Major data breaches like Facebook, Yahoo or Google clearly represent high-value targets for hackers, but this shouldn’t lull smaller companies into thinking their data is immune from bad guys. What if a ransomware attack shuts down your ecommerce site, contact centers and warehouse operations, leaving you dead in the water?
Insurance giant Marsh & McLennan and IBM surveyed 1,141 executives from small to mid-sized organizations across North America and found that while they’re clearly concerned about cyber risk, they fail to grasp how to protect themselves. While admittedly both companies are selling solutions to cyber crime issues, we feel they highlight some very real problems. Let’s look at some of the conflicting responses:
ON ONE HAND:
- Almost 60% said they consider cyber crime to be one of the top five risks they face
- 78% said they were highly or at least fairly confident their organization could manage and respond to a cyber attack
- 82% said they were highly or at least fairly confident of their ability to understand and assess a cyber attack
ON THE OTHER HAND:
- Only 18% said they had developed a cyber incident response plan
- 34% said they had conducted a cybersecurity gap assessment
- 36% said they had implemented a plan to train employees to recognize phishing emails
- 23% said they had conducted penetration testing of their online defenses
The Marsh/IBM survey found that if a company with sales of up to $50 million experienced a data breach it could cost up to $10 million. Obviously, breaches of this magnitude can cripple or shut down a business.
The risk is difficult to understand and deal with because of the advanced technology and the changing cyber risk landscape. IT professionals need management support and budget to address the risk, and management needs to understand it better. Let’s look at some of the key considerations in a strong cyber strategy.
Conducting a Cyber Security Risk Assessment
Has your company done this over the last two years? This process identifies issues of people, processes and technology; analysis and evaluation of the risks and the likelihood of occurrence; and proposes risk mitigation solutions. There are many self-assessment tools available. However, given the risk, the potential loss and the difficulty in understanding the technology, an objective, external assessment might be money well spent.
Make Changes in the User Environment
Usernames and passwords are keys to the castle. Using default passwords, similar passwords and not changing passwords on a regular basis creates security problems. Password strength is greatly improved when customized to each unique user with multiple numbers, case-sensitive characters and special characters.
Companies should provide training aimed at raising the awareness of phishing as a common weapon of cyber criminals. One of the biggest causes of data breaches is employees who haphazardly click on suspicious links or download attachments from phishing emails. Training that includes simulation and testing of online responses and practices can be useful.
Also bear in mind that public wifi sites are generally not secure. With daily use of laptops and mobile devices, risks of bringing in viruses and cyber threats has grown exponentially.
Conduct Penetration Testing
The cyber criminal is constantly testing your networks and defenses every minute of every day. If you don’t think so, ask your network administrator how much junk mail, viruses and malware is detected and stopped daily. As the Marsh/IBN survey found, only 23% of respondents said they do penetration testing.
Create a Cyber Crime Incident Response Plan
As the survey showed, only 18% said they had a cyber incident plan. What do you want employees to do when they think they have a virus or malware? In our mind it’s like a fire drill or an emergency plan. What is the plan for reporting and dealing with this threat?
Encrypt Key Data Assets, Especially From Customers
If a customer’s information is compromised in any way, the consequences are catastrophic. PCI/DDS regulation and enforcement in the ecommerce industry, while coming with a high cost, provides greater protection of customer payment and financial information.
How should encryption of data be extended across all your digital assets? What will an objective cyber assessment deem worthy of further protection (intellectual property, financial, bank and tax return records, HR and employee data)?
These are only a few of the critical considerations involved in evaluating cyber crime threats. The risk will continue to accelerate as we become more reliant on advanced technology. Continued assessment of the risk, response plans and security protocols are essential.
Brian Barry is President of F. Curtis Barry & Company