This October, like every October now, is National Cybersecurity Awareness Month – an ongoing effort by government and industry to raise public awareness of cybersecurity and to safeguard the online activities of constituents. This, along with many other efforts and programs over the last few decades, represents one tactic in the battle against cybercrime – one that pits governments, businesses, law enforcement and information security professionals against cyber criminals.
Worldwide spending on cybersecurity has already exceeded $100 billion, according to the research firm IDC. The issue therefore commands enormous industry attention, and organizations have been increasing their cybersecurity budgets.
And yet, given all this attention, barely a few days go by before we hear of another multinational, local government, or small business that has fallen victim to a cyberattack or data breach.
Cybercrime Is Here to Stay
Unfortunately, we will continue to live in this reality for the foreseeable future. As organizations invest in digital technology and more individuals and “things” get connected to the internet, the opportunity for cybercriminals is enormous. There is no shortage of bad actors to perpetrate these crimes, whether they be nation states, business competitors, or hackers with malicious intent. Often, the very lucrative incentives associated with this type of activity are the biggest draw.
Small Businesses Especially Are At Risk
In an article by CNBC,
- More than half of all small businesses suffered a breach within the last year
- These incidents cost small businesses $200,000 on average … with 60% of them going out of business within six months of being victimized
Small businesses, and other organizations, such as local government and non-profits, that may not have the luxury of dedicated resources remain attractive targets for cybercrime. In some instances, these entities may not even have been targeted for the crime, but just got caught up in a large-scale phishing campaign.
Finally, some organizations continue to treat cybersecurity as a technical issue that is the realm of the IT staff. This is misguided. Cyber risk is a business risk and should be evaluated as such. The potential for damage to operations and to the brand name is so large and real that everyone has a role to play in ensuring the security of the organization.
Strategies for Addressing Cybersecurity
Depending on the size and scope of the organization, there are many large and well-accepted security programs and regulations available. NIST and ISO 27001/27002 are two of the more popular security frameworks. Further, compliance requirements such as PCI DSS, HIPAA and now GDPR also ensure that organizations meet minimum standards for data protection.
The Center for Internet Security published v7.1 of its CIS Controls, which now include recommendations for organizations of different sizes. These 20 controls are a set of best practices that serve as a foundation for a solid cybersecurity program.
For smaller organizations that don’t have a cybersecurity program yet or don’t know where to start, the following recommendations should get you started and afford some basic safeguards.
Basic Recommendations on Cybersecurity
- Develop a cybersecurity plan. The format isn’t as important as the discussions that go into it. The exercise of identifying and documenting risks and mitigating actions will help you be better prepared for various scenarios.
Include: what technology your business depends on, what the impact of inaccessibility or data loss would be, and which partners you can call for help in an emergency. This information can eventually feed into your business continuity plan.
- Ensure that all your computing devices and software applications are being updated with the latest security patches. Cybercriminals continually monitor vendor notices for vulnerabilities that have been recently fixed and leverage this information to target tardy organizations.
- Have anti-malware (or at least anti-virus) software active and updated regularly on your computing devices.
- Back up your data (and test recovery). This has always been sage advice (equipment will fail at some point), but it is even more important with the threat of ransomware. This holds even if you use “cloud storage.” Unless you’re paying for a specific backup service, cloud vendors are not going to maintain copies of your data for you.
- Evaluate the password policy for yourself and your employees.
– Use passphrases instead of a hard-to-remember string of characters and numbers.
– Use different passwords for different uses (there are many password managers to help with this).
– Use 2-factor or multi-factor authentication if at all possible.
- Provide security awareness training.
This training has to include everyone, and it has to be periodic (and sustained).
Cybercriminals target the human layer because in many cases it’s easier to breach than the extensive technical fences an organization has invested in. The largest breaches (Target, Sony, Equifax) involved some form of social engineering, and of these, phishing is the most common.
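The backup recommendation above ends with “test recovery”, and that test is the part most organizations skip. The following is an added example, not code from the original article, showing what such a drill looks like in Python: it archives a constructed sample directory, writes a manifest of SHA-256 digests, restores the archive into a separate scratch directory and compares every file, and it also shows that an archive altered after the manifest was written is rejected before anything is extracted. All paths, file names and file contents are constructed for the demonstration; nothing here talks to a real cloud or backup service.

```python
"""Backup-and-verified-restore drill on constructed sample data.

Added example (not from the original article): archive a directory, record
digests, restore elsewhere and prove every file came back byte-for-byte.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, vault: Path) -> Tuple[Path, Path]:
    """Write source into vault/backup.tar.gz plus a manifest of expected digests.

    The manifest is what lets a later restore be judged even after the live
    data has been encrypted or deleted, e.g. by ransomware.
    """
    archive = vault / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest = {"archive_sha256": sha256_file(archive), "files": snapshot(source)}
    manifest_path = vault / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path, restore_dir: Path) -> dict:
    """Restore into an empty directory and compare the result with the manifest."""
    manifest = json.loads(manifest_path.read_text())
    result = {"ok": False, "archive_intact": False,
              "missing": [], "corrupted": [], "unexpected": []}
    result["archive_intact"] = sha256_file(archive) == manifest["archive_sha256"]
    if not result["archive_intact"]:
        return result  # the archive itself was altered; do not trust its contents
    # The 'data' extraction filter (Python 3.12, backported to 3.8.17+) refuses
    # members that would escape restore_dir; older interpreters fall back to the
    # default behaviour, acceptable here because we built the archive ourselves.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **extra)
    expected, restored = manifest["files"], snapshot(restore_dir)
    result["missing"] = sorted(set(expected) - set(restored))
    result["unexpected"] = sorted(set(restored) - set(expected))
    result["corrupted"] = sorted(f for f in expected
                                 if f in restored and restored[f] != expected[f])
    result["ok"] = not (result["missing"] or result["corrupted"] or result["unexpected"])
    return result


def _seed(live: Path) -> None:
    """Create constructed business files standing in for the data being protected."""
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "invoices.csv").write_text("invoice,amount\n1001,250.00\n")
    (live / "customers.db").write_bytes(os.urandom(4096))


def run_drill(tamper_archive: bool = False) -> dict:
    """Back up, wreck the live copy, restore elsewhere and report the comparison.

    With tamper_archive=True a byte is appended to the archive after the
    manifest was written, modelling a backup medium that was altered; the
    digest check must catch that before any extraction happens.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live, vault, scratch = Path(tmp, "live"), Path(tmp, "vault"), Path(tmp, "restore")
        _seed(live)
        vault.mkdir()
        scratch.mkdir()
        archive, manifest = make_backup(live, vault)
        # Simulated ransomware: the working copy is overwritten after the backup ran.
        (live / "customers.db").write_bytes(b"ENCRYPTED" * 16)
        if tamper_archive:
            with archive.open("ab") as f:
                f.write(b"\x00")
        return verify_restore(archive, manifest, scratch)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(tamper_archive=True), indent=2))
```

The point of the manifest is that the digests are recorded at backup time, in the vault rather than beside the live data, so a restore can be judged on its own terms even when the originals are gone; the restore always goes into an empty scratch directory so a drill can never overwrite the data it is meant to protect.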
Moving From Cybersecurity to Cyber-Resiliency
Much of the emphasis in the last few decades has been on the prevention of cybercrime – i.e., keeping the “bad guys” out. But, judging from the reported breaches and the evolution of threats, many of these prevention techniques may not be enough. Thus, there is now a trend towards “cyber-resiliency.” This fairly new concept goes beyond the protective focus of cybersecurity to also "defend against and limit the severity of the attacks, and ensure its continued survival despite an attack."