Cyber Security: Protecting Your Company

Paul Royal

Tuesday, February 24th, 2015

Reports of data breaches at retailers, health care organizations and financial institutions have become a mainstay of today’s media landscape. Examples include Target, the second largest retailer in the U.S., which in late 2013 confirmed that cyber criminals had stolen credit card information from at least 40 million customers during a breach that ended up costing the company $148 million. In the first quarter of this year, Anthem, the second-largest U.S. health insurer, reported an intrusion into its systems that gave attackers access to the names, birthdates, addresses, and social security numbers of 80 million people.

Many organizations regard cyber security as a noun, but would be better served by viewing it as an adjective that characterizes each of the various systems and networks required for business operations. This mindset, and the resulting development of secure infrastructure, will make it harder for cyber criminals to gain a foothold in your organization and dramatically reduce the damage from a successful attack. To achieve these goals, here are three items C-level executives and business managers should keep in mind:

1. Invest in good people. Selecting the security-related technologies and policies appropriate for your organization will require coordination with professionals who possess the right combination of education and experience. As even the best technologies can be ineffective in the wrong hands, investment in good people will likely need to go beyond finding the right person to spearhead initial efforts.

2. Focus on resiliency. Even with the right people, technologies, and policies in place, one or more attacks will eventually succeed. Thus, instead of the impossible goal of prevention, companies should focus on resiliency, which strives for damage minimization and continued business operation in the face of a successful attack. The right combination of infrastructure and response plans can represent the difference between a minor, internal security incident and reputation-damaging headline stories.

3. Educate your employees. Minimizing opportunities for attacks to succeed requires instilling basic, job-appropriate security competencies in every individual at your organization. As examples, consider an administrative assistant who thinks twice before visiting a website at the request of a caller claiming to be from IT, or a manager who checks with a team member to confirm they actually sent an unexpected email containing a PDF attachment. In these types of situations, a small amount of training can go a long way.

Those who choose to ignore the importance of developing secure infrastructure do so at their organization’s peril, with consequences that now include civil and criminal litigation, loss of customer confidence and trust, and a measurable impact on the bottom line. Given these stakes, companies willing to treat cyber security as a core business strategy will come out ahead financially. To learn more about how data breaches occur and why security should be viewed as an adjective, consider attending the Georgia Tech Learning Series event on March 5 from 11:30 AM until 1:00 PM.

Paul Royal is a research scientist in the College of Computing at Georgia Tech and associate director of the Georgia Tech Information Security Center (GTISC). In these roles, he engages in collaborative research on various aspects of the online criminal ecosystem. As an active member of the information security community, he has participated in and led efforts that have resulted in the takedown of large botnets and the arrest of the operators behind them.