According to the Ponemon Institute’s 2017 Cost of Data Breach research, the average data breach has a total cost of about $3.62 million. But while the numbers and increasingly high-profile successful cyber attacks in the news sound scary, many people seem to think that data breaches are events that happen to other companies, not theirs. The truth is, cyber attacks can happen to anyone. Over five million data records are lost or stolen every day, and over 37% of US businesses are at high risk of an attempted attack. So, if cyber security is something you should be concerned about, what can you do?
WHAT IS CYBER SECURITY?
At its most basic definition, cyber security is the practice of ensuring the confidentiality, integrity, and accessibility (commonly known as the CIA triad) of data and information.
Confidentiality: The creation and enforcement of authorized restrictions on access to and disclosure of private information, such as personal and proprietary data.
Integrity: The enforcement of safeguards against the unauthorized or improper modification or destruction of information. This includes verifying accuracy and authenticity.
Accessibility: The assurance and maintenance of reliable and timely access to information.
These three attributes make up the core goals of all cyber security efforts, and every action taken towards more secure data can be linked to one or more of the triad.
Cyber security should be a top priority for all businesses that work in connected spaces, whether that means a basic internet connection or an expansive private network. Not only is poor cyber security a bad business practice, it also falls on organizations to protect themselves, their employees, and their customers from misuse of private information in a world where data is more public than ever.
While cyber security addresses much more than malicious attacks, cyber crime tends to take up a lion’s share of the topic’s press coverage. Attacks can range from relatively simple programs that are easy to execute to sophisticated network breaches, but regardless of how the attack is carried out, a successful breach can be devastating. Here are some of the most common forms that cyber attacks take:
- Malware: A favorite tool in a cyber criminal’s shed is malware, which can refer to a wide variety of harmful software. Many forms of malware, including viruses and ransomware, can allow the attacker to take control of the infected device, monitor actions, and access, send, and delete data. Usually, malware is installed on a device unwittingly by an authorized user via deceptive practices, such as disguising the executable file as a document or PDF attachment in an email.
- Phishing: Phishing goes hand-in-hand with malware, as they often rely on one another to do real damage. In order to get you to download and install malware, attackers know they have to give you the motivation to do so, and will send fraudulent emails or messages that look like they’re from trusted sources. Besides acting as a vehicle for malware, phishing is also used to gather account and password data for websites by directing viewers to a lookalike website and collecting the entered information. Be wary of anything that seems “off” about an email, such as strange grammar, URLs you don’t recognize, and requests for your password.
- SQL Injection Attack: Structured query language, or SQL, is a programming language for communicating with databases. Many website servers that store critical website information use SQL to manage that data. Similarly to XSS, SQL injection attacks insert malicious code into a website, but rather than targeting visitors, they target the website itself, getting the server to give up information stored in databases such as user and company information.
- Credential Reuse: How many applications and websites do you have logins for? If you’re like most web users, probably too many to count. It’s tempting for people to reuse login credentials (username and password) to make memorizing accounts easier, but doing so puts you at risk of giving up access to some or all of them if a single account is compromised. Attackers rely on web users’ tendency to reuse passwords and can gain access to high-security platforms such as online banking by gathering data from a less-secured website, such as a hobby forum.
- Denial-of-Service: When a website or application is inundated with more traffic than its server can reasonably handle, it becomes practically impossible to access. Called Denial-of-service, or DoS, attacks, this phenomenon can happen normally, like if a highly-advertised promotion for an online store goes live and the site stops loading. However, DoS attacks can also be malicious, and businesses and organizations can be massively impacted by the loss of revenue and reputation. In some cases, when the traffic is caused by many computers at once, the attack is called a DDoS, or distributed denial-of-service, which makes it harder for network administrators to determine the source.
Another term commonly associated with cyber security and attacks is “data breach,” which has been on the minds of many after years of large-scale breaches associated with big brands and companies such as Equifax, Yahoo!, and Target. The term refers to any instance where confidential and secure data is accessed and either lost or stolen. While it’s commonly associated with cyber attacks, a data breach does not necessarily entail hacking or other methods of digital access. For example, a data breach could occur because of a database malfunction which deletes a section of information, or because an authorized user left information unattended. As such, data breaches and cyber attacks are deeply connected, but not directly analogous. Both, however, are addressed through cyber security solutions.
