Cybersecurity: Identifying your weak points before they get hacked
CX Best Practices
By: Troy Moritz, Chief Security Officer, TELUS International
Across industries and around the globe, businesses are fighting to keep hackers at bay. Last year saw an unprecedented amount of cyber crime, with online security firm ThreatMetrix recording 700 million cyber attacks worldwide. The Ponemon Institute, a Michigan-based privacy research center, puts the current cost of a data breach to companies at more than $3.6 million. Worse, the size of the average data breach is on the rise.
Despite the statistics, an attack on your company isn’t inevitable. By taking a three-pronged approach that focuses on people, processes and technology, organizations can identify vulnerabilities and take action before an incident causes irrevocable damage.
As much as we’d like to think all cybersecurity threats are external, the fact is that employees are often to blame for putting companies at risk. Their actions may not be malicious; data breaches are often a case of people acting in good faith in response to unethical and criminal minds. Still, a lack of employee knowledge about cybersecurity can leave your business open to attacks.
Consider what happened earlier this year, when more than 5,000 people were affected by a data breach at health insurance agency Flexible Benefit Service Corporation (Flex). The cause? An employee fell victim to a phishing attack that exposed customers’ personal information, ranging from addresses and birth dates to Social Security numbers.
Last year’s cybersecurity controversy involving Boeing wasn’t a calculated external attack but rather an employee disclosing the personal information of 36,000 colleagues to his spouse when he sought help formatting a document containing the data. It was an innocent mistake, but another example of how employee missteps can facilitate attacks. The breach prompted Boeing to require its workers to complete additional training on proper handling of sensitive data.
The best way to mitigate employee risk is by building a company culture that puts cybersecurity and communication first. Hire employees you can trust, and make privacy and security training an ongoing effort that’s mandatory for all. Promote awareness campaigns that teach your workers the difference between spear phishing (targeting high-value victims and/or companies), clone phishing (fraudulent emails that replicate legitimate corporate documents) and whaling (targeting top executives) so they can spot suspicious activity and know what to avoid. Encourage communication between team members and IT, and as a company leader, hold yourself accountable if someone fails to keep your organization secure.
The more you prioritize security, the more ingrained it will be in your company culture.
Companies don’t always take business processes into consideration when assessing cybersecurity policies and working to discover vulnerabilities — but they should. Your business processes are what protect your company against cyber crime if your people let a hacker slip through the cracks.
This aspect of your operation goes hand-in-hand with corporate governance, and it encompasses everything from how you identify risk, to how you choose to manage it. Establishing robust and effective processes isn’t something that can be done overnight. It’s easy to rely entirely on technology as a barrier to attacks, but it takes more than software alone to protect you.
Work to implement company-wide cybersecurity best practices, such as classifying information assets as public, internal, sensitive, regulated and so on. Assess the impact that each kind of attack or data breach could have on your organization. Get every department into the habit of assigning cybersecurity risk scores so the potential outcome of your employees’ decisions is always top of mind for them.
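The classification-and-scoring habit described above can be made concrete as a small risk register. The following is an added example, not code from the article or from TELUS International: the classification tiers come from the text, but the impact weights, the likelihood rule (internet exposure and missing patches) and the sample assets are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Classification tiers named in the article, ordered least to most sensitive.
# The numeric impact weights are a constructed assumption for this example.
CLASSIFICATION_IMPACT = {"public": 1, "internal": 2, "sensitive": 3, "regulated": 4}


@dataclass
class Asset:
    """One entry in a department's risk register (constructed schema)."""
    name: str
    classification: str
    internet_facing: bool = False   # reachable from outside the company network
    unpatched: bool = False         # known security updates not yet applied
    records: int = 0                # number of people whose data the asset holds


def likelihood(asset: Asset) -> int:
    """Crude 1-4 likelihood: exposure and patch hygiene drive it (constructed rule)."""
    score = 1
    if asset.internet_facing:
        score += 2
    if asset.unpatched:
        score += 1
    return min(score, 4)


def impact(asset: Asset) -> int:
    """1-4 impact from the classification tier, raised one step for large record sets."""
    if asset.classification not in CLASSIFICATION_IMPACT:
        # Refuse to score an unclassified asset rather than silently treating it as low risk.
        raise ValueError(f"unknown classification {asset.classification!r} for {asset.name}")
    base = CLASSIFICATION_IMPACT[asset.classification]
    # Constructed threshold: a large non-public data set is treated as one tier worse.
    if asset.records >= 10_000 and asset.classification != "public":
        base = min(base + 1, 4)
    return base


def risk_score(asset: Asset) -> int:
    """Classic likelihood x impact score, range 1-16."""
    return likelihood(asset) * impact(asset)


def needs_review(asset: Asset, threshold: int = 8) -> bool:
    """Flag assets whose score reaches the review threshold (constructed default)."""
    return risk_score(asset) >= threshold


def rank_assets(assets: list[Asset]) -> list[tuple[str, int]]:
    """Return (name, score) pairs, highest risk first, ties broken by name."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda t: (-t[1], t[0]))


# Constructed sample register; none of these are real systems.
SAMPLE_REGISTER = [
    Asset("marketing site", "public", internet_facing=True),
    Asset("intranet wiki", "internal"),
    Asset("customer portal", "sensitive", internet_facing=True, unpatched=True, records=5_000),
    Asset("hr records db", "regulated", unpatched=True, records=36_000),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_REGISTER):
        print(f"{name:16s} score={score:2d}")
```

The point of the exercise is less the arithmetic than the discipline: every asset must carry a classification before it can be scored, the unpatched and internet-facing flags force the department to state what it knows about exposure, and the ranked output gives leadership a list to act on rather than a feeling.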
The common thread in most organizations’ security journeys is that there’s no formal system for identifying risks; that danger can be mitigated by having strong processes and a governance model in place.
To support your business processes, you’ll need technology — but be careful not to think of it as a panacea for cyber attacks, as technology can be another weak point in your organization. Last year’s Equifax breach saw hackers successfully gain access to sensitive data that put more than 143 million Americans and hundreds of thousands of Canadians and Britons at risk by capitalizing on a weak spot in the company’s website.
Implementing the latest and greatest cybersecurity system isn’t going to protect your company if your staff can’t properly manage it. The problem many businesses currently face relates to information security risk management. Anton Chuvakin, research VP and distinguished analyst at Gartner’s GTP Security and Risk Management group, recently explained on the Gartner blog that a lot of security technologies are “misconfigured, not configured optimally, set to default or deployed broken in myriad other ways. And it is rather the norm, not the exception!”
When companies rely solely on security technology to protect them, they often end up layering on more software without stopping to consider whether they’ll be able to manage it all. In that situation, legacy systems are ignored and security updates lag. Additionally, employees aren’t likely to be equally proficient in every technology, opening the door to malware and ransomware attacks. All of this creates situations that hackers are more than happy to exploit.
It’s absolutely important to buy the right technology. But think of it like this: Mastering a craft requires 10,000 hours of experience, as famously noted by journalist and author Malcolm Gladwell. If you’re using three brands of firewalls, you’re expecting your staff to put in 30,000 hours of work. Instead of layering on more tech, start with the right solutions and mix in aggressive management from your CIO, CTO and COO. Your tech portfolio should always be right-sized for your company.
The weak points in your organization can come in many forms and span departments, but that doesn’t mean they can’t be fortified effectively. Adopting this three-pronged cybersecurity strategy will help you keep sensitive data safe so you can turn your attention to where it belongs: your customers.