By Scott Krawitz, CEO, People Driven Solutions
While today’s cyber threats have seemingly innocuous names—Poodle or Heartbleed, for example—they can cost companies both large and small millions of dollars. Ransomware, hacking, phishing, worms, distributed denial-of-service (DDoS) and malware are just a few of the many ways that criminals access precious information, potentially destroying companies.
The risk to a company’s bottom line—and reputation—is enormous. Consider Yahoo’s stock dive after the company announced that 1 billion of its email accounts were compromised. That event also put at peril the company’s potential sale to Verizon for USD$4.8 billion.
Cyber security breaches can wipe out smaller companies simply because they do not possess the resources to employ full-time technology officers or other IT support to adequately monitor security.
Whether the threat comes from a cybercriminal, a competitor, a hacktivist with a political ax to grind or a disgruntled employee, the statistics are staggering: In 2015, British insurance company Lloyd’s of London estimated that cyber attacks cost companies USD$400 billion per year. By 2019, the cost of data breaches will be over USD$2 trillion globally, according to a study published by Juniper Research.
Below are ways that senior leadership should be thinking about security within their own companies:
Security Must Be Holistic
Remember when computers were stand-alone objects in an office? Not so long ago, companies had to worry about someone stealing a computer and taking their files. As the world has become increasingly digitized and connected, the risks have become unprecedented and pervasive.
Today, criminals can approach a company’s “resources” from many different angles. Every device that information flows through—desktop computers, mobile devices, tablets, laptops, and the connected devices known as the Internet of Things (IoT)—is a point of exposure. Every piece of information that is online becomes an asset that can be hacked and compromised for malicious intent.
Employees Are the First Line of Security
Many executives are unaware of a significant threat to their company’s security: their own staff. Social engineering, the psychological manipulation of users into unknowingly divulging confidential information, allows cyber criminals to gain the confidence of company employees. Their goal is usually to execute a larger and more complex fraudulent transaction. The problem is not the presence or absence of security tools, but the employee who unknowingly becomes the security breach.
One of the latest tricks employed by criminals is to pretend to be a trusted executive. For example, an employee may receive a legitimate-looking email from the CEO or CFO, instructing them to wire money. Years ago, suspicious emails were easy to spot. Today, however, hacking schemes are more sophisticated, and employees are often duped.
Employee awareness is key. Companies can spend millions of dollars to secure their systems, but must not forget to train their staff. Systems of verification should be put in place, including stopgap measures and policies to limit the damage caused by security breaches.
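One concrete form such a verification system can take is an automated triage check that holds executive-impersonation emails for out-of-band confirmation before anyone acts on them. The following Python is an added example written for this article, not code from the author or People Driven Solutions; the company domain, the executive directory and the sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"

# Constructed directory of executives whose names are commonly spoofed,
# mapped to the only address each should legitimately send from.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO (constructed)
    "john roe": "john.roe@example.com",   # CFO (constructed)
}

# Words that typically appear in payment-fraud requests. This is a plain
# substring check, so it is a heuristic ("wire" also matches "wireless").
PAYMENT_KEYWORDS = ("wire", "transfer", "urgent", "confidential", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_message(from_header: str, subject: str = "", body: str = "") -> dict:
    """Return {'hold': bool, 'reasons': [...]} for one inbound message.

    'hold' means the message should be parked until the request is confirmed
    through a channel other than email (a phone call to a known number).
    """
    display_name, addr = parseaddr(from_header)
    name_key = " ".join(display_name.split()).lower()
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(name_key)
    if expected is not None and addr != expected:
        reasons.append("impersonation")

    # 2. Sender domain is a near-miss of our own domain (e.g. examp1e.com).
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike_domain")

    # 3. The message talks about moving money.
    text = f"{subject} {body}".lower()
    if any(word in text for word in PAYMENT_KEYWORDS):
        reasons.append("payment_language")

    # A genuine executive asking about a wire is fine; a sender anomaly is not.
    hold = "impersonation" in reasons or "lookalike_domain" in reasons
    return {"hold": hold, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ('"Jane Doe" <jane.doe@example.com>', "Urgent wire transfer", "Please process today."),
        ('"Jane Doe" <ceo.jane.doe@gmail.com>', "Urgent wire transfer", "Keep this confidential."),
        ('"Pat Smith" <pat@examp1e.com>', "Invoice attached", "Please pay this invoice."),
    ]
    for hdr, subj, body in samples:
        print(hdr, "->", triage_message(hdr, subj, body))
```

The first sample passes because the request really comes from the executive's registered address; the second is held because the CEO's name arrives from a webmail account; the third is held because the domain differs from the company's by a single character. The point of the check is not to be clever but to force the verification step the paragraph above calls for, regardless of how convincing the message looks.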
In addition to employee awareness and security protocols, other measures include password management, monitoring services, lockdowns when a data breach appears to be under way, and minimum permission sets. An incident response plan is also critical: If the company is hacked, which employees handle it? What procedures are instantly implemented internally and externally?
One way to ensure employee awareness is to regularly hire a security firm to conduct a red team engagement. This exercise tests how deeply the outside firm can penetrate the company’s system. Red team experiments often expose weaknesses in employee awareness.
Solutions Must Be Right Sized
One might argue that security breaches are “right sized.” In other words, intruders will put in enough effort to equal the rewards. A burglar breaking into a house will not put much effort into the crime if an old TV and costume jewelry are the only items to steal. Another example is using a club to lock a steering wheel. This might be enough to deter some car thieves if it’s an old car, but not enough if it’s a Ferrari.
The key to ensuring safekeeping of your digital assets is to make sure that you protect them like a house and all its parts: the house’s architecture, as well as the tenants and possessions inside.
A right-sized solution begins with a security audit, which helps senior management understand a company’s blind spots. Ideally, the audit will be honed and focused, and the auditor must understand the business they are examining.
A reputable security consulting firm will help each company understand its unique risks. A few key questions: Is your company PCI (Payment Card Industry) compliant or, in the case of health care companies, HIPAA (Health Insurance Portability and Accountability Act) compliant? Alternatively, is there a standard that can be voluntarily adopted in order to differentiate your company?
Companies that are not compliant face a greater risk of a security breach but, more importantly, face potential lawsuits from consumers and fines from banks. Cleaning up the mess—remediation costs—adds to the bill. Lost revenue and a damaged reputation contribute to the long-term costs.
Why aren’t organizations doing a better job of protecting their assets? There is no greater risk a company faces than getting hacked. Most companies simply are not aware of the tremendous threat or perhaps they, ironically, have a false sense of security. Entire companies and businesses are on the line.