Areas of Focus
In the digital, connected world that we live in, information and data make up so much of our environment that our points of access are nearly impossible to quantify. But for organizations and businesses, a cyber security strategy should target several key areas of focus for optimal coverage:
- Network Security: Many companies and organizations utilize private networks to allow information to be transferred within the organization more securely. Because of this, networks both public and private are common targets of cyber attacks. A good starting point is ensuring that adequate access controls, such as extra logins, are in place, and that credentials are not being shared.
- Cloud Security: Businesses large and small are moving databases, applications, and more to the cloud, but don’t make the mistake of conflating cloud instances with security. Many cloud providers are consistently making improvements to their security practices, but some are not, and distinguishing between good and poor security responses is critical when making the move.
- IoT/Connected Device Security: These days, connected devices can mean anything from your smartphone to your refrigerator as tech designers and manufacturers add more functionality to everyday utilities and change what we think of as “smart.” Collectively known as the Internet of Things (IoT), as long as they’re connected to a network, these devices are avenues for entry. Many successful business cyber attacks find their way in through a connected device such as a security camera or printer, which creates unique challenges for cyber security.
- Application Security: Often abbreviated as AppSec, application security is one of the most important areas of focus for overall cyber security because it’s one of the weakest points of attack. Proprietary web applications are often developed with the intent of getting them usable and productive as quickly as possible, prioritizing business goals over secure development practices. The best way to ensure application security is to begin during development – after that’s completed, the task becomes harder to manage.
With all the possible attacks and entry points, getting started on better cyber securitycan seem like an impossible task. But the worst course of action is inaction, especially when 2017 saw a record 1,579 confirmed data breaches that affected US businesses and customers. Every little effort helps towards creating a more secure digital environment for your organization. Here are five strategies to get you started:
Quick-Start Security Strategies
- Passwords: Among the first things that most people learned about the internet and cyber security is the importance of a secure password, with tips over the years ranging from unique word combinations to an assortment of letters and characters. But there’s more to securing your passwords than just making them harder to guess. Create a password policy for the entire company that includes guidelines for how to create a secure password, how often to change your password, and strict prohibitions on sharing passwords and accounts.
- Multi-Factor Authentication: While most people are familiar with two-factor authentication, there are actually multiple factors that can be used to verify authorized access to an account – hence the name. These can be used in various combinations and include knowledge (something you know, such as a password or PIN), possession (something you have, such as a phone or ATM card), or inherence (something you are, such as voice, fingerprint, or facial identification). Many applications and services are encouraging two-factor authentication at a minimum, and it should be enabled wherever possible for enhanced security.
- Email Encryption: Email occupies a strange space in the business world; many organizations are moving to instant messaging for day-to-day communications, yet email remains critical for external communication and in some cases, moving files. Unfortunately, email is far from secure, and most email attachments are attractive data breach targets. To make email as secure as possible, set up an easy way for employees to encrypt and decrypt attachments, as well as systems to delete or deny access to the email after a certain amount of time.
- WiFi Security: Most ISPs today make it easy to secure your wireless network at setup, but some organizations still used unsecured connections. All company business should take place on a secure internet connection, and no one but employees should be able to access it. If you need to provide a connection for guests, visitors, or temporary workers, a separate open network should be used. For additional security, you can hide your wireless network from discovery by outside devices.
- Device Policy: More companies have begun to embrace bring your own device, or BYOD, policies that allow employees to work from personal phones, laptops, and tablets. While such policies can improve employee morale and save money on company-owned devices, they do pose a security threat. On a company device, unsafe internet browsing and file downloads can be controlled, to some extent. But on a personal device, off-hours use isn’t monitored, presenting a risk of breach. Set and enforce a policy outlining expectations for devices, personal or company-owned, including locking the device and changing the account password, protocol for wiping the device should it be lost or stolen, and employee compliance with cyber security best practices.
MITIGATING LONG-TERM RISK
While implementing these quick-start strategies in your organization can help to safeguard against opportunistic attackers, mitigating long-term risk requires more in-depth planning and investment in cyber security.
Create a Formal Data Security Protocol
Depending on what types of data you store and where you store it, a formal data security protocol or procedure for your business may look different than those in other industries, or even other companies in your industry. To evaluate what should be included in your company’s data security protocol, start with these questions:
- Do the employees of your company use personal devices for work? If so, is company data stored on those devices?
