Another day, another hack.
In some cases, the hackers claim to be activists fighting back against greedy corporations. In other cases, the hackers are reportedly working on behalf of foreign governments. In almost all cases, however, the fallout is huge.
From potentially billions of dollars in losses to the release of sensitive information, it's no surprise that many companies are worried if their systems might be next.
Realistically, there's no way that a company can protect itself from every security threat on the internet. But to mitigate risk and minimize the potential harm of a hacking incident, companies should plan for the best, and prepare for the worst. Here are several tips on both fronts.
Planning for the Best
Take security seriously
The first step in planning for the best is to recognize just how important security is. If you don't, you're far more likely to have out-of-date infrastructure and software that is low-hanging fruit for would-be attackers.
Having a security strategy in place, and making sure it's followed, won't completely eliminate risk, but taking basic preventative measures (like applying security patches on a regular basis) puts you one step ahead of other targets.
Don't store data you don't need
This seems like common sense advice, but common sense isn't always so common. Data is good, obviously, which is why many companies try to collect as much of it as they can, even if they're not sure how to use it yet.
But the more data you have on a server somewhere, the more enticing that server potentially is to an attacker. By thinking strategically about the data you store, you can minimize the risk that you'll be at the center of an embarrassing and painful media blitz.
Fire any developer who stores passwords in plain text
Many companies that have been hacked have suffered immensely because they didn't properly protect user passwords. At the end of the day, there's no excuse for this. No password should ever be stored in plain text.
Going further, it's also a bad idea to encrypt passwords with a key that could also be compromised. In other words, techniques such as strong one-way hashing, salting and password-based key derivation should be required whenever passwords are stored.
Preparing for the Worst
Recognize that you can, and probably will be, hacked
Your company could do 999 things right, and a hacker only needs you to do one thing wrong to compromise your systems. In other words, the odds are against you, no matter how good you are.
That means coming to grips with reality: at some point you will almost certainly face a breach of some sort.
Establish relationships before you're hacked
Cleaning up from a major hack can be a nasty experience. From trying to trace the culprits to ensuring the integrity of all the systems which may have been compromised, expertise is generally required.
Knowing who you're going to call if and when you need that expertise is crucial to minimizing the harm to your business and stakeholders.
Have a response plan in place
Being hacked is never fun, but responding quickly and competently is important. At a minimum, being able to reassure those affected by any breach that their most valuable information (passwords, credit card numbers, etc.) was not compromised (because it wasn't stored or was stored properly) is huge.
Think about insurance
It's not surprising that the recent spate of hacking incidents has sparked demand for cybersecurity insurance policies. For some companies, these policies are worth a look, even if they're no panacea.