Last year was a big year for cyber security – and not necessarily in a good way. A few high-profile data breaches made the news, according to Network World, including several that involved health insurance companies (e.g., Anthem and Premera) and one huge breach on an important federal government office (the Office of Personnel Management). The latter especially was cause for concern, as the confidential information of almost 22 million current and former federal employees was stolen, along with the biometric data of 5 million people.
Data breaches aren't something that CIOs can ignore or think will never happen to them. According to IBM and the Ponemon Institute, the average consolidated cost of a data breach is now nearly $3.8 million – representing an increase of 23 percent over 2013. As CIOs make their to-do lists for the coming year, they should also consider the list of what they shouldn't do when it comes to their cyber security strategies.
Here are the top five things executives shouldn't do when they are looking at their security for the coming year:
1. Don't confuse cyber insurance with security
It's a good thing to have a financial backup plan when it comes to a business's most important assets. According to the National Association of Insurance Commissioners, the market for cyber insurance is just starting to take off as more companies realize its usefulness. However, being insured only helps after the fact – and cyber liability policies can't actually protect mission-critical data. Thus, it's important to make sure that cyber insurance makes up only one part of the complete security strategy of an organization.
2. Don't forget to educate employees about cyber security best practices
Employees are often the weakest link in the cyber security chain. As such, it's crucial for businesses to tell workers how to use email and the Internet in a way that won't compromise office networks. For instance, organizations can set up training sessions in which employees discuss when it is okay to click on links in emails and which websites they can and can't visit. This will help curb the number of phishing scams and malware infections reaching company networks, which saves money and time in the long term.
3. Don't get complacent
Just because a data breach hasn't yet occurred at a certain organization doesn't mean it won't eventually happen. Some industries are practically guaranteed at least one data breach. For instance, the Ponemon Institute found in 2015 that 91 percent of organizations within the health care sector had experienced at least one data breach during a five-year period.
According to Trend Micro, one of the major problems with the proliferation of data breaches in today's security landscape is that the events have become so common they no longer register. Enterprises and individuals alike are subjected to near-daily news about the latest security incidents, and that has led people to become desensitized to having protected information stolen. It's important, however, that CIOs don't take their security for granted and make sure they aren't growing desensitized to the very real threat of cyber attacks.
4. Don't neglect the company's disaster response plan
According to CSO contributor Brian Contos, having a disaster response strategy is crucial, yet some businesses don't have one or don't believe the ones they have are effective. This can create serious problems down the line, especially because every period a business spends offline costs a serious amount of money and can cripple an entire company.
"[H]ow organizations that were victimized handled the breaches [of 2015] is a direct reflection of the plans they had in place," Contos wrote. "Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organization had developed and tested in times of crisis."
In 2016, CIOs should make sure their companies have effective disaster response plans. This includes creating a strategy and testing it out before a network breach occurs. By making sure both employees and IT equipment are prepared for the inevitability of an intrusion, companies can minimize the impact it has on day-to-day activity.
5. Don't settle for less than the best cyber security solutions
It doesn't pay to invest in something that isn't going to do the job, especially when so much important data is on the line. The realization that a security solution is ineffective has a steep price, especially when it comes after a cyber attack has already been perpetrated against an organization's systems. Companies can't afford to install the wrong security software the first time, or any time after that.
Solutions from Trend Micro, like Trend Micro Deep Security, should be at the top of any CIO's wish list for 2016. By investing in the right cyber security products now, companies won't have to backpedal in the future, and their security strategies can experience a clear boost.
CIOs should keep these tips in mind for their cyber security strategies in 2016.