Today’s companies require CIOs who have not only a thorough understanding of technology but also an in-depth understanding of the company’s target audience, including customers, as well as their business operations and modules.
They need CIOs who can lead from the front and who can transform the information-technology department from an entity that maintains the computing hardware and software into a highly valuable service provider driving business innovation.
Innovation is the next frontier for all CIOs, and now is the time for them to prepare for action.
In past years, headlines have been dominated by high-profile data breaches, including many that involved health-insurance companies (for example, Anthem and Premera) and one huge breach in an important US government office (the Office of Personnel Management), where confidential information on almost 22 million current and former federal employees was stolen, along with the biometric data of more than 5 million people.
Thus the CIO’s role is becoming all the more critical. Globally, 91 per cent of all healthcare organisations reported at least one data breach over the past two years. According to IBM and the Ponemon Institute, the average consolidated cost of a data breach is now nearly US$3.8 million (Bt134 million) – an increase of 23 per cent over 2013.
As CIOs make their to-do lists, they should also consider a list of what they shouldn’t do when it comes to cybersecurity strategies. Let us look at certain aspects that CIOs should absolutely consider.
1. Don’t confuse cyber-insurance with cybersecurity. Keeping a financial back-up plan is indispensable when it comes to a business’ most important assets. The market for cyber-insurance is taking off as companies are coming to realise its significance. However, it should be kept in mind that cyber-liability policies can’t actually protect mission-critical data, and thus cyber-insurance forms only a small part of the security strategy of an organisation.
2. Don’t refrain from educating your human resources about cybersecurity best practices. It is obvious that employees often form the vulnerability point when it comes to cybersecurity infrastructure. Thus businesses should make a point of educating their staff on how best to utilise such tools as e-mail and the Internet so that they don’t compromise office networks. Conduct workshops and training sessions where employees can be told when it’s OK to click on links in e-mails and what websites they can and can’t visit. This will help curb the number of phishing scams and malware infiltrating company networks.
3. Don’t pay ransoms. Do not be a victim of ransomware. Educating employees and deploying proactive anti-ransomware solutions can solve this problem to a great extent. However, if such an unfortunate incident happens, incident response teams must be ready, including by making proper data back-ups in advance. This will ensure you don’t lose your critical data and that you don’t need to succumb to ransom pressure.
Remember that when any customer pays ransom money to cybercriminals, it’s helping boost the crooks’ financial power to attack more such customers. As part of corporate cyber-social responsibility, this must be a strict “No”.
4. Don’t neglect a company disaster-response plan. Many organisations do not have a proper disaster-response strategy in place, and many others have lackadaisically constituted ineffective response plans that are completely redundant in times of need. This can lead to lethal issues down the line, especially considering that when businesses go offline for any amount of time, it costs a serious amount of money that could cripple an entire company at one go. Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organisation develops and puts to test in times of crisis.
CIOs should make sure their companies have a well-engineered disaster response plan in place. This includes creating a strategy and testing it out before a network breach actually occurs.
5. Don’t compromise on the quality of cybersecurity solutions. It doesn’t pay to invest in something that isn’t going to do the job, especially when so much business-relevant, mission-critical information is on the line. Companies cannot afford to integrate the wrong solution and pay a heavy price that can bring the entire organisation to its knees.
Cloud and mobile computing are pushing the IT landscape further away from the organisation, and an emerging Internet of Things is expanding the surface area of a defensive front already riddled with gaps. Today’s cybersecurity trends are evolving at an overwhelming pace, but it’s not a lost cause. The enemy is not an invincible genius – he’s smart and organised, but the key to winning is simply to beat him at his own game.
Piyatida Tantrakul is country manager of Trend Micro (Thailand) Co.