There seems to be a constant stream of new stories regarding data breach events — more and more companies having their most critical data compromised. We hear about the big companies, but most of the targets and access to the big companies comes from breaches at small-medium businesses. Most leaders recognize the impact this has on their business — costs to recover from such an event are significant, and the reality is that the majority of small businesses that experience such an event are out of business within 18 months. So why then do so many CEOs delegate the protection of their most critical data to a tactical IT department? The answer is the gap between the business strategy and the execution tasks IT understands is too great for most organizations to close, so the CEO has no choice but to provide high-level instructions for IT to make sure data is protected (whatever that means). What other options does the CEO have?
Every CEO Should Know
Ultimately, the CEO needs to find a way to close the gap between the results the business requires and the IT execution, and I would contend the success of the organization depends on closing this gap, but let’s start small and just talk about data protection at this point. When it comes to data protection there are some key areas every CEO must know:
- What Data Is Sensitive – Simply defining and then communicating to the organization what data must be protected is a great first step. For some, this may be obvious — health data, financial account numbers, credit card numbers, employee pay and bank deposit information, etc. For others, it may be more obscure like Intellectual Property (IP). What data must always be protected for your business? Know what that is and communicate it often!
- What Data Encryption Is in Place – Where does the data live and is it encrypted? The sensitive data should be encrypted, and every CEO should know that systems and processes exist to ensure it is always encrypted wherever the data lives. In addition, how is it transmitted — is the transmitted data always encrypted? Where are the gaps? Could the data be emailed without it being encrypted?
- Workstation & Server Update Processes – What processes and tools are in place to ensure servers and workstations are up to date with the latest security and operating system patches? This one is critical — as the CEO, you don’t need to know how to update workstations or servers, but you need to know that it is being done, and done at least once a month.
- Email Protection Systems in Place – What systems are in place to protect the organization from malicious email attacks? Is there a good Spam filter in place? Are attachments scanned for viruses or malicious code before delivered to an end-user? Better yet, are the attachments converted to a PDF before being delivered to an end-user? Are hyperlinks in an email scanned to be safe before an end-user is taken to the website?
- Password Policy & How It Is Enforced – The weakest link for entry into protected data is still user names and passwords. Make sure you know what your password policy is for your company — how often passwords are changed? Make sure they are complex — at least 8 characters with upper/lower case, symbol and number. Lastly, make sure you know how these policies are enforced.
At a minimum, these are the five practices every CEO should know around data protection. If you do not know today, schedule a meeting with IT to get these answers. For bonus points, make sure your IT group knows how important your sensitive data is and what the business impact would be if there were a breach. Then simply ask, “what else should we be doing to protect our sensitive data?” You might just start to close the gap between your business strategy and IT execution.