Companies that store credit-card or financial information need to activate employees to study, monitor and respond quickly to possible data breaches, says a cybersecurity risk study released this week.
Chicago-based information security firm Trustwave’s 2014 State of Risk report suggests that companies are taking a more active approach to risk management than in previous years but highlights the importance of further enabling employees to respond to problems.
The report, released this week, drew findings from a 16-month survey of 476 information technology or information security professionals, conducted by a third party. The respondents hailed from 50 countries, with most reporting from the United States, United Kingdom and United Arab Emirates.
Eighty-one percent of respondents said their companies store and process financial data, while 47 percent said their companies store and process credit card data. They also said companies should only store the credit card information they need and nothing extra, and that a dedicated employee should be assigned to track regulatory changes in this arena.
Phil Smith, SVP of government solutions and special investigations at Trustwave, said companies must ensure they have the right technical processes and protections in place. But training employees to identify and react to crises may be even more important, he said.
The survey found that the majority of businesses have boards or executives who actively participate in their company’s security plans. But 45 percent of companies’ leaders take a “partial” role. “The results are not as high as I would like to see where executives and boards are involved in decision-making,” Smith said. Higher-level involvement often leads to funding for security programs. “Security has to flow from the top down, making it a normal business practice.”
Lower-level employees must also be trained in security matters, from knowing where data is stored to understanding what normal activity looks like, Smith said. “If you don’t understand where that data is and how it’s being protected and what is an anomaly, you have no ability to determine when you have experienced a breach,” Smith said.
While the public often hears of external threats such as hackers, employees can also create security risks, intentionally or not. A company’s IT team should set up processes to identify unusual activity, and have them audited by an independent third party, Smith said.
Smith also stressed the importance of training employees in security awareness. Employees should know when something strange is going on, and they should know how to alert the appropriate parties, he said. “Our statistics have shown, the companies that are able to self-detect and respond quicker means less data exfiltration and less damage,” Smith said.
By Amina Elahi
Blue Sky Reporter
- 30 Dec, 2014