I recently checked back in with most of my current and past clients. What I found surprised me a bit. Nearly one in four - almost 25% - had experienced some sort of hack, data breach or security violation in the past 12 months. Almost 25%. The nice thing is a few are asking for my help in making sure 2016 is safer than 2015...but I have to admit that it was not necessarily the way I wanted new consulting business. However, I will not turn down that kind of experience, research and revenue. At the same time, I wonder what is going to be hit next? What will black hats target next that we haven't even thought of? And what about white hats out there who work hard to expose security flaws and backend openings to prove to governments and software or equipment vendors that they have issues that they aren't aware of but need to patch quickly? Those individuals could be targeted next by cybercriminals...just as was the case on the season (and probably, unfortunately, series) finale of CSI Cyber this past week. This knowledge and software code is worth an inconceivable amount of money in the wrong hands. And it puts lives in danger at the same time.
Back to the issue with the 1 in 4 companies experiencing a security breach and what that could or should mean to you. Nothing or everything...it's your choice. At the very least, I highly recommend the following...
Make cybersecurity a top priority in your risk planning. I know we all think it can't happen to us. And it may not. But if it does, just one cybercrime could cost you countless customers, high costs of identify theft of employee information, or worse....though I'm not sure what that might be. Your risk depends more upon the types of clients you have, the types of projects you run, the industry you operate in, the type of data you handle and the size and complexity of the projects you manage. But any size business can be and is at risk. To omit it from your risk planning is crazy in 2016. I am usually working with small to medium sized businesses though I am periodically running projects as a consultant for very large Fortune 500 organizations and government entities like the Department of Defense and others. And yes, sometimes it does involve sensitive information. Risk planning needs to be part of every project and cybercrime and cybersecurity needs to be considered during every risk planning session.
Hire one staff, a department or a consultant. You can hire one staff, you can create a department, or you can just hire a consultant. But it is imperative, I believe, that you do something to prepare your organization for a cybercrime incident in 2016. It may not happen this year, but it is likely to happen soon and the sooner you bring in staff or designate an individual the sooner you can have that person or group ready and productive. You don't really need a large group of certified individuals. You can operate with just one interested tech lead moving into this role and learning as they go. The information and technology for them to research is everywhere...they can get up to speed fast. Just don't put it off any longer.
Attend Black Hat. Seriously. I've been to Black Hat USA in Las Vegas five years running and it is amazing – both in terms of fascination and in terms of understanding the breadth of the security risks we all face. They call it Black Hat, but it is really much more about White Hat work identifying and reporting on security flaws and what cybercriminals are capable of and what these incredibly skilled hackers have discovered over the past year. If cybersecurity is a concern to you – and it needs to be – then this conference is well worth your time and money. If it makes you plan for and mitigate or avoid one breach because you added it to your risk planning process then it will pay for itself 20 times over.
Summary / call for input
Everyone can be hacked. Do I need to repeat that? Everyone can be hacked. And it will likely get worse – not better. I will not be surprised if I conduct a similar client survey in a couple of years and see that number rise to nearly 50%.
What about our readers? Has your organization experienced a data breach or be the victim of a cybercrime...no matter how small? If so, what was your response? How has it changed your risk planning process. Please share your experiences and discuss.