Cybersecurity, once considered an issue only for Fortune 500 corporations and government agencies, is now becoming a major concern for businesses of all sizes across the globe. Security breaches at companies like Sony, Target and Equifax highlight the serious consequences of cyberattacks.
But despite this ongoing threat, many companies are not doing enough to shield themselves and their customers against harm from hackers.
A 2018 Cyber Readiness Report, commissioned by insurance company Hiscox, noted that the majority of respondents ranked cyberattacks as among the top threats to their companies. Despite this, the study found that 73 percent admitted they were not adequately prepared to defend themselves against cybercrime.
These figures are especially worrisome given how rapidly hacking incidents are increasing. "Businesses can't afford to ignore cybersecurity," said Stacy Bertrand, manager of information security strategy and metrics for City National Bank. "It used to just be the big players that had cyber-related incidents, but now we're really seeing it at small and mid-sized companies and attacks seem to be increasing daily."
While the threat may seem overwhelming, there are many things organizations of every size can do to help avoid a security breach. Here are five of the best defenses.
"Security, including cybersecurity, is not just an IT department or a chief security officer issue; it's a company-wide issue," said Joel Bagnal, president and COO of Vericlave. As a former senior advisor to former President George W. Bush for cybersecurity and counterterrorism, Bagnal said he knows how important it is to ensure that people are working together to combat cyberattacks.
Unfortunately, not all employees in a business are going to be equally aware of what constitutes a hacking threat, which is why making sure your staff can recognize potential security issues is essential.
For example, educating your workforce about the dangers of email phishing (fraudulent emails that look legitimate but seek data or money) would be a huge first step in the right direction. "Phishing should be top priority for every company regardless of their size," said Bertrand. "We're seeing huge upticks in hackers using this method to get sensitive company information or ask for money transfers. Staff need to know what a 'phishy' email looks like and what they should do if they receive one."
Companies should consider implementing processes that allow employees to report suspicious emails and hosting a formal training program to educate employees on cybersecurity and develop awareness about the various ways attacks can occur.
Training can provide employees with the knowledge to identify red flags. For example, an email might appear as if it is coming from someone you know, but if you look closely at the email address, you might discover that it's slightly or even completely different from that person's actual email address.
If you suspect that an email you receive is out of the norm in any way, simply verify it with a second source. Give the person a call or talk to them in person to confirm that they sent the original communication.
Providing employees with awareness of these types of tactics and the knowledge they need to handle the situation can help avoid cyberattack attempts. If a phishing event has previously happened within the company, develop a process to share the email details — what did the email want and who did it look like it came from — with employees who could be affected in the future.
Top-of-the-line security software, including firewalls, network breach detection utilities, and anti-virus and malware protection, is indispensable as a shield against cyberthreats. To thwart sophisticated hackers, however, organizations must make certain their software can keep up with evolving threats.
"Cybersecurity is never a single tool or policy to protect your company's assets," said Bagnal. "Testing the system and refining tools and processes to ensure you're improving your cybersecurity profile is critical to ensure the threat doesn't adapt and leap over your tools."
Proper password protection also plays a key role in system security. As much as we all hate constantly updating and memorizing lengthy new passwords, it's one of the best ways to protect individuals and businesses against cyberthreats.
"As basic as it sounds, having a complicated password that people aren't going to crack very easily is extremely important," said Bertrand. "And don't share passwords. We find a lot of IT groups often share the same password, one that grants them elevated access to sensitive data. Being even a little more secure with passwords could prevent a lot of cyberincidents."
While prevention is always the goal, it's vital to have a detailed plan in place for staff and management to follow in the event of a successful cyberstrike.
"Companies should have an incident response plan," said John Gomez, chief executive officer of Sensato Cybersecurity Solutions. "They need a dynamic, living plan that addresses every vulnerability with probable attack scenarios and a detailed response protocol. It sounds like a lot of work, and it is, but how do you expect your staff to know what to do if it's not clearly outlined for them? Staff need to be familiar with their own responsibilities in the event of an IT security breach."
To be effective, cybersecurity procedures don't have to be overly detailed and complicated. For smaller companies with fewer staff and less complex IT systems, Bertrand noted that even a simple preparedness plan is helpful. It can be as straightforward as a one-page document that tells employees which company member oversees shutting down the organization's critical infrastructure or what third-party experts to call if a network is compromised.
Whenever a request comes through to provide sensitive personal or financial information, click a link, download a file or send money, always verify that the request is legitimate by confirming it with a second source, Bertrand said.
If you received an email, for example, asking you to click a link to see tracking details of a package, but you know nothing about the package, pick up the phone and call the person or organization you believe is sending the email and ask them to confirm that they did in fact send it. This is a simple practice that should be followed by everyone within a company to avoid potentially costly mistakes.
Of course, while a plan is an excellent start, in a real-world incident, a strategy is only successful if it can be properly implemented as quickly as possible.
"It's human nature to file and forget a plan," said Gomez. "That's why I strongly recommend businesses conduct organization-wide incident response training like the type of disaster response drills that fire departments or the police use. These drills build muscle memory so precious time isn't lost and staff and managers get to test out the protocols and procedures outlined in the plan and participate in a debriefing to discuss what worked and what still needs improvement."
Another way for a business to prevent the corruption or theft of critical data is to divide the computer networks in order to limit loss in the case of an attack. In this way, critical systems in a company's network can remain unharmed even if another is breached or affected by a virus.
"I strongly urge businesses to segment systems containing highly sensitive data like account and customer information so if a breach occurs, traffic to those segments can be quickly shut off," said Gomez. "Segmenting systems is something many organizations think of as difficult and expensive, but it's necessary to keep an attack from spreading among devices or throughout a network. Segmentation cuts off access points through which an attack could go catastrophically organization-wide, spreading through devices and networks."
While it may be impossible for a business to completely avoid the threat of a cyberattack, ensuring that your management and staff are prepared and that your most vital data is protected can keep damage to a minimum.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.