When he was in high school back in 1977, independent consultant Ted Demopoulos discovered his love for computers while incessantly hacking into his school's PDP-11. While he nearly flunked out of school, his love affair with information technology is still red hot.
He worked his way through graduate school as a programmer and eventually joined Apollo Computer, where he worked in network administration and new media.
Through seminars, keynote speaking and consulting, he works with organizations on making informed decisions about information security. Clients have included Cisco Systems, T Rowe Price, Hewlett Packard, IBM and Motorola.
Ted took a few minutes to answer some questions for Business.com about how to protect your company's sensitive information.
How has information security changed in the past 10 years?
- Most organizations have a significantly larger amount of their assets as digital assets, including intellectual property.
- The attacks have become far more sophisticated and targeted. We are not dealing with teenagers hacking random targets between playing games in their parents' basements. We are dealing with nation states, corporate espionage, hacktivists, and lots of for-profit online cybercrime.
- Regulatory law (e.g. HIPAA, Sarbanes-Oxley, GLBA) is requiring a bare minimum of security for many organizations.
What are examples of the types of documents and/or information that should be protected?
It varies for every organization, but certainly includes trade secrets and other intellectual property, sales and marketing information, and financials.
How can businesses protect them?
The first step is in identifying all the information. Many organizations do not have an inventory of all their critical data and where it all resides.
What happens when businesses don't properly secure sensitive information?
Worst case, the company can cease to exist. For example, Nortel (now out of business) was breached more than a decade ago, and the attackers had access to all their data for more than a decade. They might still exist if they had discovered the attack or prevented it.
What are the biggest mistakes companies make when it comes to securing information?
Biggest mistake is not knowing what their critical data is and where it resides. The second is not taking a risk-based approach to protecting it.
What are day-to-day things a company can do to ensure its information is secure?
Every company is going to be attacked AND some of those attacks will be successful. That is OK, as painful as it is to say that. What is not OK is for a company to be successfully attacked and not find out for a month or a year or a decade (Nortel).
It's like mice in the Northeast. If you have a house or building near a rural area, eventually one or more mice WILL get in. You don't, however, want them to live and breed in there!
Who is responsible for keeping information secure within a company?
Everyone. The ultimate responsibility lies with the owner of the data. For example, for financial data it may be the CFO. Of course, this person will usually not be technical nor security-savvy, but he needs to have people he knows and trusts to work with.
What types of training should all employees receive regarding information security?
At a minimum, some security awareness. Employees need to know that everyone is responsible for security, and that EVERYONE is being targeted. For example, a low-level clerical worker might click on a link or open an attachment in an email, which may allow an attacker access to their machine. That can then be used as a pivot point to move to other parts of the IT infrastructure.
For a small business, with a limited budget, what's the minimum the business owner can do to help protect sensitive information?
- Know what that critical information is, and HAVE REGULAR BACKUPS.
- Know the consequences of a breach, including the impact on the business if the systems go down (for example, due to a big malware infestation).
How often should security needs be re-evaluated?
That's a tough question, because it depends. For many large, dynamic companies it needs to be on an ongoing basis ... or at least quarterly. For smaller companies, at least yearly, or whenever there are changes to the business or IT infrastructure, even if it's two computers and a printer.