SmartAdvice: Consider Long-Range Vision For IT When Upgrading ERP Systems
Get users on board early and incorporate company strategy when planning an ERP upgrade, The Advisory Council says. Also, adopt cybersecurity policies to head off cyberthreats and consider getting a technology-risk insurance policy; plus, measure a project's business value before it gets started.
Question B: What can we do to protect ourselves from cyberextortion threats?
Recognize the real problem is crime, not hacking. The criminal intends to make money, rather than to just disrupt the business being attacked.
Business intelligence needs to include criminal-intelligence analysis. In addition, risk assessment needs to incorporate criminal threats, and cybersecurity needs to be conceptualized as part of a broader security problem that cannot be understood or dealt with in strictly technical terms.
Beware of infiltration. Know your customers, your partners, their clients and associates, and so on, especially if you are involved in cross-border trade or transactions where cyberlaws may be different from those in your own country.
Develop partnerships and information-sharing arrangements. Develop a working relationship with government and law-enforcement agencies. There is broad agreement that cybercrime is under-reported.
In addition to the tactical advice above, there are a number of strategic maneuvers that companies, and the industry as a whole, can make to circumvent the growth and impact of cyberextortion:
Seek and obtain corporate buy-in at every level of the organization. Use such techniques as scenario training to demonstrate the impact of cyberextortion on the company and the industry as a whole. Empower the IT department to take preemptive steps to safeguard systems.
Set the tone starting at the top. Regardless of the size of the company and the relative size of the cyber-threat, respond and react to it as if the very life of the company depended upon successfully circumventing it (in some cases, it actually may depend upon it).
Work closely with and support both industry and government bodies, including local law enforcement and federal agencies, in developing measures to prevent and respond to cyber attacks.
Adopt a "do whatever it takes" attitude to prevent and respond to cyber attacks, using such technologies as firewalls, cyberattack defense systems, real-time intrusion-detection systems, and preemptive scanners.
Control who has access to systems and when. Access to information systems should be provided on a "need to know" basis, and stringent controls must be put in place to prevent unauthorized access. These controls include:
A system for assigning access to data resources for various stakeholders.
A system for creation, suspension, and deletion of user IDs and passwords.
Open communication between the IT and Human Resources departments.
Define the "need to know" based on job function.
Establish formal information-security policies, and have employees sign agreements to comply with those policies.
One final piece of advice: If you don't already have one, get a technology-risk insurance policy that covers cybercrimes such as extortion, as well as the consequences of such crimes. These consequences include security breaches, denial of service, loss of intangible property, and business disruption.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.