Cybersecurity: Identifying your weak points before they get hacked
Across industries and around the globe, businesses are fighting to keep hackers at bay. Cybercrime is spreading at an alarming rate, with online security firm Norton reporting that more than half of all consumers have experienced a cybercrime to date. For brands, the cost of a data breach averages nearly $3.9 million, according to IBM. Worse, the cost of the average data breach is on the rise.
Despite the statistics, an attack on your company isn’t inevitable. By taking a three-pronged approach that focuses on people, processes and technology, organizations can identify vulnerabilities and take action to prevent irrevocable damage.
As much as we’d like to think all cybersecurity threats are external, the fact is that employees often inadvertently put companies at risk. Their actions are rarely malicious; data breaches are often a case of people acting in good faith being manipulated by unethical and criminal minds. Still, a lack of employee knowledge about cybersecurity can leave your business open to attacks.
Phishing and its various forms are a growing concern for companies looking to protect their critical data. According to CSO Online, phishing attacks account for more than 80% of reported security incidents. If successful, these attacks can expose customers’ personal information, ranging from addresses and birth dates to Social Security numbers.
The best way to mitigate employee risk is by building a company culture that puts cybersecurity and communication first. Hire employees you can trust, and make privacy and security training an ongoing effort that’s mandatory for all. Promote awareness campaigns that teach your workers the difference between spear phishing (targeting high value victims and/or companies), clone phishing (fraudulent emails that replicate legitimate corporate documents) and whaling (targeting top executives) so they can spot suspicious activity and know what to avoid. Encourage communication between team members and IT, and as a company leader, hold yourself accountable if someone fails to keep your organization secure.
The more you prioritize security, the more ingrained it will be in your company culture.
Companies don’t always take business processes into consideration when assessing cybersecurity policies and working to discover vulnerabilities — but they should. Your business processes are what protect your company against cybercrime if your people let a hacker slip through the cracks.
This aspect of your operation goes hand-in-hand with corporate governance, and it encompasses everything from how you identify risk, to how you choose to manage it. Establishing robust and effective processes isn’t something that can be done overnight. It’s easy to rely entirely on technology as a barrier to attacks, but it takes more than software alone to protect you.
Work to implement company-wide cybersecurity best practices, like classifying information assets as public, internal, sensitive, regulated and so on. Assess the impact that each kind of attack or data breach could have on your organization. Get every department into the habit of assigning cybersecurity risk scores so the potential outcome of your employees’ decisions is always top of mind for them.
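As an added illustration of the classification and risk-scoring habit described above (example code, not part of the original article): the classification tiers and attack kinds come from the text, while the numeric weights, the likelihood-times-impact formula and the sample asset register are assumptions constructed for this example.

```python
# Added example: a minimal asset-classification and risk-scoring register.
# Tiers and attack kinds follow the article; the weights and the
# likelihood x impact formula are assumptions, not a published standard.
from dataclasses import dataclass

# Classification tiers from the article, mapped to an assumed impact weight (1-4).
IMPACT_BY_CLASS = {"public": 1, "internal": 2, "sensitive": 3, "regulated": 4}

# Attack kinds the article names, with an assumed baseline likelihood (1-5).
LIKELIHOOD_BY_ATTACK = {"phishing": 5, "malware": 3, "ransomware": 3,
                        "misconfiguration": 4}


@dataclass
class Asset:
    name: str
    classification: str
    owner_department: str
    exposed_to: tuple  # attack kinds this asset is realistically exposed to


def risk_score(asset, attack):
    """Likelihood x impact on an assumed 1-20 scale; rejects unknown labels."""
    if asset.classification not in IMPACT_BY_CLASS:
        raise ValueError(f"unknown classification: {asset.classification}")
    if attack not in LIKELIHOOD_BY_ATTACK:
        raise ValueError(f"unknown attack kind: {attack}")
    return LIKELIHOOD_BY_ATTACK[attack] * IMPACT_BY_CLASS[asset.classification]


def risk_level(score):
    """Bucket a score so every department reports on the same scale."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def register_report(assets):
    """Worst-case attack per asset, sorted so the largest exposure comes first."""
    rows = []
    for a in assets:
        attack, score = max(((k, risk_score(a, k)) for k in a.exposed_to),
                            key=lambda kv: kv[1])
        rows.append((a.name, a.owner_department, a.classification,
                     attack, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed sample register (not real data).
SAMPLE_ASSETS = [
    Asset("customer-db", "regulated", "finance", ("phishing", "ransomware")),
    Asset("marketing-site", "public", "marketing", ("malware", "misconfiguration")),
    Asset("hr-wiki", "internal", "hr", ("phishing",)),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_ASSETS):
        print(row)
```

The register output gives each department a single, comparable number per asset, which is the "risk score" habit the paragraph recommends.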
The common thread in most organizations’ security journeys is that there’s no formal system for identifying risks; this danger can be mitigated by having strong processes and a governance model in place.
To support your business processes, you’ll need technology — but be careful not to think of it as a panacea for cyber attacks, as technology can be another weak point in your organization.
Implementing the latest and greatest cybersecurity system isn’t going to protect your company if your staff can’t properly manage it. The problem many businesses currently face relates to information security risk management. Anton Chuvakin, research VP and distinguished analyst at Gartner’s GTP Security and Risk Management group, explained in a blog post that a lot of security technologies are “misconfigured, not configured optimally, set to default or deployed broken in myriad other ways. And it is rather the norm, not the exception!”
When companies rely solely on security technology to protect them, they often end up layering on more software without stopping to consider whether they’ll be able to manage it all. In that situation, legacy systems are ignored and security updates lag. Additionally, employees aren’t likely to be equally proficient in every technology, opening the door to malware and ransomware attacks. All of this creates situations that hackers are more than happy to exploit.
It is important to buy the right technology. But think of it like this: mastering a craft requires 10,000 hours of experience, as famously noted by journalist and author Malcolm Gladwell. If you’re using three brands of firewalls, you’re expecting your staff to put in 30,000 hours of work. Instead of layering on more tech, start with the right solutions and mix in aggressive management from your leadership team. Your tech portfolio should always be right-sized for your company.
The weak points in your organization can come in many forms and span departments, but that doesn’t mean they can’t be fortified effectively. Adopting this three-pronged cybersecurity strategy will help you keep sensitive data safe so you can turn your attention to where it belongs: your customers.