You didn’t read that headline wrong. Getting hacked can be good.
For CIOs and Security Officers, suffering an attack, like a phishing or whaling scam, can actually be a good thing.
Take, for example, the story of one IT leader who joined us as a panelist on our last Innovation Executive Forum (IEF) conference call. His global manufacturing company, which specializes in medical and industrial products, is no stranger to being hacked.
“We went through three separate ransomware attacks this year,” he said, speaking in September 2016 on the IEF conference call. “And the third one was almost caught by accident – it could have been much, much worse.”
Still, even though the damages of those attacks were fairly “significant,” the IT leader explained how they had produced a net-positive effect on his security operations. The breaches, he explained, finally gave him the proof needed to kick his executive team into gear and take new security investments seriously.
“[The attacks] raised awareness across the company, particularly for the C-level team,” he said.
“It wasn’t until then that we contacted all our users and told them ‘this is what’s happening.’ Only then did people realize the threat was real and something had to be done.”
This story was not unique to that manufacturing IT leader. Two other executives joined him as panelists on the one-hour security call. Each of them had their own stories of the positive role a security breach can play in an enterprise.
Turning the theoretical into reality
Perhaps the simplest reason for this counter-intuitive idea is that when a company suffers an attack, the threat becomes a cold, hard fact, something neither executives nor end users can ignore.
“There are two ways to get buy-in for new security programs,” said the IT leader of the marketing firm. “Make the front page of a newspaper, or ensure they understand the risk on a personal level, in advance.”
Put the attack to good use
In a recent opinion piece on Network World (an IDG publication), Lior Div argues that when businesses suffer a hack, they shouldn’t waste their time trying to track down the culprit. Instead, they should use the experience to uncover what was weak in their security, and use that to guide their strategy forward.
Not only is it impossible to track down the criminals, but you also just don’t have enough time and resources to play detective and fix your security at the same time. He writes:
“A company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks.”
During the IEF conference call, a number of useful strategies were shared describing exactly how your enterprise can put a breach to good use:
- Find the right tools: After suffering numerous phishing and whaling attempts, one IEF member invested in Mimecast, an automated solution for identifying and stopping email spoof attacks. Sometimes attacks highlight a need for a new tool or solution.
- Tell stories: Using real-life examples of how the mistakes of users lead to real company loss can be a powerful prevention tool. Use stories of phishing scams in onboarding and regular training for end users.
- Create a vision: It might feel like the sky is falling, but one IEF member says you need to take a break, step back, and clearly paint a new vision for your security strategy. Hit the pause button and work across departments to identify what went wrong, and the solutions and policies you need to make things right.
This was just a fraction of what was discussed at our recent IEF conference call, which was focused entirely on security. To hear more from top IT leaders about how they are working to make their businesses safer and smarter, download the high-level rundown of their discussions here.