You might not think that a company that specializes in making flavored seltzer needs to worry all that much about cybersecurity.
But as sales surged at Talking Rain, a Seattle company best known for its Sparkling Ice beverages, so too did the emphasis on protecting company data.
All companies, no matter their size or industry, must protect their assets, said Gina Harris, IT director at Talking Rain.
“It’s the responsible thing to do,” she said. “What’s your competitive advantage? What is your differentiator in the marketplace? You have to protect your intellectual property.”
Millions At Stake
Revenues for Talking Rain increased from $25 million in 2010 to $148 million in 2012. By 2020, they are projected to reach $1 billion.
Amid rapid growth in 2014, Talking Rain hired Harris, and she began to assess how the company approached cybersecurity.
As someone who used to audit IT departments for a living, Harris said she has an appreciation of risk management and believes preventive controls are more valuable than detective and corrective ones.
“I feel like it’s a prudent business practice: looking at your entire perimeter to assure your stakeholders, shareholders and the board that you have at least basic or better protection to prevent threats,” she said. “Otherwise, you’re not doing your job.”
One of Harris’s first undertakings as IT director was to engage Secureworks for a penetration test of the company’s infrastructure. The procedure allowed her to identify areas that were most susceptible to attack.
Based on the test results, Talking Rain worked with Secureworks to first address the high-risk scenarios. With a baseline established and the company’s acceptance of risk quantified, they next embarked on a security awareness program.
“It is so important because employees are the first line of defense for security,” Harris said.
Employees undergo 15 minutes of training each month. According to Harris, there is such widespread acceptance of the program that employees want to share it with their family and friends.
“It’s very popular; we complement the training with some inserts that we put on the inside bathroom door stalls so they can read about it. We even give awards for people who get 100 percent [on their monthly test scores], and there are HR sanctions for people who don’t do their training.”
Part of the security training involves testing employees by sending phony phishing emails, baiting them to see if they fall for the scam. Staff members caught on quickly and now report legitimate phishing and malicious emails regularly.
Talking Rain also rolled out iSensor, a Secureworks intrusion prevention system that provides around-the-clock monitoring and can trigger incident response.
When IT Becomes A Reality TV Show
When you’re seeking executive buy-in for security upgrades, nailing the pitch is critical, Harris said. She equated the experience to the television show “Shark Tank,” in which inventors pitch their ideas to investors.
“Our job is to translate the opportunities, to help the company with technology and talk about it in the language they need to hear,” she said.
Then it’s up to the executive to decide if the company’s appetite for risk is high enough to forgo the expenditure, she noted. Talking Rain’s low acceptance of risk is paying off.
With so much at stake, the time is now for companies to assess their acceptance of risk and develop a cybersecurity plan around it.
More Info: www.forbes.com