Why Technology Should Not Solely Drive Business Decisions

30 September 2014

Employee Training, Policy Development

With a new data breach reported on what seems like a weekly basis, business owners and executives are faced with the dilemma of taking action to protect their organizations while at the same time balancing their resources and selecting the “right” solution. Many organizations, particularly ones that lack in-house information technology expertise, incorrectly jump to the conclusion that technology is the answer. Technology should be part of an organization’s enterprise data-breach prevention strategy, but it cannot be implemented alone. Organizations that prioritize technology over training are almost guaranteed to have sensitive data exposed at some point, resulting in potential lawsuits, reputation damage, and financial damages. Exposure of data could be unintentional—an employee clicks on a phishing email that results in malware being installed and the network compromised. But basic security-awareness training would have educated the offending employee on how to handle suspect emails and possibly prevented the entire breach. Spam filters and virus scans do catch most of these types of attacks, but none of these tools are foolproof. This means education needs to be combined with technology to develop a strong defense against data breaches.

Technology cannot address 100 percent of the potential vulnerabilities. Organizations may not have a defined data-backup and retention policy—so although the IT department may have the necessary technology to perform these tasks, it lacks the written guidance. Or employees may not know how to create a strong password, leaving them vulnerable to even simple breach strategies such as a dictionary attack—a method of hacking into a password-protected computer or server by systematically entering every word in a dictionary as a password.

Instead of relying solely on technology, organizations need to take a step back and clearly assess their vulnerabilities and deficiencies. This assessment should focus not only on technology but also on training and operations, specifically policies and procedures. The vulnerabilities identified in this assessment should be the primary input for the development of an organization’s data-breach prevention strategy. It is always less expensive to deal with a vulnerability before it is compromised than to try to fix it after a breach. Other areas to assess include insurance, crisis management, disaster recovery and business continuity, and critical systems monitoring. Organizations that take a holistic approach to their enterprise data-breach prevention strategy—one that includes technology but doesn’t rely solely on technology—will have a greater chance of success.

COMPASS has developed a methodology that combines the discipline of project management with the latest cyber-security technology and data-protection best practices. In today’s hyper-connected world, every organization is just one data breach away from being a leading story on the news and social media, which can severely damage its reputation and brand. Find out how to protect your institution. Contact COMPASS to learn more about our methodology and how it can help your organization develop a robust cyber-security ecosystem.
