re in; you can’t function without your data. Thus, it becomes priceless to your organization. That data has a very real, tangible value to other parties, as well, and if something is valuable, you can be sure other people will try to steal it.
Every company should have data security controls in place because a data breach isn’t a singular event for a company. The initial breach is what we always talk about, but what isn’t discussed is the long-term effect of your customers’ lost faith in your entire organization.
The majority of data breaches go unreported. The legal definition of a data breach varies by jurisdiction and many breaches don’t satisfy the legal definition, so no one is told.
Sadly, this isn’t anything new. It’s been happening for years. There’s just been more awareness recently by consumers, the media, and companies about what a data breach means, so it’s now a higher-profile event.
Hacking committed by a nerdy kid in his mom’s basement, as so many people think of it, isn’t the reality anymore. Hacking has become big business. It’s performed by organized crime, governments, and even organizations targeting their competitors. There are readily-available tools that make it easier to be a bad guy than a good guy. There’s also big money to be made by being a bad guy.
I think these incidents will continue to escalate, and it will force both consumers and organizations to think more intentionally and make better decisions about data security.
The best technology anyone can use to prevent hacks is their brain. Computers do exactly what they’re programmed to do, so if we depend solely on technology to keep us safe, we’ve already lost.
News stories about cyber crimes usually describe a sequence of events leading up to the critical moment. People need to think through situations, raise the alarm on suspicious events, and make smart decisions about not clicking on suspect links or visiting websites with malware. I’ve yet to see a single hacking event that didn’t involve some sort of human error.
A major part of gaining access to information involves social engineering and phishing. Social engineering is the practice of tricking someone into divulging information to a person who shouldn’t have it. Watch the TV show White Collar to see how these crooks operate.
Phishing occurs when hackers pretend to be an organization that you have a relationship with and send you a legitimate-looking email collecting personal information. Your bank will never ask for your Social Security Number because they already have it. They don’t need your password because they manage the systems you’re logging into. Yet consumers fall for these scams all the time.
At Provident, our goal is to align ourselves with security best practices in the financial sector. That involves having defense in depth: multiple controls, or fail-safes, that should prevent data breaches. That way if one control fails, the other controls are still in place.
Your house is a perfect example of defense in depth. How do you keep your house safe? You have outside lights, a deadbolt, window locks, an alarm system, neighborhood watch, a big dog, a baseball bat in the closet, your local police, and homeowners insurance. Some of those controls are designed to prevent burglars from attempting to break in, in the first place. Some are designed to detect burglars trying to break in. And the rest kick in if a burglar succeeds.
We emphasize employee security training, too. As I mentioned before, the weakest link in security is usually not a misconfigured server, but a person who makes a mistake or doesn’t report an issue. We also put numerous controls in place to detect and prevent security breaches, including data classification, data loss protection tools, disablement of USB ports and removable storage drives, outbound email encryption, and personal email website blocks.
Understand who has access to your data and your network. An increasing number of companies with strong security programs are suffering data breaches because a third-party vendor with access to data or the company’s network doesn’t have a strong security program. Target’s breach occurred because its HVAC company had access to their network and one of its employees was the victim of a phishing email.
It really depends on the security event, but it boils down to identifying the breach, gathering the right people to make decisions, acting swiftly, documenting decisions and actions, and executing a pre-determined security incident plan. Communication is extremely important, ensuring that all the right people understand their role/responsibilities in resolving the incident successfully.
The most profound impact of a breach is that you lost control of data you were entrusted to keep safe. Depending on the nature of that data, a breach could lead to a number of negative consequences, including loss of customer trust, inability to do business, and civil or legal suits.
Information Security is a mindset, not a department. If people think it’s the job of a single department to keep the organization’s information safe, you will most likely suffer a security breach. Every employee needs to be in the business of keeping the organization’s information safe with leadership and support provided by the Information Security Department.
*This is the fifth installment of “Safeguarding Your Business,” a series that educates you on how to stop defending yourself against external business threats. It will help put you in a position of offense, where you can start thinking strategically about your business. If you missed the previous article, you can find it here.