
Making Sure CyberCriminals Can't Hack It

The White House's regulatory regimes of cybersecurity best practices won’t kick in for a year or more, and even then they will be voluntary—two eyeroll realities made that much more disturbing when one considers that a year is an eternity in Internet time.

In the meantime, cyber hackers continue to have a field day, highlighted by reports that China has been on a break-in binge across a range of companies that include news outlets (charges that China denies).

Congress will hold numerous hearings—including one last week. But those wheels grind slow too, and the short-term question remains: What should company technology chiefs at Internet service providers and others be doing to keep from becoming tomorrow’s hacking headline?

Harriett Pearson, a partner with international law firm Hogan Lovells and former IBM chief privacy officer, provides these useful cybersecurity tips that go beyond “Make sure to trash emails from the Sudan that begin, ‘Hello, My Dear.’”

Understand the threats that are specific to your business. Every organization is different. Each has its own risk profile, based on the type of assets handled, the locations in which the business operates and other factors. To protect itself, a company needs to know the likely sources of risk—Is it criminals? State-sponsored actors? Political activists? Disgruntled employees? Careless employees managing data and IT haphazardly?—and prioritize its actions.

Form a team. Security is a team sport. It’s not just the CIO’s or the IT security director’s job. It’s the COO and CFO who must be convinced to fund and support risk mitigation initiatives. It’s the chief legal officer who can help guide the assessment of legal and reputational risks and advise on smart ways to document the company’s efforts so they stand up to scrutiny. And it’s the human resources and communications leaders who can help educate employees and build a corporate culture that values security.

Prepare to respond. No security program is perfect; incidents will happen. The key to handling them well is preparation, the kind that can keep an incident from turning into a crisis. Make sure people know to whom they should report an incident, and rehearse your response if possible. At a minimum, know which lawyer and which technical experts you will call in if something unusual is detected.

Watch over your vendors. The weakest link is sometimes outside your own shop. Pay the most attention to the vendors who handle important data or operations, and require those vendors to demonstrate their security competence. Write the requirements into contracts.

Document your program. Let’s say something happens. When you are asked what you did to prevent it, have a thoughtful answer that is backed up by a written description of your efforts to identify threats and defend against them.

E-mail comments to and follow him on Twitter: @eggerton