In a previous article, I briefly mentioned what a data breach was and gave a general overview of how an organization or entity should handle it. I spoke about how companies can draft a comprehensive incident response plan to tackle any future attacks. But what if you are the person in the company who is responsible for managing and implementing the IT infrastructure? The position I am talking about is that of a Chief Information Officer (CIO) or as most would like to call them ‘the sacrificial lambs of a data breach response.’
Let me give you some background as to why I used that phrase. Suppose a data breach has occurred, and you take the necessary steps to limit the damage done. However, you will not be able to stop the blow it will have on you financially and in terms of reputation. With the level of damage caused, shareholders are considering future risks, executives are worried about getting fired and facing lawsuits, and the board members are also into the play. The average human tendency is to blame someone for a disaster.
So, everyone tries to play ‘pin the blame on the CIO.’ While blaming one person might be unjust, and this is the only option most companies will exercise to thwart the damage done to their reputation. I am not making this up. In 2014, after a data breach of 40 million credit card details and 70 million customer details, the CIO of Target was forced to resign. In 2019, CIO of Equifax had to resign following a massive data breach. The list is quite long.
However, this is not always a losing battle for the you. If appropriate preventive measures are taken, there is a big chance that you will not be shown the door after a breach. So, what should you do in case of a data breach? First, let us understand who a CIO is.
Who is a CIO, and what is their role?
A Chief Information Officer is a job title given to a senior executive in a company that is responsible for managing, implementing, and working with information technology and computer systems. A CIO typically reports to the Chief Executive Officer (CEO).
CIOs need to have proficient knowledge in business and IT to help support enterprise goals. CIOs should possess hard and soft skills to excel at their job. They must know the technology trends and have working knowledge of every department’s functioning to determine their IT needs. They need to be a bridge between IT and non-IT employees. Furthermore, the CIO works closely with the Chief Financial Officer (CFO) by playing a crucial role by using ICT to help control costs and increase profits. They are also responsible for planning for recovery from any possible disasters or incidents.
Understanding CIO’s role in security
Now earlier, I mentioned a couple of people getting sacked over data breaches. That was not meant to scare you off the job. If anything, that should be an extra piece of motivation to have security as your top priority. Now, why should a CIO be involved in security apart from the “sacking” part? CIOs are the best in the company to understand the complexities and working of the IT infrastructure and the services. CIOs should, therefore, extend their focus on these three key areas:
- Vulnerabilities: A vulnerability is a weakness that can be exploited by attackers to carry out malicious attacks. As a CIO, along with focusing on the business facilities, the focus should also be on the weaknesses arising from these facilities and devising methods to counter those weaknesses. Keep a mindset looking for gaps not only in strategic business but also in technology threats.
- Internal security awareness programs: Every single person can be a vulnerability for the company. An employee may insert an infected USB, open a malicious email, not install a security patch, be a corporate spy, or just a disgruntled employee. As a CIO, you must interact with IT and non-IT employees, making the most out of it. Make them aware of the possible security threats and repercussions. Make it a point for them to report any suspicious activity. And most importantly, deliver all this in simple terms to be understandable by all.
- Regular security reviews: The key idea here is to make sure you have the right technology for your company. By the right technology, I mean using technology that can catch any potentially harmful activity and does not cause any dangerous activity. A CIO must conduct regular security checks and reviews for the same, including any third-party resource.
- Comply with regulatory standards: If this point is not adhered to, then you are just digging your own grave. Regulatory standards like GDPR, CCPA, HIPAA, APRA compliance, and so on must be adhered to.
- Securing the workplace: As I mentioned earlier, employees can be vulnerabilities for your business, and while it will be difficult to control their actions, what you can do is access control. They should not be in charge of the settings of their resource, the company should be. Subject the laptops and other resources to a centralized settings management and policy enforcement. Make sure that a data stream is routed and accessible only as per the employee’s security clearance. A public relations person should not be able to access the code of a programmer in the organization. Access to data should be just enough for the employees to do their job. Securing the workplace means uninstalling chaos and installing a sense of confidence.
- Special data: The CIO should make sure special data like research documents, technical documents or blueprints, non-public company documents relating to finance, marketing, and management get special treatment. They should be protected, encrypted, and tracked with so much surveillance as the company’s life depends on them.
Now, after all this, if there is a data breach, what should a CIO do?
- First and foremost, do not give up. He/She should not simply throw their hands up and say something like, “The end is near.” As I said in my previous article, it is imperative to act immediately. The goal is to limit the damage and not to see the ship sink.
- The speed at which the CIO and his team can respond to a threat is crucial. Assessing the damage, securing unaffected departments, finding the root of the problems, doing damage control, and shutting down servers and accounts should be done immediately.
- Determine the immediate risk the attack poses to the entire system’s stability.
- Communication is essential. Getting the legal and public relations team on board as fast as the IT team is equally important. Inform the customers, stakeholders, and board members about the attack, its magnitude, and what you are doing to lessen the damage. Physically lock away any servers, PCs, or other compromised resources that are related to the breach.
- Assist the forensics team in every possible way.
- Secure the evidence as you may have to defend yourself and the company in a court of law. Preserve the evidence so that the data can be forensically analyzed and admissible in a court of law.
- Put your incident response plan into motion. Start communicating and taking the lead on every aspect of the plan. Enact different contingency plans as that will keep most of your data immune to the threat.
Cloudanix can help you and your CloudOps teams to minimize the chances of any security lapses. Sign up for a free trial for a better cloud security posture of your organization.