Ask The Expert

Reducing your company’s vulnerability to cyberattack and breaches

Question: I own a medium-size business with extensive customer files and billing records. How can I stay informed about emerging threats and make sure my security practices are up-to-date and effective?

Answer: When I was at the Department of Justice, I talked with a lot of companies, and one of the responses I always heard was, “If we only knew this kind of attack was happening 18 months ago, we would have been able to respond and stay safe.” What they learned the hard way is that security is a lot more than checking off compliance boxes.

First you must identify, within your industry, what attacks could most likely happen. Staying compliant isn’t enough, because criminals always outpace regulators. We’ve seen a sea change in the last 18 months to two years. Law enforcement groups, academics and nonprofits are all pushing out information on cyberattacks. Find the groups following attacks in your industry and stay abreast. For example, if you have credit card data and are PCI compliant, the Secret Service Electronic Crimes Task Force regularly puts out payment card data information. InfraGard at the FBI regularly puts out information on recent attacks, as do the big credit card companies like Visa. There are also consumer-based incident response groups, some specific to particular industries. You want to get on those listservs.

It’s important to remember that compliance does not mean you’re secure. Smart businesses take a risk-based approach. Security is only effective if it’s tailored to the types of attacks that are most likely to happen on your system.

Q&A with Kim Peretti

Kim Peretti was the lead prosecutor in U.S. v. Albert Gonzalez, the largest identity theft case in U.S. history, and now serves as a director in PwC’s U.S. Forensic Technology Solutions practice.