- Are personal devices used for personal use while connected to company infrastructure, such as internet networks?
- Are employees permitted to access company data when not connected to company infrastructure?
- Does your company have a plan in case of lost or stolen devices, such as computers, laptops, or phones?
- Does your company have software or tools for monitoring networks for unauthorized access?
And finally, one of the most important questions is, “What steps will the company take in case of a breach?” We’ll cover this later in this guide.
Secure Cloud Applications
Cloud applications are frequently more secure than their on-premise software counterparts – if the manager of the cloud makes them so. When you’re using and executing applications from the cloud, you need to be sure that your cloud provider is trustworthy and is ensuring up-to-date security measures. From physical server location security to updating drivers, cloud providers need to be mitigating risk, too. And, as always, access is key: while easy access to a cloud application may be important for your employees or customers, making it too easy leaves the door open for malicious attackers. Secure access to any proprietary or third-party cloud applications that are used for your business.
Hire a Security Specialist
One of the main issues in wide-scale awareness and adoption of cyber security best practices is the lack of growth in the pool of data security experts. Whether it’s too difficult to learn, or IT professionals don’t have enough incentive to make the switch from their established specialty, not enough people are going into the cyber security field, meaning candidates for this much-needed position are in high demand. Yet without a security specialist, evaluating your business’s security needs is difficult, and it’s easy to miss a vulnerability.
In response, businesses have turned to outside expertise rather than investing in a new hire of their own. The “as a service” industry has boomed, with everything from everyday maintenance and IT support to software being sold as a subscription. Many managed service providers have recognized the gap in the availability of security expertise, and specialists at these companies are able to offer help to many businesses rather than just one.
Change Your Company Culture
Company culture is most easily described as the personality of your company – and when your company has a culture of cyber security, implementing security strategies large and small becomes easier and more effective. But like a personality, changing a company’s culture is no small feat. Training and informing employees about the need for cyber security is a good first step, but change needs to be wider-reaching than just knowledge.
For instance, how people act and speak can actually leave the company vulnerable to a data breach. If two coworkers decide to take a work meeting out to lunch and discuss sensitive customer information, that conversation can be overheard, and the information used. If someone leaves an important document on the copier while they take a phone call, that document is then vulnerable to unauthorized access. Data security doesn’t all take place in digital spaces, and getting employees onboard with security measures means changing their attitudes, not just raising awareness.
Establishing a culture of cyber security will look different in every company, but some examples of effective strategies are:
- Making cyber security training part of new employee onboarding
- Including cyber security news in a company newsletter or bulletin
- Providing intuitive security tools and software for employees with less experience with or knowledge of technology
- Getting employees involved with surveillance and reporting of suspicious network activity
- Regular policy reviews and training refreshers
WHAT TO DO AFTER A BREACH
A successful cyber attack does not always mean a failure on the company’s part – technologies and innovations on both the attacking and defending sides are always evolving. But once a breach does occur, the company’s response could be the difference between rebuilding and bankruptcy. Here are some places to start:
- Assess extent of data breach. How many files were stolen, one hundred or one hundred thousand? By knowing the extent of the breach, your response will change.
- Determine the point of entry. How did the attacker gain access to your company’s data? Did an authorized account get used by an unauthorized user, or in a peculiar way? And remember: not all data is digital. If an important file gets stolen, it may be your building security, not cyber security, where you have a vulnerability.
- Inform victims of lost or stolen data. Some of the highest-profile breaches in the past few years have devastated companies’ reputations because they attempted to cover up the incident. Informing victims, whether they be employees, partners, or customers, can help them protect themselves against adverse effects.
- Provide information about next steps. Of course, no one wants to be the one who admits to making a mistake, but being honest with victims of a breach is just the first step. Providing them with information on how to protect themselves can help you salvage your reputation.
- Create a plan for how to address gaps in security. Finally, prevent a repeat breach by creating a detailed plan to address the incident. Once a vulnerability has been exploited, leaving it vulnerable increases the likelihood of a repeat attack.
By creating a plan to address your organization’s cyber security needs, you’re taking an important step towards safer, more responsible digital business practices. Cyber security has become a necessity in today’s connected business world, and as technology becomes more integrated with our everyday lives, it’s critical to be prepared for the challenges of today and tomorrow.