According to an October 15, 2015 Consumer Affairs article, consumers are more complacent than ever when it comes to online security. In a recent survey by The National Cyber Security Alliance (NCSA), it found that one in five American homes received a data breach notification last year. Over half received multiple notifications. But it’s not just consumers that are cyber security complacent ... businesses suffer from it, as well.
In fact, the number of known security incidents experienced by businesses in 2014 increased by 48 percent over the previous year, according to an AT&T Cyber Security Insights report. With so many breach incidents and news reports, it’s easy to become desensitized to it and not take security as seriously as organizations should.
An important first step in enhancing cyber security is to change our mindsets. It begins with addressing three issues highlighted in the Cyber Security Insights report:
- Engage your entire board of directors when addressing cyber security issues. The Insights report noted that nearly three-quarters of businesses do not work with their boards.
- Revisit your information security practices and systems, not only following a data breach, but on a consistent basis as well. Currently, just 49 percent follow this advice.
- Ensure that your employees are thoroughly and regularly trained in the organization’s security policies and procedures. Unfortunately, more than three-quarters or approximately 78 percent of all employees don’t follow their organization’s security policies and procedures.
Ignorance isn’t bliss. Pretending like the problem doesn’t exist won’t make it go away. Just the opposite – cyber criminals are banking on your blissful ignorance.
Change Your Thinking, Mitigate Your Cyber Security Threats
In order to truly affect change, there needs to be an intrinsic shift in the typical cyber security mindsets that plague many organizations. Examine the following six below along with their solutions. Do so and your organization will reduce potential problems and boost operational efficiencies in the process:
- “We’ve got the latest security technology/upgrades.” If it were only that easy, no organization would be vulnerable. But effective cyber security requires a more holistic approach – often one of the most challenging mindsets to reverse. The focus needs to move from technology and money to people and processes. However, it’s worth the extra effort because it often results in serving as one of the most impactful, cost-effective steps in reducing cyber security threats: 1) Begin with a detailed risk assessment of your systems, policies, procedures and people. A qualified external professional can be instrumental in this all-important process. 2) Cultivate and implement processes prior to purchasing new technology – and ensure that technology is tested and monitored regularly. 3) Invest in your Evaluate their security knowledge and preparedness. Address any shortfalls or gaps. Define a security chain of command and protocols – and implement and follow through on a detailed training program for employees. An impartial party such as an outside firm can be very useful in crafting policies, procedures and training for your organization. 4) Once the assessment, processes and people have been executed, implemented and trained, respectively, then take a second look at your current technology. Are upgrades still necessary? Are the system technologies operating efficiently? Does your IT team regularly and consistently monitor, test and patch?
- “We’re confident our vendors are secure.” Many organizations – some retail giants like Target – had the same mindset. That is until they suffered a breach that was directly linked to one of their vendors. In the case of Target, its HVAC maintenance worker’s credentials (login and password) were compromised. It ended up costing Target – to the tune of approximately $252 million to date in insurance costs and breach-related operating expenses. Vet your vendors as you would anyone else that has access to your intellectual property and network systems. Require proof of their cyber security policies, procedures and training. Don’t assume they’ve got adequate encryption, segmentation and tokenization. Ask. Allow vendor access only where it is absolutely necessary.
- “Cyber criminals aren’t interested in our data.” It’s precisely that complacent mindset that cyber criminals are just hoping your organization will adopt. Even if you don’t capture, transmit or store cardholder data, there are plenty of other types of information that attract cyber thieves. The black market is ripe for selling intellectual property. According to the Federal Bureau of Investigations (FBI) website, U.S. businesses lose billions of dollars each year as well jobs and tax revenues due to theft of intellectual property. Make sure employees can adequately spot phishing tactics, so they can avoid them. Check your network to ensure strong spam filters are present. Regularly update malware software. Though an easy and highly effective step, many organizations neglect to update their malware software. Guard your privileged user access scrupulously. Revoke such access for employees no longer with the firm. Evaluate if transferred employees still need previous accesses. If the process is too daunting or you need a big picture perspective, engage an outside firm to help identify potential threats and tighten up your security plan. Develop a strong incident response plan and go through regular practice-runs with employees.
- “We haven’t had a problem since we implemented our security program five years ago.” A lot can change in five years. If technology changes at breakneck speed, you can bet the number and types of cyber security threats also increase at the same speed. What’s more disconcerting is that many organizations mistakenly believe that have not been breached. When – in fact – many were completely unaware that they had incurred a breach. A 2014 Mandiant report, “MTrends: Beyond the Breach” found that just 31 percent of breaches were self-detected by the organizations. The average length of time a breach went undetected was 205 days in 2014. These statistics underscore the importance of a yearly security program assessment – which should include monitoring, testing and patching throughout the year but at a minimum, once annually. A 2014 Ponemon Institute data breach preparedness study found that 43 percent of companies surveyed were victims of a breach in the previous year, and 27 percent lacked a data breach response plan and/or team. A proactive mindset and stance is your best defense against the cyber criminals.
- “PCI compliance will protect us from a breach.” While PCI compliance does help mitigate cyber threats, it can’t eliminate them entirely. A 2015 Verizon Compliance report revealed that out of hundreds of large businesses throughout the world, just 20 percent were fully PCI-compliant. Of those, only 28 percent were found to be fully compliant less than a year after full validation. Visit the PCI website for the latest developments and regulations. Often, organizations simply lack the time, understanding and resources to attain PCI compliance. If this is the case with your organization, engage a firm with expertise in this area to help you. PCI compliance isn’t and shouldn’t be a cyber threat catchall for your security program. It’s just one aspect of it.
- “We’ve trained are people adequately.”Think about it. If you don’t have a solid security plan, how can you possibly think your employees are adequately trained to detect and prevent cyber threats? Sadly, you’re not alone. Less than half of the Ponemon Institute’s 2013 respondents had a plan for addressing cyber attacks. 82 percent of organizations surveyed with highly effective security practices collaborated with other technology experts, such as the Information Sharing and Analysis Centers forums (ISACs), to better understand and deal with security and threat trends. No man is an island and no organization is either. You must enlist a consortium of other organizations, vendors and partners to combat cyber threats and develop a strong security program. Strength in numbers means better resources and greater opportunities to improve security and minimize threats.
Lay the groundwork for enhanced security and operational efficiencies. Evaluate, refine and tighten up your cyber security program. The above suggestions – along with consistent monitoring, testing and enforcement – will provide greater protection to your organization. Consider working with an outside firm if you lack the internal resources or expertise to go it alone. The investment can be invaluable and will more than justify the return on investment.
Steady Wins the Race
Technology has reinforced a sense of instant gratification in our culture. We tend to view it as “one and done”. But solely relying on it for your cyber security is a big mistake and this complacent approach can leave you more exposed to a potential breach.
Instead, adopt a “steady wins the race” attitude regarding your ongoing cyber security efforts. Take the time to assess your current situation and vulnerabilities. Improve your security processes. Train your people adequately and consistently. Upgrade technology when necessary. Then repeat ... and repeat again. Cyber criminals will curse your efforts, but your organization will reap the benefits tenfold.