You hear a lot in the news about data breaches exposing tens or hundreds of thousands of records, costing companies millions of dollars.
And yet, the sad truth is that nearly half of it is our own fault. According to a recent study, human errors and system glitches were responsible for fully 49% of the data breaches in the study.
With the growth of cloud computing, misconfigured cloud servers are a common cause of these inadvertent breaches, accounting for 990 million records exposed in 2018, more than 40% of the total.
There is a growing awareness that cybercrime is not just a technical problem, but a business problem. And that businesses need to adopt a security mindset from the mailroom to the boardroom, from worker cubicles to the C-suite.
The problem is that most businesses still don’t do anything about it.
Read on to find out what you can do.
Business: Still in denial
Cybercriminals are busier than ever in 2019. Ransomware, phishing attacks, and other cybercrime are on the rise everywhere, thanks, ironically, to modern business practices.
The growing popularity of cloud-based ransomware-as-a-service (RaaS) and new forms of email phishing have made cybercrime not only more prevalent, but harder to detect and guard against.
And yet, according to another recent study, only a handful (12%) of executives at small and medium businesses (SME) seem to realize that a cyberattack against their company is highly likely.
More than 80% of businesses have experienced some form of cyberattack, and yet two-thirds of the SME leaders surveyed said they didn’t believe it will happen to them.
Email: Still the #1 Problem
In survey after survey, nearly all organizations agree that email is the big Achilles heel.
More than 90% of malware and ransomware attacks are delivered via email. And more than three-quarters of businesses say email-borne attacks have a huge impact on their operations. The number of attacks and the cost of dealing with them keep rising.
Increasingly, cybercriminals are targeting board members and C-suite executives rather than companies. These people have wide access to the most sensitive and critical information.
“We have all seen the ‘Russian hackers in hoodies’ headlines, but in reality it’s a busy executive clicking on an email from someone’s PA – not a nation state – that leads to the most costly breaches,” writes Computer Weekly.
Targeting individuals is called “spear phishing.” Cybercriminals use it to hack into sensitive information, but also to spread malware within an organization.
At the same time, identifying attacks keeps getting harder. Alongside phishing and spear phishing, new forms of email fraud — like lateral phishing, vishing, and SMiShing (seriously) — keep showing up more often.
Lateral phishing — taking over an email account to send malware — is another growing problem. It’s especially hard to detect because you’ll probably recognize or know the sender.
That’s why it’s not enough to check email headers. You need to check link destinations in the email itself. You do that by hovering over the links instead of clicking them.
The problem is that you’re less likely to do that because you know who it’s from. Or think you do.
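The hover check above is something a mail filter can do for you before the message reaches an inbox. The following Python script is an added example, not code from this post or from PC Professional: it parses a constructed HTML email body, pulls out every link, and flags two things a lateral or spear phishing message typically shows: visible link text that names one host while the underlying href goes somewhere else, and destinations that are not on an assumed list of trusted company domains. The sample message, the trusted domain list and the hostnames in it are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The "bank" link shows one domain in its text
# but points at a different host; the last link goes to a bare IP address.
SAMPLE_EMAIL = """<p>Hi, please review the attached invoice.</p>
<p><a href="https://login.example-bank.com.evil-host.example/reset">www.example-bank.com</a></p>
<p><a href="https://intranet.example.com/policy">security policy</a></p>
<p><a href="http://198.51.100.7/doc">Open document</a></p>"""

# Assumed list of domains the organization considers its own.
TRUSTED_DOMAINS = ["example.com"]

# Visible text that itself looks like a URL or domain name.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare domains are treated as http URLs."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html_body, trusted_domains):
    """Return (href, visible text, reason) for every link worth a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        dest = _host(href)
        # Case 1: the text shows a domain, but the href resolves elsewhere.
        if LOOKS_LIKE_URL.fullmatch(text):
            if _host(text) != dest:
                findings.append((href, text, "visible text points to a different host"))
                continue
        # Case 2: the destination is outside the trusted domains.
        trusted = any(dest == d or dest.endswith("." + d) for d in trusted_domains)
        if not trusted:
            findings.append((href, text, "destination host is not on the trusted list"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, the script reports the mismatched bank link and the bare-IP link and stays quiet about the intranet link. The same function can be dropped into a gateway rule or a mailbox add-in; the point is that the comparison a careful reader makes by hovering is mechanical enough to automate.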
Securing the Edge of Computing
Most people read email on their mobile devices these days. But that’s not the only reason smartphones and tablets are easy targets.
Devices are vulnerable because mobile security technology is newer and less developed than desktop security, which has decades of development behind it.
So ransomware is moving to mobile. Your device gets locked until you pay the ransom. A prime target is mobile banking apps — because they lead right to your money.
Cloud computing and artificial intelligence are also fairly new technologies, and their use — together with mobile computing and the Internet of Things (IoT) — makes modern “edge computing” triply vulnerable.
Towards More Secure Computing
A 2018 study of data access and governance lists five questions your organization must ask and answer to understand its overall risk:
- How secure is your data, both in the cloud and locally on computers?
- Have you protected your infrastructure against malware and ransomware?
- Are you protected against external attacks, e.g. distributed denial of service (DDoS)?
- How is your identity and access management (IAM)? That is, do all members of your organization have the access they need, and only that?
- Are you addressing the human risks by investing in training? Are all staff following security policies?
Here are some things you can do to reduce your cybersecurity risk.
“Second only to direct human risk, identity and access management represents one of the largest risk factors,” writes Computer Weekly.
Your IT department or IT services provider should conduct regular reviews to ensure that all employees and contractors have only the access they need. And to cut out “dead wood” by revoking access to people who are no longer employed.
Mobile app developers can improve security by updating their apps regularly, among other measures. An organization should also create policies for proper use, access, and security of all devices connected to its computing infrastructure.
But all workers — executives, staff, contractors — need to understand the policies and the importance of adhering to them.
Many business leaders don’t realize that password security itself is part of a strategic security plan or policy.
Strong passwords and multifactor authentication can be effective countermeasures. We all like passwords that are easy to remember, but those are often the easiest to crack. And they make logins more vulnerable to “password spraying” attacks like the one that breached Citrix.
Commercial password managers, or even the keychains built into web browsers, are effective ways to create strong, complex passwords you don’t need to remember that are accessible on any device.
“As long as organizations permit weak passwords without multifactor authentication, hackers will continue to find ways to exploit users,” writes TechTarget.
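Password spraying, mentioned above, is the attacker trying one or two common passwords against many accounts rather than many passwords against one account, which is exactly why per-account lockout does not catch it. The Python below is an added example, not code from this post or from PC Professional, showing the detection logic an IT department can run over its authentication log: it groups failed logins by source address and raises an alert when one source fails against many distinct accounts inside a short window while touching each account only a few times. The log format (`timestamp src=... user=... result=...`), the sample lines and the thresholds are all constructed for the example; adapt the regular expression to whatever your identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log. One source touches six accounts once each in
# three minutes (spray pattern); another hammers a single account (brute force);
# a third is an ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = [
    "2019-08-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2019-08-01T09:00:31Z src=203.0.113.5 user=bob result=FAIL",
    "2019-08-01T09:01:02Z src=203.0.113.5 user=carol result=FAIL",
    "2019-08-01T09:01:33Z src=203.0.113.5 user=dave result=FAIL",
    "2019-08-01T09:02:04Z src=203.0.113.5 user=erin result=FAIL",
    "2019-08-01T09:02:35Z src=203.0.113.5 user=frank result=FAIL",
    "2019-08-01T09:00:05Z src=198.51.100.9 user=admin result=FAIL",
    "2019-08-01T09:00:06Z src=198.51.100.9 user=admin result=FAIL",
    "2019-08-01T09:00:07Z src=198.51.100.9 user=admin result=FAIL",
    "2019-08-01T09:00:08Z src=198.51.100.9 user=admin result=FAIL",
    "2019-08-01T09:00:09Z src=198.51.100.9 user=admin result=FAIL",
    "2019-08-01T09:05:00Z src=192.0.2.10 user=alice result=FAIL",
    "2019-08-01T09:05:20Z src=192.0.2.10 user=alice result=OK",
    "this line is malformed and must be skipped",
]

# Assumed log layout; change this to match the real identity provider's format.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(lines):
    """Turn raw lines into (timestamp, source, user, result) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(lines, min_users=5, window=timedelta(minutes=10), max_per_user=3):
    """Return {source: details} for sources whose failures look like a spray.

    A spray is many distinct accounts failing from one source within `window`,
    with at most `max_per_user` attempts per account. A single account failing
    many times is brute force, a different alert, and is not reported here.
    """
    failures = defaultdict(list)
    for ts, src, user, result in parse_auth_log(lines):
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Slide a window starting at each failure and look at what follows it.
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            users = set(in_window)
            per_user = max(in_window.count(u) for u in users)
            if len(users) >= min_users and per_user <= max_per_user:
                alerts[src] = {"distinct_users": len(users), "window_start": start}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['distinct_users']} accounts from {info['window_start']:%H:%M:%S}")
```

On the sample, only the first source is reported. The thresholds are deliberately simple; in practice you would tune `min_users` to the size of your directory and feed the alert into the same place your gateway and endpoint alerts already go. Multifactor authentication is what keeps a successful guess from turning into a breach; this detection tells you the guessing is happening.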
Server-side email gateways are critical to protect your IT infrastructure along the outside boundary. They block detectable viruses and malware before they even enter your system.
They can be physical devices onsite or virtual devices in the cloud. But cloud gateways can respond better to the latest emerging threats because they’re updated automatically by your cloud provider. You don’t need to manually upgrade appliances or software onsite.
Still, as you read above, plenty of dangerous email gets through. That’s why even the best technology may be ineffectual unless all members of your organization are trained to identify and respond to phishing.
Education and Culture
Security experts all agree that the growing menace of cybercrime means that everyone — not just IT departments — needs ongoing training.
That must include cloud security as well as best practices for desktop and mobile use.
But cybercrime has become so prevalent in our online activities — both work and personal — that merely taking classes periodically is not enough.
Organizations need to foster a security mindset — an awareness that even the simplest online actions may pose a risk. In a culture of security, incorporating safe practices is a matter of habit.
The Bottom Line Starts at the Top
“The reality is that cyber crime … has a direct impact on economic growth, jobs, innovation and investment,” according to Raj Samani, chief scientist at McAfee. “Companies need to understand that in today’s world, cyber risk is business risk.”
According to security researchers, cybercrime now represents as much as 0.8% of the world’s total gross domestic product (GDP). It cost the global economy $1.5 trillion in 2018 alone. Today it’s nearly $3 million per minute.
In the United States, the average cost of a data breach is “$8.19 million, more than double the worldwide average. … Costs for data breaches in the U.S. increased by 130% over the past 14 years.”
Like any corporate culture, a culture of security starts at the top. Security decisions are business decisions.
And cybersecurity is not just about technology, but about humans and how they use technology.
Want to learn more about securing your IT infrastructure from server to smartphone? It’s easy. Contact PC Professional today.