Transcript:

Tuesday was not a good day for Elizabeth. She is the controller for MixBig Industries, a 50-person company selling music remix apps for smartphones. She had just received a call from one of her accountants who reported that he found some transactions with a country in which they did not do business. Liz checked with the bank and saw that the transaction had been initiated from outside the company. The bank quickly locked down the account, but not before $100,000 had been illegally transferred. This turned out to be the least of Liz's problems, though. Informing customers would require an enormous amount of time and money, not to mention that the costs associated with offering customers new security options would nearly match the illegal transaction. And, there was also the damage to MixBig's reputation to consider. Liz's research into this question did nothing to ease her pain. Some companies reported as much as an 18% drop in revenue after such incidents. The company's current crisis could be traced in many ways to two years earlier when Liz - having managed rapid growth at the company - had supervised a move to a new accounting system as well as the transition to a cloud-based server storage system. At the same time, the IT Director had implemented a wireless connectivity program at work. Nearly all workers could log on through mobile devices, tablets, and laptops. It was a progressive approach allowing for increased flexibility. Following their investigation, though, Liz and her team found that one part of the wireless network was not secured properly. A wardriver had exploited the weakness and gotten into MixBig's intranet. Wardrivers drive around with very powerful antenna in their vehicles looking for unsecured networks. Unfortunately, accounting data was not fully segregated from non-sensitive data properly either. Not realizing that sensitive customer information could be accessed through the wireless system, she had falsely believed the system was well-protected. An internal audit showed that this was the only breach, but that was of little comfort. Though MixBig had caught the transaction in time to save them from a complete catastrophe, the breach made all their customers vulnerable to the same set of hackers. Liz not only had to inform them all of the data breach, but also provide support for customers as they protected themselves from further attacks. All told, the damage was enormous. Though Liz had done all the right things within the accounting area to make the system secure, she had not sufficiently considered "cross-contamination." A breach elsewhere had allowed the foxes to get through a hole in the fence, which then allowed them to tunnel into the henhouse. She also recognized that the same kind of security breaches could originate from sources outside the company, such as suppliers. After the incident, Liz realized that security was everyone's business, not just a matter for IT. She designed a training program for all employees that would cover the following topics: 1) Security is everyone's business. 2) Learn to identify phishing scams. 3) Change passwords frequently. 4) Notify customers immediately in the case of a breach. 5) Certify that suppliers and anyone else with a data interface with the company is secure.

Liz's single biggest mistake in system security was:

a. Failing to integrate her accounting security protocols with other computer systems in the company.

b. Allowing the IT Director to install a wireless access system without her approval.

c. Allowing suppliers' systems to communicate with MixBig's systems.

d. Not knowing what a wardriver was.

The main way hackers gain access to computer systems is:

a. Through wardrivers.

b. Through human error such as poor password management.

c. By utilizing "phishing" emails to gain pertinent user information.

d. By "tapping" incoming data lines.

Normally, the best public relations approach when a breach has occurred is to:

a. Keep the breach a secret until the full scope can be determined.

b. Tell affected people the whole truth right away, along with your plan for addressing it.

c. Minimize the damage by underreporting the incident to customers.

d. Do nothing until things calm down and then craft a best response to those affected.