SmartAdvice: Consider Long-Range Vision For IT When Upgrading ERP Systems

Get users on board early and incorporate company strategy when planning an ERP upgrade, The Advisory Council says. Also, adopt cybersecurity policies to head off cyberthreats and consider getting a technology-risk insurance policy; plus, measure a project's business value before it gets started.

Question B: What can we do to protect ourselves from cyberextortion threats?

Our advice: Cyberextortion is just one of the many forms of cybercrime proliferating through the Internet. The CERT (Computer Emergency Response Team) Coordination Center recommends that businesses:

  • Recognize the real problem is crime, not hacking. The criminal intends to make money, rather than to just disrupt the business being attacked.
  • Business intelligence needs to include criminal-intelligence analysis. In addition, risk assessment needs to incorporate criminal threats, and cybersecurity needs to be conceptualized as part of a broader security problem that cannot be understood or dealt with in strictly technical terms.

  • Beware of infiltration. Know your customers, your partners, their clients and associates, and so on, especially if you are involved in cross-border trade or transactions where cyberlaws may be different from those in your own country.
  • Develop partnerships and information-sharing arrangements. Develop a working relationship with government and law-enforcement agencies. There is broad agreement that cybercrime is under-reported.

In addition to the tactical advice above, there are a number of strategic maneuvers that companies, and the industry as a whole, can make to circumvent the growth and impact of cyberextortion:

  • Seek and obtain corporate buy-in at every level of the organization. Use such techniques as scenario training to demonstrate the impact of cyberextortion on the company and the industry as a whole. Empower the IT department to take preemptive steps to safeguard systems.
  • Set the tone starting at the top. Regardless of the size of the company and the relative size of the cyber-threat, respond and react to it as if the very life of the company depended upon successfully circumventing it (in some cases, it actually may depend upon it).
  • Work closely with and support both industry and government bodies, including local law enforcement and federal agencies, in developing measures to prevent and respond to cyber attacks.
  • Adopt a "do whatever it takes" attitude to prevent and respond to cyber attacks, using such technologies as firewalls, cyberattack defense systems, real-time intrusion-detection systems, and preemptive scanners.
  • Control who has access to systems and when. Access to information systems should be provided on a "need to know" basis, and stringent controls must be put in place to prevent unauthorized access. These controls include:
    1. A system for assigning access to data resources for various stakeholders.

    2. A system for creation, suspension, and deletion of user IDs and passwords.

    3. Open communication between the IT and Human Resources departments.

    4. Define the "need to know" based on job function.

    5. Establish formal information-security policies, and have employees sign agreements to comply with those policies.

One final piece of advice: If you don't already have one, get a technology-risk insurance policy that covers cybercrimes such as extortion, as well as the consequences of such crimes. These consequences include security breaches, denial of service, loss of intangible property, and business disruption.

-- Sanjay Anand
