5. Plan for failure, Part 1
If you knew with certainty that hackers were going to get into your systems, what would you do differently?
After this year's high-profile breaches, a lot of people are asking themselves that question, and starting to look at security differently.
"The way that I look at it, and the people I talk to on a day to day basis look at it, there's a switch in mentality," said Scott Barlow, the chair of the CompTIA's IT Security Community and vice president of product management at Boston's Reflexion Networks, Inc. "Businesses are assuming that their data will be exposed, or is already exposed, and they're taking steps."
Those steps include encrypting data on employee desktops, in file servers, even email.
And a process called tokenization replaces bank card numbers with randomly generated codes, or tokens, even before they leave point of sale devices. Only the payment processor knows the real numbers -- the retailers get tokens, which are completely worthless to any hackers who break into their systems.
That turns the payment processors into targets -- but then, they always have been.
"Guys are already going after us," said Paul Kleinschnitz, senior vice president and general manager of Cyber-security Solutions for FirstData, which accounts for about 40 percent of the payment processing in the U.S.
Meanwhile, the Targets and the Home Depots will be insulated from the risk of losing the payment data.
"We are pulling that burden away from the merchants and managing it," Kleinschnitz said.
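As an added illustration of the tokenization flow described above (this is constructed example code, not code from the article, from FirstData, or from any real payment processor), the following Python sketch assumes a single in-memory vault on the processor side and a merchant that only ever stores the token. The card number used is the well-known Visa test number 4111111111111111, the `ProcessorVault` class, its `index_key`, and the `merchant_checkout` helper are all hypothetical names chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check that every real card number (PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Processor-side token vault (constructed example, in-memory only).

    The real PAN lives here and nowhere else; merchants never get access to
    this object. They receive only the token that tokenize() hands back.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # secret used to recognise repeat cards
        self._token_to_pan: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash of the PAN, so a returning card maps to the same token
        # without keeping a second plaintext copy of the PAN as a dict key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            # Keep the last four digits so receipts and customer service still
            # work; everything else comes from a CSPRNG and is not derived
            # from the PAN in any way, which is what makes a stolen token worthless.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Design choice for this example: reject Luhn-valid candidates so a
            # token can never be mistaken for a real card number, and reject
            # the (astronomically unlikely) collision with an existing token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the processor can turn a token back into a PAN."""
        return self._token_to_pan.get(token)


def merchant_checkout(vault: ProcessorVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's systems end up storing: the token, never the PAN.

    In a real deployment the point-of-sale device sends the PAN to the
    processor's tokenization service and gets the token back; the direct
    vault call here stands in for that round trip.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = ProcessorVault(index_key=b"constructed-example-key")
    record = merchant_checkout(vault, "4111111111111111", 4999)
    print("merchant stores:", record)
    print("processor resolves:", vault.detokenize(record["token"]))
```

Anyone who breaks into the merchant and copies `record` gets a 16-digit string that fails the Luhn check, cannot be charged, and has no mathematical relationship to the card; only the vault on the processor side, the new target the article goes on to discuss, can map it back.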
6. Plan for failure, Part 2
If JP Morgan can be breached, every company is vulnerable.
"Even if you have the best security in place, there's still a chance that you may be breached," said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department's computer crimes division.
How a company reacts to that breach can make a big difference.
Both Target's CEO and CIO lost their jobs this spring as a result of the problems the company had dealing with the aftermath of the breach of 40 million payment card accounts late last year.
"It came out in drips," said Toren. "It was the death of a thousand cuts."
Companies need to be prepared to deal with a breach transparently and promptly -- and preparations have to start long before a breach ever happens.
"They need to have a plan in place and work with a public relations firm beforehand," he said. "Not just bring one in after the horse is out of the barn."