43 million. It’s a disconcerting statistic. According to an AT&T Cyber Security Insights report, that’s the number of known security incidents that businesses experienced in 2014 – a 48% increase from 2013.
Data breaches seem to be a daily occurrence. It’s easy to become desensitized. However, National Cyber Security Month (October) is focused on raising awareness of cybersecurity threats. It also aims to enhance cyber protections and prepare the next generation of cyber professionals.
So, it’s perplexing that organizations are subjected to data breaches at such a high rate. But then again, perhaps it’s not so surprising based on three more findings that came out of the Cyber Security Insights report:
- Nearly 75% of businesses don’t engage all of their board of directors in the process of addressing cybersecurity issues.
- In the aftermath of high profile data breaches, approximately 51% of organizations still don’t reevaluate their information security practices and systems.
- Roughly 78% of all employees don’t follow their organization’s security policies and procedures.
We can’t bury our heads in the sand any longer. Believe it or not, the cybercriminals are already onto the businesses and employees in the above categories.
A Problem that Isn’t Going Away Anytime Soon
There’s just too much opportunity for the cybercriminals. If you need further proof, consider these six ways organizations compromise their cybersecurity and how to address them:
- “We just invested in security technology upgrades.” Throwing money and technology at the problem simply won’t stop the threats. Organizations need to shift the focus from technology and money to people and processes. This idea is at the cornerstone of everything we convey to our clients – albeit one of the most challenging mindsets to change. But when our clients make the shift, it’s also one of the most cost-effective and successful steps in mitigating cybersecurity threats. The approach needs to be more holistic. It should start with a thorough risk assessment of your systems, policies, procedures and people. A qualified external professional can be an invaluable source in the crucial first step. Next is developing and deploying processes before your purchase new technology to more effectively run and monitor your security program. Equally important are your people. Assess their security knowledge and readiness. Determine a security chain of command and protocols. Institute and deploy a detailed training program for them. Again, an outside firm can be helpful with this aspect. After you’ve completed the first three steps, then analyze your current technology to determine and implement any necessary upgrades. Finally, routinely and consistently monitor, test and patch your system. It can be stressed enough.
- “We trust that our vendors have adequate security.” One word: Target. The retail behemoth trusted that its HVAC maintenance worker’s credentials (login and password) were secure. Turns out they weren’t and it cost Target approximately $252 million (so far) in insurance costs and breach-related operating expenses. Make sure you evaluate your vendors properly. Ask them about their cybersecurity policies, procedures and training. Ensure that they have adequate encryption, segmentation and tokenization. Make sure only those vendors that absolutely need access have it.
- “Our data wouldn’t be of value to anyone outside of the organization.” Really? Think again. Perhaps you don’t capture credit cardholder data. But intellectual property can be just as appealing to the cybercriminals. They’d like nothing more than to sell it on the black market or use it for other disruptive means. According to the Federal Bureau of Investigations (FBI) website, U.S. businesses lose billions of dollars each year as well jobs and tax revenues due to theft of intellectual property. Train employees to identify and avoid phishing tactics. In tandem, implement stronger spam filters on the company’s network. Ensure that malware software is up-to-date. It seems obvious but an astonishing number of organizations fail to regularly update it. Be vigilant in controlling access to sensitive data. Work with an outside firm to help identify vulnerabilities and/or manage your security program if you are unable to execute it internally. Develop a strong incident response plan. Rehearse it regularly and ensure that employees are trained adequately for it.
- “Our organization implemented a security program a few years ago and we haven’t had any problems to date.” Are you sure? A 2014 Mandiant report, “MTrends: Beyond the Breach” found that just 31% of breaches were self-detected by the organizations. The average length of time a breach went undetected was 205 days in 2014. It’s why a yearly assessment of your security program is essential. These statistics also support the need for regularly monitoring, testing and patching. Otherwise, how would you know if your organization was breached? A 2014 Ponemon Institute data breach preparedness study found that 43% of companies surveyed were victims of a breach in the previous year. 27% lacked a data breach response plan and/or team. You must be proactive. It’s the only way you stand a chance of staying one step ahead of the cybercriminals.
- “We’re PCI-compliant, so we don’t have to worry about a breach.” We hate to break it to you but PCI compliance isn’t a silver bullet against cyber threats. A 2015 Verizon Compliance report revealed that out of hundreds of large businesses throughout the world, just 20% were fully PCI-compliant. Of those, only 28 percent were found to be fully compliant less than a year after full validation. Visit the PCI website for the latest developments and regulations. If it’s too time-consuming, confusing or daunting, engage a firm with expertise in this area. Either way, recognize that it’s just one aspect of your security program.
- “Our people are trained well enough.” Surprisingly, less than half of the Ponemon Institute’s 2013 respondents had a plan for addressing cyber attacks. Companies (82%) with highly effective security practices collaborated with other technology experts, such as the Information Sharing and Analysis Centers forums (ISACs), to better understand and deal with security and threat trends. The sooner that your organization recognizes that it can’t go it alone, the better. Banding together with other organizations, vendors, agencies and partners is a smart move. There truly is strength in numbers and those numbers are what help mitigate threats and improve cybersecurity programs across the board.
Make a commitment this month to shore up your cybersecurity program. Implement the above strategies and be consistent about following them. If it’s too much to handle internally or you don’t have expertise in one of the above areas, then consider an outside firm. They can detect trouble spots and provide actionable steps to mitigate your risk.
Don’t Put the Cart Before the Horse
Technology isn’t a cybersecurity be-all-end-all. If anything, relying solely on it can make your organization further complacent – leaving you even more vulnerable to a breach.
Shift your mindset from “one and done” to “steady wins the race”. Approach the problem in a holistic, consistent fashion. You’ll make it that much harder for the cybercriminals – now and in the future.
Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services.