How to Protect Your Business from a Cyber Attack (Part 1)
If there is one thing we have learned in recent years, it is that no one’s information is safe. With the CIA WikiLeaks and the Equifax breach, even the protectors of some of the nation’s most precious information are vulnerable. However, the risks that exist in the cyber realm are not much different than the risks that exist with driving a car. When an individual drives a car, there is always the potential to crash. After all, the National Safety Council estimated that about 40,000 people died in motor vehicle accidents in 2016. When an individual drives a car, they can take some precautions to limit the possibility of getting in an accident by driving defensively, sober, undistracted, and by wearing a seatbelt. The possibility of crashing still exists resulting from both controllable and uncontrollable actions and events, and could hurt many in the process, but the likelihood of that can still be minimized.
Computer and network security are the same way.
Hacks can and will continue to happen. The risk will always be there, but there is more that businesses can do to mitigate these risks. So, the Enlightened, Inc. cybersecurity team decided to address the current cyber climate in a recent Q&A.
What are the most common mistakes businesses make regarding computer and network security?
There are five common mistakes that businesses make when it comes to securing their computers and networks.
- The belief that compliance automatically equals security.
Depending on what industry a business operates in, there are certain security and information system frameworks that the business must adhere to. For example, healthcare providers must adhere to HIPAA laws, while financial sector companies are regulated by several policies such as PCI DSS. While these laws and frameworks are beneficial in guiding companies toward a better security posture, these guidelines alone are not enough to ensure that the company’s networks are completely secure. Businesses need to realize the importance of investing time and resources into going beyond the frameworks to follow best practices.
- Technology is not an end-all be-all.
Many companies will buy the best that technology has to offer in the hopes that it alone will solve any cyber issues they are currently struggling to alleviate. However, technology is not enough to protect a company’s networks and information systems. Resources should also go toward making sure that staff are properly trained, and that the policies and procedures are properly created and implemented to complement the technology in keeping a business secure.
- The assumption that they will not be targeted.
Small businesses especially are guilty of believing that since they aren’t Google, Amazon, or Uber, they will not be targeted by hackers. This thought process is dangerously inaccurate.
All businesses, regardless of size, contain items such as:
Human capital: personally identifiable information (names, addresses, phone numbers, social security numbers)
Financial capital: bank accounts and lines of credit
Proprietary capital: intellectual property such as source code, applications, theories, research, and other created products
These items are of value to hackers. Information such as human capital and proprietary capital can be sold on the dark web (or the normal web for that matter) to the highest bidder. Human capital can also be used by hackers to commit identity fraud. Finally, financial capital is used for financial gain. Unless there is a specific agenda, most hackers aren’t picky; anybody, including small businesses, can be targeted.
- Lack of investment
Making the proper investments in cyber security can seem like a daunting and expensive task. Technology purchases, training resources, and policy creation can require a large amount of time and financial resources. However, dealing with the after-effects of a security breach is a much more expensive task. Victims of a security breach may have to pay for things like forensic experts, compliance violation fines, legal counsel, other litigation fees, credit monitoring services, PR firm fees, cyber insurance, and other security expenses. Furthermore, depending on the severity of the breach, a business may not have the operational resilience necessary to continue normal operations, which may lead to the business having to close.
- Choosing efficiency over security
Sometimes, security takes extra steps that can seem to impede efficiency. Multi-factor authentication, for example, takes extra time because in addition to inputting a username and password, the user has to put in a third item such as a code that is sent to their phone or answer a security question. While adding extra steps to a process can initially appear cumbersome, these steps help to prevent successful security breaches. While a hacker may be able to get your username and password, they wouldn’t know the answer to your security question or receive the code that’s sent to your phone. Extra steps like these can be the difference between remaining protected and being breached.
What are the most common problems that businesses encounter?
- Policy and Procedure Gaps
When creating policies and procedures for cyber security, it is important to ensure that these processes are as comprehensive as possible. Security violations can occur due to employee mistakes that could have been avoided if properly defined in the policies or properly enforced in the procedures. The NIST 800 series and the SANS Institute are good resources for developing documentation for cyber security.
- Training and Awareness
In any information system, humans are the weakest link and the greatest vulnerability. It is extremely important that employees are aware of the common cyber issues and how to spot their indicators, that they know the common mistakes made by employees and how to avoid making them, and that they know what the reporting process is for incidents. Employees should receive regular doses of cyber information in the form of tips, trainings, and other interactive activities.
- Operational Resilience/Preparedness
Operational resilience is defined as the ability of an entity to prevent disruptions to the mission from occurring, continue to meet mission tasks if a disruption or incident occurs, and return to normalcy once the disruption is eliminated. Companies that don’t have an operational plan in place in the event of a security breach face the risk of going out of business. It is imperative that companies take the proper steps to be prepared for breaches so that they can continue meeting their obligations if a breach ever occurs.
- Misconfigurations
Having the latest technology is only useful if it is set up correctly. It’s hard to take full advantage of everything a given piece of software or device has to offer if it isn’t configured properly. Sometimes, misconfigurations can lead to gaps in the security coverage of a network or system, which can result in vulnerabilities that can be used by hackers to breach a company.
What have some of the most recent events (regarding data breaches) told us about how we are protecting our networks and information?
- Apathy is no longer an option.
An interesting observation that we have made regarding cyber security is that entities (whether they are businesses or individuals) don’t seem to care about cyber security until they become a victim. At that point, it is too late to care. Cyber-attacks are going to come; the best approach is to be prepared for when they show up on your networks and systems.
- We must train our people better.
Social engineering is quickly rising as one of the most effective ways of breaching a business. No matter what technology and antivirus/antimalware tools a business implements, they are rendered useless if an employee clicks on a link, or inadvertently shares their username and password with a hacker masquerading as a trusted party. Employees must be more cyber-aware: they do not necessarily need to become experts on the topic; however, it would be beneficial for them to possess basic knowledge about what is going on and how to stay protected.
- We aren’t doing enough, time to get creative.
The obvious message from all the recent hacks is that companies aren’t doing enough to protect their systems. Remember, no matter how secure your company may be, hackers only need one tiny vulnerability to breach the company and cause chaos in the networks. We cannot just implement security and forget about it. It requires regular maintenance and assessments to remain at its best. Another thing to remember is that hackers are always getting more sophisticated with the types of attacks that they use. In response, companies must become more creative and proactive in finding solutions to protect their systems and networks.